Malware Analysis Report

2024-12-07 10:00

Sample ID 241114-vxjgpavnbq
Target 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
SHA256 1b5a8e869b055d982bd716b578823324045e387f6fc1dd08bfa3af41d521810f
Tags
discovery evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

1b5a8e869b055d982bd716b578823324045e387f6fc1dd08bfa3af41d521810f

Threat Level: Known bad

The file 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (86) files with added filename extension

Loads dropped DLL

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 17:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 17:22

Reported

2024-11-14 17:24

Platform

win7-20240729-en

Max time kernel

150s

Max time network

63s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
With HideFileExt set to 1, Explorer hides the last extension of registered file types, so a file renamed to name.pdf.exe is listed as name.pdf. The write is performed by reg.exe rather than by the sample's own process, so hunt for reg.exe children of the sample as well as for the value itself. The 64 identical writes are collapsed into one row.
Description Indicator Process Target Count
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A 64
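
What the HideFileExt change buys the malware, shown as an added example written for this page (not code from the report or from any vendor): the function below reproduces Explorer's display rule for HideFileExt and scans a directory listing for executables whose displayed name ends in a document extension. The extension tables and the file names in SAMPLE_LISTING are constructed assumptions of the example; the summary reports that the sample renames files with an added extension, but whether those renames produce double extensions of this kind is not shown on this page.

```python
import ntpath

# Extensions Windows launches as code (assumption for this example; extend to
# match your environment).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# Document-like extensions a user will happily double-click (assumption).
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".zip"}
# Registered types whose extension Explorer hides when HideFileExt = 1
# (assumption: everything in the two tables above is registered).
KNOWN_EXTS = EXEC_EXTS | DOC_EXTS


def explorer_display_name(filename: str, hide_file_ext: bool) -> str:
    """Name Explorer shows for a file.

    With HideFileExt = 1 Explorer drops the final extension of a registered
    type, so 'report.pdf.exe' is listed as 'report.pdf'. Unregistered or
    missing extensions, and dot-files with no stem, are shown unchanged.
    """
    if not hide_file_ext:
        return filename
    stem, ext = ntpath.splitext(filename)
    if not stem or ext.lower() not in KNOWN_EXTS:
        return filename
    return stem


def masquerade_findings(filenames, hide_file_ext: bool):
    """Executables whose displayed name ends in a document extension.

    Returns (real name, displayed name) pairs. With extensions visible the
    result is empty: the user sees the real '.exe' and the trick fails.
    """
    findings = []
    for name in filenames:
        if ntpath.splitext(name)[1].lower() not in EXEC_EXTS:
            continue
        shown = explorer_display_name(name, hide_file_ext)
        if ntpath.splitext(shown)[1].lower() in DOC_EXTS:
            findings.append((name, shown))
    return findings


# Constructed listing (not from the report): tykkYIwY.exe is the dropped EXE
# name this report shows, the other entries are made-up victim files.
SAMPLE_LISTING = [
    "Quarterly Report.pdf.exe",
    "holiday.jpg.exe",
    "archive.zip.scr",
    "setup.exe",
    "notes.txt",
    "tykkYIwY.exe",
    ".bashrc",
]

if __name__ == "__main__":
    for hide in (True, False):
        print(f"HideFileExt={int(hide)}:")
        for real, shown in masquerade_findings(SAMPLE_LISTING, hide):
            print(f"  {shown!r} is really {real!r}")
```

Pass os.listdir() of a suspect directory instead of SAMPLE_LISTING. An empty result with hide_file_ext=False shows that the trick depends entirely on the registry value, which is why reverting HideFileExt belongs in cleanup alongside removing the renamed files.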

UAC bypass

evasion trojan
Setting EnableLUA to 0 does not bypass a UAC prompt; it turns UAC off for the whole machine and takes effect only after a reboot. Writing this HKLM value requires administrative rights, so on a host where the write succeeded the process was already elevated. The write is performed by reg.exe rather than by the sample's own process. The 64 identical writes are collapsed into one row.
Description Indicator Process Target Count
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A 64

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\ProgramData\UYQUYsII\KmggEwYg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KmggEwYg.exe = "C:\\ProgramData\\UYQUYsII\\KmggEwYg.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\tykkYIwY.exe = "C:\\Users\\Admin\\fSQQcIMQ\\tykkYIwY.exe" C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KmggEwYg.exe = "C:\\ProgramData\\UYQUYsII\\KmggEwYg.exe" C:\ProgramData\UYQUYsII\KmggEwYg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\tykkYIwY.exe = "C:\\Users\\Admin\\fSQQcIMQ\\tykkYIwY.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
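
The HideFileExt write, the EnableLUA write under "UAC bypass" and the Run entries in this table are all "Set value" rows in the same format, and the same few writes are logged dozens of times. The following added example (written for this page; not code from the report or from any sandbox vendor) parses rows in that format, collapses repeats, classifies the three cases and emits the reg.exe command that reverts each one. The sample rows are copied from this report plus one constructed benign control row; the rule set, the trusted-directory list and the output shape are assumptions of the example. The revert commands are meant for an elevated prompt on a host that has already been contained; they do not remove the dropped executables or undo the file renames.

```python
import re
from collections import Counter

# Constructed input: the distinct "Set value" rows from this report's
# behavioral1 signatures (same row format as the tables above), plus one
# made-up benign row that the rules must leave alone.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KmggEwYg.exe = "C:\\ProgramData\\UYQUYsII\\KmggEwYg.exe" C:\ProgramData\UYQUYsII\KmggEwYg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\tykkYIwY.exe = "C:\\Users\\Admin\\fSQQcIMQ\\tykkYIwY.exe" C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A',
    # Constructed control row (benign: extensions made visible by explorer.exe).
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" C:\Windows\explorer.exe N/A',
]

# Row shape: Set value (<type>) <key> = "<data>" <process> <target>
ROW_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\\S+) = "(.*)" (\S+) (\S+)$')

# Directories a Run entry may legitimately point into (assumption; tune per fleet).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_row(row):
    """Split one signature row into its fields; None if it is not a Set value row."""
    m = ROW_RE.match(row)
    if not m:
        return None
    vtype, key, data, process, target = m.groups()
    # String data is logged with escaped backslashes; undo that.
    return {"type": vtype, "key": key, "data": data.replace("\\\\", "\\"),
            "process": process, "target": target}


def to_reg_path(key):
    """Kernel-style path (\\REGISTRY\\...) to the hive syntax reg.exe expects."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if key.startswith(prefix):
            return hive + key[len(prefix):]
    return key


def classify(ev):
    """Return (tactic, finding, revert command) or None for unremarkable writes."""
    reg_path = to_reg_path(ev["key"])
    parent, _, name = reg_path.rpartition("\\")
    key_l = ev["key"].lower()
    if key_l.endswith("\\explorer\\advanced\\hidefileext") and ev["data"] == "1":
        return ("evasion", "Explorer set to hide file extensions",
                f'reg add "{parent}" /v {name} /t REG_DWORD /d 0 /f')
    if key_l.endswith("\\policies\\system\\enablelua") and ev["data"] == "0":
        return ("evasion", "UAC disabled (EnableLUA=0; effective after reboot)",
                f'reg add "{parent}" /v {name} /t REG_DWORD /d 1 /f')
    if "\\currentversion\\run\\" in key_l:
        where = "trusted" if ev["data"].lower().startswith(TRUSTED_DIRS) else "untrusted"
        return ("persistence", f"Run entry {name} -> {ev['data']} ({where} location)",
                f'reg delete "{parent}" /v {name} /f')
    return None


def triage(rows):
    """Parse rows, collapse identical events, and return the flagged ones in order."""
    events = [e for e in map(parse_row, rows) if e]
    counts = Counter((e["key"], e["data"], e["process"]) for e in events)
    findings, seen = [], set()
    for e in events:
        sig = (e["key"], e["data"], e["process"])
        if sig in seen:
            continue
        seen.add(sig)
        hit = classify(e)
        if hit:
            tactic, desc, revert = hit
            findings.append({"tactic": tactic, "finding": desc, "process": e["process"],
                             "count": counts[sig], "revert": revert})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"[{f['tactic']}] {f['finding']}  (x{f['count']}, via {f['process']})")
        print(f"    revert: {f['revert']}")
```

User-hive paths are emitted in HKU\<SID> form so an administrator can revert another user's hive; replace the HKU\<SID> prefix with HKCU when running as that user. The untrusted-location flag is what separates the two Run entries here (a random directory under ProgramData and under the user profile) from a vendor updater in Program Files.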

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
This key is consulted during normal locale initialisation, so the signature fires for benign processes too and is weak evidence on its own; the page itself shows it firing for reg.exe, cmd.exe and cscript.exe, which account for 49 of the 64 reads. The useful detail is the process column: it is the only place on this page that shows cscript.exe in the sample's process tree. The 64 rows are aggregated by process.
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A 25
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A 15
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A 13
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A 11

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A
N/A N/A C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2744 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe
PID 2744 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe
PID 2744 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe
PID 2744 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe
PID 2744 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\ProgramData\UYQUYsII\KmggEwYg.exe
PID 2744 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\ProgramData\UYQUYsII\KmggEwYg.exe
PID 2744 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\ProgramData\UYQUYsII\KmggEwYg.exe
PID 2744 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\ProgramData\UYQUYsII\KmggEwYg.exe
PID 2744 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
PID 2788 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
PID 2788 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
PID 2788 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
PID 2744 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2744 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2744 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2744 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2744 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2744 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2744 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2744 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2744 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2744 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2744 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2744 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2744 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1952 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1952 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1952 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1952 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2872 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 552 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
PID 552 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
PID 552 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
PID 552 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
PID 2872 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1204 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1204 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1204 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe"

C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe

"C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe"

C:\ProgramData\UYQUYsII\KmggEwYg.exe

"C:\ProgramData\UYQUYsII\KmggEwYg.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CUgUsAsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MGwsAIEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AWkkAEEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tsowsYAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fgIIoUEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FYsYoIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RaoEAUwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YIgIMQYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CokUUYAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WooUIcgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SegggoQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fQosUQMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dWsYkkgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xqYMIIQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lwsQsEwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\umkgIgMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sKkoswMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OAsMUkEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wyQYkQIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1276490681-2143973628-563057983-827462945204758279818902039832484148-2029328464"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tyYcwsMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lsgUMUso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lkocowwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-13563015291216316142-592465361482467033-397818061202391033619757826562039031530"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "603388801584603998202743043538423027596340746-10905222352020213210954195218"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-15084832901146298332-68631705126703698-1264887355-4433096921507012637-1081678912"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\juYYAEIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kyYAEgIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CqsQwsos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KuEAEYMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QeUkYUwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XYsIIMEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "622939208-1847088399920666298362018149-143260812-5914486111418954198-518439880"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zoIIoUAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xookAcYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcMwckQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wgYQEQEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-8765545191662633477-574365400-7495695741564513600-9390357-1248257710-1006056097"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1965860021-1150610840-512722201-14166980661195517371-305079680212947587-1797946196"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qUMQsgos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1412561420-139185483126672942121083130711031755902-6941419652102851021-1247997257"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wCIcsYAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aioAgIIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "109120090320444004948000852371991843953183108199110816216785114096141292902966"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rgscsosY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-74383857-1655244438620192632307748891-1736029534125785961916396524551955276791"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2007448363-173474745397754976-414907195232105367-19593668171829206824-1239522962"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jyQYUMQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jMoIIkoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xKsAssUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1645843485-1614205120-261966123-1913340093805245344-2046821868-1199324017-1972266098"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vSUIUEUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1034779942-1201004914485273321-1074558851636643198-778612130192505787-429305052"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qaMgYEEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "854522223-1492492830-18224246088974977602099810958767900282-1655250687851006119"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gqMwoMIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-17372097781093378494505352238-100085335351226903113172544601681364982-931592613"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-579029972-1222394546-1675905739-1757837219-1365894587-81467423318689404711887861409"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SoMMEYAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OGgIgEMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-637575650-565729861-122823225210549661766774455-1276597507-1044235091685916534"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-412115781-19551691891798385596-68502210610877158291460519151240738716-1881016560"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1503201775-1204450192874861304-124535814-706409329-23123279178077461488830197"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ligcAccQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-765148294-15292869681272388903-129922401-215614391-2098445912985170856-385388246"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1644618814-1800363416-253243433-748923661-11540531736888452791079707220-1199918875"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TwwQMYEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-947817127-1877280428-20891711161508528198-11808571081249326880-13011476871734295459"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-124198394622483207217249771891848815799-404695774-5466868161542913857-556347997"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zsgcQEoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-854926542105423204118092401201906590898190130356-11074055211792638603-687534173"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-16954399352043402414-5036313411482669700-19626750511400986964305724716-456759215"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XSgkUkQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "166558777767324430-179042678958247333736412244-1502583548-6554540501513086786"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yoQQUUIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1164570331-19182650608349026774734888115273441811727162777-15471641580799241"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1566779929244250562846619832-11057506661502309441-160487886819006394421075388775"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\USYIAYsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "20323631-138645960976439055886217803-1410356752-1459960958-1112155484705309505"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MEAowAUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MIYsgEQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lwIwMYwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-167177007992447765491925264220993657211228496964-3975322111407802304-1229320104"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hcwAIwYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-864190778-99082694-4486602651497648855-15504971521849457383-5554327601888185151"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "9150355871975559989-13561835824053737151843950458-1210728126-606003634382693097"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "174845790453971967012402175303595306521083393909-14866321404551082991944637409"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bAQYAsYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "951950626-1962874894-3195473251886212753128187584-44595272814686528341997525649"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XqcEMAQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "234523922-976270720-959944113-1587738946-87725660-139037672313200947492073632469"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1092571273352588841-1154552660-7681490191037049623-991683928-18186034691878243675"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xIsUgQAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-84622628-167361748614690780-538226195-12042484551297153980-767699026-990866417"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-135740335888069818835509122717378996641375287999-735479062-5052194031023822991"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YAsEoIcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1218744702-21383659977646787621129189500-2146765392-972385048931514599-770842985"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aqEYMgoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-863122949988354361848772055-11837727451960512417-514277398973092665-1799593575"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "34627120420010167551619252096-15439397518905386581791388197-159576353359401804"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-148162748-2070962029-1076417618-93613608018971984171875717417-864961108-448802384"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uiUcQMwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-751320647-648912373162475233-845845274-11209155741800281890-15668961661622614416"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "18352217671493533290-11825213915806658917988469661913461722338274388822302225"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kcgssggM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "333508772-188723377175602773014777013761978799116-1103814929-1643607255633104666"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "11158906541085234707-19560287733679148784174980621526334111969533927835491552"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AocoMAMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5881408731398234998-1943691897-1530848071-2089986271-14227309841601052084-1386677195"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fyogkwwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1462673869-971740665626742241-774111590-10823935769188759641000509240-1023796902"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1825965236-20546263076336940052051513811-252453081829946858-1793743530923982853"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RqQYooUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1192060788846493047-17832725632068078081-11436349991263453213-20162826051063115276"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rSwwUwIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "378857876113740479-1286223440-1577704804-1004429994-1258695741479300264837025748"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LIgwIAkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-604111698-1627199494-7611452271639190335-13481411897512698951644711982610593776"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CoIoUYsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2072697174-1785294488-1449874836-114844363414758127231502287619-1818588686139584577"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1696958502-712058858-200356460018849721481635269513392028891790103627-941958990"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "619715340-1789074711-668448051550022146-1838770691780906016200100959-1001257186"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qGMEQcAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1146100537902044969-14977271117922349211722333685427225548-9516461631032657557"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EscgMEAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "11885800551144120975-748281811-1429023508-10047472621864911289184849861-278275618"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CAAYIAUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-129734735816651184425395653721036838833-8489164551873620562154184839-1995037812"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1643681631-1379801219-1645212134-73100189577032934-813127728-12068783631612601970"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1252220274-635232607-916652908746515724841388076-2116826268-407111210-1467250031"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gYIsEEMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1769825553-367462831-371548899510674248104496904794352326015552911912100868133"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tgIggocU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "17057254261002495258-757171417-750622279159608008-2101837701-1955836378-1058939399"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1922409077-1935466801824346203-1451939223-32207342-858246139765400081-472528364"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "937784425-580001179-1984973410-8757420483489785001452267562-1019696301721890978"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-17162277991091940161-1771909142437911899-97521500921103963181961761628-463876489"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "373805015302386838-528153182150163079220512932141017459847-20510183881623731425"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XYcIwMEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-17698848492055864341450074651755722584441880667-1650777872467691779-2098811311"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "256775802-747091774348564411-349864685-627899298191210786346547110398120346"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BCYQIEwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZkgQYMMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "346710158715718538-11341548641560946496-1303841226-14117592541078853126-188117141"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-159251071010518087282040929324-1032732744-21027374901539553118-932001746-1816376696"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fYAkEwwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1200656301-2128003022-1689544213169660871218138925391853753650-106925188028874531"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1608604417209476007-384660126915393094762174707-6727223891293693235-431709740"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-10297666921568496288-1942969394-2088305194-15514138161438002325-371893149994004433"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1973954458-75876744-1589690263-151048321-9161477893257862641862013671-1225433551"

Network

Country  Destination            Domain      Proto
BO       200.87.164.69:9999                 tcp
BO       200.87.164.69:9999                 tcp
US       8.8.8.8:53             google.com  udp
US       8.8.8.8:53             google.com  udp
GB       142.250.187.238:80     google.com  tcp
GB       142.250.187.238:80     google.com  tcp
BO       200.119.204.12:9999                tcp
BO       200.119.204.12:9999                tcp
BO       190.186.45.170:9999                tcp
BO       190.186.45.170:9999                tcp

Files

memory/2744-0-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe

MD5 3215e5c76e0f1a09a058174a99292d55
SHA1 0ba5e0c4083efa214698e0cc152d76a499105d2c
SHA256 78811584ba5441d5e232239701e9da0baee1ac1c0b330ad84b5a78d961ca3ac1
SHA512 c226c7e27d1831bd5f4e2a9da023ab73a16b3dd1cb1f27e74e79490306d428dabcb679f35524b3405cebb49aa511c27fc7b292ffaa652ff9ff69654454dada58

memory/2804-31-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2964-14-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2744-13-0x00000000003E0000-0x00000000003FD000-memory.dmp

memory/2744-12-0x00000000003E0000-0x00000000003FD000-memory.dmp

C:\ProgramData\UYQUYsII\KmggEwYg.exe

MD5 554025dc67564cee2a526b88115aac51
SHA1 c2df71c9b35fe2ccab69a01dd92d9a577890d55c
SHA256 d766b3fd29ea740739a36141f915192af2c1e24a11884e85d34324b5b620b5a2
SHA512 a1b4c1fbc46a3440ee038d469ec580baa444b4140813fe97c3a8090a6b0d37c0886f17e8a647364f85cd70d83a27fa0e8c13bb4886e280ab66839fc4b1dd3b4e

memory/2744-29-0x00000000003E0000-0x00000000003FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CKQMkQEk.bat

MD5 b3a73e507edfd3b3e9fdf7a3f6802706
SHA1 880b24dc2a6cce3b52cc8b78fad9c7cc2d26b52f
SHA256 2f97b990358561120012088105932c2b3d8cd1f15237ff4606197d7f9e36d295
SHA512 4f9d89b55174ab4fcadc2ef4c816ac52860e52bf2fa667e200616741f497903729caeed24f5f7f8662c2e896e160c1cca9ce8327a024906d0f9bdfec9feffb8c

memory/2788-32-0x0000000000360000-0x00000000003C0000-memory.dmp

memory/2788-33-0x0000000000360000-0x00000000003C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CUgUsAsA.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2744-42-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\qoEAgwAI.bat

MD5 4e250f9f160b62126ec720e69f78680e
SHA1 f81552320101071702782abf609eb21dd089766e
SHA256 ec8f9dcc3a2d11d3a95a3b85e005d922450d2fe03dcec5ed42b13c5b004e0325
SHA512 85eb1941c30c48e444887759377e0ff92833f386d3a255a958126623bb59f49367abab1a75fa7bf63cff71b20da16f4abc33da128ffe3cb24ea69f2bf5533314

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

MD5 ea4ee2af66c4c57b8a275867e9dc07cd
SHA1 d904976736e6db3c69c304e96172234078242331
SHA256 fa883829ebb8cd2a602f9b21c1f85de24cf47949d520bceb1828b4cd1cb6906c
SHA512 4114105f63e72b54e506d06168b102a9130263576200fb21532140c0e9936149259879ac30a8b78f15ae7cb0b59b043db5154091312da731ac16e67e6314c412

memory/552-55-0x0000000002290000-0x00000000022F0000-memory.dmp

memory/2872-65-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1788-56-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IiMIwYIQ.bat

MD5 4aba066345d839428a6ce1594c18c60f
SHA1 a3dfa9dc47ce8a5494388e209eb5b04ca40bdd42
SHA256 7054475d34639e621b1591b0953532e9d7a82c4e0d88fa842711c72da2fbf235
SHA512 260a8d4eafd22abab8771b425ac63570f51b24fbfdee261d029107606584248b413ca99b11057ff15400b84fac48bd1c976bf920bb267024014a2c684f336a4c

memory/2404-89-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1788-86-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2940-88-0x0000000000120000-0x0000000000180000-memory.dmp

memory/2940-87-0x0000000000120000-0x0000000000180000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pSIEQkwE.bat

MD5 3e0d654646a10a012e2c712f3f923b8d
SHA1 698dfca9f2222879ce7c22c6e1855808ce5e1cbe
SHA256 6975908e34f89904d7b6c5962a83367c3d5dfd81f72d246cc12072b14bedef2e
SHA512 5897cdefcb0952efc88fee283422b391e8729b0af7a88e65ee7a4b6fe58acfc618ec3d1648989f97ef7a5819933de4a90db6333ec5669390a2a5bf6b64f6487a

memory/2144-102-0x0000000000170000-0x00000000001D0000-memory.dmp

memory/2340-103-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2404-112-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\naEUEUIE.bat

MD5 ab179d87d50136e7f5f66169c6f97a60
SHA1 0e3f4d0d65333dc4a6d2f589400349c2f1c6d36f
SHA256 5214e92564b3086bd5e8e99c0dccfa115ff801c6ec58b0d8ae3e9966f237ce4f
SHA512 51328b8a53e18f7eec7ca17223caef88eadce6c8ba3c89769e3d9226c417f147d568bc995c969f3152d1001790ceaed5067b5e273ecacefc95bf61e76dda9085

memory/2660-136-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1472-135-0x0000000000120000-0x0000000000180000-memory.dmp

memory/2340-133-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1472-134-0x0000000000120000-0x0000000000180000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XCQMQMUc.bat

MD5 3fdddc531d386a8a42e19675ebe237d3
SHA1 4388c2531cd048111ba4ec45fe9a60e43958fb20
SHA256 3534656ad798defcdece96a4f4cacd3141ae4c3fc1478028442fc626d59aff17
SHA512 ff5b9e11b66ad9e33a7801db9471e4027ce966ebcf4f36b3e90eb154bfeb452891f21fb19f791d10bb87e9554287403b08f996b37b068179a7f268e84257656c

memory/2660-158-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1724-149-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2032-148-0x0000000000450000-0x00000000004B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DYEIcwIw.bat

MD5 1f5369e068d0e7af54105a663a0af3df
SHA1 8232fed7a3f2ad70aff89fc8de5578ccea0ed1cc
SHA256 7b67567e9b29c5b2fd2a146ea6ade7ebb2a8f6c456db4929a33ce62ff5393908
SHA512 a08616a54cba6322dc46313b9372ae2acfb074800460b673675d6bbffba0d26bd39944a13c72789fc23dbc92549bb3e6a7277804d6f39437fbe4068aba9ad1ed

memory/2960-174-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2652-173-0x0000000002250000-0x00000000022B0000-memory.dmp

memory/2652-172-0x0000000002250000-0x00000000022B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HCsUkAcQ.bat

MD5 6880a893e72b387c0dca3e4c65ca7eb3
SHA1 5d31e98308a621e96eed89271298098b8ec4858b
SHA256 483cf9a6527db045d86e6bdb55282c26283d29830521f10d74b0f5c6bbde5642
SHA512 601cbad170ed925612c55682492f82200e11bbb39a5f116ffc84a64e24119fb1031c4119488703404a568a3f0f7ed39351421fa257bb8a9f878639362c995972

memory/1724-192-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2276-198-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2960-206-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2284-197-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2284-196-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YqUkEwcQ.bat

MD5 67771e4e5d9babb0fce3bef850be4f84
SHA1 605c915049796e7ac62a6bbf8da929fe3861b4fd
SHA256 39f4fa0f2ac781244da3bc47c46e181e32e881c2fdad13b2c8c28f72734c1674
SHA512 3323e33c7019aee6a585d43d80c81d2e098f59f2ee36dfaf9260687ecb43a9d21dade540dc2a4207273250630e13160ea8d08898153470db4539e582dec7bb53

memory/2276-229-0x0000000000400000-0x0000000000460000-memory.dmp

memory/772-220-0x0000000000310000-0x0000000000370000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SsswwcQg.bat

MD5 7fa414d64cbea1b73ee3e26ebf26134a
SHA1 07f7bf6f175ccde60940e32bc7b011430b6dec1e
SHA256 14bb7b1edc7b641deb464ef5909eac61c85fe72fa27f597e5efab52238718885
SHA512 a0ff5ec6b043a44df2e6812058f15b6afcb85fda45260c0ade540e685b2d4cfa829a55fe289f90dcd8e778d5890a5a2f6e76bd9bc1cf8717621272505ddd0aa7

memory/756-243-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1872-242-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1020-252-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OcMMQYos.bat

MD5 ca3b02d0b5b5bb9e86a3bc6e71b2143c
SHA1 5f2944f33405fdd6ca3616020b5d9426848c9dd0
SHA256 fc4271b82938df8cb7ea3531fbdb6a7cdac54f5fd436dc797dbcee7ede481778
SHA512 fabc8730d34f93ebb9978cbd78432bd13efaa572a1a7b03bbebe9dae5b218f907ad61ff7fd4c5d4e43dc29a4d7ddc186b4da5247d684d630289e2226230c60cf

memory/756-273-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1908-275-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2436-274-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jyooEIUQ.bat

MD5 5188bbcd237138e07e03d84eb28f3f60
SHA1 65c83ffc53012283d2a15016027fa37508c09f4e
SHA256 7cb224d1fdb005773a5b4dba99e5c50caa416cf0fda4f80d9b877213bcff3ff8
SHA512 5cd9078716226d3a14b3ae0f0cdc7063617b1b4b398e096c88e08d03b5780f82f95546643f0b79aadef9b2aecf618235caf9e2a41a4dc7b93b117b9428ebb547

memory/2052-289-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1908-297-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tWUkYMcw.bat

MD5 05882b7679311ae3e077574989d4ce7e
SHA1 5d4f5bb5930aa4efac731c6f4775ded3005ba8cf
SHA256 b5c8790f1c249d059bdc48ff695f46a610e80dfb01c624ad6f6b1ffacdc587a2
SHA512 3c6a31d216d6891103d43def65debbd9e1ccb4b3b86b621d5963515c69b5f42a075b5ec4055ced46413ac3e84df3cc40a046b70de86200b0cad6ca07427be758

memory/2052-318-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HowUkMAo.bat

MD5 f1ebaeadc69e3352670b7628fb862348
SHA1 e50d2ed3eff9125156f31b9cf6ca359300577ae7
SHA256 6a2cd005ccf236a7e18a42f99b5f4dab659ffe4389e94e1669e1418292dbede4
SHA512 d2f91fd897e4ea9dc76c21166016d86203e01e1a2cf0b87c9985084d4a55dc295c9393a4dc0db0f18f461e2a98db95783002f26e291eb128de8604141955aacd

memory/2320-332-0x0000000000260000-0x00000000002C0000-memory.dmp

memory/2320-331-0x0000000000260000-0x00000000002C0000-memory.dmp

memory/1724-341-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xiIEIwAI.bat

MD5 0381185906494e785d3482dd5f4896b6
SHA1 470536e1cf0aed50acb8d4d5a8ceedb9b8ac973c
SHA256 296314f114dd05f8c1165dd8d2bb851904e040d0c547c3bc1470fa837bab6b75
SHA512 bc4a31c23182a2ef142ee6585dd9b6b944599099c5eb7369f814ebd11acf84907439570209441eefc31b96cf22606970d5de7362258c292228ffcb089b3770bc

memory/2284-355-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2284-354-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2268-364-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qyIEAIQg.bat

MD5 f6e9c4947b157ca297f4a071139b78e9
SHA1 c7f4742c7f19d36b2d81aa3b6f3d3a7cf2788b59
SHA256 0c17b83a50ff7f5836a825ff7dcaef9f7ecaa7727318cf4ee9385d7d928a497c
SHA512 2031144b201d0122d1c140942e4e9f68d2f859b0e3a6f77257310b867fc888ab79a11094129489854463cacff4f08a35fdcc09f0c81cf9eab3f3cff50795f47f

memory/616-385-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GIsAUIoI.bat

MD5 589c654476e6676edd6d7b86db955a2a
SHA1 6544cd120765d77f38307c0dd00c808056de4efb
SHA256 1609d8034f2aff89c2ad811089e994c61a9ff67711607592918e5a9b11b3d4ae
SHA512 ce9b0416aa8d3d48a3b694de3039ab82540bc93e0d08db3467029c81748cb975b5a166df597b3090aa89f85bb6eeaa36e4bd59cf5caf38d96791f3608847c40f

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

memory/2644-404-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1016-403-0x0000000000170000-0x00000000001D0000-memory.dmp

memory/1016-402-0x0000000000170000-0x00000000001D0000-memory.dmp

memory/768-426-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2904-449-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1556-448-0x0000000000180000-0x00000000001E0000-memory.dmp

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

memory/2644-447-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UQgoUcYg.bat

MD5 e16335ff950e769ca6d0c9f973a34803
SHA1 11d5be1a45e3f5b17bc85eff207a53632f11301c
SHA256 5ed83d9e701834848f06386084dd02fcfa5e5c8f26442644fb32318704aa1c57
SHA512 cb8d8301c6ee6ecda25badb10a93e7cc5a1279955d2fa13e4778ad2e54bc8b25da1e1144cb6e63476d7944a22afaa3fb98831843c5ba817fe54b37e7cad54161

C:\Users\Admin\AppData\Local\Temp\cAQY.exe

MD5 8120e0c6b1845aa07a913aeb5a7a6b53
SHA1 9d2fb9e8550f7529417bf81161ca0d167173d01f
SHA256 616558a63a45f329237b61580e8b733a1dc91f016e06ff6279cab70205d622da
SHA512 be249b29db4b2346ccae750dc03a306f74eb71337b05af23470a24985307ab3ed3aed7f04f4d295ae8a87f8326d37c3f57739627d03b23b2eb7ab2aa8657e31f

C:\Users\Admin\AppData\Local\Temp\GAAIcEUU.bat

MD5 fdbad67104f5edbfc0e3892e85072f22
SHA1 1231b8fef69bc51f09e385a855462bf2c52459d8
SHA256 8934ac2da78517f469c339629ffc2dd839742877a4ee75d40f340fb654252f0f
SHA512 1803418451c712ed89782673d137dbe3c0da41564c33015f5479c9aec529f855619c9b401a1de20123e0fdc0f35e68cc641dc816b39a3e36a8bac112311f576f

C:\Users\Admin\AppData\Local\Temp\IQUC.exe

MD5 18166094c576525b0b87e3894b858941
SHA1 bebfaf63585ffc086a7a3ff68765143791adc257
SHA256 11a41686acbeb471e322ddc141a6d7c9e9ec0568d1aec7472825d7184da47fe2
SHA512 5fbf8b4500258694eab8b5706a11b906193a423ebbf4fce182f310e214a2c58b477d4699607991130f94e017f862e8acee48cfbd4f713a51735b134aa331a02d

C:\Users\Admin\AppData\Local\Temp\ewgq.exe

MD5 d62a62fae45a169d79f600fc86c43068
SHA1 2ab6e346cbce0a9a27f42f57ef1d1df2888cf8f6
SHA256 ee7d1902c3fe04c0f7c1c5d6c268067a57e6c98d9560ab16357b8b1fdaf94965
SHA512 6203b22e6a56aa1bbde2c8039336ff562e169a9818f66b610270e39729e0224d35033e944757043f991cf78310297540bf37c5cd37f00da8507fe3ad05cfab84

memory/2248-477-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Wwwu.exe

MD5 9f971bdf515007868453c2110ede58d4
SHA1 7e18a8e93046b683ba1379a0474241a636881be9
SHA256 edf43def74aba860687c0c0778d27d94c896dfa37907875d938190fc1fb4558a
SHA512 a8e71d12074969f3494c8c34ba927054a07b676e2d731a557962873c3bac321ae33a92b0714a0c584d11ae7ed2324878070dee9890c91082ce8b498e814ff36d

C:\Users\Admin\AppData\Local\Temp\kkwS.exe

MD5 2ab5019af3ecfdb17876f2d44e532e99
SHA1 a05afad05cdc58c5fd3e98a35c82db324af81246
SHA256 f0550b252aa1600327ced819e2b905602ad59ea601e721217ed96c6fef72bef7
SHA512 d6fbb04a5aecbcb2da87b5fc6ace7237c132bbb49af9e9b7686c1f1a0d629ede3a985516289805ef86c57acedf26806fc98baadce746d6398a595cc8ea9d37ef

C:\Users\Admin\AppData\Local\Temp\YEMm.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

memory/2904-499-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2272-476-0x0000000002240000-0x00000000022A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vIoMoIUs.bat

MD5 16969bb656493aa0530f0719d4d8c7ab
SHA1 1a193e7108716b4efa365261abe67e10309e4988
SHA256 e10e0c4e973f507fd9f225be80544ea43b3cef865abb904315b46c0d67161e1b
SHA512 b256ea3138ef83ac92d83ae9b620592f2ca0c9e4f4222904529765f356985340913ac74548a69cec419b3837a343909ba5eff7714cbd5a6d7ea648b3d955b3d1

C:\Users\Admin\AppData\Local\Temp\iUMu.exe

MD5 6e54b6c71312c25bc7755a1c9c90466e
SHA1 bb851057826bbbb4229bfec363bfaa2bc9ddc90f
SHA256 aec7b30be4f77c67ecc0e123c587646b27f63c06fb1a5c9dbe14826c6ddaf699
SHA512 1f64e3b491f1647f3e5969f3c61d9c04a34682754fde6819a87b68f7fd88e188886efdb3821372579aa778bc6a3f0ec83c671a027cd7db75026748cc83c01942

memory/2248-569-0x0000000000400000-0x0000000000460000-memory.dmp

memory/568-570-0x0000000000120000-0x0000000000180000-memory.dmp

memory/2164-571-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EEIe.exe

MD5 294f3589aa18fc5fb7f6f116b3d254c4
SHA1 620d4b1c767a475bafa649ab309d2502266e9ca5
SHA256 6c984abd8e7092c4cff3069db860f576d843340b6b7b194d8c539c7871202d21
SHA512 c62afc8cf7584c595fee55eea709b1be63df80552bc687dce2bf233e44c1802622b7e517057f426b9fdb57174237a66c1ecfc5b772687d2f70bec8f5d48ed29f

C:\Users\Admin\AppData\Local\Temp\qIAi.exe

MD5 a9cf797f9c5976f00ec0cb6e1e705fde
SHA1 c8dfba5ff6e1068483300d363706e2bd4cbc4b99
SHA256 85acdf3ef2cdb93a516067a3505caf463afb989f9e0d6d800d9702f3cb45e9ad
SHA512 c354f803aef4b95c84b4f7dbde60625f4b4e52a2f644ba144f9b2b941a3bc54b32ee24ac49ff5de97f1421b6b652f280c287673404fa33dab57317e8784b97e8

C:\Users\Admin\AppData\Local\Temp\mEYa.exe

MD5 5c3d71238589fa29828fc7fe9a2268fd
SHA1 d41d35b6d4ebb7c39da3221bf164cdd60a487630
SHA256 16ab0bef07cb8c5d304973fe10e68d8550c658a7c70c936b5b2760c4e6df89ce
SHA512 23eab00fd68d08393103d7b9d1dcef60458f53445a7eb9879330b246b19300a91c800999d67b3e517cf8fbabab7fdbe22ec4c0c26147cc5e4162e68ad057ed2e

C:\Users\Admin\AppData\Local\Temp\GkoK.exe

MD5 74c3ae157d918e85d03c07bd6729c268
SHA1 42904b7e6aa47fa4b71081f7c48d00363c3183ea
SHA256 0db08eb9fc68ebb2b6b367fde39b35329fb5c6c4d2c1d9df24af98f22db87cab
SHA512 cf60575b24c4f6acdef1c3183ee05a4fcfbee5d055237467f14a40d6e2bd6bd86ccfc2ecc1ee31cc9c9a086911a8a826f2e1b875b2a74ee8c5d4745063aaea3e

C:\Users\Admin\AppData\Local\Temp\CsQO.exe

MD5 47b785622d089d478587de4312f4fe4f
SHA1 cd78f6ae3a698864681aa9151f74bcb87c29b22e
SHA256 3939b0937b429e99d6e5e78e0727a8c3eb955e993704c43856440e91c10f20b2
SHA512 201f21a44740138731577be4bc6663ba3fddfda6a79f2fec8fd8ddc5cdebd60c97025513bb4399530664eb98222ee0c442c55703da39ea468dc6c4b0f1b2680a

C:\Users\Admin\AppData\Local\Temp\jcAwoskg.bat

MD5 5c5cf4d7d00555f295ab407798a78e21
SHA1 256df0ebe3c91494316e77136297912a03863947
SHA256 d41a0a2a71fe573793bf1e0899d738f5ff8e6b8c7cc122014bfa02be98c33c4f
SHA512 e336b4d9e92e1ee337b216db774e5e8710df7e5f34067d8f6c9abf6d6a554634c3b9cf982ce8834b32e40c795bfd6b494af7c75067192af6fec02ca5c83737f9

memory/2664-646-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qwIq.exe

MD5 461a919fd8f86d967d477cc40fc9e311
SHA1 ff362ec141fb70daa9652806acc81b596d9fb2b9
SHA256 b1f8de0200a041bb716e1f7739864789bc28b9e48717bb44b229a6f536cbbfb8
SHA512 125a731e9258ddadda0856740e7431257be255473cc830f646410ea97fc8bd28302333ee0331ea06e423d1439aa4b651ead08f18e3d900c2cff8654cccd9c928

memory/2164-680-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EAAa.exe

MD5 0f948175f25a795203a38318a4daa1e6
SHA1 a844b30732178814f5d0e7e268a744431fc50584
SHA256 ecf5c4f34bfb881953fb6ddb91c33169015e955c22e60cba5b4f5438131e7c2f
SHA512 25d3e43bfe8e3d10b254ee7985d1ada06bc59e8432f3508cb1ae3955a50f07ec48d671a41d0066810a2f7bef28d30c58d410ce7109354d5eb87f296ac6a30682

C:\Users\Admin\AppData\Local\Temp\gkcS.exe

MD5 512af626d31ec8218ec368ee9ce82b65
SHA1 fed7b4141b0034aeec7affc46102b3ed24b2739c
SHA256 c38f4c870dc096c6c3d3652bde363e19f44bb449e082982d0333458724e0e006
SHA512 0728c51f8044684d9588bcc50a3de1016139bb9726172ca43d27e45970410641bd598cb9e238c61d4ecbdc4a72b75089b87ed0545bf2c23bc14ee1c61a6860ea

C:\Users\Admin\AppData\Local\Temp\UYEY.exe

MD5 d3cddc08cc15300ce8e1395544f1e1d4
SHA1 c643eafebef8d8f35434d3dea81bc5ee8b451c6b
SHA256 e535c7d27613263cb1de269b020e04661114dc3327cd8a6fe0d299a1e59a3d95
SHA512 9f22891310b876ce00a612a0d87e9735b9cb47e5f8329583b2a3991d1d08d6341717ea56b7936cf5351e802b27a72c72e82bd076901e29d2e6f18e933bb00d43

C:\Users\Admin\AppData\Local\Temp\pQQMUMgQ.bat

MD5 559fc64eced26277f3418bf30a95556b
SHA1 50f5e330faee43ce628e99163430fdf94d198764
SHA256 55a622b0b5f9e19118aae67121cdf52a9431c9b866ec2fc7052be9a05cc7e91f
SHA512 c4f8c9b65ba97270b9f6a67b983aa7b1b8a02ec2c10418e8622a97b49e7445fc908c42823eeabcede87308e4c02f70e2af30796e414972b93c0a382191804f62

C:\Users\Admin\AppData\Local\Temp\EsIs.exe

MD5 f1990d3d91c939c35324ffc5660a8e4b
SHA1 6f8723e7c991b50d9171631c1d8f0b570c8d6b33
SHA256 6bd3d079ab1b9824a923a203244641fe6d1193e4555a8ed5a2173208e900322a
SHA512 1e8d294bd0db0d16c494330d7295418b10648f8b135547fa47a807e4b17763a2b4b172005ab65845dacf44e36910a0aa6c89ea166a18ec54d5621fa047e8e766

memory/2720-731-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2936-730-0x0000000000160000-0x00000000001C0000-memory.dmp

memory/2936-729-0x0000000000160000-0x00000000001C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yAww.exe

MD5 83e811e538b19ae3670c4ffd73934b4a
SHA1 c2f54c29a14a8a56b5de78fbe22230cedafae4ed
SHA256 9f4a19f2fe36f1ec909398ffbef06a046cc9053faf372ca0ab77fe52b91df49c
SHA512 6dfe44ea87285ea06ea794fb2b2ee86c2d3a134a55ae4ee9fbdff226a527e800fca62e40c8ce29eff0f3ea0c96dbdec7e9b95239ac54fc7823204c9cfc43faf3

C:\Users\Admin\AppData\Local\Temp\eAgM.exe

MD5 9c7b46ad60ce57f75df98c7ecc4111a2
SHA1 4ead9c47693cfa34297d2c9c18bf8510d42a2433
SHA256 9b75e4388cff5903a83ee5fe251cddc1140119568032f0fbe0a0bc4894c15e4f
SHA512 838e699a5feeb93c54338c4c2da97be40bcb926f903020b62375032db744be30c2f1443e5de32114eb5bce240940514cf6e47c1f08537be8001cb0fb018e6a6a

C:\Users\Admin\AppData\Local\Temp\mwIc.exe

MD5 2a927733043afa4f064e377b3a2557f0
SHA1 ab15aa90ac737c2f77aadcffe8e17b94191f5e82
SHA256 f2baa91363ecd4a734463ff69f3aba5e916a9416f5c07a383ed137ee48be2a1e
SHA512 3834c9d3e87f634ea6ec9b1cddc8cfe08b3334dbe25084e4fdbe623dc71cd63579aaba7b957eb0c9cc2777fbe7062dead71ca731a4cfd81dc1e05ea93f0e6c9e

memory/2664-753-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mkAw.exe

MD5 42abe9e543c00eb9c46da7b7330520e6
SHA1 c5b00add8888e4e462fb056a6badd7b4dcfb8a9b
SHA256 7c0103ee3cc2dd11b4eac51cd5af9b60953b756a6fa225d2494f667c0c24ef58
SHA512 28a70960646c870ce5bc8d68d92542dc317fe945cd051bed82da7f88f42a0290485cac0e8c35457a2695f25eadb0b820fe079f9477ba0ffb9e410748f7667cef

C:\Users\Admin\AppData\Local\Temp\duwAkAQs.bat

MD5 0e52652bb8ec015af47744d643258e78
SHA1 b2bcc915f277aa41713bfee1cc12e50464ea4bcd
SHA256 807c58996b534c8c36fe888419a7bfba149d9382950cec26ac988e83a9e80289
SHA512 ea645f85d45aee579df37de756d8c5a33561d2a2cba98ce01d7284b0c1e5b8d1a92418692f789b3abe77ab0ee16fd997cfbd8d43d03444e426f639df5bece4aa

memory/2972-815-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EoQs.exe

MD5 bbba5a18bcf96608295643cf57a0fb4d
SHA1 a6615fa26db30d2f3c67bce098f99413ea0bfcb2
SHA256 f2fc0837c88cd2e75ff3b787805f6e902cb53039b200ca2b69e3b34075ad67f7
SHA512 9b2ddb4beff85076fb1cb1ff96ff5d065580870e821d26c47a3acca90574e76bf2e30610ad7a55fcd0150e28e7ceeaf18f9aa2db0513a4ef705523cade7cf15c

memory/2720-824-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WYcc.exe

MD5 9a5f24cdcf5aff52687aa29e543b6324
SHA1 4d4ad90a909acd610643bd2006e907f4c9eff3fa
SHA256 9a3dca2ac390a754a83659331a73c019377c7c6eb6e3a492746b33c1b4b73c27
SHA512 f94dac6df34d3698163acd782177efb47781d7497121043291d61b325c72ea258fb4feb9ccae5d2d1b200f59f25bf1469996ea6a8e96e5f8698506ab03c56b2a

C:\Users\Admin\AppData\Local\Temp\uMsE.exe

MD5 48186ae9e418fbcf76d598325cf91b2f
SHA1 0f739b8b66e5720687a0a685ae722ab162a4e066
SHA256 458957e36788605de99eda3f4a94b02db1dea47d6eccaaaefc85b22ee4d58cd8
SHA512 2ecca20a3d467eb6968c3036e93387cab22be1adb74f694b80de046ced00b54bd61809fb012c2185b4b9dad2c4cb673bb2666eb969883f67932e8cc3da29c0c0

C:\Users\Admin\AppData\Local\Temp\KEcO.exe

MD5 cbac0833d6e5b98980dc061f50ff425d
SHA1 edb5d9425fcf30c962b6f797e8eb9e4db7384c3b
SHA256 b72bf03b91c18f5f4664e224e60a1d2bbf936ec013ed44f2b7acb719f8186082
SHA512 861b6b347bfc00fa8cb27709c0037402567799a6a1dba2f7802da5f6b9c32d58460954f97900e44c7d79fd5fe7ff2333f3c3b43b97e9af54a32308b61f3b78c2

C:\Users\Admin\AppData\Local\Temp\UIQu.exe

MD5 2b3446905076ad08ec8c92895c0adcd1
SHA1 5b4a23cb4dd8389aebd6db742cf33707f4a85a8c
SHA256 be5a36e4f2f9324197528426c4c4194f7dbab708e609b937204e3e0cdb985b00
SHA512 2487c546a67c19924b500324f2ff91c92bb994514fb3178f0b21fbb4a5029df7ac3213946fc8d35de3894f031269f4007fee16c80e75603e3dd2d605c0e4cc72

C:\Users\Admin\AppData\Local\Temp\EMUQ.exe

MD5 5c44b65c73515a83594ffa56f1b2dd43
SHA1 1c4a243d3248ca783a740d8ccf3f1c819053099f
SHA256 b37d11515a4cdf9bde807fb77a5e15c10e0d0fd4c6d4dc0324e4d775bc18502e
SHA512 ae582c5d6fc14e429d3849ffaff76feda0c86967cf52372eec1f39f8c523f509a7264ba85c2dd06ab2af48ecdcc7234704b59bcbc92ab1a03b81b8c98b7a4435

C:\Users\Admin\AppData\Local\Temp\oUscIcIs.bat

MD5 e4cee5e88dcc3cfc8341f0a15edc343d
SHA1 2459e7c53379879e6cedc14a0a8b48d378fefc19
SHA256 082d7954a9989aeca5f75a9dc10f18df64a3af4dfe6899ae02ce2d57c39b67c8
SHA512 a60aaf620e3408103a5301f3174873c24786d563c833f1c1325dd63edf74393154fea5d09fb471d566379480a2fe545f67dda7db9566f1086935f18b5e8c9fcc

C:\Users\Admin\AppData\Local\Temp\MYYa.exe

MD5 8960481fdc8232bfb2841b091eb22bd4
SHA1 d89977c2d7ebdbb25578878f5b4c0478795af550
SHA256 309a6e1cb934f0e023c6712f242570b57ab15e7b1bb35d7534a920645c3c6990
SHA512 dd36c179bf98c2d4dad4911b7f21af0da800abb66f4b8b9e51afbefce6434455b0d89e34501dce3589ddd3315580741c95375c665706ee9fec836e44e543c52d

memory/3016-912-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csAI.exe

MD5 3de97e899521ed733846fbee8e1a6d4f
SHA1 33017a7b39e6dc81e5d15ad1cd27acc3d0ca63c4
SHA256 ac9b08053d45f0d89fc3db3e6db79f7a274eef2e16a704f065daef43a5fe4edb
SHA512 76e5acbbc224b56d23f8c5794bde3c68dace3d7b252c0d78110531aeddb63f7884fa202af8610c86adae4a4bcd252f8c378390001ba59f8e889f2f8b3ade9764

C:\Users\Admin\AppData\Local\Temp\YUEo.exe

MD5 e13c0a103eab496e00d16fbee7379fad
SHA1 b5205a4394574a11835c05aa431d226fcfb34eab
SHA256 94f3a9bc82f7bb805390f9c00dc5448db08e076a257a0fd2af23d0e6e50e0e7c
SHA512 ba2fcc016e0df5061fbf4c49863b383b5bd807a165273263b9ccbb40b43edcdede0e1040b3a9c1025b3500eed8659e6801e14231bceae6073c35d7b97be2d68c

C:\Users\Admin\AppData\Local\Temp\IAck.exe

MD5 d3768c8a14ca0b119ad7704795f61710
SHA1 f134b9e00115720264e54a66915909cd2e108100
SHA256 22eccc2dede07f1571a303f6d289b7bf0822c147b86e4c972bbb4e508d8e8b6b
SHA512 38a4f2da05a679c7fcf26f487d127766329ab2faa5723b2e3a7c6154ee9830c1f825743779c3d3137aef74fb4cc0c038efc86a222b5308f4082f2270ebb56c3b

memory/2972-960-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GYkI.exe

MD5 893e61d7901cc7d66d2682f6ae0b006d
SHA1 068f80d724db04b3d26a04add02d76462737753a
SHA256 4ea0e33da526ae787d3029edb548949206d1645344137550ea8c4c0d9228f373
SHA512 b4392a12780bcbdbc8eac10bd4de1d5a5d8a895b9ba6340ebe2dc7d187b05b870626b965cf11be2bcb042fca1626672dec4f9e9fde36695e54dac8d1d265792e

C:\Users\Admin\AppData\Local\Temp\YwIC.exe

MD5 e7dd5dd825db2fcc3daa178d8044d93c
SHA1 c57a77e11422f3d9f026a52b87f011f91bebb643
SHA256 0cc764cf22f11f7d808f7fc584cc64093698220ac778253590a0f62a2e804ab1
SHA512 c61a2c7cf324dac6d8b35bf089f6f388af679d2c4c1631ad24899794f729d5695f0e41dacc2d9d22d95337b260c3a91de618915a6046a403fd21a479b90f375e

C:\Users\Admin\AppData\Local\Temp\akoU.exe

MD5 0a8fdc937ad5284f55f92c003ccc7ee2
SHA1 ff057959b1f329bd77bb8f32495fde91780490fe
SHA256 09c4414a0418a9be0b0a57df552410300453be1217878caf50b0616cfbabd7d9
SHA512 554850c2ef2bdffa3b3da2a9a981cf50a8e584c0a89c4cd21f12f089fd4130de41b92ee0c2345e4ec8b164b7f33f4f3cd17cab4b6c51fb4400c0889ae84142e0

C:\Users\Admin\AppData\Local\Temp\uosm.exe

MD5 a9d6818858ff27747897f02e35422c94
SHA1 66adbbdfc20297d1c59285cdfd611937a437af05
SHA256 0b6389e927b12a86a894a1d7f736a4079db99bd5c6be4178bf8d00428f4ed54e
SHA512 2483482247b9c3f666c2b811658cb9c2b21633de4f1025769702e89d58262330a48e6a442609abd34e9cccc771011194298d96b837675f0375a7c082bffc9a4c

C:\Users\Admin\AppData\Local\Temp\kAUEEAww.bat

MD5 df93a7204eaf7c8f4bf5c78706de023d
SHA1 d4ad69bf01d8d15cb0e6e1db9593b13b78dd16a8
SHA256 61badc8caecd5336858f2864e0e1e1b3a3171c3203a3e9d82f34113bd8a5bae5
SHA512 d6c6372519fc06a134ed35b5659a06207f5b1ffaf8092d8c381f7c3c87700e6c79563a35d2a8e494f77f2e7ff5d32e703a002a319d615d171e7b371a5e0436cf

C:\Users\Admin\AppData\Local\Temp\cAso.exe

MD5 3cd3a0aa7d197bf04398eb63e153506e
SHA1 704d65a3c6e6024a0fc14348c9d577568931fcb3
SHA256 cc11a7d1d777e77a20bf83d3b52c8d91f3421ab6526baf4e765371d66a1b3b61
SHA512 d538d91d3b2f55a563eb792fb114b37446eade1a4a945bc393fe89e9144264cbffee2122f15885142fba929253df620cfde5339f72573b5e3a77bab4deeb335d

C:\Users\Admin\AppData\Local\Temp\EoIu.exe

MD5 5e59e7f49d141d3288ad722b9493cde6
SHA1 5be3404ca16dac3085f17c561b0d3b9a46c1a44c
SHA256 4b7668fb97482ea2ce450f2e3845eda802378a6d0c397c932346528f998d73ee
SHA512 c628df66237c43bb2770e91de36ae45839e4188d1fdbf0f197d8ca7e34ad341179e7a92bbadf8b8bd0313e8baf99180e56fcfeac7d0303e9d1a728523dd73f84

memory/2328-1049-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1892-1048-0x00000000022D0000-0x0000000002330000-memory.dmp

memory/3016-1071-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CsIE.exe

MD5 45668d9cd305d42a2ed6523da44e57d3
SHA1 da8f06718ebe659564c31edcb78f68488a3b6a77
SHA256 49ea1f6a34bdc7fef7f81feb4b2980359e5e65a5890ff7adeb70467664155933
SHA512 87d6e51ab0b237359991ea5a8f089a3e1b9e294d8836cfb6b092effc8f95feab9c19f7f9b06471037940572ee201603d352a6be4ff4e80aa8db8fb288a4b6d09

C:\Users\Admin\AppData\Local\Temp\kkQi.exe

MD5 ac3bb501835dddc9ed7596aaa833484f
SHA1 5611f0d691ac28c266d7188d04bb2d4b40f6a0c4
SHA256 047a4b2888bcb14b801d57878d6d5398ed9b751cdcf95def846f64dedf50e01d
SHA512 87127879c1b059ec90c641d60f2af9cbd2f3dd7dd22ee47da1763156c401ba1f9a11cfb38cc9700693c8b9a4174e1328aa7f6041c91a60105d51027301fb65a2

C:\Users\Admin\AppData\Local\Temp\wkMA.exe

MD5 fbcb59f012485f1fae1a460035047275
SHA1 bcd53abc757c0b497dd1be657720aafa224e307c
SHA256 c6ac21fdd072547d987f147f1165f92112af458b782575641352362945c4d7e9
SHA512 5541f579ba81387d8d16305c95df93bae2b238b50b15d875429900cb76088fc4e17eb1eb90b09fb97ed321d35e1d8b34269a16ea9c07f859b5483b6f645ce293

C:\Users\Admin\AppData\Local\Temp\UCMMAcUA.bat

MD5 62e4383a93a315d6a810067bf87f9641
SHA1 099f6e34b8c27f3ed1328148bd93d0e540703618
SHA256 fa9d2edca0a9af4e1c2f67ce86193ce779d7c06945d05a4a19415fee3ba65315
SHA512 6eb220432137132fe673afd6b5e2275fbcb975e9ba141547071e4984d307221ccc1c33aca9c14a4a0fe06c0ab73373fa203fdb838bfa9efd8b990f824e29a6b1

C:\Users\Admin\AppData\Local\Temp\Oscm.exe

MD5 6f75a1c981b70c57b5c0900e263d9039
SHA1 f827a46af40482290e0b13e133806b317c4b5d2b
SHA256 39f12b36a58a71fca3232fd7e2a31ae436e9815c0fd8ef0afdac1e58d649358c
SHA512 fe5bf3e4fe1b20f30749186a27b2ac9111833daebc896684715c11247051b493b11842011dfc79aa7362cbfc8d361210342e192c054b95cbe6ce6cf67d7de31d

C:\Users\Admin\AppData\Local\Temp\CkkO.exe

MD5 608c30fdfa3defd2bcaf0c323cfab606
SHA1 1da211214ff788eabaa2a2b4d801496f5779ded7
SHA256 d268931beb628a0262e35dbeea22801332b31cd53b5e9aa655a8ad74fd0cc798
SHA512 bfb61add5a38fc28fa5ab14f71eb5941354cc17351145c58c6cc3002423cdbb26ba8fb32e8b9a44a975a0b522d763aa37958c2e1471dffc3ccb3065202305dc2

memory/1640-1142-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2328-1141-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QkUW.exe

MD5 282410b4f281fa97655c10eae577942e
SHA1 03199b33f4248658a1942d87b836f15234e2fe8f
SHA256 44a50192bbe35956dd9f7db69e24943e06584f41c5459d9b2909b817eb6e700f
SHA512 0ace008a9fa4d7be5db95e7341152c7c65f1f7ae571178181799e5c0401cbc2e71b171b20dca40787ce9330591ba3f57f6358594d995f68a4d935364bdc2023b

C:\Users\Admin\AppData\Local\Temp\YMUm.exe

MD5 3c0ae44970412822770d7c8d737d6aa5
SHA1 1a32367864b5c2b90229a810cebdd565a967322e
SHA256 56fdadabb64342c01b302c4533b60c5da84ea151a9d4c0b130033c51f0929b96
SHA512 8ac6b07f94ae0ac7bd4f2784228c43fd3401d58524bdf55f9da3a218b452103a27b598869c4852cc75801a7b7d2d2a2533c55f24ac2e8f6971fdb3ec2e8c3c3f

C:\Users\Admin\AppData\Local\Temp\GoMS.exe

MD5 8cc2001fe07187b2f79e5d364870f2f3
SHA1 143485a0d5ee8059dc245f8e32d24edfde2190e3
SHA256 efdad3331e9a9fbb23f9c4fe50a3cd991493a513e287ae0aa6c005fe982321fd
SHA512 fd2d41b90bfe80cfe0c6c8b2b7fb0f5f22ebba0281ff63da27aa039496ecdaa2b924c0822811703415685798a9f9e4e84f1b1c07b5488bc9a158a6f6603f859b

C:\Users\Admin\AppData\Local\Temp\qwkg.exe

MD5 c643793ada090ce5663415bebba70eba
SHA1 7cd02d89e83c1138a31af7f2bf5a058e46b9f467
SHA256 dab84f223531ce25dbe550e55702ef949029e56b48b3ab881dd81d19ecf8cbc6
SHA512 a7fd3ece4e3414959ed683b8f8c1aa46bb7107f0748ae979a089b1fec6c8ec7aef493425b239eab222bc80d7087faa024a0a75421b7c8b2fce1294747b3806c6

C:\Users\Admin\AppData\Local\Temp\CkUY.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\SwoY.exe

MD5 720386057b7553bdb876d395c567bc69
SHA1 18dc1f4f77194af313fea303cf19a970ac985229
SHA256 3f2a1d4c0727923e131fa87351ca07191eceb093ae949c9d82950c79274f2d4e
SHA512 4c95d1d35374cbb4de758dd976cd152fd553977b92bf2d0bffd2f6d135495a2694fbc62ffc519aadc3bcdec8fc1f5398a2ea17bad32e5e8627b161ec39da6359

C:\Users\Admin\AppData\Local\Temp\QgAskowk.bat

MD5 c6035fcf2e20978d5d80e9710d6c391d
SHA1 3ec6ea178c029d1aa9ed8bfe4f00af31133f7ee9
SHA256 89212ca98d6500bc367ea1e583ddac9fd2016e65a776206f87ebfbd6b146f6b6
SHA512 22a8a00d99b5c5c51bd5b691904522b5fbcb769c93ed9178b0c1b984b72873de5ea265cdd69de3356861beeedcb818f0e02a7e09f567da963dd3c400506574f5

C:\Users\Admin\AppData\Local\Temp\IYUu.exe

MD5 a229cd5c28fda9856178a8fcf74b9a1c
SHA1 edcbf9dd977f6a788a38ffdde5ab4edb2e35d6f4
SHA256 de58bd39ebc67ea608bb508b4a658eb42c8558fcb58838191de7a7a4368f45f7
SHA512 ce84e3ab0cd7c2ed3b65aa4ef68671f2dffc840151f2a4fbe2cc61c3ea8a811e9795d353d110d8237a7c4b669d1085531f539bd07cf1a05366d1dd591c16a867

C:\Users\Admin\AppData\Local\Temp\uIMm.exe

MD5 c71b2a2e8c1d7e1de42429f063874f28
SHA1 01a76dd75ce6e56da5d306408202cfdd0a2ff9d0
SHA256 ca58ee76aed85bc31fa19a227a61104b02f140346e2a0761209c6cafac0452d1
SHA512 9ea705da6c6921ee0e03525eae7bc9e25f79695a0388d3a12d2438a42ba9af3288ab574f40bc3ec22d1623097ef8d7dd42fc01f910c05006b2de67b276efe5b0

memory/2372-1231-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3008-1230-0x00000000003C0000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qEgU.exe

MD5 e3da0658145917b31ef6d512457fd5cf
SHA1 9bd170976ad941b1f214c77266088108dd4764c4
SHA256 7904e41aaa71f6d0f99e6329accbca0f58e71ce06f2cef7576eeff648ce63257
SHA512 0692951e090fbf68a6b1a7e98d47ebd8d8f9571228e996ea3f33e7bf74a071d18e581f0f75eccf2e26632ba3971ea63ec03b2372d3aaf1e84cba18b2994c2801

memory/1640-1266-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rKsgwcsg.bat

MD5 01750a1cde6c2a976313abbce0fd1a37
SHA1 96d06e044d409dd989a3a94d36082f640bba9170
SHA256 74a5dfa71eda5f613157ff981976990f324ed17c7c3b397bf6b38685ea6ff24d
SHA512 894df9ef4f96fef96e1929774c48c5b4968fb5bec2bc7d4352cd3ddb882c9d9990c90612d1ca5db7ec46313ba986de5bca6738d1b11b7da70ff03c2aa2625b83

memory/2372-1284-0x0000000000400000-0x0000000000460000-memory.dmp

memory/896-1288-0x0000000000370000-0x00000000003D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OkEC.exe

MD5 cd7254b011402107356351429e8339cd
SHA1 02ac403fa99b5f1d4f1d2af4755fecd3fb420ba4
SHA256 cc41b74b5977e074585fd777de6f098076d58d8108d235bea3eeacb31c0de47d
SHA512 ca75a39639a2413e17ec5ebfc2bc2a9714f88f2e418ec23d8ec621b0b5b196913be9a6e9144f6ba2905ebb670108c8fd43e0dcc9163410b03eb0872bb5d4310d

C:\Users\Admin\AppData\Local\Temp\kEUq.exe

MD5 4e59e677596f580f3f508cfdb87db996
SHA1 a0687340c4fdcc624ad09514ef77d6018b1ae6f6
SHA256 fbe8371790e986a04faee8ec7ddd0dd9c7a2524c4c4907f140cbcb7432f7cbce
SHA512 da1889dedfcce4bc80893ff944011686ce5737f1a8a5e076e3bcf6d4e8e670c4bf033dfe50f8a597af0b817df7b2bd897a4f82c51fb4cb13688300efa89559ce

C:\Users\Admin\AppData\Local\Temp\yAIq.exe

MD5 7c51f8640fdc8ee2acd5fe197bbc0fe3
SHA1 d2de55d68cc96cde6dbf5f0982b00d7fc548fd77
SHA256 8aeeccc5c92ff2d9c8e1167cd1ee9f13185af9e4dff535723901e57f48a2be7d
SHA512 c062b1fd22736c3b9723cfaf8bdc42e708d5e3af2c9fc6e376000b09dc607146dc0dbc9602f1887deb9b1ec0b282e8c2fc8327885c433aa6142e047464bc3a0c

C:\Users\Admin\AppData\Local\Temp\QAcW.exe

MD5 519b09678bfe61ab9258a39a9e196e37
SHA1 a437dc6d61a7ea362dfd7a8c62edc8145fe3fc43
SHA256 9c788ff3104db6b5d9b9ff897813802f0c2b9e662d8a120092344dfdcb87766d
SHA512 06ae6dc3875dfc7dbe6d4c6729b897cdf29af7590f26d569cbde22cfda66bd6d543bcd6956af2ad9073830158535676aba017e4909458b961ae9ce3734f6a08d

C:\Users\Admin\AppData\Local\Temp\RuYwowAU.bat

MD5 4f07a3b31744640b0d6e4ef6780c013b
SHA1 d2f56efe8c6a2e0db453ad0bff90b765b3785822
SHA256 407d9e03257ab7f82a544305d8142271ad7bab557798d8667901d31271e226ff
SHA512 2cb786ce88a577a0344c438a6c02558af686aac21e412185599f06ff95f2d10bc7804c577531835831a4923ee6685b71b1178fbb5a6efcbe5f8f690d0a3dc968

C:\Users\Admin\AppData\Local\Temp\mgQy.exe

MD5 8b0e9e35b4142601dcdffa31cd04643d
SHA1 a5db551b6a6ab8c7080faefa9ca51a03e1333b90
SHA256 bdc482301779dabbc9d847e837b8d4dfdad45c19a66ed423adbc94ca2922e269
SHA512 2959f94173a84d9b74a2a3b0d20079c01dc151a3963e8ec323f275966fc6a1bbf39d4c992fc3fb17402e36effada2995780f2c4db46662286a1cfd7b4db0d23a

memory/800-1369-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Wwgs.exe

MD5 b91cd53bdea6af77605090bb747e4c39
SHA1 32766078954fee651ebf4cff097e8e15d971d750
SHA256 58753d89945ac7a535a39e4e790765cccb2da4eb39b0f9749f5e20f8bf785907
SHA512 b444042ac00b1297426967f168c4144fff2b72362238113d4e2596d00fff8b7e06b9f75f587e0c105df45b3a75e3936d1f50bc0b93c39ccc609cf72cc353c632

C:\Users\Admin\AppData\Local\Temp\jWkskgQs.bat

MD5 5de6fb3236d74270d35e58cb0e821910
SHA1 ff5b8cc9e45b8fed4ef61c1bbd9191487c6ae4b2
SHA256 dcb42395080a62781e25ea23aaf7eb3a78e3eb06465e5bf5f4fb9c014f477749
SHA512 3ecdbbb14f8293290d55db42ff25085aef16c91bb60db4c8a2c71219c46cbc5d89526455f513cbfad2b5148935691eebe2ccfd00a16ed1090f7027f58b7f9a27

C:\Users\Admin\AppData\Local\Temp\GoAo.exe

MD5 81048fbf10dc3344e16fe8704f1d61fa
SHA1 f340f43431c40b2b38ff0366101a7d715a6902d5
SHA256 51ccd55596e441599fe895578b6c43bd705ac016088c718f2005929487a75837
SHA512 4ed3ab17e3dab272ed3e4961b59672b9b6a80d9c35808227235b5f420c90049654cc2b77b4d582e0dbc3dc26e10fe71091257b47b685c6b5288f304339df4364

memory/2132-1375-0x0000000000400000-0x0000000000460000-memory.dmp

memory/860-1374-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2956-1407-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2864-1406-0x00000000001B0000-0x0000000000210000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Okga.exe

MD5 7fe506efccaf8e7c6d164f2e473653e1
SHA1 124380862350716a3900f744b10738dc24448898
SHA256 b17ffe70dfdc27aed4991e891e9cd383628b3e2186808aaba65b6c1c120dc6e6
SHA512 414f436db07834cd8e5d05674eadd366b60b926eda964b9aa96a0f8f4e1edea7bf7a917280930e018c74950d28004fe37c2884d58907c08e414ce6f1a435e46e

memory/2132-1429-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eMkK.ico

MD5 e1ef4ce9101a2d621605c1804fa500f0
SHA1 0cef22e54d5a2a576dd684c456ede63193dcb1dc
SHA256 8014d06d5ea4e50a99133005861cc3f30560cba30059cdd564013941560d3fc0
SHA512 f7d40862fd6bf9ee96564cf71e952e03ef1a22f47576d62791a56bdbfbff21a21914bfa2d2cae3ca02e96cd67bf05cade3a9c67139d8ceed5788253b40a10b32

C:\Users\Admin\AppData\Local\Temp\zesgIwIA.bat

MD5 66f216cfa9ca82c000fb444cc40527bf
SHA1 39dd632f1c97e618878c1f65dbe2a0de3a5e7063
SHA256 19f3034bdfca2f45267dbe31a4090ad734ac5e71da6c2430a368f2f02cdbdd9e
SHA512 4e1fc0afea28fe1fc844c7681c2008c6a4045a03c20d58daeb3332e5b6b651d30833ee0db3e00920d0390fc720e76f0454a6ac682f1613dd5e131eba3ae84001

memory/2956-1510-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qEEo.exe

MD5 dddae8f23973150de2559484ca1f48c0
SHA1 7d609ad892d30d2ee9f752e3f5c290cfde9568af
SHA256 a37bcf1f04be1c86a8eeb7857c01eefd3eb998ead15fb348ef58a06c102a8ac5
SHA512 ea7415f026e19d76e43ba32ac9fa718fa6c86264971c8d16af3bc9084c6d1052f2f1a52d95746a6cd061efc7ec57e87aad5e0ea9766be7215ab35cd6aef21f35

C:\Users\Admin\AppData\Local\Temp\skoY.exe

MD5 b0134a1a01b9daadb1e588d8505ad373
SHA1 ddde9c6ece3a921c489c81e1ad719a4b546b1973
SHA256 652316cdada5c0be17e054301dcdacd2db86b0fb7767430e3bdde77d2e41a867
SHA512 8b0f0afd7886568e4d6f8a3b8e43ee00a6c03f4541838c8caf5c5b350d07d182a5358d534fdb1d7faba4e0ad92300c8bcc07be9b9eee189511a36ac3b7cb5e43

C:\Users\Admin\AppData\Local\Temp\QsYC.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\EkAk.exe

MD5 03fb3560cf8a1a83bb6eaf71ccf438f6
SHA1 3116070946978c129b6e4af520660489d6c0a407
SHA256 a5de449f99fbebba69cece269984220bc22c8502933157b5dccd399ca445cfad
SHA512 927361d42397165c38b653bb99534ce1c8913effaaf94cf33e0ea18ca79f5445d0e3bdc9263bf33195476fb2150e7d8e0255cdffd19084d7824c034b46819c54

C:\Users\Admin\AppData\Local\Temp\CkoowUMA.bat

MD5 d9e15f56c572a1c8f7c465697fddda16
SHA1 b143972c0a40235fb3be1b4c02465e0e6917a98a
SHA256 d7ddf5a953dcca3a1a45f2271ea386422776bb8c096b689946152ad17b8ea540
SHA512 1851ec1e20b27bf7da36f9ee2462f66e9b65eb455788dda7c00197dee21c91d02dfdcb930ca84a4e3df5c34af823ddff380ba383880ce0d2a6fc202f37988cbe

C:\Users\Admin\AppData\Local\Temp\acMI.exe

MD5 536173fa10115ea08c2e82646802b41a
SHA1 d4a89532f6bc707b79c04c355213610f415a3a5c
SHA256 e7eed1e9ecbb42d3eea03a67fbfac7af8756e503aec1af747feab55ba8428a7c
SHA512 7e389ec162fc186476c4291f7edd3919aaeca2026c931eefdf37209be6d1c4d6f0bfd3fe22e7148f85e6d03e0e6858ae2c798c81865143a2fa944ec48ecf7fd9

C:\Users\Admin\AppData\Local\Temp\uIwk.exe

MD5 13e45d44115b28532c92b205acd2696f
SHA1 0638d3b825425e7536e75461b5481b7c42257c40
SHA256 9d7e74a5cac019f2e300c03ae85c4d135d9d5923de5d6a251849e85a460af1a6
SHA512 3913562d538a9f94c91124310c8a85e490fb34ed23e88f52bc945c4613dab7e9db165b6f507679a0ca674fba203c84135425dcc12ea94feb93daeb172b72345b

memory/2892-1564-0x0000000000190000-0x00000000001F0000-memory.dmp

memory/2892-1563-0x0000000000190000-0x00000000001F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AQAw.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

memory/1888-1511-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1792-1499-0x00000000001E0000-0x0000000000240000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\icga.exe

MD5 5409c8d506837f24c4ba4eca4084504f
SHA1 b49465f60115d9c8fbc78aa23498b179d0446754
SHA256 1cd22a248d3239a2c618c4564b72673d41d55634e01880f3f57250e59344bad1
SHA512 cb1878a954e9d0c90a334680c79004b6739ea8e9c481bc7af53409241b1b8fa2110fd0c766f7021e16b0ece4483805093c46f27c748f264f221824c1729ff13b

C:\Users\Admin\AppData\Local\Temp\WQAm.exe

MD5 9fda1eacf3710bc8076d2c2d7e36c5e8
SHA1 fc2c8dcfa53e023e14a822eee064fe6e4fc867ba
SHA256 7e64b2599cb2c7229b7b029d8c64adfa5d07fb254ad88353f31f5ae96d87317e
SHA512 9d05f22dbadcf32b2df0d2baf4164e558b13bf8a012e83a72db32acca4183ff79e27deb4bec80aed3b51ded2a026dd4c76cc42a857368970a5510bd8a7b1c7f1

C:\Users\Admin\AppData\Local\Temp\Oscg.exe

MD5 b2a09785750a58e0c4910b321d832142
SHA1 20538b569c7f86e55db07e688364758454d263e5
SHA256 735b97ed23ce9781eaf31f9b49d3d0e90fdb643ca3be3c25ab01a34ee09dbf31
SHA512 dd9d9d5d2f81c02b8a491404f841c9d86936952034784dbef7153aeb1c48000e7b592cbfbed0c7ad443a4ebbb69aca2918b44fa748e099304b6ad2235e532c6d

C:\Users\Admin\AppData\Local\Temp\MwQw.exe

MD5 2336f211d6eda936909ee80a573eca88
SHA1 1fd320d106c2268f213cc3b08411df496620b381
SHA256 71634d9c9614a8b6ff550174a8ef452821d31d8a90231701632249b9d628ec98
SHA512 ce12fb9b49e333d8d58ec6c6eee1f9d2385dcb6b5d2ac0b1394861b8663b23031669c1fcf87870330bf9fd8e723dbc7af513f8ab24f0509073b9d87305d9a568

C:\Users\Admin\AppData\Local\Temp\Wkoc.exe

MD5 62ddd9f5d294edff2360b5d915639bf0
SHA1 54421e0be5a379673277b098c6d3729e02fface0
SHA256 3465ff7cc796136653ba41ac22ca480e84a67607383a5b1ae3bca90e3aa94061
SHA512 06908fba3af6a07677599fbda2f98f2363bdaabefb7017ac8c33ba336d29f710977ba3407c219e50acb145c68588d47624c8d242d651fad7a1595b6669a63b5b

C:\Users\Admin\AppData\Local\Temp\cIAo.exe

MD5 78226213ef49f862ea4cd09d0586d45b
SHA1 fb6039dd3a67d4388b7dc9d243bc9cf6cbbc3a17
SHA256 68f689316802fe48eeab9a2e89eda4aec0ce2988b055e271f12a42e34c085ca4
SHA512 090ccb37eea40679d20c66eecb974d027fa83f43148dba9d40e0c794f52118510763e67fb0dedf06096a6376c2a07c2a6f276162166bb15d2e60bee40bd6c3e6

C:\Users\Admin\AppData\Local\Temp\KMwI.exe

MD5 5b04c917ffbb9f3b7f2cc4b2f126c8a7
SHA1 cc440232d8a76c57d8b67b6fa57c333915748407
SHA256 f206ede743a8771f6b51f87fb04a6d75d5eb020ef52bce44bdda3b318979986f
SHA512 691ec2bff693f59b9e7efaf5e9edb5145c5b931c19ce16395a5b50adf5c7d14030864e6d5f2d203ad10dd559880e3835ca3e89632c6a9654c0d803355cd80b54

C:\Users\Admin\AppData\Local\Temp\ckoEEYIY.bat

MD5 335147274addb6ec0562c5b7eef53f49
SHA1 2a0769645e3dedbc273dee95c1c7b28aed47cce7
SHA256 eac87fd9a42c01ede40523e54434e615b840c58584f8c9aeba294e887b977d4c
SHA512 1b2b35f94dda739057b3620ff4bbef4e381e2cbd41fe9b3cc4f91d82b682593e4e142905e43f3b35d283d666b83e182972a598e58ae135da80133d09cd2b9759

C:\Users\Admin\AppData\Local\Temp\MMUm.exe

MD5 a3be6d93404b68c03b5442656e9afe5f
SHA1 f84786f5a6e8e47deb616e898609914cc73af336
SHA256 8e16ecf2a34578bcce29b45e7327c7746f8483de31732701897a7c0005da840d
SHA512 ff53b1253a3a4a644fd9cdc12c21c277c19ba37097f94b842dbcc4f4f4b658da40607808b7df37698d4112ff564e8de32213ebbbf9dff4bf45d2f81994912937

C:\Users\Admin\AppData\Local\Temp\GAIy.exe

MD5 bb95ffe658713b4c1cea99b7eb260c5c
SHA1 b38b8ffde824fb2ff21023c6b94bd3118945007f
SHA256 acd47b6da80f1cce2d8840f22123dfede1afc1ffc2a69b2f8a2e3cce96050759
SHA512 a8b4e2d85b3ac4d4b499289699cc772bd7f9a3e96088a7f2472ab9e2f5415a743df4526db3dd2100ea4943c2e0ba076fe12e4c32f410867239acb44ee6daddff

C:\Users\Admin\AppData\Local\Temp\AUEk.exe

MD5 9544bf91e72d9c669275e137bc406f50
SHA1 39d8c8bbbf284e35ef7cba59d54ea6a0a52f0ec1
SHA256 eb812c29017faef6b1df51656cd612e6cbc73dace943ce3ec45286c1bdf008f6
SHA512 13121bd7f6387bd9d19d29b8bf7600b04f48b7950cc43f115cbce6db6aea174c8c13aa7a82275cd902d23aa075c7bf405c12874d38d914d64a170c71d39bbb4e

C:\Users\Admin\AppData\Local\Temp\WUcskgkc.bat

MD5 6626a32f83c7f8c3747d3d261c6a8352
SHA1 cc70f76e25f8d7b9974e206a5aa80c734556f35a
SHA256 f925914b598879c56819983b7e70ed4804a97ae7dc5d073e6dcf94829eab388f
SHA512 69910dc684e2320405a4bd78c5b5c50518f8116805546e167c25a96c017e88acc4d63fb857bcd93330be71f2b7bb3c9b46d4b20d39052a3da4713aea81a21535

C:\Users\Admin\AppData\Local\Temp\QMQe.exe

MD5 ac4090889ee40b9de90e05f107aa68d3
SHA1 ef51629ab9d576fdbab6fe560402baece220728e
SHA256 e7e0555b5eb8ad61133f8874110e2ae885d071b8485a5d64254fb18c4ae12723
SHA512 8fe5df56c5ca15507d3fa12ab8615f7b20889bf2ad367ad29395260bfea6b475a3e404eb0c07a2ab0046abf2eab131b672f478d1854febca063483d50ef36fad

C:\Users\Admin\AppData\Local\Temp\iYUY.exe

MD5 981aa5eeab511c581ff85c1902ae5fe5
SHA1 4f8f9354f489c9e5b11c65fc8929ee8767025d9f
SHA256 366ab3dbff1508254f1ef09ba4116ec66f17bda8840bb883204f749efb65b9b9
SHA512 fc92125c391381f8d280e43b6d272278aff9c44b51afb63df1867e156d6b705b185d09b8e9feb17ca3ff49ecec2130408d8ddf505c7694555ec3f947426091f3

C:\Users\Admin\AppData\Local\Temp\cQUW.exe

MD5 7a1828c15ca318417acf5b91fe8a1b34
SHA1 b16f20264851c66fd4cea677b7a3af3de8fb0c44
SHA256 06bb707b4660aabac2ec21b2401605e5dfe58110cd54b7d395db332aa2d5d7be
SHA512 a7891b15b67f9ae217a888debde9475e97b7f34cbabc2c4a5d9c5cd95c4680fc9267f83ec9f0b326135e0a137e5b3a1a19c571c0fcbc50be57d4200bed27ef75

C:\Users\Admin\AppData\Local\Temp\kMQUokgA.bat

MD5 ced29d13a4ab0bbcdad3c908e61abcb9
SHA1 7522349e800cd36fc77bbd03541aaceabc1f078e
SHA256 e839d5c9247fddaf871984054e965cdd09da35ca034bb8bf7aeda062e5721a80
SHA512 123f714944af82230d1a266bc89b3ac9d1eb97537da10243efdfbe427f1c39033080a5eeb1d86c2b1683d4230f4af3b543379dd843f42cef382706031228f8b6

C:\Users\Admin\AppData\Local\Temp\kwgw.exe

MD5 a7865573cb15d6429a6d7f0ad500803a
SHA1 a91e56dbb802b71ffd167f8709faff187e29be06
SHA256 ff3e8f2b45851279f71227c19a78dbffcac6937f84b5683f4f0484e9424171a6
SHA512 4f7d8445b930477ca7ff01733e6e7a90984cf16b6eda49aa5b82dbc3d83b9721cd4e1db6b8681bac5ff3cb49160c5df2749e746ec36b91c1e131f34563a711dd

C:\Users\Admin\AppData\Local\Temp\aQIw.exe

MD5 322c0e0bdf84737e1614896674f696e8
SHA1 d99286c6ab4bd20150bb447a682b469b6d7c92ff
SHA256 2014697f0ba1326913e47f62c826400d1d70ebae5a98fbe9726893e12a53988f
SHA512 9244808a2a77ee3a090725e943056af73db336eddf1d5e8e19055df993173a8f21d8329a44072175123f697627adf95016711f00aa3de53165b04b433a5f7d17

C:\Users\Admin\AppData\Local\Temp\qsEE.exe

MD5 6a005091e45135ba949534f1fd51c122
SHA1 9c36d5df0acdda1dbd8463658e6b53886f472fcf
SHA256 557819ff27204fc22401664be6dfa1291cc6e0a6e12b03cf62bfcb14c35ad88e
SHA512 75631e75e980ae354cdd65bb64a4a977123db07e6c9ed66f2a89ea49c57cf16b51a864c67f4df74a0fffbba505ac2340483b9ac75dc6725bf1f7a33e0ca59084

C:\Users\Admin\AppData\Local\Temp\wOIkcMoo.bat

MD5 eaed0a04dd47a3ee259855cf1004fd74
SHA1 98baae385c47582c63ca008d6a81dc24a71a272e
SHA256 790e04a61d88cd04c644666d3a09f6bcf10fdcd6b42f1e5477e2888bc8d10138
SHA512 d7c9d31a323119494eec39135ce40d58ffcdb66f522a80e68a6c8577595931011cb5f03900ecea27f5555c46c16bdb234d35918a57991b7098adc13122ce89fa

C:\Users\Admin\AppData\Local\Temp\QscM.exe

MD5 392d3a4f8df87532e40a038974ab9242
SHA1 23505229210848c54aca01b414403652a2824824
SHA256 82e6109d566713418e4db3fad31af0ac18c312cf26bf1e2b8e955ca56c314d72
SHA512 52d9fa852e378fa1ee3d5a5e9f20c174c7019f8939e0e35a24608331161033fd287d755bdd5fc915a428af00e938c48048363af9211332ae8d40cf335344c9d2

C:\Users\Admin\AppData\Local\Temp\KksO.exe

MD5 4987b08f59f468070c429628307796d5
SHA1 4d2e5c6cc71a07507cb22912b9e1e72c78dddada
SHA256 416cdd4200d5ecefcd191cded3e1ad15726e9555766ec8529b946f082889bee2
SHA512 7a3cb9696d52a1a148201251102bfef744ecbf0728ccc6a2328e608c629a289df483773507ded3ec1b69553730cf7a70615fd5acf88769db3e55b189b18bcc4e

C:\Users\Admin\AppData\Local\Temp\CwIe.exe

MD5 37dedad343355b7ffd5e25f3a32d83bd
SHA1 d79d045cafe435193317ca2233d09f02025c7e09
SHA256 bb981f1b9bd8d0afacf75e5aa95fb65df40ec88818f72977f4cbdcb525f78c4f
SHA512 dcb6215619b290d7e6bd62dc0b2a86d0026a9805ac3707f58bff0b72d189b7a9a6cdc57c37e0cd6332b73b17738dbe5c724731fee261fc12f6d50b59f072e74d

C:\Users\Admin\AppData\Local\Temp\LwYwEAMU.bat

MD5 139596c9e9792d65419af495ffacb10d
SHA1 9aade3a3faeb912566f58dffcfa39aafe38a3494
SHA256 7afc79f76c4f8e899985ea40dd1475a0b0b5f419303112bd9e6c1d3e8cc8e846
SHA512 7f35cb16a1c8cff88591ba84c84dc66b987fdc52e550299d18e40155acae91a1afbb20bdd5c3b0b50ff0e57d16482b0cfe1a64829dd9a7d8b362fe54a021fcc0

C:\Users\Admin\AppData\Local\Temp\wMAW.exe

MD5 38bf2a0f3acf2dfa2a393cab59179101
SHA1 462a44f9602ceea6afc2ea8cce6518b3b8c4da7b
SHA256 c4a13b5f8272fcdb632a70b1aff10dd53a964217092cb8071b82022e5fd58c18
SHA512 26755c864a840606b57a70374489524e6a341fb0f8fea17e1916b79db06799def305c32c89b48cfa42d1a1b59fc796b563855d4098b666e80fc664562722d0e3

C:\Users\Admin\AppData\Local\Temp\CscW.exe

MD5 23ff28ca06857b82223e9ab0f25fc2f1
SHA1 d88f27977ac5b92006899b0c20cc5096e99777a9
SHA256 77840db677e3496cf7304337122d85749486006518533309626abb2e808b31ce
SHA512 90c23a5c4e6abf487b7967647375c167fa96f430b19ff0d78a58d01c9885f18eb3c89ebaafaf487dc725efcd1011f42dd9a38b7a3dcf90409446835c31b93ec1

C:\Users\Admin\AppData\Local\Temp\MwEw.exe

MD5 940f2e6f93bbea66d5ffb300dd28eacb
SHA1 f57b59b61327830045c7e46fd35ac3f89ff6eeb7
SHA256 16684a66abf46bc886c88cb4ecd312fe25d8e5c6c7cd8139830e3491288b5561
SHA512 528dc14b4dc9912b6c341250a9bea545e19d28c78c4cb654a4283063ec879dd141e562166cd62dc9dad0fdd0bdb1aea7d6287d93d0dd85259500b15342466f99

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 818c552a39e35f2e0911077058f1d4c4
SHA1 9402e82fb644f370f576e590c8d7334ad17d5160
SHA256 9e31344ca66ec4c3c270b8038d27da11caaa07c95201319a67c2c657c11397ca
SHA512 7d5b9d0b01aaff9c31085d8b2c629091ce1a39bfb93e51dffb65f483ba7dea54d36a28927f39b2924db272d9c33411eb7fed1997bfdb1bb93448b5a6ffc9ea02

C:\Users\Admin\AppData\Local\Temp\XaQoIQgQ.bat

MD5 3af3872d74ce81c7dc8604d5c155881a
SHA1 5906169ad6f604bb333e917d54b6de75a2ef52d0
SHA256 5df92f305ea69fa51682cb80f249962029c1c46d4c6d7c060d4f5ca18c1e6f2b
SHA512 f43755a5b45891d229b0cc22df232fc7ee7b10d7b8e9445d294b8ba8a02dfcc30f00f79900b6ab47522e36e395a292b025a6b2af9b52c23c4edf5210a5cea2f2

C:\Users\Admin\AppData\Local\Temp\AkQw.exe

MD5 b415a261e98cb3f965c7b25795c7946b
SHA1 9c52a03b3f80f3d0d15224f5f7531d33fbe7a592
SHA256 201ce94b0508770a2b270742920c8c3ded626950f5e857fab54d18c6b7953ed1
SHA512 58ccf66b2224ab631c579f5610eb019f22c013e8b16657b95b8f624f6906e010d58265c0be0dd329702ac3f971b510fa4a59c43633fa1da6332c72dae69c7efd

C:\Users\Admin\AppData\Local\Temp\Igkk.exe

MD5 d873103b5d0ffd85391ba9b14c4e3c23
SHA1 2e532134896714cfb7bf47b7446747019afb29fd
SHA256 eb22fde8f354ca0c0f3874e3d18e626c90a1902d2e513e93c1908fe1ca647c92
SHA512 508a0750d983d388b02c923814a954767f62dfc8c3fcb8800a4da903280d93003c88c12016dbfac6c37e7c6dae4a0da1bcb28538b129a4ae73f5fc790752a25c

C:\Users\Admin\AppData\Local\Temp\OgQy.exe

MD5 504082d3614816c314dce45c46025d7c
SHA1 73fec6f26383ea090e9468ca5f273a0356a63137
SHA256 d1ceab7293473dd63dfaa4b603d757c1a394fc47b1f5375f1e78f948905ffa0d
SHA512 d1dfd4a5ca638f937d47e6c3bfc11079b8ae4ec6c04351809d8c0dfb2e07096b1a2895c456ca356093e469c54b2b5977f6f19a2e7a4c7b2528b13a6eb76dfe1a

C:\Users\Admin\AppData\Local\Temp\Mkwu.exe

MD5 8b4c9a4a111ebb85f22a515f4a3088f6
SHA1 69256ca85d0a95f2febd3f47088d59f83ae1e6f4
SHA256 00ca3291f1f7f267bf61b73fa017a2887e0876a58ae4491e23002f7b94dc2590
SHA512 15765dd46df1c98ec8ce3b18458cbc5d9c9525c517418818dc66b4b3f11691ce9aa6616a878761f782bcf52e9f69fb5576ba3d13c3a88740b9dbf42f252c2806

C:\Users\Admin\AppData\Local\Temp\TuQcwQEM.bat

MD5 0c535fdb2776d66a697743bff3f458f1
SHA1 e3cf6782471e59ad76d9937b3ad4b43ea2a64079
SHA256 1f0b5d1e32464928ad5cf30c4f5e694f12ffa562de38fa7615b34f59763ed612
SHA512 9d54ec2b3786c39bcfea0728808149cafbdc65fd79e5817a677f1f9e6f88020f3c8277bd313b16bb965ff086be962a355c68e69b662a49b5ded336430984aef9

C:\Users\Admin\AppData\Local\Temp\igIc.exe

MD5 7cc259569f73066e8716a2f26b1cd412
SHA1 522c96801c09ca29290dc4114b64ffa9ae814577
SHA256 0349e11dd4d7d272d1d9840246fee7471f58f1bac769e70ed8ca42991efb5cf3
SHA512 5f845ac4e2b4d3701caac85623c58a3299c3daeb7c8692457305f180d305f09c066b8fc3d99f5656a7457210e703dc004e8ae317d514d5fdb9a26f9b3c2ea17a

C:\Users\Admin\AppData\Local\Temp\oIge.exe

MD5 586339487d118a4048f3d5441b4a1099
SHA1 0516b8ffb5e5955b8b9eb07521243100f0d1c660
SHA256 7e3116016697ea05cd5f35a1828607191c761d0a9162d37dd8f20618781ad5ca
SHA512 53797d1cd444f33d567130f8a5f7e60465dbc7d332e1da2599c8cb54a111b86606a69153621103044267a482eb89dc53ad1db5b53b62df746ea2b4fa640379f9

C:\Users\Admin\AppData\Local\Temp\AoUS.exe

MD5 9742e53999060659b75e18338b0579a6
SHA1 9f0e6f9f417546796ec27fd818a2bc2d784a1b13
SHA256 cee3d3bae71c7d574feec241493252a2de871462598064341fae6aa9fbcbd57b
SHA512 9942f167c0c17b72d391e7980c736059f1996b5e909940c57d0e9540e9fc2caf91ecf493999308e9e290d546bc101199ea3ae17f1d25588d080847e4a95f1cee

C:\Users\Admin\AppData\Local\Temp\DUUQwAMI.bat

MD5 620266927498a76c12e33c1bf135b354
SHA1 e8c4a0101c4109a3af734941ca2cdc29fcec3cf4
SHA256 f63d0b13869363b0dcf27f103d36bd78f28ccadcaa4ab7300ed59df2a6489087
SHA512 ae0505db7f2f529cb70e321ca7803318e6ea328f1864f7b53a8e3d048643a30806d451e75de3d7fcd0375bc04919487a54e3ac347b0e32b62e3ebffa2d60d3dc

C:\Users\Admin\AppData\Local\Temp\sUss.exe

MD5 eb5dadaa22098bfe1a006817d1577d45
SHA1 4b29c037f0d57d70c1752b2e2bd711d43f4a4777
SHA256 8fa3f5d629f8b45459623d62fc449eb661815a4cc2d49d132659b8cbe7873003
SHA512 65e309e46b73d08c25fdb43d76c2acd89b78766cd78ce67f543825efee68a7e57fd5e144f28f617f397da23b17bfcae408edd60349c46f06010b7164c7f288f6

C:\Users\Admin\AppData\Local\Temp\MMQA.exe

MD5 aa153077af1c0f5504499e82421fbdbb
SHA1 7b44aa0220c0ed1afbf80581b8301b1ea2c95aeb
SHA256 e925e516b622fddf01fa7eefec9e0e234e6c1b86a52695b1e8b85c3172f05e97
SHA512 ba740d492f3a1b40ec8429fe74dfb20d79b2b008ef7ed92e34e88e0b673d5a861420ad33050dcf155749a62d000732247a27a0535a0420f0795a0baf384c1c4e

C:\Users\Admin\AppData\Local\Temp\IGkUcAgw.bat

MD5 df743011fce4f3125e6e8f9883bfd66f
SHA1 0d9043792e5c88ee71c5c58309ec6071d48ac164
SHA256 2d0857c6c2aaf7989727035eea039c9f54501157267dfb01199a7514b3393897
SHA512 5089d87b3197f635a6d32539d32a664d681fe5216cb3254beade5258fbebd509c02f89fd85c9bf4eb25c9028864a6becc9d6caf5ed448d9da56a78f19690bff4

C:\Users\Admin\AppData\Local\Temp\ogci.exe

MD5 c8c0e373c07a630035f12c2fb3d51765
SHA1 c0dc91990039ee0d33f578fa11709e4832d02dd8
SHA256 c093ca433a696c63136972d95512c1a3d3d4c5a41717c0b18368bd5786448c82
SHA512 d4f40e637b78c88b7467ede7048dd655cc4529ab0f80895fe43acc9e62974938405fb7b0bf3040df3bb21ef0fc2241db9dc89718c862cc37e2f6beb3d6ef7e20

C:\Users\Admin\AppData\Local\Temp\yUsA.exe

MD5 e23bf38807f9cc29a00f33bb16c7cb7d
SHA1 ca9b91afb2f2ea70296deb44d2c90a24d759e22b
SHA256 0636584db8193882e030cbac8db053858882859b851b0e990224d6b6f0f2230f
SHA512 99765f48003e4fc24baea3cb507acf2c9f23439a4ba19f671e81832db2bc4a207907438e82e07053b73d2e8ba3bd300ff3a20ab1330a2a3b0a1d2306c7cde906

C:\Users\Admin\AppData\Local\Temp\OskI.exe

MD5 7728bcad0fc26c9257a80367fbc19147
SHA1 ca7c85bcf66133d5971475a7af6b37abdc4ef890
SHA256 2cd280626a437472307cec64bceda958b4df81bbe462d9fab48370a4a695c3eb
SHA512 8f7fd1bc5b17a8c83e78965405c6f5f02d925c06376c90ce219e543469d67d52b9af9d659486ae33618f98376eac9965245f2fcc8107d7eb47f7dbe28f4efcac

C:\Users\Admin\AppData\Local\Temp\IgQs.exe

MD5 4e0b4393b29cc8f9305a31d174f2b475
SHA1 088e4a5ecb2a2f6473fd85a7db745b49b35629f3
SHA256 ae62145f3968e9f435928ea7218c2b539f0b845b4a4a715583c0eb4b0fc21182
SHA512 4800a28d3d8f4529e30cc1fc6d252e0018211657387db88e45e8c2e40291a83ab8283340cfc91e0edae0c1c184ba3bef355a92652d487525dcdb113dc3fa6dd5

C:\Users\Admin\AppData\Local\Temp\AWoIgYYY.bat

MD5 c3481085a3e2f08a60d017b96b779305
SHA1 36514bee19eb875404286aa534a377ff61659a59
SHA256 d35be41a343a919e2666a86104ada03dc4f99439a6996a3f6d85a27e9ba8bc01
SHA512 240e887514a49ccc10ed2669d4eff4436087fbe27b8a2b8f1531a4728e346ed7683632d7456f21aa31c850ca724cdd4ef1994778e0d9a6449e8d9c1aa1c3ddaf

C:\Users\Admin\AppData\Local\Temp\SIYu.exe

MD5 90a75ce6ed09c9359e23eabdd3182126
SHA1 1baa207514cbf4fae5dd37406bf8535c0362c6fc
SHA256 6922142d96c668bd269d7eeacef68ca82609ab6d26a7a7de366bc6d65a2cd99b
SHA512 f9d80c66b9d788edbcbe22f1981629b2cfab904d816be3aa89b12bd436220e467615387b7fe1dae7be5c288ef08b385a9509fd7c11c3be576372312c067faa8e

C:\Users\Admin\AppData\Local\Temp\OAAY.exe

MD5 6dd40eb0ba447a66f37cf0a260ff9f3d
SHA1 fcbf84eb5a444ad9f209ab59e12148d40ec4e5de
SHA256 c1e8d01584b4d5fb137baedfb5815490aa2a444c98742ca8371f84f18994b0fc
SHA512 2c0a546ca2ef93814492320df5e64b2aa865e2f2678f18b6656756d60cc1779f54916045c86d9ed1c77c2d11e697dfcec719349561af7228eebf90547804a59c

C:\Users\Admin\AppData\Local\Temp\sIYC.exe

MD5 7d7a9db5b9635a0ce1f1f7a83060dd40
SHA1 55ce16ae177bcffa168168e34c5ff94fd7373428
SHA256 ecae200783d3e5200cc8dd5ab29dbdb3cc4ed385d3e9bffe9496fb12388d5dfa
SHA512 6a2aed2bfb7e487d36d72c0257ab7ed62633dbf17c5b4ff5ae5e016c105aff83b2f57651a92eda1f99e6dd6b42f8ee4bf9b8f6d4973fda7d544c466349928318

C:\Users\Admin\AppData\Local\Temp\AUse.exe

MD5 df22a31e69d989f4937c354913c34dde
SHA1 5fa4e685a01ab39286dd3165ca191b254008a4d0
SHA256 47b33c1ac961c7a3fddb51604dbfec0fa195af236599ad9fe5dcf2a55315bca2
SHA512 e77d16bfb431526eae7e2fea2da003d5c073cfc199c45b2a67a530b0c89cb3b47a516ff3edb426b7d4ba955e40d011b26c795996e8aee2292d5b4c72b3b80721

C:\Users\Admin\AppData\Local\Temp\KoYUMAQo.bat

MD5 87b607c1c8d23a7bf7e58b02f9ebbd70
SHA1 ebb666539797dceb329f4cfa388129fbc27ef0de
SHA256 6a041dec63fd3a541d28f8e63a12b15add9349c48711fc8840f48f4a22422b3c
SHA512 f77a39ab9349a4ec89907a0601a2a26910b15841a98ff102cbb248a9786e19ef36c453e24b6a467695b115732c5bc4816a74e50dd11d50a4e84f97f4c3b0b41a

C:\Users\Admin\AppData\Local\Temp\SEIW.exe

MD5 3ca6a22e1502fb746ed38a87495f92be
SHA1 6f78e27033b3c2518ef33ddb5dccd059c788ce94
SHA256 ed097a8245586290ac780293c7b88b0192a9be49e5f92c3baca66a9a777ff2be
SHA512 1f00392b5f0a0b134ec5fa51c5ef427ec09d5e5848ca8e0b8f9ab154ec5e39231e2a8dcc256301c3a1f527215f0def0f96b63b222132363b4e1f75e32bda0ff5

C:\Users\Admin\AppData\Local\Temp\GkMm.exe

MD5 94eac71116358a869fdc418d4e4853fc
SHA1 696df6349b0d74b113e42cbc498c2731f294a81e
SHA256 f8ef5b4b7ee7d65d2b3a89efd331e963d047cebd2729bf808d0195077c1f166e
SHA512 7c280e44057a779d14c838490f854d4134fead524128de0e935b4e6fdfc9daad22c728d0203738161678efb608f819cfa8db6781b26ea86b34f82672f54bdf2c

C:\Users\Admin\AppData\Local\Temp\SooI.exe

MD5 5ce60a2405efbed5e804813e197f08ce
SHA1 0da95607612c593ba9f4cad6bbc4a438532cb7f4
SHA256 ec91b472733bf78ecb4b121959898342e430d254e732176234406c469dd45226
SHA512 1c7e85c8df54d0fb60515926c8e572424410eff7bda4793376ec1798c745df693953c1913444c71375697b61bd3e4611b3d2cca6e9cb516e5fb0b986435343eb

C:\Users\Admin\AppData\Local\Temp\wUcsMkwI.bat

MD5 be151be56cc403d67420b9bb7afcec98
SHA1 2055d2dad8bc45588291f2ff23f48ee1afd52321
SHA256 29eccf2b0d3c67d6f096d88fd0df2ec5d4e511ce392f049b2f764cfebca395bf
SHA512 7b8432e5f847ceb24002701be0fdc2ea83f973cf52f87a5e770daec28e11c580b715ed254670912003f2cdf6d854f46703f52f7e619c78c79f3357ed49e9ec44

C:\Users\Admin\AppData\Local\Temp\WYwG.exe

MD5 ab1637a275acc85736d525ef8c6306a4
SHA1 f6f32904c756a5ee71f612e85e37b29be6197041
SHA256 1dbbce42b692694c616a8e55a4e0fb49190ead448898f079045eb4d6d35e3c02
SHA512 31343b2331c535d09b48e3897bf386a148ce200a198c6a4927e4a16797afc9b7dd11b9e855a5ad4e196b4585b3e3c7809399851e689844f94815c8ff7cd1e1b3

C:\Users\Admin\AppData\Local\Temp\WQkK.exe

MD5 909e81e1197e26f12d8806bfebd42e4e
SHA1 c6dcbebad6ffe4961e2c19169214b45f5a226dc7
SHA256 20a8cd4408e1f567fda96356ecf0558b2d69db62d13e2abbc147279f2e893472
SHA512 3c94c14572444fb61233a8aca9e099eb590f88a25eac360e4a9d6c75eef83bde749a60c881374b5529a842e092f6f105983f0255dad48fff44530c618f703596

C:\Users\Admin\AppData\Local\Temp\swUi.exe

MD5 5f733fd84c75f4612a34546c8b38ec2f
SHA1 cb1ae6f53bd162a8122e6409e0691d4727d305bb
SHA256 f0c4e8d561f75049095d8d33f6b12b9e993d0212ff910172f7690c0bcc4c6a81
SHA512 e83aadad7cc909b57ce0cfb3ed6e609493f3bf977955b00e635da03697d52e089dc4e1add40d53334fdf5597ce48fd6c782c64d5d6e9813ebbed801bdc2e00dc

C:\Users\Admin\AppData\Local\Temp\wEAs.exe

MD5 a30ccc68f9e14e468746a5494708c6a3
SHA1 9b822537ea7e03fe05e7ce5ddd1044ea1fd17390
SHA256 201565ea7993d8393c8aac2614c91d3b41c1785da79334bf6783b244b6d43db6
SHA512 7bb541ce74e7fd64d89776a207fce6109ed72e9d5fc8c2b8f3ef7fbb4411a60ff52be2ebf353e0a5d0ce1cbfda3bc858f60c5ba5b1006b7294947a3637de01d9

C:\Users\Admin\AppData\Local\Temp\ROUcQUEc.bat

MD5 7c304e8dae2af1ff4e7c137ab7104411
SHA1 549226baf3618e65fe4b72109b8f7d31b659f456
SHA256 d03cb09b93727f36a272427eaa51664203b961d6a317dc67fd8830876057a460
SHA512 70238cfaff0b1fe538aa75df5e4b94102840f4a1b2edaefdd15359098ebe686bf463d925089b16f6c4e5f5e1093f0242e057207375e0e84bbdead316e7a69b2e

C:\Users\Admin\AppData\Local\Temp\nwIogccM.bat

MD5 fc2b0fce3d8ffb1b7941c879eb97da21
SHA1 8ffbd805a805cd89259598b5aec597c19459bcd6
SHA256 b1a23d815400067446501b1780c3c3a4d6ad23a6594598c85615ef2fd04a90b3
SHA512 d08d5345f04269160cc15ff483c340126a4751129cba4e87b1e1880c0857e397687905a7049c4f54cae9026cd1d30ff32af0d14c0760ec1bde68bc14a049a07a

C:\Users\Admin\AppData\Local\Temp\Kowu.exe

MD5 9844426a3f30f7e328686f243a6e8780
SHA1 802ef60a487eb9c3fa55ef65b7212494a8974fba
SHA256 aff6e3558f6f7ce598e7f5cd03c24d52f7e1f5cdef16f739f23f9d69d683edb4
SHA512 c7e1e567dc5f9e6e22b4338103c43d4e5d9615644b473a030cc2796bd033276115ece137ae2b54888f5bb06267f2022b5dc6925cca491c2846491b5a90951142

C:\Users\Admin\AppData\Local\Temp\hawYQgIs.bat

MD5 8684b8a1893f6439fed752f7611ae458
SHA1 06bb74ca71a637d4e0a931e63a09eb03f5a71c41
SHA256 d50d9a327d86a27583fb68fd8474a16c8216371ada4314758cd927281c793f7a
SHA512 5ec2c3c50c9ec1544d361ff7967458bb0ebc50fe0d11ac0909687bed9853d47a896bd30360c85fabeaca4e399b1b7b90b5aafe7a3cd0733fdcb26f9077d4c799

C:\Users\Admin\AppData\Local\Temp\qAkO.exe

MD5 970205bda724890b89c82a5ef31efd81
SHA1 c9bdabb21e0639f8affa7b81e99cf177b5efdc3d
SHA256 ce6ee744d3e0efc046038a3b2f5dbdc8c78989334d5585ba0faacc1367757a93
SHA512 b954945089a4dbec9e8f12c809fd4cccc390d31aac3416e6a81de939280bcb61d9d1df1f6b1770ce4d2d3494d18768f0198dcaa00f3c34d9f4f6b98751ed5f6b

C:\Users\Public\Music\Sample Music\Sleep Away.mp3.exe

MD5 d4c5bf89b6c1f2ab0ec84491d431057a
SHA1 168222500d57c9962c24e2ff09ab159463199fce
SHA256 3798b7cd0908106eb779b24e9cfbb1d5ae9efaa07d29a08b22645fa52bece4f9
SHA512 115f6b33fd90b066ec85129f0636db52038d61ad446d53655e2fa78142bbb86a4c2d683e8032696ad6ce353899a4d0dfb85c5de35da0fb1b62c92f5de1a7206b

C:\Users\Admin\AppData\Local\Temp\cQgE.exe

MD5 9cc79db92b9f29933ec8adecd1661dd5
SHA1 b978019303ba78d88091baa0a671b4f3276cf930
SHA256 872fd13a1609ad71e07cd855f88d90659eeb5892b5975993e3fa0d032a4359a4
SHA512 ea10e5f27e9591b1acd60e554eae1dfcc05c3327c18cd715362194a7484fdcd1b7186758c944c7c045c0b7e34d287052649334f35c041b1a7ddd8c2845fd0dbb

C:\Users\Admin\AppData\Local\Temp\aYcM.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\VooEcggc.bat

MD5 a6f196c6680061b8e1a94dcf2d94257c
SHA1 7c3714a84e1205ff4811de2aaf463b01b7ca7070
SHA256 f5468dd33e177fe05cf3f3519d937af33fe798b4bb4b22eecc1ce359e54a601a
SHA512 0205239425b0875f19bde8d3d8fd0659b65b29bfd5ff2923140d60b64299fe618c5275ccc01436a292fef337b0ca1ae4600e0abde97810e633be68197a5b80d4

C:\Users\Admin\AppData\Local\Temp\aEgw.exe

MD5 f6b30784e3bea859e606c257ce6f0ae6
SHA1 c1bf2b8a81bbaf18c6a620c448a9e3315b8d9b72
SHA256 e154abb05a371b609181dfe1309febceb739a22f717d5d7a5d6b2e88ff958e34
SHA512 b6049f1e2e83a739ae005f66cae46827f5ba3b00de97028ed4ff9dd179aa47e84f33eaaa8aeabe2a3ab2e2882715ca4591ae22a54e2a298f5a31a922676666e2

C:\Users\Admin\AppData\Local\Temp\icki.exe

MD5 933e022a1c5da1503e3fcd88ba14f1d5
SHA1 67715c38b79fab5762cd918869229ac7fd1837ee
SHA256 5d2aee919a96bf056edb0099c886ab1ee658d60fc4980c4d3e7ca45c8f138ec0
SHA512 d90ea2208771d26db453f27b13a0358660e62203ef4bafe56d3e97181d9dc7b6d9c6778ea64f3f8ecc4288930041d63219b555bdc2cdbd10cf9405425e1dcea6

C:\Users\Admin\AppData\Local\Temp\AwMu.exe

MD5 1a3bdde616f408444656964754e97011
SHA1 460ed61ce01df4cd8e48544f2118f60e4325c89f
SHA256 152362adac17deda8cafc3ed41dde499726fbec0ce7d827a90c7072528f1b380
SHA512 ceb43310e9564448d32a8d42721e70a15f13bad2de8c32aebdb014b3be42a6077a182686ed132c66643394cc6b95edd15102849aeacebc7833c9cc63fc0c99b1

C:\Users\Admin\AppData\Local\Temp\PioMcAcY.bat

MD5 40c2af6c73d1dfb2ada6fc9ff3bb7d90
SHA1 e8408c512305f8d5d20184304dede0f750cf3986
SHA256 efa62e3077e019cd8c324bb12ef1767a1a48e9b31b4225d5a491ec2e0a1eea78
SHA512 2a299b2f096ccd4a5462c059a8a2a85b94c0d62a52964d650d91aa82f56e42da2550b826f74e6754357b39e2783626e2d21972a82dca8b4375298b586c29167e

C:\Users\Admin\AppData\Local\Temp\CyEUskEk.bat

MD5 8ed3f1af49b5738d8d7cd64a0c65df45
SHA1 2092dc85d33acff3f70fe41c5fcaae2bfacbfd5f
SHA256 cfc85a4f41e1c2dbaa10eded0ecc8912b3c3e290301ba3015cabadc42a6a8e18
SHA512 453492144853b5bb64c4ffd1c3c45812c0a651c4f673f8447dde029c11b8199c835569d1d36ff3206cc79ca5914b4a0ffc5368a9879de70eba9c90d0684ce026

C:\Users\Admin\AppData\Local\Temp\kAwW.exe

MD5 699f7a19d49a345cbedd0d7dd31b956c
SHA1 c59c400a6c8f1829ce89074a8e3dcbcf98bb952b
SHA256 033a515698e129951e2721bf4da8b3c5e0a701744d3f45b7dbd643b533d473d1
SHA512 709ff5b9cdf6cf6ec12ba33956bb820b47bae4243a4bb136b64573c7532bf62fc5290a35321903c7b23e3a6489c6f679edf62d903d96988abd832b29862afd03

C:\Users\Admin\AppData\Local\Temp\GUwE.exe

MD5 1304dcbcbc5ec90750bece438f90a33d
SHA1 788fe0092f27b89fdfd1f9ce115c8e10f199f794
SHA256 d53c082eff9ca7e061f5366c043e947a669a21d156e7c22c9b3fd8700551c3c6
SHA512 137ee728d9c4944261a900281cd1e94149c098fe6e8c53427e3b75d6bc24cf35fda6d353025dd1c9fef78bde104865532256f3a8f12e3b23728c0d4cb0c48a3a

C:\Users\Admin\AppData\Local\Temp\eEYw.exe

MD5 fff96533924c0a573d14ab300597ab6d
SHA1 948adff9899b34c6cdb55964d9646a1eb6040326
SHA256 979f420264ef373a8872f58888636289c37671f1abe96dcd3a5be67f0d1eaabe
SHA512 6f1bbfa4cb365d6bc95d69ae0a996baf5354738f5ab8a91926395d73be1549b2e1eb4cdd2ad3d2d749a252135d049e352e46cb5dfec67064148cb14fbdec64d2

C:\Users\Admin\AppData\Local\Temp\wUsK.exe

MD5 94df24efed812125320e50651734dc66
SHA1 d824b5b1f636d24784830c20b1268d4b999b37d8
SHA256 0b670163f36b7fcf80d3ce077d2314e132d3f6024087ac571a5a269fef55ccf1
SHA512 465c98899775687023dcf8bc4f84afa87861071a42808334b4720e97ba2fa4cd474bcd295b13e033ac111c86a7148160e3067e3fec7b17529821a6317d413d62

C:\Users\Admin\AppData\Local\Temp\iaUIEUAs.bat

MD5 47633c3d8b47fa7186927279def879d8
SHA1 078f1c07da32eb269e3f6a7b576ec8981935ec78
SHA256 536a5fcfcc43ab05f82b013ea6711f62037cd3c78c6197f29f0561df992b8966
SHA512 7a34c9648a4a8e77c4d355c0e9173a9c2bae73ce9a602578f65eb88b254b661573ba7b4fba20d3fadac29d081d1e2b6d5df399d18efc353879ac77e5c81053f7

C:\Users\Admin\AppData\Local\Temp\QggEAgsQ.bat

MD5 870845ba1db4be513114c06e5d736b21
SHA1 be67ec03d234f0a33122b7be0acbe8a57c938ddc
SHA256 49f4088aa7740b6ee117e0848b9e2e79b81bf6953427f0c2d5c51903d9e2c386
SHA512 f53f0d95f0c5bd0f0fb0acb16f35967fddef8fa89733760f05ef0fc81ea85f39b0719ba392ef9b17d74599dd9cb96fd9459f801f0c9a552c6014226cc136a1db

C:\Users\Admin\AppData\Local\Temp\GcUEIQkY.bat

MD5 4c825355f40fb22251360773ece8e8a0
SHA1 d6c33fdb714a0048af451fbcf85ce74c2dc86d82
SHA256 abe27fd17014b4e92a65c614eaad175f8d8ed5111dbc602c8694aa16611b2f77
SHA512 eb0f123e2773c2525bdaba41f1434865cad5c613a127300c41cb6882652f9e53a615de4782a3b2040f8f4e38d88317c66c249c6b2f1d9f5144e1c518e6c160b4

C:\Users\Admin\AppData\Local\Temp\HkMEsoIY.bat

MD5 9e784e4f153c0fffa637ccd727670a32
SHA1 376da9de308c67006ed227bb702617996d370670
SHA256 da403e4ad1a6dcff3724244ae3f1a3811f3af249a1d18105b064a42f813b52f6
SHA512 4451e858b52aaa7f7b931fc5e8375d2dc713617a16c2af0bf220f9ba38b5447e256ec3f3c92ebc3f9f8b19859119e8b99a3dfb267224272f1ef39f3736cf4053

C:\Users\Admin\AppData\Local\Temp\DkYYccAI.bat

MD5 a27b7c7c4736814549142b70b8504802
SHA1 16a53000d02cf904ff748f2a2f7be2281a7c0a28
SHA256 23cb6863e604ac5695ab5c08acc07ae735b0b5afefce3f6c8c4c39d586646997
SHA512 3f5fde3923a212654690e356720f663e8c5bb9afaf366b179f75da2575c17559d3b281ec243519e75d283ec8cb6a9b84c4066940f5553c2cc521dd4fb5dea4b4

C:\Users\Admin\AppData\Local\Temp\xAgAkQsM.bat

MD5 8c14ad6f99ccc9ffafbda1a2e8123798
SHA1 d31368124487fee1298d97de22bb72f6b88b0df0
SHA256 1d98b744029883dc5deb9dcaa9a011f8317e2fd2fdb5ccaee14afe19a6868365
SHA512 07eadd21a3a23c5a50132277c3b34d2fc706dcd8da07135a08226704250aabfacb8fb76404104c9dc568c6fd559d7854de73335c18cf20d95755a663cc5c81ed

C:\Users\Admin\AppData\Local\Temp\hAgAsAcM.bat

MD5 7f14cd2e0b1c1b3eced7374fccb72651
SHA1 b7108a2b63ace1c8634f28e583c043930b3c3716
SHA256 7574534ab38332b2473cf47e068c410ab5d522389fa2c1261003b215c66eb3fa
SHA512 7e962647b25ff601b569898f62416bbabe36187103ec8e6fbcf9f2e9e69fd4d31d5999cad18e593881601ad49689e7c6c87c08c9c6f00ee84375488cd765d976

C:\Users\Admin\AppData\Local\Temp\BGwgMMUE.bat

MD5 f13f136f4ee167861300975b40efda25
SHA1 c45d298b21ec1e7877ed2a877a8b46cb0a279e2b
SHA256 0363b6085f021dc8638f0c7d9e8af18f6f24079a860dacd2a2036fd066408d60
SHA512 af7d3c5a4cab2f9d30ee1cabc595d462d22dc0062584c640818719c2909420c67a3e86fab2273b79c618c5598f5cd8a7c441370a7165d38198c76ffccced930b

C:\Users\Admin\AppData\Local\Temp\WQwMAAAw.bat

MD5 32ba9179020f4e8447f021eb57f3a52a
SHA1 0a678197716acbc8ac05af47957487a2e7f003f7
SHA256 841d71ce9b9e66952fd5ebd674a0244958161160145fa373171b9b4cad5870b8
SHA512 e81fbb3ee656965fbb1acc36b3444a1b7b0d72be33066facc86ab7b9a9a437855a09d46fe8db62762b1909f6180765694bb0614afe7aa7acb4b3d64cfedaa5a6

C:\Users\Admin\AppData\Local\Temp\SesUYgQI.bat

MD5 fd83cf762cb6190e6db14b2caf9c8283
SHA1 a2e54684cd92978c515fb42241eb90b3ddb979c3
SHA256 a204c64bdc25e167b528cffed51e263766989ec252373774020326d9642fae74
SHA512 b7579d67c25b5318e224380cace3fddaa60d8f23adfadf57ef35138a42c6102aaa3c5db5cad69a70bb065f652410a77c2057826632b96c739bab790055050e60

C:\Users\Admin\AppData\Local\Temp\CEwUMUIo.bat

MD5 8e8baf8a385acb643bba40fa7c1ca446
SHA1 12b4456722066c59f0d374178aabf07ba8f444a6
SHA256 98edc38193c8bec29fb64f722b075aa45d6e5f64a2bfa26d6c3275ad86dac64c
SHA512 3198e7bae5a6051da5975b696b952a0fc4d8ad5893032990de791564d8219b8c37a7f795d95456bdbd81973f87cc15c19540e3da3a3deb36375db144a220bee1

C:\Users\Admin\AppData\Local\Temp\msEQQksQ.bat

MD5 14379c8f04306c455dd1f04ff2b42e5d
SHA1 829506d958d0dbc8d53a82aa13db29bdc3d40bf4
SHA256 9d7c85d2f7cd40d66244bb7dd00ddca15ec47a911cd0b253660a27941fba99b3
SHA512 3e0fb56874b0087b365ff096d9704ddffd74923974b06bde588912048934cb64396c775e2b6cab78028d9f0bf9ad30dc460e249a5d0e15a201d4592b2ce75fb5

C:\Users\Admin\AppData\Local\Temp\vUsEYoMQ.bat

MD5 6e144ad68ae4d7f3401c6e675410893a
SHA1 fa2c5a9df2db2bb1fc2fe3de390f0d810c5d37e8
SHA256 ade7d3706b5d0874de4be9af765ee0b13e8a6b5dd55b747ba187b87518200f31
SHA512 908e5dedc8e213da9fd6c880f4497432c35535ae0602f4785b9819083b2c74dd2e6cf769b6c4ec82173c70e96cf7eeb9f6db8f9f689a9e13bb192b3ba608f758

C:\Users\Admin\AppData\Local\Temp\rUUQQEIk.bat

MD5 244f29828b117ea42737b917b1a8b7ee
SHA1 c37b5f8a86dcd85616858878be144b1652e1c7a1
SHA256 766e1a7fa223b08b664a568aad72e64a682676e589b23afdfc2a8758b6188acd
SHA512 15ff1e5932cfd783ef97ae6b306356640c8ce2faa5efae9275b5a8d003f35e1b6135338a2366d9f91c4fc06350134860e20ce49ab5eef5f96d83f8bd20873fca

C:\Users\Admin\AppData\Local\Temp\VAUgAMsM.bat

MD5 96f383eef09c0afe7e94b78b4a3a35ec
SHA1 85618d7ddd5530ec7a75e6cbde038bc757221d37
SHA256 b05eed5cbd9a3de67a80e52bc01fec2d30855d24f8743140c917edeb50d0c19c
SHA512 42788af10932230b36ff959ef00a15ffd0d7f0ad8580d904084516c9df8428453323e0aad8365da9ff661ba7cb24b1d3f417e259948ac8271f296ec1c6a6a4fa

C:\Users\Admin\AppData\Local\Temp\FUgMooUY.bat

MD5 4b7efb9c2107b299e7feb8eb9b9ab648
SHA1 e70b9c8ab49dbd0ac8f2b5872d73a68d5845c583
SHA256 815805753e0ab001c6da2ecc4023ef6394b0dd43e82dd229e71e884b6935196a
SHA512 f4b95483a03027c5f1a6e377c9adb7b5d9c6e07ceb18d4b36c526354b5c9d6033649d139ebaf29cb1420e7365b13745c7bb5fe92069020dfe413803fbb651841

C:\Users\Admin\AppData\Local\Temp\QswIkMoA.bat

MD5 8dec9d08447e5b384cb3b7c7199838a6
SHA1 fa2966a4299a7db6a714fd217957078526e40412
SHA256 bddab283de9fa6aa02945686926999c5a1a6865916e0c07bcff085a8f4294541
SHA512 2343acf987fd0d7de7b974e7c83600410fcb5e7c2a24f2a7f8fc4826402ef59aac2d596eec672ba97eff3a7679729c63ff1dbe0661f7191e93b4dfea44109209

C:\Users\Admin\AppData\Local\Temp\iacwIIIg.bat

MD5 924b2ac38086c9b695a3569440b33217
SHA1 829cd73a65438aab3a73fada9db8bb175b6067ce
SHA256 48727b97b1200a456e96259f60fb97dcb585b6ca4b5f55c63d6f83b010f8af88
SHA512 529e45dcf93459efb8451da09af85396852d5dd0a453ec3910151cc1f0fce4a57ba3005c067a75fbfb8e92b218e4c7000c5ec851976d9be388d2e0f2045579c8

C:\Users\Admin\AppData\Local\Temp\CcMEYoEU.bat

MD5 72de6a2da6fdc5983a476db75f63c6e5
SHA1 8a05f7668e1e21835ea1fe93cdf4e2032d1d1a9c
SHA256 8d24ac85d08788ffd5e1e085715b7a03d99b81db378e1f0751bc54dd4f3b0cd4
SHA512 41cf1db600dc03b5d6250ea5c3b90b3291715b86a4a189faab1f9885154295079e9de5e79ad8b7510c13a17a96ced9ad0f9cade5703f5e2eb18462fe171e2fae

C:\Users\Admin\AppData\Local\Temp\AcMgUokw.bat

MD5 824486e8f78f7c436cdf7409aac7e64d
SHA1 b3c1826de2c7f9424ad0d29d94680ddfea8bb0b9
SHA256 6b6eb297aa22800da3880bb2777016a3d3cc537736eab51de2307858b8078446
SHA512 33a032532b098b5a7dfd80518cae20dd16d9fa14097502065e590d470b07c776dcc2b0648a3f7730770a7eb6047f5defcc8a49225868d2d713bb69a3676dc294

C:\Users\Admin\AppData\Local\Temp\acIQckwI.bat

MD5 22c3654056b10d637238eea1c6d1f016
SHA1 8b681f04dc2861342ef3a10dc6a8099aeff7aa32
SHA256 c5350ad11bf42b471f258f711b3d0b8abd9888bcbde9b2738425bf9a5dde5650
SHA512 3b060e68ef23ace09e989a90343e68ab7ef8e06a0a447d601a5ac21ac81a747e9eb679545d9daed22ad795bb811836669303c7f321b1b20dad8852ee75757fed

C:\Users\Admin\AppData\Local\Temp\BUwUgssU.bat

MD5 eca95a616e1e982cd9b7bffa5d6cc1fb
SHA1 e36fd3b672fdc85fd93a34ef2dcebac35ecfa014
SHA256 9e5aebe6707ab4be79adb9120768e2565ab8d282f9049f0239463652b7434404
SHA512 00848c929b40383f202ed7f437000aa089bc38751a203dd988ea4731d82becb8c43e4761efe9ac03028cbee4a0588d04a5754a4b0f65873a760a054a58617663

C:\Users\Admin\AppData\Local\Temp\zcEAAoME.bat

MD5 fe87dc41031f1645f35ac253502a34a2
SHA1 bceaa41431969222c456fedb0f03450ef066db76
SHA256 b9fd3b098dc9efd6a3df646c8b08dbc0212d6ff92056d08269d1de49231d3bbb
SHA512 9a280d5c5cd603b4ce79433d68aff9ef7efdaaa2b653f256024e2b56a08a4885a0ba2c2a28b72a3324b5a533389f2e0363e1602583722e693eb2fa6a107a7d6e

C:\Users\Admin\AppData\Local\Temp\tUcsoQkU.bat

MD5 bb26913d95b4114cc411e2a88c6a4103
SHA1 d16d99b477c148fe72fada249214e655bb475da8
SHA256 d88ce8c720fad6d59aef85c7c3e04c847511d781c01a07e93a8cb38e9556f7ab
SHA512 19ebe6bcdd70bf52a1862abe56ddc8c5c3632461a551bb288b35be2d5a288889fd5bb4203e650eaaee9d334aa3815dab76df18178fff265d34f950d07298f7f5

C:\Users\Admin\AppData\Local\Temp\HQAAkYsM.bat

MD5 062b4b71ac834cae6c9a60dd5129e348
SHA1 8b0fb3364524211ee0c2eaf62429610f1b532290
SHA256 893a5d3e34b3cc0765ffbf0ecf1b5ca82b587b998c40e397af6f7d777484835d
SHA512 795f99526d76b332d03ba3ab6c8954a19b08d0e096b4d07d5666249c59363e1718bf4d43d34a0b62475c9bab6002fecb4d42df3c51461f7fe2b44af9b615573f

C:\Users\Admin\AppData\Local\Temp\NsAMIMck.bat

MD5 7a5445a70fe5b027299a146b0b3290bb
SHA1 effed6e93cb38699327d73cdd84ec55508746e7f
SHA256 28641e409755e316546cf398df60fe3f16bed5a54fdd12c74a2d9aa61c89e01d
SHA512 3c0d3c76850318f02355c285564a9f75ee85ad575dca12d45b7b8687059543ef2543cb7ee0515ae0429230b9effa27e4699e7a073dca248fe79ba9c836c8fbf3

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 17:22

Reported

2024-11-14 17:24

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (86) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\DsgkwwMQ\FmUYQswY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FmUYQswY.exe = "C:\\Users\\Admin\\DsgkwwMQ\\FmUYQswY.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fAgUoQQY.exe = "C:\\ProgramData\\KCMwcMsU\\fAgUoQQY.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FmUYQswY.exe = "C:\\Users\\Admin\\DsgkwwMQ\\FmUYQswY.exe" C:\Users\Admin\DsgkwwMQ\FmUYQswY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fAgUoQQY.exe = "C:\\ProgramData\\KCMwcMsU\\fAgUoQQY.exe" C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A
N/A N/A C:\ProgramData\KCMwcMsU\fAgUoQQY.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1652 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Users\Admin\DsgkwwMQ\FmUYQswY.exe
PID 1652 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Users\Admin\DsgkwwMQ\FmUYQswY.exe
PID 1652 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Users\Admin\DsgkwwMQ\FmUYQswY.exe
PID 1652 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\ProgramData\KCMwcMsU\fAgUoQQY.exe
PID 1652 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\ProgramData\KCMwcMsU\fAgUoQQY.exe
PID 1652 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\ProgramData\KCMwcMsU\fAgUoQQY.exe
PID 1652 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1652 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1652 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1652 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1652 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1652 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1652 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1652 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1652 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1652 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
PID 3668 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
PID 3668 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
PID 3056 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3056 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3056 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1676 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 4804 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
PID 1964 wrote to memory of 4804 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
PID 1964 wrote to memory of 4804 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
PID 1676 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1676 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1676 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1676 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1676 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1676 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1676 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1676 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1676 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1676 wrote to memory of 420 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 420 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 420 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 420 wrote to memory of 4728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 420 wrote to memory of 4728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 420 wrote to memory of 4728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4804 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4804 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4804 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4804 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4804 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4804 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4804 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4804 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4804 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4804 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4804 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4804 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4804 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4804 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4804 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 3396 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe"

C:\Users\Admin\DsgkwwMQ\FmUYQswY.exe

"C:\Users\Admin\DsgkwwMQ\FmUYQswY.exe"

C:\ProgramData\KCMwcMsU\fAgUoQQY.exe

"C:\ProgramData\KCMwcMsU\fAgUoQQY.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reIIQYQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCIoEwEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lowscYsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkQsQMok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAQcsAsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKYUwcQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqcgkAgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baYsgAIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIoEsssQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vicUEYcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DOYYEUsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiIkUowQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwYcYAQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGwsIskI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuYwYUsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsYcgcYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUkEoMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jussUYIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqUcMEkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWkMggAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWkAowQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSoMIEQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuEUQQIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQIAkIsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSkkQQks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgkYkIwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCgIEsAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKogMgwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OgEUAUUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWwwcckc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIgQssEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leMsEYoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcUIcUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWYAsMYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCgMMYsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgYAcsoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGkEccck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCsYsgwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwEkAYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iScUgAQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyQAEYEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOIsQwkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSMwYUQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeUwssEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyMgkQcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\huMIMggo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QsQYcAIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AsgYgsIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKAMcMgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSogQgkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmkIkAws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkUsUkcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmkUAkQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWQcMQgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWEYoYsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsUswIMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIsgUAMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeIMcsUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOYUsYIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucgQsgcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgwkUkAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGEEsgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQYcEgoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeQMEskQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSIIoIgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEQUAUwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EuoQEcQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGoAcYMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LsgMwsYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCcsoQIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyEAwYkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWkUgYEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKYQcUcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYcIQAgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmkIwoos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgIgoIsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkUAwUcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqgAwIIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcckoEkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaAwsIsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOswEQAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgoEIkoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSMcAgUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYskUsIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmIokAUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OaQAwUgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkUoAIEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQMAcYww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYYggAQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmsEMQMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgMoAEUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqMUQcYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecYQUksc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWYIsYAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv DGREyEaeckKFsJ0qxUkkDg.0.2

Network

Country  Destination           Domain                         Proto
US       8.8.8.8:53            8.8.8.8.in-addr.arpa           udp
BO       200.87.164.69:9999                                   tcp
BO       200.87.164.69:9999                                   tcp
US       8.8.8.8:53            google.com                     udp
GB       142.250.187.238:80    google.com                     tcp
GB       142.250.187.238:80    google.com                     tcp
US       8.8.8.8:53            172.214.232.199.in-addr.arpa   udp
US       8.8.8.8:53            58.55.71.13.in-addr.arpa       udp
US       8.8.8.8:53            67.31.126.40.in-addr.arpa      udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53            217.106.137.52.in-addr.arpa    udp
BO       200.119.204.12:9999                                  tcp
BO       200.119.204.12:9999                                  tcp
US       8.8.8.8:53            200.163.202.172.in-addr.arpa   udp
US       8.8.8.8:53            15.164.165.52.in-addr.arpa     udp
US       8.8.8.8:53            53.210.109.20.in-addr.arpa     udp
BO       190.186.45.170:9999                                  tcp
BO       190.186.45.170:9999                                  tcp
US       8.8.8.8:53            182.129.81.91.in-addr.arpa     udp
US       8.8.8.8:53                                           udp

Files

memory/1652-0-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\DsgkwwMQ\FmUYQswY.exe

MD5 7e5c1b2fcdf513a8fe3d91f72a43fecf
SHA1 976de28a56c48aa8b70a02f582aa472810eb8477
SHA256 c2f529e8537a0e477136f638c84c08228d9602b0edb66c00c5a27bc94008f7e6
SHA512 15d01b0c02a8a83fea24103ea054f7e66e1f457c5911cabe140c8219b36f9388b636b3182feb9ed9c52244601779bc231b2579e7c03df84b48e2a51ef0c6b883

memory/628-7-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\KCMwcMsU\fAgUoQQY.exe

MD5 e54e27fd8223453d2b276b4185986ee7
SHA1 817e78400448cd38d6feb4812d16bfdad2faff8a
SHA256 a99a7d17048c3d3e71894fd0e7cc503e67b4bfe383b7bb78a2333f226880631a
SHA512 82df2eaf61e5b7d89c4c1168726c4caba31bdc35a3f1efe9d70e9cd4a8af95c75a58f6e409444687526ccced5da21e3ce08ad59aa429841b63a49fb244c856f2

memory/4212-14-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1652-19-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\reIIQYQo.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock

MD5 ea4ee2af66c4c57b8a275867e9dc07cd
SHA1 d904976736e6db3c69c304e96172234078242331
SHA256 fa883829ebb8cd2a602f9b21c1f85de24cf47949d520bceb1828b4cd1cb6906c
SHA512 4114105f63e72b54e506d06168b102a9130263576200fb21532140c0e9936149259879ac30a8b78f15ae7cb0b59b043db5154091312da731ac16e67e6314c412

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/1676-30-0x0000000000400000-0x0000000000460000-memory.dmp

memory/4804-41-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3396-52-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1532-63-0x0000000000400000-0x0000000000460000-memory.dmp

memory/4516-64-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1532-75-0x0000000000400000-0x0000000000460000-memory.dmp

memory/452-86-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1468-97-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3952-108-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2868-119-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1260-127-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3108-131-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1260-142-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2652-153-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1752-164-0x0000000000400000-0x0000000000460000-memory.dmp

memory/220-175-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2360-176-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2360-188-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2548-184-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2548-199-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3476-210-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2872-221-0x0000000000400000-0x0000000000460000-memory.dmp

memory/4640-231-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2136-243-0x0000000000400000-0x0000000000460000-memory.dmp

SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\Downloads\HideAssert.bmp.exe

MD5 d146ece2b43d2902490082a32c9764e4
SHA1 c35ba4463001db38b3019322ab84093271af7986
SHA256 e5396c739887482c1b908a115bee9dfef547a159ad108b3350376482f0971461
SHA512 306cc5364189a3bfc70cffe9025ec231048c9ddf7bd9a94aacc7d7098d3a20ee7b129a11a5d988c11cc0796666a83cf1b1d8b7fcbd9d5bad416f54c63a3c5da8

C:\Users\Admin\AppData\Local\Temp\AgcQ.exe

MD5 fbd0c687f15d93adc5cd58205f51c557
SHA1 3ed683e3c6dd514c6596a64ca295281dd53d72ef
SHA256 fbc0e7fff1cbd7a11d48f6a7b57c54f7b7636637deaf383802b9a37d3e29e5c1
SHA512 4fcf77933d0bf83669b86cdf07887b633475519143cd1706cf2e50e7965d25aa9425c377208aaf535850842bdd2d16121a48499e7db2acf24937aa551a77b5ef

C:\Users\Admin\AppData\Local\Temp\isck.exe

MD5 408d30eea29cfd58058185ab86a6f24d
SHA1 a0b86644b3c2c0dc4cbfb964ef69870a44526055
SHA256 9c213e69a509e5d32a89ab8f3e53f7cc0fa6af58cf6f81cf44c396e0ffba315b
SHA512 eeef236fc0df6da40be3acac40a16e3a5f3082733258fe186d8cb6134216e3d3939c62e65c16165e26b6efc4c24675600fa7446bb6326fa7e5fdc2b9fa4e518d

C:\Users\Admin\AppData\Local\Temp\AkMY.exe

MD5 176a2392d2e09ec4e149099c4bfe49ab
SHA1 8df7677ca6575de6c5bd962f85e20e25eb7936b0
SHA256 023e1da8a75fbf8908aec9788d8d5eae013c3e1f561ac01af2036430ac41cc3a
SHA512 ff4e473ef8ac0c24c6abffcdb5ae197ea69f0c17943fcae8f308036ee4efa09c6592e75e8154ccecc88da221955b8f8d6a894a3e16e7f01da7d118a189cf2451

C:\Users\Admin\AppData\Local\Temp\YAcE.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\UckK.exe

MD5 9dd3c43a6a2f445965e325ac5f139617
SHA1 eb9924dacae4089a4f639eeb3e2c4e93dd188139
SHA256 fd9345cbbb3057adb550486d25fb110153ff65cacd36907c1caf4cfce8c79048
SHA512 2a78ff841373d473886f9ffe9ea8aebe063dacdf9c6ddd987b1dc0f2fd7b4e36ea84d4e4d476f0457add249a97e123ae4a18c5e02862721e25acdd9728372e90

C:\Users\Admin\AppData\Local\Temp\MMcc.exe

MD5 61d6dffed47af92624d8a1af9c4a83f6
SHA1 e4ab98ca89a109176f10cd34c6a41af3296cfa67
SHA256 1bd3e0cf85be7029ef5d25730ebcf65a4311568fd7bd13efd64764b934b629f4
SHA512 91d3f292db8af3d432f84d54aacc2beb5b9d76f67bc33dcccfcc117e88b1b035c92c0e3184319906c390d4cae4ac1f9a9f77241112b2d24b6a2900cc2a709123

C:\Users\Admin\AppData\Local\Temp\yAok.exe

MD5 2477ce0ab034c7a6d37586c29720b4af
SHA1 55aa1e4c2c944aef3a388ea4533902f6ae84e03f
SHA256 d01fa8ce1fe462cf256f8e9ad73288b952e68bbca450605e1657748f3454110c
SHA512 b9a8baa85abf2d24d66f310b753c593d34b4b3f501ec6860e493511c64dac3f9720a7617c4469511f84beec6de378cb604037a8430bf6b7689494383272a3acc

C:\Users\Admin\AppData\Local\Temp\YUgW.exe

MD5 cd3edabe099ebe92aaeb56a95fb200ee
SHA1 850659cf77b1d2f7fe07b6b5dfcb25de1062cce9
SHA256 d8bd8289c7d43b69a4aca3f9d7408ee407e642d72b00642dd363e70bcd5083f6
SHA512 e38a3d9278f196bbc7359be2ac228c4e9f9e6672d787f770157013a7c317010025c1b9490da941719868159f9b2925e581fd52e364abfb84ba21d2a270e29d6f

C:\Users\Admin\AppData\Local\Temp\sUUg.exe

MD5 a0797ea0d16e7794ecc7b412df780a3a
SHA1 a65d2832dd9f863c163e92119c76e5d57af31e5b
SHA256 2cf2c65867a80f198c42c6c4db4f2c8e7c2ec865c59fd2e124492437494b4df7
SHA512 58225f1e7eedc4869ce17a4b7057cb89f151e4159457b1c36628262e27691c8e439ee9eddcfedf016350c55037c34fad3b4390b65392c62980fef92a7f6939fc

C:\Users\Admin\AppData\Local\Temp\kkEy.exe

MD5 2b17d85047b5fa56ffff96c9a46d4498
SHA1 af21392213a09eb9a343a53c76d97779f1362d92
SHA256 49cc7f3dcc6b3db374603799741e2f69c6aed21678bf6578255a4f1946cf183f
SHA512 9157b9e5c9dfb936b71075a44e4c981a6e560b1d6368ab01e4e1271f40a52c77b11cb1eb3971d78c458f46168deed3c77126ba7ba91d07d74df07f7521b2cc22

C:\Users\Admin\AppData\Local\Temp\ocMs.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\Pictures\ResumeApprove.bmp.exe

MD5 bf5f6489e8712c39347d76789ab830c1
SHA1 dc3b3f3c65774aed662b3d2d56c5e0d445306285
SHA256 6ee9275495ebcad6426112d7c400a106fb7bf4c61a92752a301d722878874a3e
SHA512 62d86b1414fff0b02ec572df7b5567ffe8106c23e52c1f5aef10121943be7e01595a3edd193d0d6d580658e91f949b28a372dabd07902d6d24fbe4e40aecf480

C:\Users\Admin\AppData\Local\Temp\wksI.exe

MD5 e87a711546462e0123e5f653be469f18
SHA1 ed2d866949a6d9335d9062b2e7f2897cee3767f7
SHA256 0dd3f93484508fa39cfb446b69603bc1fce9eae88d3d1db52a0cea01f5b4f0a5
SHA512 18b426bf176f01065e13263847c664269092f57e0eb185898e595635ad4cca7973e37081a7dd4ecbc27bead2ace97be64014858689175e55a12813d7658792a5

C:\Users\Admin\AppData\Local\Temp\eUwE.exe

MD5 07cc5cdcf89057cd38bf11a425037358
SHA1 b4bbbe435fb10379c6aa1c72d92838ed02c63335
SHA256 8ebbab6e5bd35b456c48794990cc60f1c675dca63630a968b6757ff1a2545846
SHA512 4d8435d0f305e5507ddc788cf3f22627dc0ae4e94d5dfb9dbf153a2ae3c4579ed011806355abb9cbb3642bd7176c455d021121fa39a45a5f6b8f3ea8de69f9e0

C:\Users\Admin\AppData\Local\Temp\OoAa.exe

MD5 3bb4ec3cb5daea12c816abfa340792d5
SHA1 0eaa05cd1709cbf935dd8e5e8aabc1f0ee5db20e
SHA256 003153f13d9f0d8b9b3578488234f0d8f9cb1e3f08650c1b697f9ff8dde9eadb
SHA512 896d8cca1feda63c2738007a44ba79eb62736c8b5bb48c495f98a3e9310aabb825a8c5139359455753d2bd109f3a27e283730d2326a20a9eac4c435d89966fae

C:\Users\Admin\AppData\Local\Temp\QsoY.exe

MD5 781afd80ace0a86f3e415fd31f3e22db
SHA1 915f9fef84fb2c85a776f51a8e624a471e95e0ce
SHA256 57e9cef1cd9978a95997bf9781683027748df23a1f60aff77f6e12ac4afe0636
SHA512 1bed39928647c1f1852ded7841feb2bad80908619b3c3fedf97496a26287e9dc608ac9270b73c335433c1d7887df49631f4b1d1ec5cb50ecd97fcd69f3b6f83f

C:\Users\Admin\AppData\Local\Temp\mMwK.exe

MD5 ec75e3d4faaab7c4cbe0829ff04d9a16
SHA1 35396d5fb66f5e45fb66b695bd139ca7a476746b
SHA256 073cdfc9c7d271685b6183a512d36501f3c60e92ca28bd9052bf15157d03b920
SHA512 3c0c759a4e1d9d7e5aaeb1a0f55cb1eb1f0b7fe8a96a32f817d811961204062dacfa11f8068b18ae9f64de39dca7aef71fcb5ddb2f923e414ae44183f965e511

C:\Users\Admin\AppData\Local\Temp\EoUs.exe

MD5 131bdbb6db63d8b2e69b02316dab3731
SHA1 c8d8f6f022255ff0c6b0e5c1197b6aae8a5521ce
SHA256 567e6a80383423a1a757aa9ed82c2bbd98d55d16ad8d21e9884a9238c291ce12
SHA512 6e87c27a0e6804f703040971bd1ada00136822952273e82417ebcae828e0fa5c581192052f75b428a2aa9541bb83fe4ffa189a17e9094631dcb11c96ec2db5b0

C:\Users\Admin\AppData\Local\Temp\ukcG.exe

MD5 207651a87e68f1fcb948cf0833c03e50
SHA1 271269666def09c01a68dfd6a20cb030df73f822
SHA256 774bbe73c4f7c168f8e9dca2b611a5c9b7690d82be7b0b9ee87fa6e1761b19f1
SHA512 0e3f0a784747855a7d2b449b150cfd96efac6638d49d0ef483e6df5d0d064fb1eb1d8a6faf6f9992b1b2dfb46a9b344c3a70cf8dc3d60ec7da69cfc8a2d9e5b5

C:\Users\Admin\AppData\Local\Temp\SoIO.exe

MD5 19d8f3b484bafa96fe7298ab3c908d52
SHA1 812ef07205eb0e02549cd337b6987641c21f3b85
SHA256 39d8be5f796afde6ec83d00f80d664bf0704fbd08c1f9a6035fcf97dfca86781
SHA512 46a755050251201f3a3f6bedd8d13fb8849d2f8b9537e48296b47c916914eaaf1fa646f26b205340fcde1665532ee4530f8ee631baa16f17bfea4a46d5e51bc1