Malware Analysis Report

2025-08-11 06:23

Sample ID 240403-mnnfaacf56
Target 2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock
SHA256 c73a86117863dd382b1bf3b47cc95d79b111fadff9665e82193d265b5437a6d7
Tags
evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c73a86117863dd382b1bf3b47cc95d79b111fadff9665e82193d265b5437a6d7

Threat Level: Known bad

The file 2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan ransomware

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (78) files with added filename extension

Executes dropped EXE

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 10:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 10:36

Reported

2024-04-03 10:39

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\International\Geo\Nation C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\zgkYwIgs\ZkccIYgY.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZkccIYgY.exe = "C:\\Users\\Admin\\zgkYwIgs\\ZkccIYgY.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XgkwYogg.exe = "C:\\ProgramData\\vYAUsUsg\\XgkwYogg.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZkccIYgY.exe = "C:\\Users\\Admin\\zgkYwIgs\\ZkccIYgY.exe" C:\Users\Admin\zgkYwIgs\ZkccIYgY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XgkwYogg.exe = "C:\\ProgramData\\vYAUsUsg\\XgkwYogg.exe" C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A
N/A N/A C:\ProgramData\vYAUsUsg\XgkwYogg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Users\Admin\zgkYwIgs\ZkccIYgY.exe
PID 2220 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Users\Admin\zgkYwIgs\ZkccIYgY.exe
PID 2220 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Users\Admin\zgkYwIgs\ZkccIYgY.exe
PID 2220 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Users\Admin\zgkYwIgs\ZkccIYgY.exe
PID 2220 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\ProgramData\vYAUsUsg\XgkwYogg.exe
PID 2220 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\ProgramData\vYAUsUsg\XgkwYogg.exe
PID 2220 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\ProgramData\vYAUsUsg\XgkwYogg.exe
PID 2220 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\ProgramData\vYAUsUsg\XgkwYogg.exe
PID 2220 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe
PID 2628 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe
PID 2628 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe
PID 2628 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe
PID 2220 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2220 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2220 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2220 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2220 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2220 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2220 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2220 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2220 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2220 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2220 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2220 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2220 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2680 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2680 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2680 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2860 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 924 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe
PID 2920 wrote to memory of 924 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe
PID 2920 wrote to memory of 924 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe
PID 2920 wrote to memory of 924 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe
PID 2860 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2860 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2860 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2860 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2860 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2860 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2860 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2860 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2860 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2860 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2860 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2860 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2860 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2772 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2772 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2772 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe"

C:\Users\Admin\zgkYwIgs\ZkccIYgY.exe

"C:\Users\Admin\zgkYwIgs\ZkccIYgY.exe"

C:\ProgramData\vYAUsUsg\XgkwYogg.exe

"C:\ProgramData\vYAUsUsg\XgkwYogg.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zUsMIcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AwMYgsIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BiIQQgoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IUkUwIwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XGoMMEsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PiQUYEIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HWYYsIcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QYQwQMso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jOkogEgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\besUQcgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lGokgwAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kmEwMkIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QawcMgco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1164015407-83263679814248953931652111062-7485447151450733996-104359558-171568185"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XcAQokAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NWMYckAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "14712578220019959985407645-2031997773-1811758945-1796608953733381374-706557059"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vkUkgYoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yKQIQAIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jEYsgsQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQwQgYYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jMwgYYoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zKEcgYsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FuIYAQAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-14481486461803314791-1583567641788117715-260367756-2096661927-11197524711634166926"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CioIMEQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XksIoIAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xqcAwgkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\seYcoscg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1667194495241903806-1703085092-226220267183167298742901098-8446069961369211242"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\paokUQYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-294336569-56485929112052284771219790565-1992889209787577594582999813195472259"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SWwMMsow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-986492658542551088-995406744-15436005356287696413290746321055388164-371250181"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aEEAAkMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JeYwYwYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "192157485415476453961523702842-814651430-492284824105320493-329212591499242762"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zOsocooQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "437328829-346739045-170533794725874460302234707-1432080156-1252656834933258607"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wwQEAMUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OCgMEYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1756134745682108046-1369058282-380071299-120613023-921699843228396908-473403000"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-10438353141055151607-1975910037993288847-837297004-989614011621309291-661682198"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LaYogEkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2409688311821248654885891739-16776984411847556981818677657-529255140-1137785149"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qSMwIEIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1269599140639551947-10947868201643827967-712160434-1312644075-1501866526-368750026"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RakEggMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "47836698121144766301158834529161960117818484124451900181610685432434-1635245111"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iUAccEoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AuAIUAIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1099458973952047348-1417971374-136298260247623347183867981914216764661659402158"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CwYoMAgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2126061442-1158333009-310419201582671473679731270-1563449797-1547195096-1299707348"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sUsQcEEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VUYIcYso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-12114742601012432991520795531-1349868762-3026119102540283312044106380-538983276"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "377853671287221726-1329793932-6428716-65398629216139519158392804221340031404"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WCUwEMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1659644443-633648525149101253017654015401836144671-987420475-84437219715613771"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "402992478-374480161732842788-149873540-1064841798-1567503241-1150990199-252581324"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmIIscMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1351193727-1162998725-1776739932-1250914315-792742550-1873675965729685575682535061"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xGMEsUYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-774028357-37535231533884886815391834668053841101743247384-10687971991353207335"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-138510971015518669402061918131166606782013796491551396917974701087670-1020190868"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uGkMEwoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1037229859-408294397-757431462-1154012658-1183263465191308276317316354371272161849"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-637324326-2087875329-733956998431072019-2049235541401126572-1678467626129671180"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bWgQooQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "856861826-16365323911278542263-1734885553-647948265-1297222157-17024947411642833785"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VmQwwAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cYEYcwss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1591829306-601915761-1356024425-325897696-375692410-1419926204-38886079-343762697"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QgIEUEIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1371155218-205888484-1096653318-1546400701444902664-1689829076-810586128-51073642"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "555524174568423864-197066105-93076903311144870353381255833445072601429073027"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-202767118-15365210731534090759-1144347052-16909987548188368518255852521836425965"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\foIsEQMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1628855849411418330971984500140383300511311139942145936812-212980939048242874"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mIYgwIoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-13142737991021864292-1955893238-1113314120-17738488491343963997-1761438830-1424869345"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-195632221815124153601063200812-341502960-2154196851220908426715223352-499233757"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eskAMoEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XAEUcsYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2909331161537115197-335311665-19863913411131362918235607560237652938-1765144300"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2646447610385778461748936303168960624933538379-55775052419427451621383387928"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-337916926-5313065605526103422047404657721002513-23616339616028759611446880913"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\omoMIMMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1166221626-1680653583-106444746254081568-187834117219368047492104496238-1912313009"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rQckUUMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2098979938-169485698-15824349381428390940-557207711706615326-20315588091724337213"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EKUcAcwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-186325184176436981947122632557409526-1907729732-825869059-1321412208-1918472896"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-116607384169693197128054559412969901441892520359-12041986441556500523-1925981660"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vasUgUQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1005294918398874576-1682573215-1527240121058160136-684973648-1207437907-1042780600"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xWMUMEkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1769896651-1999269758115440694616834182551107925967-805679297-2035997482-1197210243"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "12311489437711646471377680976-2141136790-32788387010894411642410747-1553767851"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2083687626886782263-12671775691664892161-13670370662047833341929741864-1477274442"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-14811583541569975146157696543114329626661537897222694247102908063972-1400082323"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tUMEQAEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-958906213-17861491292131903242-4217565281209229690-384448847656277154-1515593682"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "159954301810137301683904091672251095667611952-12927874-242126311248567577"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1975986726-580427549-18242491151377096140-18493229611321391789587953215-1386037053"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-9676760312057540048-1368190091107284721317338575461709735611-21333183111339961844"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hkoYsMUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1580104818713313716018964211388255265564957209875727711-1475960502-1425242382"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1182316321645933454217792750-1536682691-1269826972-504693141313077513-826536550"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-12393644361641162125-17844853141186803172-680778099-5007340101323411880-1947798682"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1130368567-76848638995471732-715794875728249481-631697437-883362587-1891024584"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-619101625-90816953-1239385564-101741356416327031518854809705248107901214603026"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KwQgkksw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1274776359-435364261820983010-17875738082063738000-16425924331120091829660676089"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sakwIgYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "17498297381406266990-1022259814-151149562-5142387571185328698-175314451395852263"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "108036815016330025257326691657347283131703595658-1029820546625468787-1183132114"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2037028725-2099419776-1738150401-344091676-1028880750-1164879721-581424381-75415899"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1782169071251741078-316351724-672119517-1518698313-1306163297387061529-1959237025"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yskAkIgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-197717118122453142-21107493011510159880-1922828213-861624107-124666923-897908148"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "873200383-9909679721668878131-1400950072-1294480568-201798103-1951186634280396145"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-151110896120827562667306249-171683075-1231556130-223201793-1352425846964443041"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-567395956-1454678860199606054878180062-6622972-882122705-14989124831452004121"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LskIwsMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1425445576-2091029414-1279419623-61544594-2077062941934778623-216862374-2074509223"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1226751479477111339-20941942171067888667-1126593595-682355303385886179-1008930106"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2687764242010002843-1604441774-349508139-715710183101377252511423949-1052134419"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-3803147141476851112-156042308214486285521456066064-1572429312620881041156944132"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1159784125341015955-17062975881777972143-1642187568-1995535679314833182-875706267"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gwUgQskQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "977143228-10111450971331177253473956649208844401615161231-3176953541855718840"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-3923769342105677978-1127124316600538584-116651658818429008701956036371510513079"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
NL 216.58.208.110:80 google.com tcp
NL 216.58.208.110:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2220-0-0x0000000000400000-0x000000000041E000-memory.dmp

\Users\Admin\zgkYwIgs\ZkccIYgY.exe

MD5 5a3fe52bf99c89237ae69916653f2006
SHA1 c61a12156ca50f1fe547fd903add0c6521ca61fa
SHA256 c319d49cccfe5fe860ea5427bc05744ec1c1db8471eef64e1611259f7c64bd78
SHA512 e9292fc6fff56c70b65c37a92398aa04e3e28c8f42b9494b4f2dd576dd572a03247f15bd22cacb614e0a8a71b273d884d6a0ddde4cac5cb1896eb087f82715e6

memory/2220-4-0x0000000001BE0000-0x0000000001BFD000-memory.dmp

\ProgramData\vYAUsUsg\XgkwYogg.exe

MD5 8efeff8541c90b9a3d66b91c72bb89f8
SHA1 116fb3684065727c9809fa920e721466e4ae0a72
SHA256 65a77370d3971185497cf3dc430516adeae0542465cc7c716d39f2db47c8d60d
SHA512 da222da362dc60ec0dc70aeb89d412d078b81391ee3663047a1b02d9b3bc057f947aa031d29e425a5196aac700f90323be8598c132d432384fe06c649a23e1ba

C:\Users\Admin\AppData\Local\Temp\kswQQAMQ.bat

MD5 f2534066f47beaa345d05055dab0506e
SHA1 3359bffafff5c4a82e57e1ec63d8e57693cf998e
SHA256 6a2a48b29787c0830340b48b3772d0daad534c0817c4342086b85b4cfceae9a1
SHA512 99c67e9f293547e5e5d968cf8f70b6fc1a6683242c679db0b109e0a91e174e6d8398fa40dee97addb857a6f528b11d885ac60b6f7d2c81b9b7663bfe846c48b9

memory/2220-21-0x0000000001BE0000-0x0000000001BFC000-memory.dmp

memory/2220-19-0x0000000001BE0000-0x0000000001BFC000-memory.dmp

memory/2832-30-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2628-33-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2628-32-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2860-34-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2220-42-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zUsMIcsI.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

MD5 d36af1ec9b66bb61a728702fd39ea0a4
SHA1 a0483b7947de6daec4a69864328662b3d70aab86
SHA256 f590cbc7c830731b68b55ca1b1ea11818b5afa3566537440a17017296578dae9
SHA512 3047a98c784e0d60dcf46635350e983687156fb5168f713dfde0bda9034419cc1a547999c7f8113d9fb3bd672167f06349aef418c3f554617ea7565eb40095f7

C:\Users\Admin\AppData\Local\Temp\EQYgMAIc.bat

MD5 42244f8a3e550a915e8984237e85cc8e
SHA1 850885044356071a631a4cc80fa225ba08c7208a
SHA256 4584ff4be72d1e39d4535e7e84e86052f2fdc378cb539c9364c5c242aab4b8be
SHA512 5f3eb50fca0f19d3de94ab500db413398d1d5856c30264ab4b6857b1af780108e084cda0cee68873447dcb220df988c3fce074997b7df054066c34c211de74f5

memory/2920-55-0x0000000000120000-0x000000000013E000-memory.dmp

memory/924-65-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2860-64-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\OmgUsAMs.bat

MD5 6c558004776d9020d730d02e7ba9737d
SHA1 1c412a6a3f35d859009ff643f45684aab427bbd9
SHA256 112e41c6189f6055059ce0ec7562a662682d51f11e1afae595a6b33be38be8b1
SHA512 ec16e6850a316526137ea529eb0e64c71906b4603f3da5e8ed6f2761f6417b1502edcc18a5b73836657ad9a0ba517071e2c1fb489c06be6422c04fe0be2ae9fc

memory/2024-76-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1412-77-0x0000000000400000-0x000000000041E000-memory.dmp

memory/924-86-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cIcIMYUc.bat

MD5 cc0a7691504dc08dad871cfb79d78f18
SHA1 9a1c443eb7a427a7372d260569b35b8cfcae01ed
SHA256 0a1c698bd3cf380c4bca77fe6603433764a990855c2274129c26df880716623e
SHA512 be82745e815f5d62959ff721f83f861e1d4750914792afac6f57c9d46b5f668f6e64bccc22262b521c16fb3cc843383e35fc1319f6b065175291246341978c67

memory/2456-99-0x0000000000120000-0x000000000013E000-memory.dmp

memory/1888-109-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1412-108-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2456-110-0x0000000000120000-0x000000000013E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YeEkUEcw.bat

MD5 cc5b5531729f51a7ae9bc79ad5d4a163
SHA1 6d9e83cc4597158d6792913f92f65ba54ec75db4
SHA256 d5f528b4760fa46eff553f7c590da4e8c98df0740488ed9e9bf2e1c4f532c684
SHA512 897f1a655b6be9d01dfed8b7c5057bdf3a9c2684cdbc235f43f4a44bae0ad3f19e7328e88ef288e2060864c23359c8a444c9fbdd2e538385cbfbe08b1479aaf8

memory/1116-123-0x0000000000400000-0x000000000041E000-memory.dmp

memory/836-124-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1888-133-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uwUcsAYw.bat

MD5 30c456addd451b2a4ff9db9bb7976c11
SHA1 5c399c2584d13e56c5563d18e368f77a467fa46d
SHA256 4c0c61b2da019597d7f99247248443104f31cdd4e11ddd8f215c229f8a6881f0
SHA512 cf1889216b76353c4b791a2c89f839b0b3f862e105fb43da74b6bd846bc94a9360963e906b696560af6ce4012a284d945aa212ea290803cee3c19034365ef6a6

memory/1508-146-0x0000000000400000-0x000000000041E000-memory.dmp

memory/836-155-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsgYooos.bat

MD5 ad1abf6e077219556767a766a5c5c6b5
SHA1 93b552e0e595e8c1f158b5e1f2a67473bcb3d9e0
SHA256 cdb08afca6ab8885d0e6d5fa0f719e6f6c1bf7dee2480b00753fb984c8a17456
SHA512 f742f51b72ff5247256b343d3596d8aaa32c8b8125c998c307f7c6b653720a064f242739645d3099de039aae1900e5cad0676d3bf2b8fb293c20fd0d89d0f734

memory/1508-177-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1908-178-0x0000000000120000-0x000000000013E000-memory.dmp

memory/1908-168-0x0000000000120000-0x000000000013E000-memory.dmp

memory/3060-179-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TiAQQEcY.bat

MD5 f91c3649f3823e5ff1856bbb56c68873
SHA1 cc3832909165563affc3eb4757ad4e6c41fd12bd
SHA256 7848df177f4c2c8df3fe863119fb0c1f100e29555cfa5870b12b3a43df2bb0ac
SHA512 12d16c4c364e8dc11d35491238dd12ea3c5f2a08b3daa36a801a618c1454c11057b98929b33b6a1e01e97a39b43608ce9319300933a96f7ce7d744c5098ad564

memory/2492-192-0x0000000000280000-0x000000000029E000-memory.dmp

memory/3060-202-0x0000000000400000-0x000000000041E000-memory.dmp

memory/324-194-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hUgwUwsA.bat

MD5 cd2b4dcd33c0ccea922783fbba1abc7a
SHA1 0eba254ccb9accfbb4a68594df5a8028161d4f4f
SHA256 29ad3d2722755162a11ed4419397e7c021bef9ba5833effc3faad2c448746766
SHA512 f04cee4f4b40104a8af4499003dfb3b5918e99661224672134038537e4794c10ef4539c74fd264241de4e4b14c8400505eb6345c6c6b4c3d35a6499edf0dea9f

memory/2348-224-0x00000000000B0000-0x00000000000CE000-memory.dmp

memory/2464-225-0x0000000000400000-0x000000000041E000-memory.dmp

memory/324-223-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wGsoUQYA.bat

MD5 c1aa29514adad90b2975b36fd2fed81d
SHA1 de43b907e06539b507be0403ea655e6918cbd1fd
SHA256 b844926fe29bdfde28b3f5470e900f5ce67bcc16d414851b7d04eb8095b75fb9
SHA512 3bdf8bc48c3d2aeaa6c6741aa9ef13c3baa092b45ac7051ec0592bf5cb95d3da5a84635dd2e6510ef8fa135069f9a168684f60ed0d9ac1999b97237e65817bd9

memory/2464-247-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2040-239-0x00000000001A0000-0x00000000001BE000-memory.dmp

memory/1484-248-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vessEIcM.bat

MD5 46cd51299060338b078b19a9f9bf9ea1
SHA1 46223dd92423a7e1b26c574366d7bcd72ae5858a
SHA256 7205d275084b659035f1d661aa60307251d8a560a5761822d84a0a8dce827f3b
SHA512 bf86f308e67b00535770b4a27978d34ec56beafdda7907ef144fa8f01a1a3066e86cc4f9114648e3782ee6d82500ed76bdd30e05123e4fa45431ee017bf29ea7

memory/2052-270-0x0000000000120000-0x000000000013E000-memory.dmp

memory/872-271-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1484-269-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NGkcEQcs.bat

MD5 f2149a9513efc119d02b4598cf067513
SHA1 defbf1c218489589a11ac363376c6d961cc01061
SHA256 ac511ef386fab08890ead0b595143e8343737769a0a3f7bffcc0d172c809a1e9
SHA512 52342713a72c33cc43d759b715f5de185a8f633e89bcbeb0e440054f96ce26aedc37544a0428ade568081f754c2f5a4da0cd5ac267ab608432ab93291e33b7f0

memory/952-284-0x0000000000120000-0x000000000013E000-memory.dmp

memory/3012-285-0x0000000000400000-0x000000000041E000-memory.dmp

memory/872-294-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wywgcUwg.bat

MD5 fcba01dfb37b90efdc504d9e324bd122
SHA1 937cd68974017b9d6625911ad1f133fe2d066a24
SHA256 9e92aa12b1eea1ecf916ca2b608bfba034f7b99466b35ac215f5dc8734dd845b
SHA512 b7e55ff7e4c4c60dbcb850132d79f2cdf2b1cb47ad4afeebfc5cc94572c79c3b883f500e46eb6daf61ecf3381e4acb17870ebdb5183facb3d550f760463366be

memory/1588-307-0x0000000000120000-0x000000000013E000-memory.dmp

memory/1184-309-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1588-310-0x0000000000120000-0x000000000013E000-memory.dmp

memory/3012-318-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tQIkoEMQ.bat

MD5 82b1638c144675f4f696805fdb152d39
SHA1 9aac583a43d6ec0e4b8c2d9e1b7ec716a35825c0
SHA256 b546723162d95fc30131c1b745e00a6f171e93897fdd8245e3badb585a6ba64c
SHA512 a6e4360d149131a1fa28c303344d0bddc324cc5233edd3ecbbfa2978ab0e8c0e3362993daa4bc0a0c4ad62f5e75e2769c843e7b3b46a700695b8bc51684ffa15

memory/1184-338-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2444-339-0x00000000001C0000-0x00000000001DE000-memory.dmp

memory/2636-340-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XAMcEEAo.bat

MD5 2819e04278a1472668cf9c14631145cf
SHA1 d1f4efe081d64a5fa359e9f2d4f85a5098aea4ce
SHA256 2ab22ca9febc7aaa062b09155aaa410d2167462e109ddeecdd85e4a05514f12f
SHA512 b49cc14e82530a006c78b46ed25594ceb111ce7a675caa61976fca7ecf1b36220b159176a7d93c43cbee9f5fd3e411f17be90cd0db6a8c1465f2c79113bd6988

memory/2004-364-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2480-355-0x0000000000120000-0x000000000013E000-memory.dmp

memory/2636-363-0x0000000000400000-0x000000000041E000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\Users\Admin\AppData\Local\Temp\FsAQoIwE.bat

MD5 3f036e1da0d776ba37cc65b0a3301b30
SHA1 e27e1ca44abd3d939b2b4e555a5adc6fcfa0d080
SHA256 9ae10f15d30d15fafacc97400084fe8001e9ff26ac6c9e7d4d1c327549f40ae9
SHA512 4644ed66aae4e55e0ce86905c7ab87096e305c37591c9e9768c60c5b0b6619c01d6ee4630239ffb6b1e2e509650ab3f420d94f84785504e642b7473a7cc3185b

C:\Users\Admin\AppData\Local\Temp\qIgg.exe

MD5 37cd5c821647aa7abb484fd124a6abe7
SHA1 6ed2e33382a782c7aac1f891441e8cf5f809d1ef
SHA256 f59fa3eb06cabb3bd55ae26068ce95056d3ec3d73704de067941db783533258f
SHA512 becbf298d396efb0b74f8cfdb1c6e35d11cb0653dc5c3ed69eaa59fbb737c80f15b4520ec64c6519254d86e0448f004eca1dce9b7aafcdf287757eea24062442

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

memory/2004-402-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2592-403-0x0000000000170000-0x000000000018E000-memory.dmp

memory/2592-404-0x0000000000170000-0x000000000018E000-memory.dmp

memory/1896-407-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2456-418-0x0000000000170000-0x000000000018E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AeocUMwE.bat

MD5 0f47a2463dd825280febe3031ffadcdc
SHA1 178f89407af50d65bb3725fcd0113b528a9d8ed8
SHA256 374c5b712a19b509493f84c1389c0d22f92464de82e23e3d694ec7afdbe1bb9d
SHA512 0dbe7f0c5251284e1ebdffebfdcb0602ff51be2ebc11e8805b224a77f3506512deea9a75cfe55394051cafe293a106b16bec62202f9d22cc69d9da2a48416f01

memory/3068-419-0x0000000000400000-0x000000000041E000-memory.dmp

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 e08a1c20eaeef6dd2214b8aad57acb3d
SHA1 7dc821747687ed11576c56f6436682599cafe803
SHA256 279675ef07a03218ef4c67cdf73436bf00ba35d8a79cf670e30266c839943068
SHA512 57010dac7e5a7c6640f455d873909c01cd9516cbc8302ab5c156a9cd076e80508466a6e584a62249720ccd2b413b3e194bcccbcbbe6b9494507ae1b90eef2e70

C:\Users\Admin\AppData\Local\Temp\bYYm.exe

MD5 e90e226f6c77982b86de5cd8e03bf3a7
SHA1 63e4fee7f8a1ecfb27db464d2c6f632fa633660b
SHA256 38a906b603dc6a22cc04242289f82b9fe97dcf572332c523e8dfdfb6ae551e9f
SHA512 a14512af4a138ed3d720a789281a58a81db7bbf4bcfc9b57900ea8927865b2c68495b084234f2011670e0a2a9fc3fc021c37d47fc58cdac26ddec73dc24e562d

memory/1896-454-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hIgM.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\SYcK.exe

MD5 315f986872aab36ae38bcfbfdb917487
SHA1 f2ca038525b5c98689377c9822c2453bb889c493
SHA256 5e9b99e3fb57a6e223c40db5817e3f733377c5e28654d7b4063f22109076cc09
SHA512 21fcc1eceafe056a79b776631293345c367579ef696228032ef461ab05982a6bddba1ff19dad382f6849c0397a249008afa43d9cd0c5e4a0c9ca9ab8a39881d3

C:\Users\Admin\AppData\Local\Temp\HEgMkIIE.bat

MD5 9a56071a2df43013eed4f2c43c95f39d
SHA1 c3d97a65764d18a22d64574fced2e93de3a10af0
SHA256 3afadb9199b906a7275e143609376aaab3aa99c44ce0dc627f266353c4c026df
SHA512 2d6b86f78ff593cbf8cf16b94d567314164a41db2967e00e0f386517ec75ac1962c9881c33f4ffaad168b559b5e13b4e854cfa934f7db29c7269f52a636e1b0a

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 9e8052e915538ab6038248cd34351e9e
SHA1 3c206ab7e255b88b360b77184614ab5733c026d1
SHA256 1f51b361fc1cecc7b22dd60fbf04a1a9990a3cbcd756799dc9d6d8a94f595078
SHA512 32f6ea6aed0a96f294864affbe53bf0b736d4d62eceef16241cd138a5ccfab2cba03c491432e4182968a7cc45affa3fff39df4fc4d721ef4338da13c030a800f

memory/2980-492-0x00000000002E0000-0x00000000002FE000-memory.dmp

memory/2980-493-0x00000000002E0000-0x00000000002FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\okkS.exe

MD5 65da0f95201889512f9375aca15e1ec4
SHA1 405b1669bd5f861bc694e17d5801ee244560aee5
SHA256 ccb47352c72055ee57444dd991911a8a8b508fff805d3cf7141eb30836056348
SHA512 a0fb4540c95b2576e6d13b7a3326b5fea6b557488f96572fce0eebc87f968d3baa79b628df715fdb74b01e9d1b3a267b2c7aa4d1ed4d1db873ba979da0b3a516

memory/3068-517-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HmIUYkwI.bat

MD5 f654b39932f0018f082f4439020d35ec
SHA1 a86cd4d999a5d50e52092aca52cc32eb8ec31532
SHA256 0fd064090e8e2c44c5fc33ac16dbb624450e0aa13a50db3970490cced814f73d
SHA512 8bf93ab5edc1a618b71f4c4d63d1d86d0fcbd71e63f5de85e3bdd988c93be31e8c78aa3aed1d6e516f14638f1418163e074e44a32299561e0aeea19b99f85d47

memory/868-509-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qMAk.exe

MD5 40009f9166e24cd32f90be57d0cf2997
SHA1 c9b7b334b7579aa7b1cd4a672262b8f404e83b0f
SHA256 5637ecd1525f4176a10b6e86876079d4f1efae91d4f151af823c877a9866b3a0
SHA512 7a1a2c698e6b9a64998163dfa5a3ec2fdb9f7f804eaddb52e121c1397f041f3a4c8670924bbb71665228b13413c9038f0abe7198a18563f569c29c74e420ca1f

C:\Users\Admin\AppData\Local\Temp\vUQe.exe

MD5 be1926c8bff80219bb3d58a579fdbf77
SHA1 df7f80d4a4108c1d03471443c13f2bf7814cf63e
SHA256 c447b6b415fd2e768452001aa25753108faa5703011d431f9960dcbb9537b123
SHA512 192c037e46e2e681394170d9f13db55d463d70b17aa192425c855e450cee005ab87773455cc069edc908a5c2be288335df2a35741f4ece9329ae5ec7a1f07e97

C:\Users\Admin\AppData\Local\Temp\fscU.exe

MD5 37b1828b4ee51b3882e259cfece5509b
SHA1 22720c628f730838f7bd18d126ab4cb1da8ffd4a
SHA256 1b5a9466a7915da9a19430f09ca3fc14f9869f8718453648e9da71336c3632c7
SHA512 27c2e5e42dac5013cc32156a1c13e96cd57c2cd063cb67f54f0670ca3199cd4161b908243a59dd1ead98c739c76de5e511ca9a658c0393bff357275ef05400ce

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 1a7c883f32e08019080a2b9f3beef841
SHA1 7626e8f5e7e27483dd1976d940e05f57fb881789
SHA256 bba66398321726e41dd84797424467a8e22970c87fe816dff82adbcd924c8e0d
SHA512 95e564abff20a732e66802494bcbe4b339c1a49ea2af205e22b00a87fb140e0b59973627bc1900d1d26f0b6024858701de71b0e8bf28b20a851fa8682236347c

C:\Users\Admin\AppData\Local\Temp\nUcQ.exe

MD5 10fb57b53b7d0fddde1c6492d64bcdb5
SHA1 e074f62576f1bfc74a47801419c73e5fbb17d84b
SHA256 5517958c8c41ade69c38860835033b2dcdce01e0f7578d0bc1919828939014b4
SHA512 c0523368da4690d5fd5c41febbefe2cb76f966b98bbd7683e46ed5b2b482baf40c3a7fb358f3a423156d2e4f029db1b9a8902f7162df21c45fc39f973d5e127c

C:\Users\Admin\AppData\Local\Temp\fusokQwA.bat

MD5 89220f8744ab11e00183353c4329df7f
SHA1 cfbb91e7b1c8e319fc4986cbab6216d04726824f
SHA256 bc10d65bb968ac884bf1982bf19ff7e1f5ec394ffc431335c3b90c161639934d
SHA512 7d587df90c54c853c13d35c8d19add72454192b6d0927d949ef06326cd2e1abd86f44287b1b25c6250130e3a856a25b6fade96c9a5cdc2628723f31ef0363d1e

C:\Users\Admin\AppData\Local\Temp\uwcq.exe

MD5 ef182545eb42e3bdf6112fa9c0679164
SHA1 d08ae3e8c385bf499b8f1f29cebc4fefecd1f3e8
SHA256 b291eb92ff250a0d8725f8fa69a514d655ac38fbc4a340346a1938bae33cf4da
SHA512 aa712d72855e54e1b0d951f7a31693fe82bde99fa8af672d5654ec09f46508801ffcb80b9567254692c3c1b8fa9e4b05a72cf91074bedd8611a8d7ced1024b7f

C:\Users\Admin\AppData\Local\Temp\wkUG.exe

MD5 2fc59c9cf51538d4593ae04fdf255ed6
SHA1 22b006dd855d746d2c23c2e1f8ffe67cc7662866
SHA256 37f67ee228492e41f74cf11b6b328d107b5f892e69bd5560ed1e1382a9ceb543
SHA512 cf56904757f0646b84b3287dad050e4caa6677577334981bd365676deea54a696aad2f194fd3d52241ac28c2613a7a4fdbc9feacf5a9c0b2e089a0fd9ccfdf1e

C:\Users\Admin\AppData\Local\Temp\hMAY.exe

MD5 96887cf728caf45def1f0350b38b0419
SHA1 688b4e204455a9bce8cced348347c7a973357a06
SHA256 b6773658e8d386f4a73ac83b9ac4e74643640e16f458e8f1ba18291f3ec188d4
SHA512 72ce07ecbd2fad459ed88c337fdd2e88ce4591ba46746eae71e2500881930d92f7efc55f29f509fe3124d03a02e5f4d5ec6505ac9d29ef26771ccb8df538d1aa

C:\Users\Admin\AppData\Local\Temp\ykka.exe

MD5 fc38705d332df3831710fac3ea3bde9e
SHA1 ccafa4670427938a07cad367f1f57e840bdf3457
SHA256 cab3e846420600e1d3f637341b2893d8beaf4c4385c16c5f78ecefa46d044c85
SHA512 c98ad0e6ddd614586e0f0f581670654cc42ddb2b8feac8c7a9ae37b9e4f7430265fa04d628eeb7271113323194ca5e9e8659cde96bd9ca6475028c324828a90b

C:\Users\Admin\AppData\Local\Temp\BEkS.exe

MD5 1596ee716996eb86efdc86b97a97d2ef
SHA1 251ff7ed0a4bb89f2b9548bf99868e710ab12da3
SHA256 9968c30bdf41aaa4575b87d35c91014d39119cf2f69bbcab358848533dab3238
SHA512 24d2621470c97e23bfb44bbd7bf0c3bf042d39aacb0d7482e5109a598380922a25a1b54ea61c481dd491258b1eb348773c330e66cb8a5b1c720acc7a81845bca

C:\Users\Admin\AppData\Local\Temp\OgwooQMM.bat

MD5 e86a54fbbba914769ca83370f63faa21
SHA1 0cd697adb18ca9337cd62be675ff775bb4b31862
SHA256 f1429738dffaf041fef0841dce0d2afbe13110b02e8d2f5858bcb672fc45dff2
SHA512 57768805b04617257607e4bb53ee6075d69ed9899c760f41c9ecf850d9032006fb2167d3712684efa513178badec2af9ec9edd76a487a49ea415e08f97e660f9

C:\Users\Admin\AppData\Local\Temp\zoAY.exe

MD5 2f457eb97ce6afe6c31fd1c0a91fd1c1
SHA1 b716573ffc092cf263cf355e2002ad416b2e0935
SHA256 88af5a9578063f6e38b0607b02d54aab200ccc5300af4884e781680de5eda640
SHA512 07d603dad9c359a9b963b4feb42c55bc4cc9c413e2ce9c626e97010a01a11f14f4446ff8a025201d9922f823e0010473b7af16a789b6ac12e7991d303720b577

C:\Users\Admin\AppData\Local\Temp\pMgm.exe

MD5 2264e81bd46cfe7befc0096da4531337
SHA1 4986bcbad3f3483d8ba7434bc73873a4e3ebe9ee
SHA256 3e0074d47424bbc844a691527009ab2cef89121c7fc013b6bfbc9503cb3d89bf
SHA512 511500fd9d5ca79315d5660288e6d347a1bc83f9e926f157e26a27f818e2385d58a1b989b37b9dc4dce255b61614c85739aca398ddb2c820af61d6960ad22c04

C:\Users\Admin\AppData\Local\Temp\XQwO.exe

MD5 1a7e1896f0490fed4380e34cab725b6d
SHA1 38274004ae3a770fa7e9ae592c0f3316cb682db3
SHA256 d85007f21de23d0f78a4a2b33fd7c4026b142f1b28f37714a307dd8052be0376
SHA512 3e69ccc31438b86c00632322767f108afbc766565864f9957f4f7f05081811d4a67a8469002d825531799d41f171143fc454f42b90d4328a9eca2b0edb535bcd

C:\Users\Admin\AppData\Local\Temp\uYwi.exe

MD5 cf5159173942116b11e882d5a9951091
SHA1 a69dce3d61b2f4477fab3d9185de8464e7335fb8
SHA256 ecd868c5cb91bffce1e487966947039ec575f9bea50b78d3ac5b0f17c20f93ab
SHA512 ca6336ca8b0634636cd2edb7dbeb1bb20f3a44d2617c049b4e0e3f7dc50f35fedd3726fdbaaf24fdb4f54536904d7379faf84688cfdf16fc0f2428c27c6ac5f6

C:\Users\Admin\AppData\Local\Temp\GsMM.exe

MD5 107418ec43712e8193895a5af5ee58d0
SHA1 e091be18554e60e0c03dea75a9c5cf37634007f2
SHA256 5daab8287db447a2fc549be49a61b9dffbd2eb7fb54ed9327f1285ff8a36f05d
SHA512 2ffee827c6802d393ff27f971599fec524eb358ff2998e9b5466c0b127db67b090c1643a0ec0deba30de477ace106ff1adf5a44e5c7eb37ec48128258c738bdb

C:\Users\Admin\AppData\Local\Temp\KCYokcoY.bat

MD5 4357b0aed2bd926b5c6e8e7ac484bea9
SHA1 a23d2ce8755ff3c95414b34591f76bda346de202
SHA256 5b03882b3018b0b7cd695bdb92c47e381cc4f211e222f465f93859aab84b6d87
SHA512 300358fc159a11512e15b3cf577870562ae0fb669506245812082ea0f7ff7a631a13e9840fe148b16ef7439d21bb8d6b19a6ea64becebbca15166f9cb280f9e3

C:\Users\Admin\AppData\Local\Temp\zgos.exe

MD5 cd575d5752a960d555722f6d17614f7a
SHA1 7f43889a9515fc4af350ecec248d47ca9dd174cc
SHA256 580bde3835bc8a0f0b2061b9421d499da58a2c833003345e8d551963c672020e
SHA512 81d4f37ce8667c8a118f82a45add81fd3ecfe29bb7dc2daf856581e8233fe1037eadbb7a242e7d602553d7bd88c0838f5ddfdab46c567534f6262c1f1eccbdaf

C:\Users\Admin\AppData\Local\Temp\ZYsk.exe

MD5 d0cc4b93c51616847b6371c593436aa6
SHA1 9837bd1284c9fe4b111be39998bdff2d1b9edc68
SHA256 36434468aa4ad41c09116de1565637eb52707accf07cb568daf069dd3e6cf38e
SHA512 3b8e94ac48464a93187300b50fbe89bf322b561e1f36586e88607979e3a1ebf48a81437506a1bd5f7c8fa1e888e30f368e3fea36e3024554313c4d3263cef22d

C:\Users\Admin\AppData\Local\Temp\hoMI.exe

MD5 d32c8ecf08690aee8183aee34a6e0cbb
SHA1 bbac34d3bf3458ca413eee8fb5dc0d12b7bef645
SHA256 e17cdba4f0deafecb3f99e03d795a01b65cc72f867a1c8d53d898d8209d64dab
SHA512 2525b9dcc9ea90eabff462c7c882fce4c6609fd18a440d80c48e14ed2f9dcdaf0f5332d92e21818775c2519567fe2aa487b916449e70e461605918c908cd427f

C:\Users\Admin\AppData\Local\Temp\dogq.exe

MD5 1dc4b47f9aa2cc15467c619e236e3003
SHA1 aaf6582bd5614472e25aad541b081119e324fcd8
SHA256 d93631c3a5e6597b1b9ce5e505ee7c0e7e3d7ef8efd4e7ba374da037c1abac7f
SHA512 b61f521467e51683826cf7498fb1f8b663f76fa410a7b49ebea89792745df7d7445f02f6445b11fd8adcf1287ba437926c801385b47ffdbef1a62ec7b73c560b

C:\Users\Admin\AppData\Local\Temp\yswI.exe

MD5 8435839abe7cb1214e75cf873533875a
SHA1 8f963861a9e5d701102ffe416b9c58d23a18e7cd
SHA256 4d47a71d6baceac4594e0eb4b25b65676f16458e8ff628f75e643427ac1c599c
SHA512 3604183a9ab58d9f96c7cf6dd9d91ca72190d525cf2ca14513fb355f38df7f6e1a6f50b6651e2ffabdaaac3f2a44cfea8abcd801c4b24e48107d7905cc1b3c97

C:\Users\Admin\AppData\Local\Temp\agEQ.exe

MD5 826f3cca982196436d5d51313b0db7e5
SHA1 ebb6e4544258e5029bb06dd7c1713b9ebc668811
SHA256 733266c8d9259764e1a60ea50604cc33dda46211b04ee412fc1467ec0afb990e
SHA512 3948712ccec83215bb20ff6edfb9e1b99a3e34103cb030bd1da2079ba0e881d2fe88d3c300f5d469f70ee1b428efd9f4426d2afc025303c772fa7b3faa29f9ca

C:\Users\Admin\AppData\Local\Temp\QqoIAIMw.bat

MD5 e7fbe5fa227fa73793971547e62d4b24
SHA1 0a45ccbff4e40682d409b67ca5127c956a60240c
SHA256 8c73d8d31991001973e9d7d71fc6cc93d03adf02c27ae35b3cc60a6c5ec6c9e0
SHA512 63dc5dfc390db218efb22505bf95a6f57c13ea45d738b279ba864d99a813a25549dce5fea9ad662b4d9bfaf97ea28a79ee6651faf482406930eb254613ec9314

C:\Users\Admin\AppData\Local\Temp\CgMq.exe

MD5 1b32822cbcc8945eb807d6d367a2b5be
SHA1 8b9d7096eea4394a5de41cdbae86a91b383bc040
SHA256 3944c8b43c6eb8bb5d34e9e5d6041670e4c9332f8681c21e6f801a36c8295616
SHA512 891bbd80242245c71dfa4b2529874200d25ed1f23e496ca43abcc1d15c674246bab86ed7eea8a53e72b618a2af4aeb7e893cea5e67757571620d516aaa405f63

C:\Users\Admin\AppData\Local\Temp\lsgA.exe

MD5 b4468d3eaf4b170a603ebe49cffe806e
SHA1 02fca832e5bd4146bfa854ffe0807f2a0b96e9d9
SHA256 909c3b46db8882c004d37e7831b33386f4559da605fd23be9ef6b1b8302b8423
SHA512 815b58d2d553371fc9ca50de1ecd85aa41151b4e0f228fefea64e8c7c6eae5f1e893510184059eb743844d329eb0abd066834de72325b65b4ecd9c2d53678768

C:\Users\Admin\AppData\Local\Temp\YEgO.exe

MD5 87c8d4dcd8188247c97feb4dff8562a6
SHA1 34ded373a28a7430c2141a3c347a18f83897190c
SHA256 add928043fca4a5fede429fbdd6857d00ccc2f7e499713b64877ef302f638efe
SHA512 d8ecc9758f5884cb5c33f94604cb1a88a36460f6c9ff9358abcf47f95174a1a9c43de8744bfdbbd65ee1a24d2547247f4034a7d5708b60ac990b46d444e78b29

C:\Users\Admin\AppData\Local\Temp\JQIK.exe

MD5 a1d4d782d602ec7b1f7ca7acfd555c95
SHA1 3f354da255a4bca7f3fc1982938cc729eb4a73aa
SHA256 18a69b9b6286d0aa7607b0881d535b10cc22c854317a92259da4fcd07ac966d0
SHA512 08c8793c888c3f7a695018160c639b2e130b74d61dbfaaac89258a9c3f0c55697fd83d0c2860a499203e6545c2d81326516350ba63021d9b32ee1caf2b13b1e0

C:\Users\Admin\AppData\Local\Temp\WYse.exe

MD5 6d1806e7a404745c9cc0bfcb0fc7cd9d
SHA1 07493924b0b8fa973323338e3339b4b04f55c088
SHA256 400fa1971beeb2db8f68489d0f3bb7de677d94df6d024d5eef9002ce1f82196b
SHA512 133edd12143566cb9716a03018f840568b00ecff960664ca520f56d08c64c55003053dd91638ecb0cd785ff249eb6025d1f1c973e7f28d2ad73f60586d961c9b

C:\Users\Admin\AppData\Local\Temp\QYYi.exe

MD5 129771bf14a6f2eae8505a63e6def1a7
SHA1 c91f1cf0e55bdae635c09532e17824871687811a
SHA256 b64ed6beed35694bbcd5b1c3cc4fd804a028d3fa4868c25a831b8b84f546aa58
SHA512 674243609de4d92fc9d2d698a5d4abd012136c00cecb8b82b259b2836e30cc9aae1adfee275453d4695055f9e7fc270f2bf9d3d7b95941fbf9d8adbc2c8c72ff

C:\Users\Admin\AppData\Local\Temp\VEYQcgAc.bat

MD5 ab7216c170821203fe5fb7f603e5ba58
SHA1 2bbda253ce2678d764a838e6343765f725d0d97c
SHA256 ee738946ab261d138444aea92537dd3ce8b2585a8cf3444365a912b5a531c78b
SHA512 136db29b1c8c69ffc01a879af64b7fcc9b3ad2c8d62d4b911e8a7e9b944486a081f2d510bec569ef825e8c32ec6d4689e0d0db7191173b5078495fa9178eddc2

C:\Users\Admin\AppData\Local\Temp\zwIc.exe

MD5 3e985b6d950afeb09466f6b9cc7caa35
SHA1 7b668a51c6d2af433b331d56128e6cb297b5a47c
SHA256 301b219528cf6b7fbadef43e1e6ae074ad0bd4b2a4580ae16f35a046527824dc
SHA512 7ca56f97065f4f275e6687593ea296fd6f31a68003b93aa0dda698c1cfa1b4ff48fc8a51a44de21e06223f73552021e32223816701666537bb152adb548bb360

C:\Users\Admin\AppData\Local\Temp\Nwwc.exe

MD5 ac8a1a2bf11d54393920e206ef6ea893
SHA1 fca21546677a22b7a99ce2d5d4854d94e536a434
SHA256 92f38fdce4462d5876997b2a38d775b4089dfa732e506bb503f2c3d741700ca3
SHA512 b146ec31c8e986704f1c3f6c13cabf78b736a2b52b5c69151a5cfbcd3ddcd122f867aab499a7cebbe18276e60203864de973d15d3d01fb22e5a2915b298576a0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 c68c68a29d20f52abd00abc3120ffee7
SHA1 a56ebc4bd169e07d5636631d8624f3c71a41358e
SHA256 c6ff490c196676c0400b2496eb31811253812e7069aa74c2edb3b6fd3911e10e
SHA512 392c74bbca8c005e8164629ed27eaa1259dcac6d1fda48ebb70ecce7935a87e2889329870e6ffc7e668ac006ab53b8c6b968cff5b15c028330d231b8168a0989

C:\Users\Admin\AppData\Local\Temp\PAcQ.exe

MD5 cfeed6e305539820849e76c5af302a29
SHA1 16747e696a3f2e5066f18085921c7e9f6e6f91b3
SHA256 34a9276a235e92d956261488ca09e272d1c4fa600ebaf3f3e2626b0f10f8ff7b
SHA512 089f181a91830997b277416df7c7c1ec61dacf14ae12ec88b5ace00b2fff5ae252c18f3a265cdde7c3e3e2014b51a6d69341bb48e016b040a9deb283344bb24b

C:\Users\Admin\AppData\Local\Temp\Yksg.exe

MD5 cee141857a5eb1136bb9370991c80f7a
SHA1 1444da405c4e3604e5dd2deabe24f361f996d314
SHA256 8ca16c7ae7818a9538ceafea81c6246676d9dc200e61cc7359100881dda86fad
SHA512 ae19037f763d7d2d0d9111b472843585c8cbc14185fe040b1a5899ca20890ca2a8340035aeaeb666229ae5f7cf31c623f77ace8a7602bc5732dc4576dad3a704

C:\Users\Admin\AppData\Local\Temp\lswYQAoo.bat

MD5 2a2d251b16781d26d1ce9b113b4d69d2
SHA1 fa9b1d87094c81f78e550664416230018f4e303e
SHA256 9b653b802cf6cd3e38d1db30fe25b778878e6c7e2e6f26873027036ac120a3f6
SHA512 c6338dad8eb9d560983c73085ccde83b9b1dbe60fa0bb79ea1a91b68f6d2030da85bed83d2301f931745e48a82e9bed145ba36a2649fb974675cc28eed12e484

C:\Users\Admin\AppData\Local\Temp\Nsce.exe

MD5 38d03b60f89cb5267baa5e85396db8c9
SHA1 150f89a15b705f9d1a36aa96f876636a0d3a48a5
SHA256 f899082a2753063f689d87686084243589e222c72c95ebca15cb0068435f5e14
SHA512 ef4af95226fd4af9c889e0a1493ce302eb858c35a7b636638054c8afbf83db43f826892f24dc53440040c142a1602e4ec9f54b9f311b6b3e4efb2b701dddaf61

C:\Users\Admin\AppData\Local\Temp\KAAO.exe

MD5 29c9f5e6fa77a02bd760c69b2657641f
SHA1 b7cef08f8182ff62471d8b0810a650a3d7f12e03
SHA256 97b339205f22796da0d034d326fb14f21393870ebbdbfd140e2742db0d143f6b
SHA512 469ff84f2595b1f22e865bc482d3640a06e2074f4eb5a5d712bfe11aaa11a5cff97517bfc2be59651a3adadfc73a526ba8c20d4466ef0d3be7256dbe2f49a110

C:\Users\Admin\AppData\Local\Temp\CIII.exe

MD5 ac8896fc62b0cccfc3e8908d2efc2945
SHA1 b62b4fd2224af5650a3fbf6f9ff0936dc51dfcb8
SHA256 47dfdb5289c8815e0a9bcc0eb2c28bf2942ac3b80888550b5170bcbe27a771f9
SHA512 39fd7674175fc3f08d216c0b37441586c694dddaa8639e51a6f03a0b25ee608837696057dc98f6b4ff681c61856b5a56f104c4df3dc545a136f0ef995a6b85b6

C:\Users\Admin\AppData\Local\Temp\cMMI.exe

MD5 01b558453ee2cd643901eec38d8ceb0c
SHA1 1f79cf345bc4ef873cae0e6e92b21e30696cd047
SHA256 df80cc156e37c1f2fb675d9b2d4bd266dd9cef4f5ad3855cbda3051822472a0a
SHA512 6b5986614827a03687710dfbc2e89f1f84735a1007eb59e3224c934a60d57bba0040bf05d408986b9bd4353d88572dcac308953bbcaf28c17f030050f5834433

C:\Users\Admin\AppData\Local\Temp\fekMcswM.bat

MD5 5f652c1ea74ee7eb6166f3800246276d
SHA1 87f2f5a962141a60b15a451d5b846a7cd910c4df
SHA256 43c481d0c58f678d51671b794d1a55c8f898356dc0a1774443a9d0990ca83917
SHA512 523270af6c73eeaa52352ea1286f3aaa06a351d916733ea7152dbdbd4985c5403d42f5007ef610abbdb285c3cfa283d7b8a81dcb682d8aba611737e1d3625b7a

C:\Users\Admin\AppData\Local\Temp\CoUI.exe

MD5 89bddbab585067c5f8655a945b3c2025
SHA1 8fd89ca4bbb84c2143e6901a7b2c5c6657698cbf
SHA256 258f02d1aab8eaec271851e0233a9727682e952b76bef68d9b0622eecaf60c32
SHA512 bf2dbacd2ed8dff1a8d3294872c7683d977ade620cda71de7493372ab9ec8411544a056143e4033586093b29fa6c9271b941a7bcaeb76108a45561e5b3779aad

C:\Users\Admin\AppData\Local\Temp\vgQe.exe

MD5 8b013d13b730bf09e102f4e55828b2e0
SHA1 84a9823a9812a9edae5f16927303f9e50ffb0734
SHA256 c3cc8296356ac3c31c793b598f1fbceb5212b0d52101c5aca47447180bfb3338
SHA512 60eb8c2640247d14f16f0d7c3dff9c252952c5e5bf103092581ca525965472c21d8b833ebaec6787ebf3841b477c04ae8cf04f47b6098626fe3503563313746e

C:\Users\Admin\AppData\Local\Temp\pIII.exe

MD5 926bfcb199755cfc35e22ee30ea2fbed
SHA1 d357659342140c04a6186a38906e7971bcf1ed31
SHA256 b49b6326e0c5b7e42a31ac972ae49ea138da8ad2ca65851fd52cb314b8f0f761
SHA512 ba0c105c29588def88d8abd7a86d308805cb7b4c5bdf827555bb9d316bc1cdaa283eafce94b27742797f873c1ba37f0bb698e5e5c113e0abebdfced57991db7d

C:\Users\Admin\AppData\Local\Temp\tokG.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\SssA.exe

MD5 a84962e9cb20838326129ea744940ccb
SHA1 81f8bc0fb51c1ca59ec1b54ee6676a6dfe61401b
SHA256 ae13b4266305f877b575bf7ca051afacb947cac5efed73c2d729890fd4cd4715
SHA512 87933c312f865a129e639ee92663deb98925943be4c22d6403a452783d9df1c22d65a5d472721f0f64a77cf7ab358699492841fd59f8b4765798387c150097cb

C:\Users\Admin\AppData\Local\Temp\HUMogcYg.bat

MD5 ed98bd173ed351ffc668fe9414781394
SHA1 aa1c55666e8a49bb3c0c20c732975fca86eeff81
SHA256 b59ff692d267b0e2a5cf386aa58bb79003b84bb4e68d5bf5432f2a9190a68552
SHA512 1278c9647e0d5234b35369dda6784ff1df286d110743fe902310d7b9e271c1d6734cba57e8044f6e233ce059d3423556fa74c852706ef6f8117a676516c8c766

C:\Users\Admin\AppData\Local\Temp\DAQW.exe

MD5 1521dc36121d5d89087add032e746766
SHA1 23a258da17d51dc5ba74c8921f27371597790ff1
SHA256 73ff3ded99a03d57d5f1f0f8c8b6467b581269808c545c7e5bea37b17e59c40b
SHA512 41ca5060c4a4edb27ada0267dfb62c1286d24cf05bbdd8fb8682a34a2dc5269a0a3799aea3c18b7fedc15bdf6265537ebd4219cdf69fe310b498534d16734117

C:\Users\Admin\AppData\Local\Temp\jMgw.exe

MD5 f266439bbc3ae3df021779690f1a443a
SHA1 2f27d7a8c06f6b0964bcfed79a2cb7793b0be6ca
SHA256 2b08410db8127e33b658c5370984cbe125ccf8ef583e15b5c81060f117e93dba
SHA512 b916c3f1a3cfd7187c3d28730684c569061b4b175b6f0f52b7a73f5d0413d663322979d907b76bb1e02533645c7b55f1055a041a6140de920b4b46397dd75bad

C:\Users\Admin\AppData\Local\Temp\GUIE.exe

MD5 14504b4ef9d8c0131c9c2ddf136d3532
SHA1 0ebf8b950a43022ffe8f12741f5e2511ca50e0af
SHA256 08bdb10ea4fae2c8b2cafdb3de09727426b0efa059bcb04b60fc15087bc5fb18
SHA512 92e310e0e7c86d2e30aced8d37d4734aa105be8789180bc5fc7d0a87fa9c7de41bd9f8c918a283def756bce172dc2f0b024585dd424e10426a7cfaba0e9e7898

C:\Users\Admin\AppData\Local\Temp\DYcYYMkU.bat

MD5 f4644722fead5e952619f5d0296499a0
SHA1 b34a4a0d87f0b1e12f967fe884c8aef392a8c2d0
SHA256 806a497c98fe6f4632f156a236a2e3871055a485a92c56eb207e54c3ba9445cb
SHA512 7033cff17d99af4c4058d435fe09cb8307fa26aaf3e72f2ba070a409ff6d6660c68b7c54c0286262eeec6f4205ed9d4c2e6649b11865db031cdd9dafc6f66826

C:\Users\Admin\AppData\Local\Temp\tIMY.exe

MD5 f96786f7b894835bb6c3bb90396be5d4
SHA1 4602ce8c70ba3de66ca8b5da4a2494455e592226
SHA256 f901c8c0710b556abaa3c52137f2777c52f6f1ca6f78935b78dc7c3d8c59b995
SHA512 02bfe48b72feb2969e2dc1c4f92b8e20c401d083eade2a314c9d1d6be31ef2d0a3396ef1f53bfa93bf11a4f2234ad175ac96c3ed1d6ad2f8067fd7d5a9b7f7a4

C:\Users\Admin\AppData\Local\Temp\XUkw.exe

MD5 aa3ed4a517f2ea9f2190a3b9980441e9
SHA1 9149a4504146ebb7c06d5ef421b41feac49d6994
SHA256 04f579be02e08e6cd451be39f3c9c115ffba48cebffbe0d4c9d7ce17bcda72af
SHA512 c6bd5cf236188560e9d9f4fc46f142802bbebd50ac9c050713e18a8bf8ccb8f2a3e584f89c630a7986871aa84ad87f892d1d65437a634bdb621d7fa96b8162d2

C:\Users\Admin\AppData\Local\Temp\HwMk.exe

MD5 0ad79bf4af1c397ae93aadbd884d917c
SHA1 7f0835c25944e3fb6f3b05e1601a5097cb32c67e
SHA256 38092f06c8a6d3668b6a30fd5ad0b8260cfe8f2d8eca79dadd529522a6e2364e
SHA512 8b5e73822e69c1387a09f34533bba607c7f2a6023aed43dc98bcee87ec919a953f34e4d365eac6ed47626173e6fdfcd4a2e2b873fb5143fe768cea3f3d4ffbea

C:\Users\Admin\AppData\Local\Temp\OQgC.exe

MD5 f9cb86923b5e02dfaf844f57ab41bd05
SHA1 aaad32508df0617f1f6099b5fdd19c7d2c68bf0a
SHA256 d7fba976d017379817e60f616d3eae5746fe7e65fdd9dab35fb59a5e7ad7d608
SHA512 982a15cb8ad551857730ab320705b9f5bb206af8f72d3281d4eb93825b7713982c999b66c1f5a0ac21b0b293dd654d7e5be88c8b62a18d307fce53036aa20b9d

C:\Users\Admin\AppData\Local\Temp\dmEMYgQo.bat

MD5 218dde1c8279c37b8cb5b4de81990938
SHA1 48b15adf6f5f17c1a0d80e796c038245f416f670
SHA256 cc6b83175fe48e5e4be012b247a4d16d84dbc404a47fe230eec3e5af1aaf4daa
SHA512 3db62efe20e5c1b70b1bdfff865e310e6523beecdc44155c2e538e44c258d20819509dc74bd6d227fe7844a9909852db21f65937eb202858fbc70ced6d556dc4

C:\Users\Admin\AppData\Local\Temp\xkIK.exe

MD5 d9a834b5597bce005c719c71f62ab124
SHA1 ef7b64ee740c3471665ebdb6ebcdc1878eb6189c
SHA256 eab8355abfdf76861346a12a9055d69849d449815333f29afd15eaa58694d72f
SHA512 668eb32b3ebf0906a69bb45f0fd0c3278f6bf1046e0e202150218134ee1c6f796cf0bdd027749248aee6ea0e464002a767e143f68e30e0d701028cc91fa194cc

C:\Users\Admin\AppData\Local\Temp\DkEo.exe

MD5 da2cee63c7c82154eaba905befc1455d
SHA1 25653ef8461a628df1e91225cb3fae3cb282395d
SHA256 217469a3f4102b7e94ed8e1c658f2ed71a75a6fe899505f0af6e71990d72a1fe
SHA512 7c05fb09b28efb71439765ec6373fb76462b8e0f49448160ce0ba1036d40e3947dca320a07f08f36637842adfc546ddef3e96996055cc70b6f0f73948e1cb206

C:\Users\Admin\AppData\Local\Temp\ycwK.exe

MD5 24a7037f3be65399b28f853fbc75574d
SHA1 5f19ee43ae3ca5d279070e6f7ec2886da7510047
SHA256 f70d03985029c3e6b45a586b907b201bf7a52b1fb866012cb25f30e4b86e4592
SHA512 2cdd5bf01827d5c212a1f772e5faa2ce4cf82e8b52de127e072437ce09da8eebb725c4bfc774cf88f5da7eb3c3931acad1c7e9e63343233eb32e9c0ba6cbf865

C:\Users\Admin\AppData\Local\Temp\ScEG.exe

MD5 3bc9ba84a7c4b36352b8613284ca67f3
SHA1 e014c2cd20032307c6655d4ef5fcb862e9c9beaf
SHA256 ae2302c29c2331ac22faa85a2885512ad98d529fdf53928f53de90778f9c14df
SHA512 b7b32e9cb2f53db9fc41c6dfc738296b583cbb43fd0566458447714d26a3ba92ad3d3765273af3d90e25a0b6751deaada5b8fa404e123cd8123e4568e2c1c978

C:\Users\Admin\AppData\Local\Temp\JgYW.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\fcIg.exe

MD5 197b06860dcdb1ddcf68e657fd5b70c0
SHA1 20c100248bf1927aee837eaf221c4e6acfc95c97
SHA256 e9b4d5704eab7b6998e5c464d39825451c0882e50c9905e94a2dae1191a5304e
SHA512 3f36aae54aec5910270d0c4490b3f538b68ad15b6074aac3161ecdee8f310276833c62bb73bff0e7726c5a3540bdea959c20203cee8b337f1a320affac4f8222

C:\Users\Admin\AppData\Local\Temp\zkoy.exe

MD5 e4951fe7fd732926fc52a83188a73be7
SHA1 83a26030b426a0c5517980df37c63b8375f9010d
SHA256 aa5bceb98c28aad484e26fe7e6f8500fffcb30655c1cdc8e64e0c3b2b1c8b96a
SHA512 60a09767e6064ef6018a36a5b7b8c360570af949296d9c66e27634a846748d2f6f33b3a748ca274d0d8b34f9d8e32afba932d1e53b590d9f1081dc1c3ccba2aa

C:\Users\Admin\AppData\Local\Temp\YyIUUgwg.bat

MD5 db8c929bc20809497563b5d467e68c1b
SHA1 a7bc0a379c82e23b0ae461b7191b2f707eebf381
SHA256 51f00e8b4d4fac6739eb1c695cdc1d04855b12fd5c846c644a9c080d7f0ba5d7
SHA512 b72c140c3da39d79e2cbdb9950fd9cacf8eb65b8a0f994c4ad238d9ab2dd8360480d7192b76f029a94d363d096bd48cbbea93184246cac54bd9e2a11fcdb9af8

C:\Users\Admin\AppData\Local\Temp\zwQO.exe

MD5 4dd00ec7551769aec1f9337f0d1c7f2e
SHA1 103ad8b670d663c72685f7fe68f1edef017fb408
SHA256 9a44a14fb9f823cc8fbc37d58556db7a9c74653f02d910c982effe298875c3e5
SHA512 7fe4e44eb53ede392d0eebb19abb55b7db1a3ff5934cb1a46a05c7f85719cba97b9262c704ef04a38d9a987c739b5eb92e5e9cd72279ca4f6a17de482171a029

C:\Users\Admin\AppData\Local\Temp\GckkEIAw.bat

MD5 7738141849cd566a15020e36deed8612
SHA1 ac8b9e6420c570fe1fcc480342b4fbfbee9ec07a
SHA256 8030bebe63359cddc651f5ff2021d48882dfb9bb3a49bb3a13c89f1eb2e577ea
SHA512 a5d04fd9aaa83e9099c682cdce88a44aee16c52ca9a922d4da21c9392a7d19461bb03c4f30396d40221a0d17c0c703d029ed626612b01aeb420504920e2ec8f9

C:\Users\Admin\AppData\Local\Temp\yAQW.exe

MD5 824cde85f9fbec2dbdd9307112f14681
SHA1 3f1254a5a723c869ff44fc593f3aaad56b16b1b3
SHA256 f50608f18308680fd514057cc4dd99899b5e4b06313f2027c8ec8603cdbdda36
SHA512 ff86a5f6e1d750ee8854fadb289501695aea4b04d64e57e4557ac64105f528e8e132e92fb62f5c5b8142e0ac2066dfaca734282dbb8f362ce391bab235e31e45

C:\Users\Admin\AppData\Local\Temp\IAkI.exe

MD5 503f4135061f3f55cb0ba56fdeb235d3
SHA1 1d6a7513cdf76aa0601580bad908b5bded06ecfa
SHA256 48ddfa3aeab7ef32e298a0bd8d36033515c39cc963fa5c494fe66536ee9066e4
SHA512 3462fd47ee681cf11ac1c942fe60a86ce1993f2fe10120a971e2287c94baf7cbc362bc853b8894fcaffbf7d8a6b327eca77d15c9ababf23ed8b11d81bb20037f

C:\Users\Admin\AppData\Local\Temp\HIgc.exe

MD5 3e8e3ee517906b00064b085ee94459cd
SHA1 04800099a802aada9540c64f776817a2b98f521c
SHA256 3e10da89a285cfca09302371d8c7b8436eb72207dece565123be7b093ccf8385
SHA512 89bb16c287c3e4489199a2974fde2d45dc525ef14ca3ccad40b4662f608c3ef4a93495d91489387005d3c8bb94ae9db2fc4aff6b96bd494d95c4f46c972e7f2a

C:\Users\Admin\AppData\Local\Temp\MQkS.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\oQcO.exe

MD5 bf6be8571edf1c5380dd11b0500d185f
SHA1 8668f036eaf937d88293788f259c1ee594dd8d51
SHA256 a1b1068eb57591fa3b38c2e197eed3b21946247f1469dcf079bb17598a62260b
SHA512 837e4f42a0e0bf5697d233961229d026a0c3e1ea9018cd24933da0a5c7c14b9b28a1fd27494ab0b0faba51ea12ef9f4977a1ef1bbde23a9575fefdbde5765b67

C:\Users\Admin\AppData\Local\Temp\OAIk.exe

MD5 c86455653d782150ff6b6644037c8f71
SHA1 3d1dc8806aae5ef3006a85804c4f094f21d410ef
SHA256 3ccd1f90a61e96a537514223cbe4a7beb4b775281487d855d2683eff72103ffd
SHA512 4a3533f29b02472071e8e06b5a00a8e958c1647afccf25ab9dcfd8854f5aa137d8342eee7d43e4f0b96aab0969bcbb5f029c3d5364e3597b6c170c16f97fe892

C:\Users\Admin\AppData\Local\Temp\SEQm.exe

MD5 fb7b5f8f89f0acc88d7d3fba58f92a96
SHA1 c324ee1014ba48eea5d500e8e03e30b2a2d966a5
SHA256 efb98be950e0e8e197b57f8d7dfb60a0952d738bc95d70d3a4836eea302dd47e
SHA512 15a968b4e1e3759a32460ab752eb511933a67a68fb3f338ada4a2b7d7d4049b6a5e93b7bb5b47d6d63ad4dbbbf1f0cd8caef0ded8bbcca7883b411ea63c1b318

C:\Users\Admin\AppData\Local\Temp\yOUkYAgI.bat

MD5 83b1b126428dca9e8a9ba207b40facf6
SHA1 7644f72bfc09e4794b1036816409e72d207f2581
SHA256 21a4413f8dd0038f0468bc0073d8fbabeab4136e87ce2b6adf7c59e34fd73d6a
SHA512 e07775f807b53e5311fc9302807f9200cb1f0296979a19daa50db0d397c68d186af9ed2b98a3a6636d6a17d4a8245a33b73217330599df026f52bf1a6d6f43d2

C:\Users\Admin\AppData\Local\Temp\OMkI.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\wYog.exe

MD5 df79274db15867f10655c114e898e327
SHA1 88d4d67aabd5bc4048e56dc7f6d3fbf4754edec9
SHA256 0d9c93c8185a8b4b32b1736f1c17842f6cd98e7d2afc3457504b363af609e195
SHA512 6f893472d2030581e1e873f0eba0d606b5ab7097965bba99a50f460d2688b038701bacdb0f0cb40beb6ab0fabeee94ce9f4ee22ce14fa68bf579283563dd980c

C:\Users\Admin\AppData\Local\Temp\dwMW.exe

MD5 ee1f2647b51d3c654da41d71750afd80
SHA1 e6dbdf94cf9d85f61ca4e6711927e1014958745d
SHA256 2bea7527cdb3ec7a4dfd15a3a4802ea5ba3806e3beb8a5a245df6a5471937afd
SHA512 3e02462d9eb15c0e665ed070d6474537ad60ec47c60291321ee99a6cb604ceaf381bf0a9f84d4338fc84392179960b782474dae4b91374e346e8ac8790366d2d

C:\Users\Admin\AppData\Local\Temp\QkkQUMUk.bat

MD5 b0a4d66c9b9a5375e7bba532c8ff2ba4
SHA1 c24f42a626d1de04fc4c324ba00fa0238f39b87d
SHA256 500434bb7eae22bbb6e1f8bc96c3df0be2a67403b13151ddf5859c99a1ac8fd2
SHA512 a4f17b66cddf5af5760a0adb07caa58070a0527332765eab106306653ae0136d279014031f4b4d6f0f6ee4e6265f4429120e8ce08b79dc7b5f2a088518f6726a

C:\Users\Admin\AppData\Local\Temp\yMIY.exe

MD5 0bb67f22170b1c20f4fc6e3c6716f2b4
SHA1 0befc548d2112b5dea12e666fe80ebd544828ce5
SHA256 44499698f99c587895bcf8303b7059a0d82de651dadc4b35b97828aee0097d33
SHA512 cae0c346894524f184a8137497a2beaa0c784e9f90d7a7177bc70360ddbbadc5e4be634fc966f310f65d13fc97136b832a70c593551146c98098a7b37c763af3

C:\Users\Admin\AppData\Local\Temp\kQQq.exe

MD5 ea6079e8353e3b0fb602f2085ac76bed
SHA1 7e670dc7415f797c5e2590105cbf950a577f653b
SHA256 ef480f16cfafcf4601098e3df4d095827a2a3dc7ee35fff077aef8f1e1aee6cc
SHA512 189b1678a97c428df7e8004000cc1db6aba4aa3047de8c43721e45a502b9351b3221166a840ac196e555496c70ce56e213e6b78c9a65c9a196d0749861df33a1

C:\Users\Admin\AppData\Local\Temp\jwcs.exe

MD5 4370164028979ea0ce6522ab9a5f2f72
SHA1 086b470504bde6658d4b7a238a9c214ee1997daa
SHA256 3f86222f11c546488b8b4d27bf9672b13bc096352d9cea3980637685c8ea7fdf
SHA512 1107ebab93b9c0330205d4946a3cd80309375272053e6ef06eca9208318afc69bc721860341c25d70a98dfbedaa52ad60b4088496ccc009f3b25c306bff52ba8

C:\Users\Admin\AppData\Local\Temp\TKowosgQ.bat

MD5 7f04ba67d0be12d0f6d755cdaee8b797
SHA1 a26c943d3f9972c36af459262bc68a3abc77b798
SHA256 f4e40f46b72cd682209c6d897cc5a5785c3d07a12720b187fec37de025aea2a8
SHA512 34a8113d3995aba769807691afeebd72f7ea72c2da291c2a2f1063ee161fe184e42103b3e9fbb3bc272b46980f3a0184651951b9fc0ee96a7e0f01c1bf80aecf

C:\Users\Admin\AppData\Local\Temp\fAMQ.exe

MD5 903d912aea628f209dbbffb3f515c018
SHA1 17a395f717788c2783d329e67a0904dbf04750b1
SHA256 21e2568afbde31514d7ee31dae3d0d5ef8a255afb96426548e9fe2d1dda07733
SHA512 94350d3fe005a8b6ad6cd5c9c9bc780191c7aecf0ecd342ee0d1043fd52298f5481875a9d10599464f96be96d58f0033742d0f69a94f49d3e852303af4a11c95

C:\Users\Admin\AppData\Local\Temp\LMoS.exe

MD5 c8c61638eda038a6ef282c8ed4f0e9da
SHA1 b7fdc2708b4fcfe23fbcb881ea022c650680fdf9
SHA256 6b552efae6d87d56f6edff7ec55c664c6e5afd4337221a747bae595be05d5be0
SHA512 a100bba5e192ccda8bace5888559dbe99b99dae1e233655980b4ac37ab05b341eb10897da75a4f729e86a0b484cb2e8c05d9cdefb17c8aee609fe11372d0fb7a

C:\Users\Admin\AppData\Local\Temp\yuUkoQYA.bat

MD5 fed12044482da48d193792aaafe98923
SHA1 8de91a3108f5b2bf03535c9fca776637ad887778
SHA256 c7bd0d63a464b2bdde6d7a0d34b5ecdd47d69ea874bf4c8f1691d8859bf6c14f
SHA512 0faf180d5604a664df308bb809136f3f44cc167dbdd6dc7f48b0cd45133757877c520f029632c61d8291b4fc50aa981f66a66b733b74e8ce5520fd3925faae57

C:\Users\Admin\AppData\Local\Temp\kwQa.exe

MD5 888135dc85b6d1bc45890c0e5666d93f
SHA1 0e04c25cc9069d56d7e58df0a5474891da8bec28
SHA256 59d37ca5263af2dd5eec6998a49fe70d3330cc328ceee7f83352536a038dd975
SHA512 e93c68d840fe97d50f901bae3144ed6fd1a1dc9bfdeefdedf8e34fd2af30dcd3df8888c448cab2f952b0a9e6fcc706d3634cfa1610230e3f472a2030cc621bb5

C:\Users\Admin\AppData\Local\Temp\oUcE.exe

MD5 e7eb2ccba55d6238dc0a19730b791e9b
SHA1 64a11830cfa7d1e3a78966258766e125f8243ead
SHA256 01b59b39becb67a7f0a0dafa56d55a23f306f0467e42228db0087811fcde10c8
SHA512 719dbf706737aa770096dd9919887511bc76d684511bc4a458afcf775e82ed097d775910599df0dce209da2b272e3dd400c7d92dd1fcd355ea9acdc5b7397f25

C:\Users\Admin\AppData\Local\Temp\YYYs.exe

MD5 985e50625916dbf8d3d8f8b2a1448153
SHA1 42a8edb6836687e8e47daafa27b2bd304f223ef7
SHA256 61e07e7ecfe033fd5ffec34186895746cf83c340094a6342900687411d9878ae
SHA512 c399e6f4f856e7b4b8dd8fbcbdb85cacb91946f56b86ed475069d67f8aea83d9e84ef220c76b7648432b25e4989516b4d699587919199162605276569df21320

C:\Users\Admin\AppData\Local\Temp\xscoAYYY.bat

MD5 3db7697f9c532426e3d2e50e60f53cde
SHA1 ae9f53d8af8c2d3c59b7e5def8c3e25e2a64ee61
SHA256 5e5c157c88ce2607e549cef3165df859e44158dcdaa67158570ea0eb6b8a67eb
SHA512 ffa69764a612e0d45c14f35b86a640dd2248c3944de234036a293d05350bed65675a2b04c13d9cbde9cb60759529c25849c672f040c05508684a284a3ba2bb99

C:\Users\Admin\AppData\Local\Temp\vIwA.exe

MD5 3226f7462ae527d3f300186266c6b787
SHA1 ee386fc4fb9f5f64fb344029d24c9e76fc79c77d
SHA256 5102103c445353db3f7f554dbecd113fad7ca46e75036ff56ef65a340ac15526
SHA512 ae71a2924117b87a95134317eb662e03260e47d807f94872174e66f6085fbbaf1107c65f92a1cf8493766ab5d625ac1c01d8fcbfa0288826cc9748b823b3171c

C:\Users\Admin\AppData\Local\Temp\FMcc.exe

MD5 8d739d62498fd5b4e47bae9f82925c68
SHA1 53337ea71144f0fad5c90607e243c47c34eeddd0
SHA256 aa7858ba8a9798d31733cb5cb7524b6cf2ebf4bc911bbafd886b9e825e06093f
SHA512 5e26a6ed41141a7ae0d1e60fa445fcdddc264ab7a464d1454cdf49fbcf241d474da0bc45c3e31a4be9d9262daad9ebc4ad33a3fb2c0c8ec9ca603010be3e35c3

C:\Users\Admin\AppData\Local\Temp\KQwa.exe

MD5 c5efa99e1b3b2e46ed3c13e21da65d43
SHA1 9eeb928dc90869d1e467cea55da51bbc9c784d89
SHA256 097fafba3830cbcebd78b739727e745a9a61af4798bb8709c367f937777aa40f
SHA512 02e0f49e4ef85a97286c7cea6708efb01186a841b3ced9312b573d35d6945ede301ba7421ea313acf9bb6ca20bb7a9066410d130d2dfdba206f7d0072362022d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 343ae86d053a449061183baba3a01b90
SHA1 15f22c7ce3193abff8532b89e6c04f6b20a8c700
SHA256 f1a5c3db6098507e727fbffede594ab9e8160905f1050a65071c811af029b83e
SHA512 579c171b47e635ca6d45b3f0bef194aebdfa36a352a2b16f75a7bafa0618bdb0e6db2eed9bce4d078514cda82d800523cfedd3092bcdcc6a3f8426e44241e31f

C:\Users\Admin\AppData\Local\Temp\xcEo.exe

MD5 6ad26b1b870ea68d63f45f9f4beaf6d4
SHA1 bc729c478be4daccf4d00a330b7898ddd44cfd65
SHA256 dfbe6b965bcd8d9b9a2604f58c21ba4a3009f82faed8b7a6e354b73dd0a4a0fd
SHA512 c3b16bbc9d14d8c94c3bd47a63c4bad49fa956acf0abfde77047c2acd506c8658a5af50dd6088d7c07f563d434622178106c7108d1ffc24c3dfb57ff5dd65e9b

C:\Users\Admin\AppData\Local\Temp\iIcO.exe

MD5 7ad22a3cb2b5b010611eb1ec70e9c13a
SHA1 27f356709a3987e87a7633467662adb5bc3011b3
SHA256 9ffb0bff06be72b506b6010a00e77897d890d1a38ae8e5969d8c2022db462af7
SHA512 25398ddbb2038b68624c77e723b8425b5923840194b36fb8beaa6f31555e6e1e0ffe11efda2f468c3af50cd1e8d3dc1a9cbd9539260569a3a544a64b9698ab96

C:\Users\Admin\AppData\Local\Temp\XqYMQsIc.bat

MD5 2476bad92b1b2dd411cb794ea1bbea94
SHA1 46463487786307586c7baf95a32ddabd35944f6c
SHA256 47594685fd68fef1ad7a0c60f9ea00c28d8e733685880c810f05e0db59780f77
SHA512 e3237d74fbcac769f35f48dd9fba600b72e226ab39fceb4be15306b1a6ddfd3a934988f35e676e1fc6a3f8886c9bb6c4382a4046927b5879585f9a8983aba716

C:\Users\Admin\AppData\Local\Temp\wogA.exe

MD5 4f0a1d763acd41d6d20ab1b34e4833d4
SHA1 8c9a0a3f80b9c55cf726c692d2a749b706287060
SHA256 48ec236fdd75dab36a860756dd470ea59181c275cf3eb390f8d61a80966e4552
SHA512 e69010751ba39c98d30d2e2a65b7463fee59c162514fccdb8ae81932617237e621509fa30c9e7f1e2e0f8460cfb27e8328aca5ac9d68f1cc4847634696565927

C:\Users\Admin\AppData\Local\Temp\PoEs.exe

MD5 613795df4c6fa1685a73a0301060fce5
SHA1 6610178b8bc4f42868cdecb3d7b387370d49c978
SHA256 e2989ade81c88b766d71dedeb46ebe1b27fb15fcad999178837d62009a4a644d
SHA512 cca26365c6fd8cb9888846838bdb996e726e8adaf6803b20acd5c1c2bdad64137ef0011cf208f3c48a5f8f0c4680c935d7ea25b32b059816b0e7b8ee3577d430

C:\Users\Admin\AppData\Local\Temp\rwMoUkgU.bat

MD5 1c2582c596a70cb21dedc22e55963594
SHA1 fee4e026f2399ce010480032a8d8c89bc28ad0fe
SHA256 2740fd49138da11437f3dcf0c0ff2e5ef4033add2c881402b94ac5f9eace125e
SHA512 2ca45fdde0deb49915b4e9d557037c7a25607dce7b7a09a4f2689975835a4d2bf5086edb118bd459bac319a867ea66e6dbef1b0be69b40f1cec7dfeff20149c8

C:\Users\Admin\AppData\Local\Temp\moIW.exe

MD5 19231529c68e7ac948284d0df882acd4
SHA1 14bb740b0c239fe47fef25a099c439459a24c026
SHA256 1f3eed7ae787d6948efe0d7a64840031e1059b891d5a4830216bc4962a9afd7e
SHA512 39ab47e236ad7ae7294c391e81431c1feced07f14e40e798445906e2deaf1c20c7ac1621998b83a591a3569024ec7d3c002e4151dffc3cf2ec34bfaf2a8b60eb

C:\Users\Admin\AppData\Local\Temp\EIsK.exe

MD5 6d522f25da2116564f92e7f9fa0679b4
SHA1 fe76812d30488f89f49dde074498d3c41bcffad0
SHA256 cd4e19199f62155a1e3684643435d6946c6bc64fdd756962eea4e0e7fc318052
SHA512 576f90af7e4b5fc2af26a86b9e2bee25d6a4afd35262c7eb5a874c8a123776bc137780a52d530e1e27bfc2fcce82bcb90fc65dc111016d952cd0f88da5580430

C:\Users\Admin\AppData\Local\Temp\SsEc.exe

MD5 91fc9f62bc68b8365b4752efc4243614
SHA1 a9054e139d67817b0588c437342611c4f0ea43ed
SHA256 52c588a79df6f39965784eaaa6a11c6b16d9c4ce1239d2e4b970bae2afbfa523
SHA512 1fc8e3e7471107ee371afcda7384ccb8364d0aaae103154fa7fbc9b0a2b8cc0d8a7f081025a88b6b02fd1326e46f7c006459a764f8ba3128fb3865a3af33c6b6

C:\Users\Admin\AppData\Local\Temp\USscMosY.bat

MD5 84abf2213f60587b2bd59bdc2524dc46
SHA1 3da4410fd8f6672ac476b5e61b9a591db1ade0b4
SHA256 63530ffcc9e56ea26bcd0884ee0c9b900f4d270ce1f61c08c663ddfdae82c4ef
SHA512 2c2b2a692c9ce7244caebc4f84143129833af754fe61c4016311d03b88634d0846c2594588d9aa3ef62f9b393dcdea8913872228317a767c6c73ba56f96b8ecc

C:\Users\Admin\AppData\Local\Temp\ccEQ.exe

MD5 ac391b3780c33cd82cd19a446ecc6c00
SHA1 897420018ec185953db817cfd3130c6247c71fbe
SHA256 6e6e42e2a8b4f2b4921082c65fb99d22f09263ace23da8a5faa541429669023e
SHA512 6293582aa1c936c1e01ca277c4622e837d2a9affb807c6e53a42e32b81142408882e9b1bf307c7adf6501a8e5fcd32620805c663581f85c62663e6130154d66f

C:\Users\Admin\AppData\Local\Temp\OYsG.exe

MD5 bed142b5fff349fb3b8597ec5fb2be84
SHA1 f341f65e23501d2c479f2f13a819a4e65a627b3c
SHA256 c7dd1c41e5c220e45b39b0b92a4c628d7dc7939e7448b758d5126926f8d57c51
SHA512 fc966b4d6f2226ddf800281c521c2d82dfd5c0c0bab0a9b53d1a4461a153b720f79a8749ea25bf6a1b0428c26e24976f5607d8ea1f7860f992b9a223c599666b

C:\Users\Admin\AppData\Local\Temp\lcAE.exe

MD5 898f8e66b370a15ef80a8140bc6040b8
SHA1 4b7d0599434a9f8d5fad8983df2a7fdf48ffa010
SHA256 c7afaa93d532792671b8f64ea25e4f5874471048eea5d8d6d2198365e94595b9
SHA512 c88aaac584415a9183c9f78dc74784fa577445aad85368937e2731a720e9ca2d0eca7ddaaae6b6abe1c83fac293353d7f25646c21771d8b0ca06e37bdbd172a1

C:\Users\Admin\AppData\Local\Temp\IMgc.exe

MD5 1a01ef89bbf3e48c855c74293cebd2ac
SHA1 358f7245a6310058554ff0b5c48bc3485ae985ef
SHA256 ce229094f47f8f5f23004ec57b9418de6aba20582065f2e0a7893bf95328e1e6
SHA512 c708775e5d0c3d5545ea1ee2dcd16a07e7579efd03e4f4caa474edddc50e84ca5a7179eed120e17c1ca80cd13ccc90040bd9c018c25099c3c29ba90784162f28

C:\Users\Admin\AppData\Local\Temp\cEIQMIgw.bat

MD5 7c834092ae4fcca0032f89f546d6326d
SHA1 0b82177930895826ca60f76f5d58d102785bda9a
SHA256 07e47f301c51e0e8f2eb86215a44bac11686eb2443635c4df62cf6aabebc8127
SHA512 27bfcaa562e06a8d180da04b0d69c9728a24ad2349af6c698dcb1dc259598aac5d50cee3865891bdd75253a107282b94234170a0f41f53be6411341fe34ad172

C:\Users\Admin\AppData\Local\Temp\XcYm.exe

MD5 0d4b33a4a42f49132595181b88aa7a6a
SHA1 2b889852247edcfcbe2230c10763373f70ea7a1c
SHA256 94e51a761cc625cf4d9f2a2db234e0575ad5c7af3649666140a3847601e76411
SHA512 b90e3ca3b2aee90073575cfd992cab0d4a32b6bc076e5a2501903ee27e4835f4d457f1f959b5dd45b3fd6d5cad89380aaa03e0dfa6e1fd1261fabde7d6fdc464

C:\Users\Admin\AppData\Local\Temp\oAck.exe

MD5 aaa48ea5401c5556251e902ea2223452
SHA1 e0a57174c61d49d7f013d6c75cf10f4c57b7cbee
SHA256 3205f09d27b5bb425d4ecd07830a405fd0ce6ae78254e324d418597d97ba147a
SHA512 4e05def2183dda2a22cbe572cfea782a4645c04d4b2dc2fd5455fd452f6e2fb76861695c80fe595e8873885acea8e3c35370b2f575935116413e2cbb3e11bb21

C:\Users\Admin\AppData\Local\Temp\PUYQwEAI.bat

MD5 a43cade50c3a91ef520dd757d38c0b51
SHA1 35aab512a493367a51aac4fd852f15a50335b280
SHA256 3166bb77874c0d9102c017f2e620eaf9c5f77a00d265c8756ba2fb9ef496e821
SHA512 93e832af0fd4430c7a3232551bafa52a63638afee237236a38f9696ca946e99ff560e4749c1e0cce13314ce1afeca11ab25b90c9c0f16b8c6221794ad50ca5fd

C:\Users\Admin\AppData\Local\Temp\YsUW.exe

MD5 bea158ee91d42b284c839bb152910364
SHA1 d1c036c08626fa074d9f7804f1d958481c6d44a0
SHA256 82c82948768a4f048ea064fddd3beffdaf813588f6963d0f6e6d9a5de00274d2
SHA512 51087802605b9e1dce1efe6a6b195cf2fb0b22681ad28b9ea9b18f3f906e27acda5d50805c5f3dd29e1621547f5cc5ff428c5fcfbebe43c60a81228a13e57274

C:\Users\Admin\AppData\Local\Temp\qIMO.exe

MD5 d3e881683336498107f1b89871fa6854
SHA1 49d8a267b98cdd232139ba62e995130b8da0e97c
SHA256 f86dadf6e1fdefd48487fe6a5550fd4ccf16dcb24bcf0d3fa72b52741db12fe5
SHA512 33a457407680672e150036a643b112f2365aceafb3b462dc9ffe490e3f2c03f8d61c3060dbfc3a08da97823025e45b5b8db99d214d080f7400f460c2f8d99fcd

C:\Users\Admin\AppData\Local\Temp\soky.exe

MD5 8191d6c58e0c12df6456ce22e7636fb4
SHA1 3617a87c6cb5cf27637f08cc57806ae739494ced
SHA256 d75e6f3ba7f7d04ba714ca5d4994a3d4835df49daea0e7e7233bdfd05be2c5bf
SHA512 ace7bf3465a10ee9166396d1126626850f79e982c2a47f0196e97b56f67967c37c56bae3660e8a68c200124e44a24108610a2c6da7833ca2e31c0c11ab29d5a3

C:\Users\Admin\AppData\Local\Temp\ZocY.exe

MD5 021f436a5fb1a7f5d45cf44b880e6787
SHA1 7f682b39e46555dc034ad596f3f8710ea82fdc24
SHA256 80471f2b6c49d3b32054b0c4c95370f528e8b3b94050febc0c989d50e26737e5
SHA512 82135707ebd15372efcf3ea935f246dc808419639b1064ef446066d6873d6625357c3f879baf405b40fe5099237f2b9aab9f2d47bd9f7998d6a6f1e3b3feef64

C:\Users\Admin\AppData\Local\Temp\AsUu.exe

MD5 c8ebc903d754f357f7aa4c1e860094e7
SHA1 e096451492c3e6a043702e79df71c4f08ded4f1a
SHA256 34e45d14561bc1ebf9cef0180ce92778a2c2e2a8be68b7c5fc5198e2576eec55
SHA512 7887377e73e7517d8ccccad470267177e11b39ac5dfcb9e38f0ef9ecb5db095e5fe66c62c164b7f1b2be2c8ab85afffff4923001e027be0c968c794298b3038f

C:\Users\Admin\AppData\Local\Temp\twgm.exe

MD5 7a6587232b4dd9f3f9c43390d723d516
SHA1 8520c3a0b7a328c738f50df9dba924ede6cd1486
SHA256 26a3d5561f94d5bd3de0f6647d706d3e98d317f8ff9ab6546518ecb0dcd5a9d1
SHA512 da2c5838ec5f48a3ee69be6a27a9c6426e65be8fca02017bd850262e37b52a8393a898f8eae4f0b819206b9f1579b62d45a17a69ae4e295974553024fd93a349

C:\Users\Admin\AppData\Local\Temp\tEEwkggk.bat

MD5 df851e1b3e1688ae64be8540c07471b7
SHA1 7e92b6751102481e2d595439fed3b698a18ac333
SHA256 5b18b7fc3da93fd8c46a80903a9d9ffb4035759b27137d0da67f6df9e9cc140b
SHA512 123fd33a5a21ef4fa30b48d2e883f5ebfbc2d1710f1c3f1405a7a596226108b3a3791bb473fdd8bba7e94a890a6709d27cbcd91562809a6d7845672c55968851

C:\Users\Admin\AppData\Local\Temp\CMUY.exe

MD5 77d77bebeb1352bf92b93876b0c3376f
SHA1 e51e2a6c930195043ab035f22e074442a75bf917
SHA256 b29bd1a023437375176f6e2c42cc7e49c6a789fc2c8ef5cd6029a699f99c1f70
SHA512 79bd3a8e8cd92a827bc8720a54c748031c1a4735f3256f18ddaf417a9d09525a40bd2e9b5925b92833f82ab5d3beddf26af5aeabc9cbb7361b1be4cd164916b0

C:\Users\Admin\AppData\Local\Temp\qMYU.exe

MD5 3b1cd1239a02d43d6a2e60b57066a382
SHA1 00b7332a3fd4923d974364723846efb3109c6afb
SHA256 a6ae426f8715402971638b2a6be2d47645819302a28b6f219623c752367f6121
SHA512 be7c027b9e43a5fdc5a1f9066da924465ed280357c10cb64e82a2872ac46b35565323f55f9f6bade652d058ff06818154f2d2c5db2f853c133691efc061de454

C:\Users\Admin\AppData\Local\Temp\GEUsscgE.bat

MD5 a18e93d0eeb36e9cd641cfccee10f947
SHA1 deb4f1255ac73dcd5baa2f45e6a2aecdaaf0464f
SHA256 72a065aa436b28f6517f6e7351ab96c20d2409390b6a3c87cd13f3a0ed5e7acc
SHA512 0737099d7f5d7d245567c2b1c41d288b3de1f1a7e23baec67232c525e65c89d229bd3db407a648cd03fe7eb5965238ae8b9b6c9cfee45d50088eed5713535638

C:\Users\Admin\AppData\Local\Temp\pQkm.exe

MD5 e59fd6d3d8f9031bcb2fb231eea20e10
SHA1 aa6e89b07629919e6f6c238e2bf55e90660a742f
SHA256 87c8e5ff22d57864c63636c5d6d0a49881f20809bd058ead3b70169faebd656a
SHA512 f01f47093a020ffa162dceebef866d4cd198f338ca6a209bc720368802a8ada9ab45eb10e7c7b745801b06021f6df1be8521e9f528f9b50b05dcbfe2e4140c52

C:\Users\Admin\AppData\Local\Temp\vckK.exe

MD5 dd5de44166768bb919ec61f98a5ffb97
SHA1 972e86f50778de8ae8786c4f0ae46adcd3fb40ca
SHA256 afceb92b393ab773153dca11dd395b8d515141ab7cf5f2b713d58684067084c5
SHA512 1893395e9a6cafb19ddff71a949e525553513e5cda835329379e3c2aae22d845c7b13ec2170599367d2a97e575385f32cfab60c2a973bff62f26511aebc119a1

C:\Users\Admin\AppData\Local\Temp\wSwAUgQU.bat

MD5 4b2bb26b664cc8390c3050e5d21d731b
SHA1 64038cd531da0ad97c45aa23cacf844c91ccce1d
SHA256 f874a38cf55072b451aea13445d33e38f997297546a34a4e2b11720fd1a10fc4
SHA512 1160baa16551161b5b1f0d623561f73e0d9bb9efff55f89aff9ba89d9ffb9a40a01ecc2ff2c4cc312b6099937922b2a4c3ab9b2f8a3acb02196cffe9bfc3c577

C:\Users\Admin\AppData\Local\Temp\nQoi.exe

MD5 11a66397056d4b69224e1f070d212b48
SHA1 fc4d562004a547a5142fe07c994e67ed4ff3d00a
SHA256 5dbb25e384980a12be9b94a95cd3dc262d2e3a3e30fe6144fb254c08389d0259
SHA512 72204ad764dbbcadd208312d3062aa9db87d45ff408657ab6e5db606ab2358c4a8ac214989ffb127c1457502921e769957c80740151c7df59ad0c4401b8d6ea8

C:\Users\Admin\AppData\Local\Temp\kUEY.exe

MD5 0fcd2b0e6fe3614e1b6bec97db1ffd72
SHA1 bf1056759b2c4a23b82abd3a005ef32c818c16a5
SHA256 8b9e438debcc2f6ec8954984b23fcc549b7a46f5010f46f3c1b8f530d11afd84
SHA512 f482483e02d3c5e9f6d2263bcfeefd77ecae470f6ae1868f4ad97db1543dac0fae4e700ab1b66409605cf5b5859c30d5c6ad487a19fac79b0079a166b18b6b8c

C:\Users\Admin\AppData\Local\Temp\rwsYUsoY.bat

MD5 e2bc9aa4ac5a8c40a2b16ab31abc1a98
SHA1 51ecd50617e8ef5da1d09d3d8f2ded5f93e9d58b
SHA256 46cacdd86fd50bd65ef6db74a6ff18179c5e9be5a858ba317647049643c1d001
SHA512 0c6908b2208f54c58491545e7ce82df913b4bf3f66e6eee26da148d26b6951d401e06bb42f336b665916d7dc70d9d0fae3ef1e4bc5cf36b358555a42dcf94b6d

C:\Users\Admin\AppData\Local\Temp\jwMi.exe

MD5 0e466a9376f69322fe51561bd7b95171
SHA1 ab47c1c84733ddb55cb86f442a8fcdc7864a75fa
SHA256 061916e955604c828018b5cbb2d98db0120af97866604c59725e54404b3c9bad
SHA512 6f920278686e3cab68a69a730a3d6bbb96d40f84eed754bf6c8757a3c2f36688b1e020981ef18ada1541cf0a2d4db4175d4016b850d0fcaafe5ebfb239ae60ea

C:\Users\Admin\AppData\Local\Temp\CMIE.exe

MD5 0084316a41f95d17ba2273ad7be0d984
SHA1 e32501acfd642d885e9987f57d50441e60cc8bcf
SHA256 54dfdf39848804dddabfceda9522310079e3b831cecd2e20acaff81835e17867
SHA512 4084edab2b021e5b202afb9a5da9b65a9da7178d8f31959660a500fe8f9f95c6b783409a6061458e46bfe9e2ab46b388ee5ccde407d7cded398f45afcbc3a7d8

C:\Users\Admin\AppData\Local\Temp\iUwQIEoQ.bat

MD5 ec4ea1c489e9105e16184549610955f4
SHA1 e44eb1f29ddb5770b4c1c2d97336cbb4c0bfcff3
SHA256 b3fe105c538a8d027b7aa755fcf6378ec779102514cc005dbfed2da543d80ac9
SHA512 0c534a3c51a924133bed37af58e5d83d95fcd3aac00de3f961e1b945055117cdc0979e13f1327715e8aa544a766bc1500d94c04f451edc5a84c361333139b1ae

C:\Users\Admin\AppData\Local\Temp\BaEowYoc.bat

MD5 2c6869bd17eb8d481771a8b90083965a
SHA1 aa029208fe04c0b6a84b4a4108922ca88ba402cd
SHA256 1f90d9ca014a5127f9c5feb68cc61f71c1bf6f6ac0091878dc53e27a4eb6c4e7
SHA512 114204e629c4f9f587d7f59a39328b7be7c1a82b1fff0aa347b103c972780815b266071c6c265f01f9b0455d957c33d5c49fac858f48fcbcb8e1edd639f3377e

C:\Users\Admin\AppData\Local\Temp\USQcwUoE.bat

MD5 1963e076a08a3758fa4c3ee50711299e
SHA1 e2b8a2723dabb919d278bcb3da4463ccdc3e86af
SHA256 a432cd80f2675eca75930c1315e2fa71399f5072d386d0e46c744e0c00c5cc54
SHA512 fe10a9aa8c76bb3f3df97676defa99fae213df813693ab5a7f4d8b3471e1fd501352fc2c6c95626b03d2a9c1f8dcae71ced56fbaaacb36bd05294a89d9ef4bd7

C:\Users\Admin\AppData\Local\Temp\aEQK.exe

MD5 544274a6e5cfe9d3179c682078ad1f22
SHA1 4e1c119a0461906d28005bb3702d7620e7217d1a
SHA256 b265cbb081039979522f83f98961c9b95a4af24c8821061cfa6eb191324ea87c
SHA512 ca7e6344bbcd86c3db0555051cd2ef52285c575c4a002a9d164ca3b5911d4f3c202366a9417d12005824ae6365d953245ece15251b47ff993380cece07e5344d

C:\Users\Admin\AppData\Local\Temp\CMcs.exe

MD5 1b3e72040057133c6c8ee200312ef7f2
SHA1 0ff761244636279d50628562565c67cfdfb95518
SHA256 b9a3b28e4ad6bb56cf0197bbe44464296f68e8395fbdd5b04b1d750849859d15
SHA512 c8a1e2c59723c5174c44bf76401f3344c9493516a9efa7176f0721a255d89bc5cea4a7fc7c8900cb2ec4c9cd425ab539d8e9d4789e048ec05ae7d37c8a35cc16

C:\Users\Admin\AppData\Local\Temp\mckW.exe

MD5 308dede11dec7a54074ce06cc4119d99
SHA1 173a205852aa0dc69e5f83354c44b521e8284cc2
SHA256 27b3c360c437a888dae3f3ce749e9e50b5f147d96c79223a74eafd8a7388e73c
SHA512 7973306afeac28e692e896cc197299a2c082844e256684e4e8e89d97a8ee95f009d26c612f1d08ff92ba66536a86e3ef7c3111b0a9457839869b6c15e2042d2b

C:\Users\Admin\AppData\Local\Temp\bKskUAcw.bat

MD5 aca8c0818bfe3b269c6fb2ed66702a71
SHA1 5050d83b9271b4df517ceb375742b24e9035d231
SHA256 421ba7f57fee6aaf1573c885c81502896f4088668b2efda382ca40236919d43c
SHA512 d79e87e09a0a52962a006c33a672f734104abc70c499fd2f3bea4ea1befc6a47a5daead36895810e0d1fd48d8f36765f7dacd0728b9cd9acad176624b919c52a

C:\Users\Admin\AppData\Local\Temp\qooI.exe

MD5 376d27fdacdab728365dd952ff52a8fb
SHA1 db6da4c3c4309c8ffd5f4ca9bf71416fbfdd2320
SHA256 555723ee1510cdecf6ef9dbd6cd4a92b857df00cbd65ccd31acce28c8593ccdc
SHA512 5100942be9bb9fd4814a35a6bd0e6dd54d2972aa5976d47fba05885214bda7a52d52dd349ec3b7894b9862510d606f81955dac9b9ac4877842efdf70906eecb3

C:\Users\Admin\AppData\Local\Temp\Dkge.exe

MD5 ac5705651e13f0b67b2062e939b91893
SHA1 689398b631868a96d6cb6af252c9881dd7819727
SHA256 7dca5daa8bc0e53454149ce4f9cecec66c35e36ef27c6d2b29e1a8414eb9999b
SHA512 bf6091afe5dac8a443c5e9975b91c233c0e4ae9cb12d8bc0654a58150094f05bb35eca4df49181524e84b5b5973e294cfc2f97baba986fece6990ba621b88148

C:\Users\Admin\AppData\Local\Temp\UKUAgogs.bat

MD5 726b94abf8f888a565a8a79f64adcbfe
SHA1 4d6be7791e9e3fa83a0d5aef908dde5fcec4309c
SHA256 1f7260132c5d2e93ee193699270902a0424c8100a32f6421cf8fe34c26d4cc3f
SHA512 14aaa6c66a788d80bfa7cc66d2877d14100021c7cf3f09a6451caba9cd98071ff56996aeaf245db8c16640dad82d64fd90f12c1fded9626a708787930601823a

C:\Users\Admin\AppData\Local\Temp\fUwq.exe

MD5 da11bd399c0c29ef1908ccb15a32f2f9
SHA1 2135f358a2f921e1a08a1a7be99d578b3e148fc1
SHA256 6150173c9bbc10ff76fa1d3000a7e71b9e59e1e13d2b386cc18537eb5f100bc0
SHA512 8fe05a69bcff0ccc8a7aa7d2f50a91a8fe7be8d5fab14bb809b85d55534087db8b8e372e5caaccbca0dc93ab0adf91bb50768e4faf5e8646517c6c8669c95c7e

C:\Users\Admin\AppData\Local\Temp\REcS.exe

MD5 9b0324eec9340c85f24767ef58e9734c
SHA1 8437ed586f9a1aa21d85242958256ba7dbbb3077
SHA256 650871b2f09a6e0e4ca300d8b8ea0ff97e8a3362c0a41e1000f58b5fbc3e8faf
SHA512 c74ea82c4b5df6c9c54f8268038e32765ff19cebda0fc676fa5ea2920d43f0642843bd2fd2652b9ca0f5caf76c799d53385c71ff0edb00884ce8d0c9822d9e6e

C:\Users\Admin\AppData\Local\Temp\Vgsi.exe

MD5 58fc98d8d38e4be340198e220601848d
SHA1 b756d69594bae278aea73dbb86ad50fa77251d7b
SHA256 90bb7f41974c2bd895bc626dab3151027f43c8d42ab927ceda9cd71daa35a8e2
SHA512 3e13c2ca0287f0c4f51425389c33fa688e80bce888dbddeb33befe00b3c5bc140d7bd6a1b12f87bc7d35bc317bf0422d7cd73045ba27845221db6d7f455caae4

C:\Users\Admin\AppData\Local\Temp\nEck.exe

MD5 a69a2d369c5290b6c14ec54944b12455
SHA1 7c2dcb44d4738e1dcfd1780f40f0e77b8ff7bbe6
SHA256 c665f537f4ad8f523dda7f5e180e8a54194d3948a6b76c4a0c8bb670b6284c92
SHA512 6ca8dfb706c58a4ba38ebc323dcaddecede9fd4b60d54e6290a16ef70aec2900e6c76a8065d9e66d44dd2b00eb13fa3f60620afe81a7527caf699d2182f94098

C:\Users\Admin\AppData\Local\Temp\VIYk.exe

MD5 23451f577e06dede48c109b00d6c947e
SHA1 2243af191397d61b61ad3f05c5c1e9329246b62c
SHA256 cbf8a68004e9981333cb82cce3ae813373c87f657ad72bd66f7738c0145221b0
SHA512 b80e2159d4d36f5276cf1b2a969fa1ee204a9b8ed14edabab28b9f56914d7c0bf7e967c30cc772138f3ec146dd84d52babdf6e029656d12b1c8d3d1b269420d1

C:\Users\Admin\AppData\Local\Temp\fkIIAYUQ.bat

MD5 03bd93dfc1a7dfccde1913ce661bd622
SHA1 32d8288bf83e95357b8251a54a14c85fd65cd169
SHA256 a32ddc03700d05d11525f21069522dd5944d4cb96d20177bb4fe3a1a299471c0
SHA512 073b6c3f77acd183b468c64290110bc79a513247647e065ec9798f949751d47ce927ee98abdb21639f0897ec9784ba38fef2724a6c4c1d3f44f006d77f9c81a7

C:\Users\Admin\AppData\Local\Temp\kAoE.exe

MD5 551f8bc2dc95771476f0bce7b2c44f94
SHA1 2bd9a37704296c59eb56cf77d5c0f98a9dc747ce
SHA256 946d8ed988c8f365e4100b81a1bea72bbe87786fc25d6720ddddcdb20eb46264
SHA512 460f4986d924fd1825e18517a221459946f7a77d13cd5587c60e533ff68fcb7218780d6483f8278248c3959b3d251891a7d0e6510346c616312230d4cc765f2c

C:\Users\Admin\AppData\Local\Temp\ZKkoYAUQ.bat

MD5 7bd17272f6c7b9f94264c30285a6b824
SHA1 b960a20076a8800a0cd2b898cee1ca160d69cec5
SHA256 29b1f601efb6852c180a723bd5c50c76c5ec1434a8cc9ed149a094dba56cb0a4
SHA512 f3b03e8394b59a98ca10c34c24584c329455f44f4572726c6cefba78e206a135baf3451df0357d1bb26e84d3c4210009390e5268e277e0f4d1c98fd13d79c58a

C:\Users\Admin\AppData\Local\Temp\FskcIMMY.bat

MD5 3b3495332cbe9379c5c6acb23964b2f0
SHA1 e09b44610e34b80f18e14980a4af04973cff4a58
SHA256 e4037a4bcbff49706f77c30bd83932722224c34cda0dc0b06b3001fab03fc5ba
SHA512 d333cd80cb61ba198a69f74de15902641606daf7db72ca649f827a91cf00174b7fc38700fa7e5bdc2ddf3bd55145a5271a1466dede911680dce60006b6995040

C:\Users\Admin\AppData\Local\Temp\nKAUEYMQ.bat

MD5 382b5461a3b3013d3a92eaf1123e6558
SHA1 8de23d62706fc41121d890c32b6f67d90e983326
SHA256 48d2b7684d662c6d837d5c4e509c765f69139685d2f5ddee8f050aa24aec37f8
SHA512 21b0d6ca529a01e9fa9b9d4edc996790ede45e208b7ee3459b092af7b973ed46b7697d6c1e5003d8b1ae959e2028c34ec49dfa0726f29408860ba9e787c6cdfe

C:\Users\Admin\AppData\Local\Temp\TuQYYQkY.bat

MD5 f8191782e710c4a9d5a09c5b405f3446
SHA1 395bd2df9741f27a24282314c7a18b3d414ab683
SHA256 2ac3d0352f225a25bc6e60a5ca96771435a7e2d065549da6952a50b28a4ed73f
SHA512 56b9a3ce4314d80eb5ac2e803caca040ba1e36337f3285025e0b04e25dd3eb1eb6232167bd759d34386abc63ecc039d37dba5e7c9122099b67c35f42a8a40f14

C:\Users\Admin\AppData\Local\Temp\wMYYgscU.bat

MD5 8d93ef72ac1b7e365dde329ef435af47
SHA1 a75d9c4d002411edb6a2dbcb96e526b642c90701
SHA256 7b21419b9cdf66576430640890c5291404b63486137e41b71ffde6599edac5a3
SHA512 92284bd92f9a3979d2a8c6cbee572bc74ee47d579d2c8a096c157c81d2705189918e282f382e541c22fbcec6fd6c1f84b30fff54e5cb1110c62726c1fad7164b

C:\Users\Admin\AppData\Local\Temp\ZyckcsUw.bat

MD5 b8e8c43c810ae691662a82cb1e4c5ff6
SHA1 80acedd737a468da5aac121bcc8b0a11efaba735
SHA256 ca8ff6511133b7f4ea51586ed3a7ad811ea602436ce884037f9e00629dc52221
SHA512 3660f240ac81067820d62d1c884f632aed682ffb1215a28851f21dab9eb9d1b46e1640467fa00eca67a62b9a0ae53ee7615a211fd46f1d8443253f121dd90958

C:\Users\Admin\AppData\Local\Temp\qmEUsIwU.bat

MD5 0a4dff379d071a8394290d77415f9f6e
SHA1 cc0cd1a91e33ea696a89f6106cfe0fa56dc124b2
SHA256 17972ea4f7b2eff0964bc81279240a4a0af125a652d201d8957d590db0edfada
SHA512 d31718d76178fb640a2e515620c564295f712b2858b3f5a464fe46a535b4e0a39224245e0a1335da135394096a98909e0da50a5a726e607e8ee9dab2ca2bd0f7

C:\Users\Admin\AppData\Local\Temp\ROcEEkgo.bat

MD5 734d89d1895c22690b0f19541c504dc4
SHA1 d77892b82e6874046737f0e067eda494cc4755ef
SHA256 1082cdd1a07080c877356acf140fee5ed8020929750b35b8255b1af881a0e66c
SHA512 09bfd7af4c6eee685eea206ca075b8ee8aa4584b2a993f8e9f0bcaa50a1b7ddf5d942163d4ecead9d754a8ad0fcfe22e405caf8aa295c6d64527c0c353ed006f

C:\Users\Admin\AppData\Local\Temp\XoccgQoo.bat

MD5 61a15dcae726f1270c6484b626ab4081
SHA1 1f5dfed2fb70776f51de70979ccab8fdfae6e925
SHA256 37110d3e9f71014800f162c295c518edd5eac28f39716f2ddb59734d7862cc52
SHA512 7489b35092442faa51c239eca42ee9704739c1691dc7f153c9a38df522b940624957e243efd520d9a7fca08771dc2e7a621fa232939b9b0a189bc701e6d21b1f

C:\Users\Admin\AppData\Local\Temp\sOMMMcEg.bat

MD5 ccb7c4eadc4c9b7d008a689bde81c0f7
SHA1 dfab74dc8ec45cc7d18538ce6f1a379b4e86ca68
SHA256 af5349d4ef1c5de2596234d964d90fa8da916de6ef9b98cb847103728d593463
SHA512 f672329fba6f11bb821c84f66014bcbe1df64c4bbb083aa9a87f95708733f1a33c962cd07b93650160e05c39f8171a9ab6349117a8072fc8428edc33c443038f

C:\Users\Admin\AppData\Local\Temp\TYEwocMc.bat

MD5 ffea1393898ad5a92f1476d93383b42d
SHA1 6afb97317615920596ab03365889f10d8f23ec43
SHA256 21f746e9124dca577360ca8479b52761ee9522a3e085d88ac8ffb151eeaa207d
SHA512 11ce07830d5bc232b7d1dc9fb9920ee9123e6742eb9d6309ee9a7bd3e315a5d8584f30daac684158147131bfdd9a0beaf203dcfaaca250da6a2c1b3dd73b223e

C:\Users\Admin\AppData\Local\Temp\VYgkAoAs.bat

MD5 5b558d1673482babb335df1defea200b
SHA1 2e34a2a0ceff8a15a2b27bc8d4595d42bcef7550
SHA256 da39676480a118ebe018e81a038616b7e08ef51a1061a34df22e088393f15fb5
SHA512 59f319c92a808dfa6c45544e600acc48861a52e9d155c61ecbfce1e9991b7cbd151b1d05c576bf88f444809894164fd5eabac50ee1393ed81d0ffc9f47649c02

C:\Users\Admin\AppData\Local\Temp\eiIUMwsQ.bat

MD5 7a4480d94a8e47801d20a7577bc51ddc
SHA1 a32374584ff9a4835d6384d473772b5d48e8ddd6
SHA256 e66e54d3a48033ce48b35498edbad861c6443bb10391ad1dfcb3bdc61b6579d6
SHA512 78d2e81c40dc40a8dc5ba2e992c50a76001fc1fc10e0e364d9db0cb2185debaa7b211b74516792003b579d9653ad6df3647e7cf6fe54cbee9e7334f92ca7a2b1

C:\Users\Admin\AppData\Local\Temp\IiUMswIQ.bat

MD5 c6d6e75e3cc0db126efd4dcc3b351f5b
SHA1 8796633f2c196a4b5172f14fdf3f75d4e282b6a1
SHA256 249a4b08e9971f1ec9dc7d6d306788fe8100340bc0eff20ee5281570be377b8d
SHA512 3a2924a22e4025226e87479aea81a3449535a350999aff6bde5ec291183b05f802ade92349090a3ae10563d1bf31dedfb1ed3886af477e6db03d9f08d724810c

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 10:36

Reported

2024-04-03 10:39

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (78) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\ProgramData\cgsEsggI\GecMoAQE.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oaEIYEUQ.exe = "C:\\Users\\Admin\\dOocMAIc\\oaEIYEUQ.exe" C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GecMoAQE.exe = "C:\\ProgramData\\cgsEsggI\\GecMoAQE.exe" C:\ProgramData\cgsEsggI\GecMoAQE.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oaEIYEUQ.exe = "C:\\Users\\Admin\\dOocMAIc\\oaEIYEUQ.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GecMoAQE.exe = "C:\\ProgramData\\cgsEsggI\\GecMoAQE.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A
N/A N/A C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3176 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe
PID 3176 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe
PID 3176 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe
PID 3176 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\ProgramData\cgsEsggI\GecMoAQE.exe
PID 3176 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\ProgramData\cgsEsggI\GecMoAQE.exe
PID 3176 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\ProgramData\cgsEsggI\GecMoAQE.exe
PID 3176 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1164 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe
PID 1164 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe
PID 1164 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe
PID 3176 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4852 wrote to memory of 744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4852 wrote to memory of 744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5088 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe
PID 764 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe
PID 764 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe
PID 5088 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5088 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5088 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5088 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5088 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5088 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5088 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5088 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5088 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5088 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 4548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1436 wrote to memory of 4548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1436 wrote to memory of 4548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5116 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5116 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5116 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe
PID 1948 wrote to memory of 3304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe
PID 1948 wrote to memory of 3304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe
PID 5116 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5116 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5116 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5116 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5116 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5116 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5116 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5116 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5116 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5116 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe"

C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe

"C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe"

C:\ProgramData\cgsEsggI\GecMoAQE.exe

"C:\ProgramData\cgsEsggI\GecMoAQE.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqsQUoYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XsIYMAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZywMYYgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGEcUQAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymssokAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAUwowUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIEAowMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaMIUQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIwQggEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsUEskMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeQMIocg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEwEEMIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOwIgwco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOgQYAkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwkgIowA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOcoEEkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hiscEssg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaIggwkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWoswckM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSMMEYQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikwMcAUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IskAAUsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsYQAcIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okooIYEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKAUwgQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWcIgIAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIccIMUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyUcoIEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkUgsYIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\soYYUcgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGsUsAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEIoMoog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOcMoQEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcEskYsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeUcYQEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiokwEIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ioQcwQAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOYEcAkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
NL 216.58.208.110:80 google.com tcp
BO 200.87.164.69:9999 tcp
NL 216.58.208.110:80 google.com tcp
US 8.8.8.8:53 110.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 202.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 218.110.86.104.in-addr.arpa udp

Files

memory/3176-0-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\dOocMAIc\oaEIYEUQ.exe

MD5 7c0603b7930d6e75f131dcd8af96469b
SHA1 94ee30384f8d0417900e7b643525421abd3c5249
SHA256 8e81356f8714ed7095989ca4a7aa4050456b1621c6f548ac6a5511293f81175c
SHA512 c92a3f954c08f2df95734f20f911ddf478d4681578c374f244f7b97ed91e78af68595043ed0936b286e63966a5b74c1f133b4c9cb46303b049802086ac66239d

C:\ProgramData\cgsEsggI\GecMoAQE.exe

MD5 ffa72673ebf12c07232d00bd5f995d60
SHA1 5072fae167677f3629ddd7ea9d3aecf4afa84507
SHA256 c7c45f2620f034ba7970d40d2d80753658621e4826e085ece23271bb6b8b40d9
SHA512 5aeb89340017dd81ed3fe647fd94c2d188fabf8f7e2c724877fac386b2683cddf612538f22eca442c57863f50b33dfaeaaf84c8f77f7f5859662d15ce722d203

memory/5068-11-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2952-15-0x0000000000400000-0x000000000041D000-memory.dmp

memory/5088-16-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3176-20-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RqsQUoYw.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcae4b3ff43c32e4e3c7b8e3f97cab86_virlock

MD5 d36af1ec9b66bb61a728702fd39ea0a4
SHA1 a0483b7947de6daec4a69864328662b3d70aab86
SHA256 f590cbc7c830731b68b55ca1b1ea11818b5afa3566537440a17017296578dae9
SHA512 3047a98c784e0d60dcf46635350e983687156fb5168f713dfde0bda9034419cc1a547999c7f8113d9fb3bd672167f06349aef418c3f554617ea7565eb40095f7

memory/5116-28-0x0000000000400000-0x000000000041E000-memory.dmp

memory/5088-32-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3304-40-0x0000000000400000-0x000000000041E000-memory.dmp

memory/5116-44-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1180-52-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3304-56-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1180-67-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1724-78-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4204-89-0x0000000000400000-0x000000000041E000-memory.dmp

memory/740-97-0x0000000000400000-0x000000000041E000-memory.dmp

memory/912-101-0x0000000000400000-0x000000000041E000-memory.dmp

memory/908-109-0x0000000000400000-0x000000000041E000-memory.dmp

memory/740-113-0x0000000000400000-0x000000000041E000-memory.dmp

memory/908-124-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4496-125-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1944-133-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4496-137-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1944-149-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2504-145-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2088-157-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2504-161-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2848-169-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2088-173-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2848-184-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4228-192-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2060-196-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2444-205-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4228-208-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3276-216-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2444-220-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1212-228-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3276-232-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1212-243-0x0000000000400000-0x000000000041E000-memory.dmp

memory/396-255-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2380-254-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2712-261-0x0000000000400000-0x000000000041E000-memory.dmp

memory/396-264-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2712-272-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1048-280-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3468-281-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3468-289-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1056-297-0x0000000000400000-0x000000000041E000-memory.dmp

memory/116-299-0x0000000000400000-0x000000000041E000-memory.dmp

memory/116-306-0x0000000000400000-0x000000000041E000-memory.dmp

memory/836-307-0x0000000000400000-0x000000000041E000-memory.dmp

memory/836-315-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4364-316-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4364-324-0x0000000000400000-0x000000000041E000-memory.dmp

memory/388-325-0x0000000000400000-0x000000000041E000-memory.dmp

memory/388-333-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1884-341-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2772-349-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2244-355-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2676-358-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4872-364-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2244-367-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4872-375-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4092-381-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1172-384-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WIEI.exe

MD5 0330f671cbe8c5ff56b906859a286247
SHA1 991a1fa994599a340effca567f29730c973bf378
SHA256 c35c24829b65de67c410b9bb7254db571137423e8446a36bfe7c103e4e48b455
SHA512 9d282157a4ba9baf6bb21ba288faeafa86fb3d6fb5ff62f5d81fcbe0c24ecf5f8ffec47e3a7ecd829690afdd99670c58c1193571d02ad78fc9d04821ee81a762

C:\Users\Admin\AppData\Local\Temp\oQAW.exe

MD5 c453079044fd7ae6ea4d51f4e7949acf
SHA1 fb9bac6f5f2a9b166f6eecabb7416f9f8df6ceba
SHA256 b1c2a7fb9704a1c23255da44b6ea4c29f512d2643eec12dd9862d39aca11264c
SHA512 dbbbad693b6cb45d764ab3d50142d090b8ab80fe68bfcc24e29bcc65cf07e9f5f0504e330d81bb28ef934eb08d2e0031c146c5a173eed01a0777aa57cf0b8bdd

C:\Users\Admin\AppData\Local\Temp\coYI.exe

MD5 c70f593591647006362cbb23930196ed
SHA1 d79ed5550a20907c14362501a00e57c30193ccb2
SHA256 3c128d92d0fce62d0bb75676ac0129cc4d04cb6b98860d3b9c7fd242c15c2c44
SHA512 0ff1ce6444d7295f35cd20665d31c645d564e5bb07455d6d578544e04c68c3e1b037c91d73545c77267c9dd56e480e57c14c6f3e57f8aa28ddc98a7193da65c3

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 37497535aa821d2edbdfcaa707016213
SHA1 64d64bfe2f7e4814a9f17c4cfd0f5d03c0fe279d
SHA256 60bc0749c6d7b7521768a8e940bcb23fdc8d567a55f2d4df8a341abbe0a2bb97
SHA512 894f950fb5e50395865bd05d21612c17265bb82a2b084b02581dced0489f51c0313db5ddda428f42c259681925865901e47b26cb8439d96ca66680821a5127d2

C:\Users\Admin\AppData\Local\Temp\YwMA.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\EosC.exe

MD5 b5f01194f236d96dd7908cf6e7fca5b7
SHA1 3835754890f23c8ae6793e8fb3d85eb96ed009eb
SHA256 b69ab6bbce03cdab22f63831636486746286f76c36f0b0c7b90df0a5d6da6b33
SHA512 3d699c403e1abaf85260bd6dc44dd2dd8dabd76531817b09ec9d97e4b41a281bc0e5317e8d6bce4e51742a4e8efaf923b8d783eb1154d3b05e1d92e7a42a99f3

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 40fb56c061b6bf68c479375933cc23b1
SHA1 4a6c6647ec357faa87bd1b137078a922feb186ba
SHA256 c6c1116afa2c0af8264611425e6b3046106df1297b35a9cbbd836874ca90a56f
SHA512 0987043154b75bfbf88f3ad2c33c3fc4301eae6537d1e4e55e26d9a3d7a41821e6d45c327fcf2e76ff3e9e0eaf3042a9443d04ff0c33cd0a8c98339a7ef09b72

C:\Users\Admin\AppData\Local\Temp\WgQw.exe

MD5 b19cb473166ebda78941327679097c1b
SHA1 8765643b1a97ffe2ed41237ab40d049ffd6f33e9
SHA256 2a4e34e1bc0e956c9eb25f51779ce3c9c1b4b028793186fed8f2205c89e3c2d7
SHA512 25847e5963e1e6fe397e83cfc7aa200a86ca24004a2da80fce079e188cdaf857d9edc99d7fcd2e346d93f6c65b5bee830d0d6e4c54edec942cfb47ab8202eef2

C:\Users\Admin\AppData\Local\Temp\Usos.exe

MD5 705cb5e385ca5a095877a923e971f86d
SHA1 5981045f202ed865cc30575852eb10f5c8e1fdaa
SHA256 a7411793d7fa61159250256b8c9ff1ab8a3f3f97e326f24818fefa6fdcd18122
SHA512 d0bb58bcd3bfc0b9be88250e274191efbc3fde3c6bedace8c2df72824d8cba40426dc980382cf9641787013d1f03b72ddf8996a1c6ff68560dbe899681e98c21

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 1998f29fec8ddf6b0d329321c60966fd
SHA1 dfd16a5dfba7b5a9409d02555cfc4212a7b4d44a
SHA256 73952e86d8f9ec9e22cf2a0c473cd664f83c1074d012cca0d942f5a4e8c15864
SHA512 6df08c966fd65eb9e2ac9e82b21a334ce0e246d1159ced1da46e5b5b5f8ed67f6c8bb3e430d0e90595db1abeab41169ebbb33496c719019b5e1c8791a7197015

C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe

MD5 ca2eeb1406c37b704f357ab42e55cecd
SHA1 bc1c3b124309cf6cc4d9e82a30ad99a67f1f844e
SHA256 6c6a1da419c6ba068bb894262dc324a34036dd0fca46cdad4b7493615b830e1e
SHA512 7be87d85ec6ec3f96e29bd8e8e2b4d3c4d45e067cdb9422166198662eb7b14a7b24c618745f75d6052136833fea240d9427c5749e3b9e9e2a5e125faaf09d432

C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

MD5 4a5c50f266b7a890eea06d51c7420b13
SHA1 3281a6b5408db1091b9d07bebaf83dd6fe8cc2f0
SHA256 a694d7f550f17ff4ec6ca0bddaea6acd0344ffaf75fad416217059c99763dcc3
SHA512 81987e97e0f10f2b60b1ca5b052fda88a111caba4c2f85710cd5092154686eaf0c8fa073f1da266718841e5cfefba50be28b022e66b21f8f6bae94ce13e829d5

C:\ProgramData\Microsoft\User Account Pictures\user-32.png.exe

MD5 5e58e7f38045c129c480a43357e573b6
SHA1 06c302d54b257cc9886d6ac86e896ef42cd59107
SHA256 05f8013b593a72c028eb3aac449ca56e55fe82a7fcb987b5fc13a77e8388d436
SHA512 36db6f096c2087726b0614be82fef564689cad8314fc7a29b9a04055675688b04a6cf8749bd71bfac9916382413cf1e3ab90e1dec2384197f74829e7a346ac90

C:\Users\Admin\AppData\Local\Temp\ikQs.exe

MD5 a6afad7f5a036561234f657c3e7ea9c3
SHA1 f6d2c98f65857745222073a4ca939302ddc40eba
SHA256 22267f506f34bda6c45405a86fdde63cd8798a2575c7c35344c07fbd48af2377
SHA512 d9fecd8028f231e4e8b7b176dc0d76598784b5a0d854bf1b1a472666c3c1b226f5509cef8830e04e09a39d8edc9cb516f05864123ae1076b6a05fcdeb2391564

C:\ProgramData\Microsoft\User Account Pictures\user-48.png.exe

MD5 24d2386875e9c0c6da773d9620f387e5
SHA1 0df6add6bce4b429ca84c949873f0c7439d65d71
SHA256 aad0a6b040016556525afd9dcba3e0cf100c07b944f1ed70fdeaae4f1232dd12
SHA512 8a622230a70cffc9355b749c00a491d920a4fa8d3ab7f08d08deef48efab75acebd997174d80cc2a76e526c50713ea4272ec84c00ac75f045bb95a35ca3cdc86

C:\Users\Admin\AppData\Local\Temp\uAMO.exe

MD5 f97fe3eb45268ed9b85e1628c16c350e
SHA1 281d6fdb7e7d33087c9a7a520dfce0115bcc23e1
SHA256 5b4f168162537c73fdba5e89c4b0e1691e0bf2213cd42b54a13e75d2b6078806
SHA512 2eafbc64b2a582a670c0cb7a22a3b301ae29af3d1917d30b639d0a9d7f851c8fbdbcf5671d4192547d29044b7bea31823430795c9d327bea9f2780eb4d028810

C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

MD5 fb69d5474d137ea3bc0162de8b33f8df
SHA1 d13bbc293e4087cc8763071e01aeeb33bec0c344
SHA256 3a4f6eec1b12f270f06cc30ee9dc7e0b24a3883de6df2ef4be8003c255c5d4ae
SHA512 70d358b579cf044eacb60fca8b70ed094d52a17b31f21cecf2d977b19b1fb888856bf83944473f54fcc09c6ae536c6431c7167ee2a98a936a63c93310d3f1cdf

C:\ProgramData\Package Cache\{17316079-d65a-4f25-a9f3-56c32781b15d}\windowsdesktop-runtime-8.0.0-win-x64.exe

MD5 aa0b50378432b95bcad2d053da672562
SHA1 b5b1d4e261361dfe48b252c5c78179b86c160737
SHA256 485780bfc804acc3a528a6c89faa17f6c911bd9aa7961469e80fec169fce6788
SHA512 2a6b865f7fd266e35d6e0080e521754c5b70ff3348138d3c86266f765e4ae24c80e8ff77683ef8b9d4bbc18611f4eafd97a29dbca8dc9476286d9d25f9c69feb

C:\Users\Admin\AppData\Local\Temp\OQUW.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 a906bad39ff3d98e3c1537f34ea3748e
SHA1 18c90afc43473177f2558a5b119705be4678c6b8
SHA256 dbbef4cb53da0d4373cf9c02d5cda70fbf1b2f5b1e6a0b704f0be503ef5fa042
SHA512 bba89224e34a73579360ade3ab0409e20e4199379945cad6839bb5e5f30c0dfcd6d880ff28436bf9941e4b509e04ac03ab87c78892c485ba10572b7a763f7c66

C:\Users\Admin\AppData\Local\Temp\gYYi.exe

MD5 215d3a524d8b4ecec4ebe7db418278d1
SHA1 467c08d6b27dea24bbccfb63ba802530782adda0
SHA256 75767cc91098d3110dde1635d45e4e2a05bec5b0da76ea6d748c63ec40225093
SHA512 729a006184512eb842e7a5f1621e376dca57d982294eb9cad732b9bb897c98596aa86b97db231fb309fef4a63eeec3574ec6a513071c2d5358d5b9cee5565c94

C:\Users\Admin\AppData\Local\Temp\QccK.exe

MD5 a3c297b9c1cb4e499ade11de4bc1bf5e
SHA1 6aa060d52149b11fbdc272c06b160c83fde30be3
SHA256 f271e624fd79497cc771a26eda50562fa07d98e1199cbb8ca4ec1e62daabd135
SHA512 4d524b18c33867aed7c1a012928137f49f116ff4cd7af36f4c165fd1e2764d01af3c26b90655dd73ae279e79677d2c135df7d6dc5d15a0b27de12070d70c7071

C:\Users\Admin\AppData\Local\Temp\SIQo.exe

MD5 44d95708e7dde1581c9d3431960a9d61
SHA1 5c744baeb7e18556e90ac5127278c032fee17eaa
SHA256 544c856cb0203ebc0da6d86951a8cb928c111dfd4d8075e71e194878ae8bcde0
SHA512 cb6a1267544304478143d15b6f1ebc2b65d237a7f7f9529f9b5a99c2bbd6b8feda1f10b2fb6ac300bcdaa203f2d0ea2cee9f3cab1646ede6af41541404e74e04

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 61529bb1a64ab0854bd389cc925a59fc
SHA1 e31b42f20b97d9ae7140aeb86bfd8fc7c10cf283
SHA256 b78689c04ac9a38929b1f6380cf52b87f3be926c86bc99ea42d7bdad999fbd18
SHA512 29436887d4b2c117be070888582ebfc231352009bcc02bb5e7079517d28a1e36a03bb97b169709eae49b40502210f79d508433a27e9f43264dd27dbc227ef10d

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 023aa754bc4291c84820a2c73cebd7aa
SHA1 c6bbfb16bd1f07d071dd6607c936bbd58bff5e81
SHA256 c32e9e20cbb67ce7925ba761a5d66801371aca84d3fc2f1bc70134a409f03b29
SHA512 844fffa3ac49d587274f101eeaef256e0cf69667d469c7cdd2f6fa437fd046ec5e11c7efedab6466fa63bd682a8f3665899001fee4ae0a930001a8d7518e6c3e

C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\windowsdesktop-runtime-6.0.25-win-x64.exe

MD5 1df8df83533eb1f4c3f18a35d689a123
SHA1 16813a15e35b1c3c12205077e0f8510cf3a77dfb
SHA256 23dce2528633f8748f9dfd5218345d2b3776936b383b14def05bd67aa6f3d9b7
SHA512 d94a7587122732159381ad68d25549a9d9396b3829bf4bb1a4291f5ec2d8c546302cfe97bbc5f51c0d7c393f6c7e7e17dc7b82b893c74a95c62b81435fafd3a3

C:\Users\Admin\AppData\Local\Temp\IoMA.exe

MD5 1e8e8a8c386627728697c87fa2e7a866
SHA1 954cfd84e15e66fb74ab6368205d287fef9aef9d
SHA256 430b1d1f0d436bc6a9f48ab83adfdf4f6407707b4b24d9c48f6acc87536b4729
SHA512 4dc460fb4beb75fa6634d1859e37e1cbdd45e84dac499a032ced32e635f7251f8e878e736662c6f5f6be726a16bf778bccce153e7ea9f82fc1569ca73319e12e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png.exe

MD5 83636874772fc054a382aececa824fd1
SHA1 f9f512d065b5d914027a6524e4527203148c8034
SHA256 3ef550d5b12bce77a9f97e0de926a447ac7a6e5502d144348e6c2122b522c331
SHA512 2c1e7c810a313abc48b8ae2f5a0e9d27350c78f85d5edca5f109b1e4fc699e8ab65ab6df3332107a0e63ae6648daca4e31c90a74eb09d745029e90aa68cda490

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

MD5 cee7342dac6f951ad97d90ec7ae6326f
SHA1 a0ca959268ad8c0e30b6d7a84e61b61a0fc19a86
SHA256 41b4428d27cde5cf6cfc108d8a47069d75927bbafd13513addfc4af5bc74214a
SHA512 c11185f46571345db0a942c6bf46a8805493b3f0f027fd79de2777b7cb7ccc0c96faf1f8d8ef1cc29b1121df940878854d8f76beea6e3fc8e8796efa8d2fbcdd

C:\Users\Admin\AppData\Local\Temp\EQwU.exe

MD5 a77ec5f1d5f274027e1e8453f75c0189
SHA1 4d53ea45756d385bd35b66c8ca64dd547827c646
SHA256 621fa1dcffa90dca4e5d318aac1dd6e52cb019c1dcc29bcd3f0bfcdc0781c95c
SHA512 19f640c91740a13dced0a1b12c0271f80d8a44c5ec70be5b332d91c634d9cfa6b9c1991b6a555d3ac30c7f534628e4bd3c5e8d06a089ce8a13d01c90c6169d0e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

MD5 78284f5dbc6053f5635f42d6ea6408ec
SHA1 18a979345bbe5246f47b1263e05b46c79411b4b1
SHA256 e5d4c841dd2dab4c9ad6acebc6ccce7feab58b34d753ae508f56fd5d8e5c8b19
SHA512 66cb2b777c5e4639ae350d9b84909cbbe0d76ba68f1cfc7714b6529fb52d4dafc3924e79b841ddec3d1b0e56e3144d45303dc8a79bf9e98a19b1beeb367f5ffe

C:\Users\Admin\AppData\Local\Temp\aUww.exe

MD5 b246a22b64d898c488711b1073953bc2
SHA1 92957ee74b6fab79630e7b8e48fe9646e253e011
SHA256 9a0f2f9e686230771aa1fcf056bcd9378e4b3813ded7b7f9071c4ac60059cdc8
SHA512 09b214c63d9b1e048b9cd7645caea82ebc227da0e6b7d6b94e9930822beee4a794bde1a19d1a2813d823fb4f9efc7a07f9fd702b05f46e5320a4dddee3110a2f

C:\Users\Admin\AppData\Local\Temp\YAkM.exe

MD5 5077e493d94303fb4912c68742b5b8b2
SHA1 641f8836f0f1fe5957abb8eb0be957692e761212
SHA256 b348ea1d55c2bc757a006125fa75ab81172098e753676bdea7136b7d05764e2e
SHA512 bad5dbab1aaba115a4b41d72c0a48c3bf2d80397d9cd871a38ee1afa53b6d8f11248d0bd76512390ca06865ecbae5d83cd6e4442b161dd5d0a7c11828c52bb0a

C:\Users\Admin\AppData\Local\Temp\cAcG.exe

MD5 301c697d1c50c729490249ad22149469
SHA1 0d6e24bbcf78e90361162b5e75a5a90902216fa0
SHA256 b2dcbd92cb5c7b527f18496a0c00d8ad3b667784f1c6e207bdbc0aeb500c3f37
SHA512 95bbf1ab31a06cabde9efede50d694c59da7cda285df86f77c2ebd5e8e60b33c229c046cf84c6929ea18c8409386246940e034345fd06cdc341f1feadb803dd4

C:\Users\Admin\AppData\Local\Temp\ogcw.exe

MD5 ab195f32dc6ae355820cbc8341f83a8d
SHA1 ea708d5bd2e1d1ec7c6ab98ad0648c810f61421b
SHA256 0344fb586de7fd7882675c75e1795058c002e37c5f1f990c9697c871d07fc1ff
SHA512 ca8260527e82c5ff2d3dbc1fc5b5efe75142f3cd3112a16c5b6253a1f6097f56a9b622b51da08c9ffffcc66bcec4d33bcc7fad8c995e7cefaf3e1a42e40091f6

C:\Users\Admin\AppData\Local\Temp\esIe.exe

MD5 c9992a48c30f22a29f91c6751b511899
SHA1 73bd5226aa0fc2d320b235bec8a5c06c248af9bc
SHA256 c99e51fceeed85f5c28291767ca84e4527d24b929efb30c7f9d6209ae6f52c93
SHA512 3b3b14b492525fab013e292327228b4bfbd9fb8ffcf90e709057517f2cadd56b83892b087498c637bf1af3f57feafb2c898f61c176370425e58b61e01b21c1b1

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

MD5 fc73a92c516e80d1d0f73993ea3cec05
SHA1 662473539a08c9006b90bc4acb81d058f45fb7f5
SHA256 40200b6597412e993ae00f51db7ff677ae71e398ae6df3730fd02820eae8f021
SHA512 6c43884719e5f71983cf70a229e28c7fb09988bb378c436d482f4953f4c1e5bdf104bda9fd2c2e52b05833675a88f5ab55cc48c5d81c24b3e843e68e1d4952f8

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png.exe

MD5 33c8dcd9c3b9ac01127ef35a567e3997
SHA1 8121ad8cfdbe37b40f7cc0b96b74ee76bffa802f
SHA256 96a17e53c2adfe9755ef1c538fe6e1ca0cda8d1f85ba0ca081bd47218a46da4b
SHA512 2e48a82693d972ab9ab4dcf398c29b6b77dc152de508edd4c47f77a7985976b8ed9956ce3c1ae1206b3196bd773f6e86f480d9b319fc17706b7335082d077e22

C:\Users\Admin\AppData\Local\Temp\MMYi.exe

MD5 89bb80261c10fa213309397eee4a6696
SHA1 1c5c926a1e0e6e2dab865dd0379ee4c614f7a60c
SHA256 221b8f7e8bab9b8689659a9afd5bbf0c5b9869907d16da18a5313788b25d7b01
SHA512 7306357d122c0dd3ccb07782a37708f1020204a6db4a075bf7228ff1bb619aaf9a6f15d4f02d2366ac71addcdd0e53c4fef169dba08a6c500bb81c30ae1da2aa

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

MD5 77af8a8f202d45b8173615685919acc6
SHA1 96e551bbbb55d0f315e98a33ef8b45d06d0a8f88
SHA256 ef2451f4e2905ae1aac678c0d2e812abf0dcc95a18e782d601471ad177ab2185
SHA512 fbe6bcdb1a80761b492be105af60360d55135c7bb52023c1dc9e2e1568e31ff5b2716c15712f662da8866090d3b0c5d3aca5b1e251b8bd18f49e0e08993cdb34

C:\Users\Admin\AppData\Local\Temp\qIwq.exe

MD5 d5cf72e07585e64eaca0aebc6dd9e356
SHA1 dc2e18c024f0ed4bf6adf4d7c4f729292d7aea2d
SHA256 c766afe6b25b663a077f6d70bd0df7f466a03130e800bddec119bbb6f9be3d32
SHA512 10ca64e07158db953c25446c509f51fbb00d6c3098bc90bc289720d43f042d985eca46d6988e9576b6b0041cd71013a110fdc2a2761a34faf62ba1a2b52e41fb

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

MD5 f7373dc4345ea784fe5c28c1862d1e53
SHA1 e99bd7e55f51599f11acb38fafac5df76f3e7492
SHA256 33722fd287e57f4764ffd7b3ce52807bac7d849e602c1ec02b60e65910aa2da9
SHA512 28f17f9dcdc9b09ab63bc005c9c0f2e6d3558fda61e4d18fad542f421ef5c30fcd2a8e1f4e434b603b0816b05b0c1a9fa9130421e0a18e41ed747311df3e92a4

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

MD5 e3bdbb45338d091e967c162decbda5cb
SHA1 65d64456c27f656117fea5e9b49df54586017b9e
SHA256 2e2dd0be64d664c7e4b74f4e5bd9f4bc882b562b7eb045b421a89ffa9f9d85e5
SHA512 b45f94300109ad933beb1ea817af10493a8ddaa1e24258bab14ff82d4f50aa0a8ed0975ced09c984ea3c8d4a2dc05eafb8c300bd64ba291b24a1578fe4288c97

C:\Users\Admin\AppData\Local\Temp\AgQe.exe

MD5 9bd7d456f4562916e7a1900e44012255
SHA1 304a0671998a7f50c13d1778d5bf5066bf849b8d
SHA256 2dfce68f220f3eabea4f8ec813084e9ef9c83ab9a9c4eeafb2da73757f8045f7
SHA512 c881b53460e19a2764be6e28cfbc517456650ca414d6e46dbbb7c83a0a12bfefc8e8fb3c3dd60b6250ec20e7a4c8bf76f577d21243edd3efd5ed2f1e34ed5ab3

C:\Users\Admin\AppData\Local\Temp\YQAw.exe

MD5 f203629e87103ec67941a63923e31c5e
SHA1 86d1ba788ec6c7b7f67ab484b74c381a24ee12eb
SHA256 f87e20e21d9f41fa8a1e9b726fca4d4db6887a7ed4be8c1fcbe7b2b208d6b936
SHA512 a4ff569710cc3c8fc45628c4eb47c8b0d34f3ada280607a1039b189d6e0726e9d5fb1389835e3fd9cf56d0201cd92ef71d461bea5d28317670590b7a1c507c0b

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

MD5 186a2c285d070c08953623c5444fdc8d
SHA1 3bd2d90da4c1a1668f88943987eccf1e0d93a1b1
SHA256 e035e7a597d36b24faf4e397d3bafff2cafcd799a74b7b3cbdc16b991b014fa9
SHA512 c87c524a9be312a50a7d9a2145ec21c755164e114242dd93667549ef5e72ca0d99ac204251782d483368d26c253ce0f13f355772a8a2a9ecb8aa32239ee72ab6

C:\Users\Admin\AppData\Local\Temp\wQom.exe

MD5 7c94d45baa6a14885c45fa6f217dc72e
SHA1 b3c726a1f66c16f3c7cc0d774fc20de4f1b6f442
SHA256 2c4009cf29408cf80245ee1fccba8c0edf7a1c88fc85fa5f151a4b4a4b12aca7
SHA512 48befc1180e72d1d74764c3ab454f2d981421ed347c1a740af5644ed3a303d36e6ba9a4088f8f9ff9bd485a04121fedf17ce1aa283f211412f21feb3bee4f44f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png.exe

MD5 319dd61908ffe2519ec381e2b8a5fdeb
SHA1 e3a0f3bee230989c832be7f681a29de21bd6a037
SHA256 92a9b773f84daa9058b90b81ab15bdedd54f8c90cae3d1ee229b90ee65937bb2
SHA512 43458d90897160c8df6aaf968904b2a7929d4f043afcb15456c986606e6544a4d570e66c8fa5184c3b0d8a996bd53d01f658009fcfee5707b4639497de0f131c

C:\Users\Admin\AppData\Local\Temp\SgAi.exe

MD5 a3e58aff6499caf5d8fd96cbac7fc3b2
SHA1 d05b5284789adc97a602d59f094a7f7e7560c4f9
SHA256 7173e2fa333247046c0797277d9221cacf0acdba66eae5f024a8a1b9e369e123
SHA512 2f5bab42fcaf3b1033acaff31a04519dc7c2d36be6819921e1f5b7899853ba42a9bf1d33b823bdb6f15acdcb229ac77c9deed6139ae69c0fa2e64856d429f66f

C:\Users\Admin\AppData\Local\Temp\MgwY.exe

MD5 19a4f802d9d16b99cae1d749584a7535
SHA1 1d2e92a80a56411c3608d465335227ccd7c1a95d
SHA256 c07a85e98068cea9e97cd4d903dc2694bb5bc9f88e10796e7452b4831e8ea4f8
SHA512 ad984c21d4ec1b028145d58a7e59dbc1230bd7c4cdcbb8ac2a6cb172a62b8c839cbb828e598bc443120f627348aee2472f685c4c21551d000e675066bf162267

C:\Users\Admin\AppData\Local\Temp\oksC.exe

MD5 7f54de01093f5278951f12a7faeb9137
SHA1 e38411909cee2da990551bfdde0fc7871d59ee4e
SHA256 faba6c9a4070079f939f87102998ee0c692f9c24fa63e76d586181ed4798fcea
SHA512 24939e84aa1aa1622582c828401d0fb90c89654929419a4a4575eb80a0109b8176deaeaf47560f4da0d3d966ca6d5f4897cfbdfaaec969246c2fc5f32eb82fe6

C:\Users\Admin\AppData\Local\Temp\wEgs.exe

MD5 f3d3570134452456e2443eb16b7539d4
SHA1 d1a5eda237ad875dd582907b6ddda72a4a2abc85
SHA256 2ec89763316d45668f64acbcefffa0131db50354dd60ccec8a6f7663ce8ee0f5
SHA512 8e38610473a979b15468be53b40d900781f6b4acf281c685c86e0b0660ddb30e6ac6c194ad88f930631a41464f0bbd9ea8233011b846e3815769cae97ace9f81

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png.exe

MD5 1f57b3304d3e54c82b6de2b7997f8235
SHA1 260263fa3e49243c77ce006a44f8c3a27489302b
SHA256 3d3cb9b18d97db7752cfb08b7deaecb5ac83979750faf9fc06a49b97f5326c80
SHA512 efdfcdfc50b7285a50859e35ffa1a7dce7ac0f230b4b02bcb2f59d9f2cadd7894093fc9e43c94012bbaa1990328c7aaaa677dfce17090e1778d8a7f565d38b01

C:\Users\Admin\AppData\Local\Temp\eQUK.exe

MD5 03a3fb62c896ee5a3b7c8d81cca68d44
SHA1 d9d54c39c5a7c2945784dd71813a8790f31bad53
SHA256 d3400e63e69c4a03b993e8408c8b74976f4cccaa48767a9852fc80fa70d84472
SHA512 00b06e4b26aa669e42b85f7efe6e17fbea3583fb4eb7c51563e55f284f7235965a05c7c9a30d1290f8daaabc985e38636206abd4ec0e55d9d0d6913c8c4c2e70

C:\Users\Admin\AppData\Local\Temp\ckge.exe

MD5 d3fbae046511ee73ea43bd2b659314e6
SHA1 30699c037473099d8ca9d28114705ed63eae2d6c
SHA256 1d34098bed2905083ef0a7d8a25822a54abac41dfc84c4de1084c4ad018d686a
SHA512 b3a1250ca75360263d77926199389f43c50340b966df3f048c512fd62aadc05f3da144497c3553734d2b19de5a10c5d2ec45bc088c8f45db9a15a49815e9878b

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png.exe

MD5 438a2f296794a24cbf9f04558a7db415
SHA1 0ea1816474cb53b45fb9cfcf4136d4e9445cf7f3
SHA256 c5aac192d6bcc207e8d1e9f245cf71fc74ff3c66d524aabef2f9a6c25451d235
SHA512 d420b2f125d0aa6b80f52684a956b241706eb9a2352454ae719a30a6e74fcb91cc1a82216aa2ce458a645e8b9a89f068339ae6fff2627de0c40567e47bf4738f

C:\Users\Admin\AppData\Local\Temp\isAW.exe

MD5 886067eef89de32a865256e2ced1df38
SHA1 7b6943104c1c25ac29a7b5959397e1d2541978a6
SHA256 4c0d92b32262a2bb0bc6c1d736a6c65e326b2b06e4ab0de3aedbe7474631c56d
SHA512 e7a414bed0fd846c3dd0081f52a8e03a8f9a4e5f8f2526ccdf8c3efd5ab20c429bb9cc5d5bfec72fc34a1d1efd8eaa9ca19224f641000f4fb0e4fde228c88f16

C:\Users\Admin\AppData\Local\Temp\UEAA.exe

MD5 cdda64784f756306a418c3329503851e
SHA1 9aca4d9e3dc8518679b1e5b0cc70eb2d9def98ec
SHA256 8b7a99592af202b0820e0dbda8e52dce904f00d3c967723f5b42a6dc13aeeca9
SHA512 4267f68bfac85602a9fa16077653c3a7851013bce369f43a9dbe2fddeec666d052238cde977e162246f25884e7b9db08e7cfc66bb295cbd02d9a6b4430c37758

C:\Users\Admin\AppData\Local\Temp\agUQ.exe

MD5 86c31529170c8d831735ce937fa8b025
SHA1 32d6fa5ee0e1c3ff3c8a7e8572778db13b15d113
SHA256 e3e8d2882678d4df79f8e7e069584d5e84e199a8de1ea439761f3c00c4690f32
SHA512 b52dc4681fd6efb0d740a7491fd4a50cc2f546a4f655758dc05be7ba2d336fd883a30eaf4cba2059de1644c078235a274a3c3b54d4e214c03ef83815c962cd03

C:\Users\Admin\AppData\Local\Temp\qoYU.exe

MD5 a8b2fb1c7f2435a4237c0f38a3e215dc
SHA1 0f62f058a24a5ab53ad309443cb142fc31ded3df
SHA256 03862ed8b6cd026a3108ff58d52befadafd4ba6dd9a427eb984ca82613c681c9
SHA512 5266c36b585b9ffbce72478686e4cd11da2b534d51e19784b3e8b85ed342d996d23e6437963f91a8d96053cadb4762feeae6c9113cc22485487ab22a3aa3d6c6

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-200.png.exe

MD5 b8dc61cc6b6c40618494d970ed04c373
SHA1 47d1dbdd7c208c5a2f489779615dea6bfac5726e
SHA256 5504522b25d47062d031b0ba94e84967f4760c8195c033101982b53031c298af
SHA512 c6b719fb4be0be35cc6af57b0987b239e4b3de5bdb2debc4c90c515d852c105de36e1110b26b75e64e19304f41e8e29337026fddfe88b739c987b3d5e3eb7bfd

C:\Users\Admin\AppData\Local\Temp\YMUu.exe

MD5 06792a9a7b2c4ef8a4ef1b8e7d95cfd7
SHA1 85b91c42fd914bf0b1f58268a50e4854158aa35d
SHA256 1540ecf7e6519877be80e0abdc079ff5013a6d8301da9b7c7fb96cd455270ff3
SHA512 da9860dd3dd464cafbdf6e33cc63d1328a9049411bba237061323ceeb507224b3d855ce1440a0e80afd9333aa4b3addffae3df217defaab6d68cdc8fe7af7863

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe

MD5 35c677c4a03bcb67a267d2dda3e4181a
SHA1 95232977208ec4efb6858c39df3aa561cd1c4b33
SHA256 9ef5164f8f492f25df855485e845edbf3ede6aaf0c0d624b584b2301280f9974
SHA512 63ee634d3989117f67f043f4bf73bbc84baa0bd38b43cd16471454a7503c1378e8f74ccf718b752f816de89ccb65d1bc9755bb6bcf340900aa8698f1422578eb

C:\Users\Admin\AppData\Local\Temp\EYIE.exe

MD5 5cf68fe237a00b0dae8588b6e8cb4a99
SHA1 96d1c01561e8a07409c64c3e2469f9960f8af10f
SHA256 27128b3c61827952cc96e46267df60080e2de744a4fea27302afd8b179591ca9
SHA512 78d739fd4cb7b5f6081aae2435e463f43e67e4fdc3ee519b05f41f4690c5ed62426f81037fd9e46c13517ba7a419c2d21bb098c2b944d40f04af814c7fc719e8

C:\Users\Admin\AppData\Local\Temp\UgUg.exe

MD5 a3ee9a27a87b8d7cf6acf73efc05a38a
SHA1 9be1ea5930fb3b849f25b1bfdccba4db6d1bca20
SHA256 9c38f297e11f724cb7585012f1aa6304b5bc32afb2d0b30d29e6a97627cf88da
SHA512 52c9c220596774a39ca824cf6a063c003301b4cbde011c960e0413891117163a578ad5b8edc9f74b496efd7fdb6593f7ba776b368e25189d1d113d14cdf5a4d0

C:\Users\Admin\AppData\Local\Temp\AwUS.exe

MD5 2b3dbcff66e86b4374adfa918a1b5175
SHA1 ece7b2932c2855d2f15ff22849cdc894715b3c07
SHA256 3ec40cdcb121885e8dc7abd9866007b97bd3efbcd08b79821859c66df1881d2e
SHA512 6faebf1b1d6bd2b067bd4858e821b25293ec127e4a0e240df402d611526b71de14856635de97527f37800d93ba35803a13bb8af513c41fa924c1d3fcaa1037c3

C:\Users\Admin\AppData\Local\Temp\yAcS.exe

MD5 39dd1a5b0fb01d2c5e5fc64a30c55240
SHA1 0537078faf8e279abf51944487a038439d5fbc5e
SHA256 82f01ddf77088230a6595cdc3e9842d23dc421da81c0454b9766d5b845d0ef5b
SHA512 57269acb7a1ce10a90b16ec087ee99a1ca67b0a165acb14940033476e826ff23244d4c199b68fe281bfc47318e269f6ea1efc8b62600c177ffdac17c2c4fa9ad

C:\Users\Admin\AppData\Local\Temp\CoIA.exe

MD5 d3698d5a44b4218f3101605368e4be45
SHA1 f20101483ed2ca0a08124ebd4f06d3c7cdc26822
SHA256 0d3319542bf9f5be585a1f7c31e539af65cfa363961b7190a388afde52987c3b
SHA512 dc4bc74dd3ca624d0b1eebc7a1b12c6a69be33cbad74e3d977c3c8f36e7a8be241fe65b1258280d2e464bcdde62ae9cb3c77da44aca115655b7c4b6994ac244d

C:\Users\Admin\AppData\Local\Temp\Wowm.exe

MD5 7366edd25c7c6bd522f48cdb094342da
SHA1 c21973c0a262ef8206d0e7c4ae9380a4981f93e9
SHA256 bb9b92b661316517fa94b394456e1c27b145a7596e209538ca21dd040e8ec003
SHA512 4728ae52d67da950764aedfbb7a2391d4b1cad27c6eeeff40d497a9f24fa6ea816113bf46872ae71c5446354b8203bf048f9ec43ece274d7c54794c71958838c

C:\Users\Admin\AppData\Local\Temp\osMg.exe

MD5 a97e574881c56dad20a8cd0d22af2ffd
SHA1 1b0d698b89016c0ccb46b194b0545d32064d7a7b
SHA256 89eda20d06f4002e79acc79d05b53791b018ed22fe45d92b7582ed56dcb9c536
SHA512 21de04a8a56b9d41e3ce7f049913715e7d4c73f4e59ca40915289beca088ddd7dc9de94a338ae678c7cbf83f6595a9eec2b573d52ef929ca4a396fba04cfb873

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png.exe

MD5 dd53d301ea0d0ee3f332898a10cd8e90
SHA1 404a91e24ef27a6baa560d32242a6c89bd9179fe
SHA256 a7be829e5fd410ef47035f5f498313fe5e726e854c87f8413d4df9b2ca7bb9bd
SHA512 77cb5e3235fb401aee1b6e7c48a00890f4adcc2c7137bb5db27b9d0e0c0f947375c69167b229dbc6bf5986a366f20a810f63ecfa0a3faf2de62dd75e663b3cc5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

MD5 3bf62017f7ccf17ad6311312f2d2983a
SHA1 7f8fdcb82bda6e312d5208abdb487393858d02df
SHA256 478e84e0b9bf2bce7fb9ef53c6b072ed79c59a20b307b2ebdd6d06ff12d0902a
SHA512 ecb0d23a316575ae8865ded3c4d69d5b04ee3ec316ccdf96e7ce9b31ef13af0743ad8930dd25878684a3462961aef37dd8496df459cacefc9d1a425b68340dac

C:\Users\Admin\AppData\Local\Temp\uoME.exe

MD5 36a5cd62a5ff9e6d5b9810ed6e08f74c
SHA1 74bb41299e45697673b907df663878de36eb7fa6
SHA256 6de52737801dd5c8350e1e0053944db01ddd7e13dca06476afa9e3a8c56bfdfc
SHA512 ce24ce558a2ef6391f50d1c0cdbb0c5860978d093a146ab705d6e42c641ccbad0f391582718c05568ad9b523b1891e7b09d593aee118bd455399d8bd15a22d9c

C:\Users\Admin\AppData\Local\Temp\IQME.exe

MD5 a608f1578264488039c5f937dc254bbc
SHA1 730bb39609c4cd09218c61d4cef7902ad704222f
SHA256 e83c0daa91bbc08f18e0ed68593d84307651757b66332050e9203537aed2f669
SHA512 1f2147aa30a157b1a721799dfbd1436e71d9dd8ef49223598bc6ffb33af823dcd424ef90d90891c0c9a83b24544b1a8abdb94392d7aeae0e88efe4cc6cad9afd

C:\Users\Admin\AppData\Local\Temp\CUAy.exe

MD5 393cf3c83026835cee116e3b1b8f2952
SHA1 4a26624e5a91fb833b33619865777febb6e26852
SHA256 6c316d1cd302e245e8ee9560f856f8b75594eeab47dcf89e9fc9f832f8845ec3
SHA512 0f3f8e62988293db2aa8af22aaacea085ba14f35efd262a0b997457e88f677927119ecbd77183389e78fd348db7343be0175d379f0842e53febe54548a0a18de

C:\Users\Admin\AppData\Local\Temp\swYY.exe

MD5 b370e89937c259b99c594655ee490ae3
SHA1 b4246afe1a50c5b4f3e4c594cf1c5af64e8ae220
SHA256 a42199fae48d3a6e689574731833ecb78112ad793f6d11214650a6b782cceaba
SHA512 336cae441da64ef7e55a4f65978cf0909b50f71ef605ca3714b070475d3224ea50591e27f7072d1754fb728034328f78faa857f87d16516bbd3a3861f1024b0b

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

MD5 c71509cc88413bb1ede4d837e37d6319
SHA1 d5dd07f9fd3b796ba773f201fd880506cf8e5150
SHA256 6f9eb9771ec6f493b4fd49d7d1cda6d4a96924989dc9c1d42eab82eb2d29754a
SHA512 c4fdbe566e94148ef4da69f99fc3876964614426a6f57514e9aee6ac6f904c727ad7e754a9b734a1fad6e1428e46998a550c2b9453b32917329144337a76b0a5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 257f452cb7619968dc0ba0848f1af7ae
SHA1 0c2892e89b79dd014d4fd94a6b85d0e2cb2a9e91
SHA256 9bca977801af086d39d8c3cc6412dbe999c92e3030e7da25cb38340c98007294
SHA512 10d861180bbbf895b01e89ae7ed3e89563a32071c1e940ee844ea13b122c862a07f56473a9649f453f2962c9d28e82b1a5b219b969b189576385e358590a128d

C:\Users\Admin\AppData\Local\Temp\CQwm.exe

MD5 5fcb3cab4255aff4cf9b9540d6a9a792
SHA1 dcfff747bc32acefb40c1e442fec805dc931a6d7
SHA256 e65833dbf7ac6b85a887f715b8ba0ff14aac1a296ec79c37cbce39181d1c8525
SHA512 4a0b2f87954159ee3d23d46892bdc8258f7ebeab9b3e2d05750f9bf04c07c2ffd1274440806a519cca114d3c81e1070b52e56bf1df358d88ba12fef7e09dc0f3

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

MD5 9385887870aec122d29992220f5223fc
SHA1 154d43590982e7031eb4ab0e5918e32eab400702
SHA256 edbbcff9c36e311d94a3d0b274fc4134c1ba20f17c6503adff52bcfef5359c2a
SHA512 1c37f56fcd6a7b3145e11a404dcbd752e8f6b7e8fb04cd50ff6ad51ee08b4305025ca08554f6b799b5a6d532af302f32cdcf2f682554daaedde7cd630c819e65

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

MD5 c302b2e4ad801c4cedc6fa87071ae9c2
SHA1 cd6ac23af173eac96fbba9228cb7e0d2ce03cb8d
SHA256 20aa540cf2e1953bb19b3a6e1a05908d5511a11714f1dbd7600e05b645b30d99
SHA512 19f21da4fb6d669c1d05d0bfe7bc9c52e7833431c8893a0155d761d8cd69022953c17b89cb263b6b62997b6680b0b12c20c448cb4f9b87c0e1a198224fa56063

C:\Users\Admin\AppData\Local\Temp\EUIs.exe

MD5 51077d7e9acd45b7f4130ddadbfebde1
SHA1 80f56b578ab9a27cfe596310fc436aaa845d4e04
SHA256 1fd78e20258d76ffe545659dd0f242056593c31432067da4e81bcfec1a5b7e59
SHA512 87749698ecc3b734edadd43b39c681e01ed8c152802417480cbe24f5e626c95ecefc7b1206328bc5b4f658cc2948599fd5759507550d02b38066a77abafed936

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

MD5 25830ec562cfc997d339a319c96a7a58
SHA1 8ee59f4f787050a3bba0d9739b5b9e63a2122f6f
SHA256 3cc1a08aa618f50520ea0b2a11cb20cd5aa7fe52cac0e6bf73afcfddd86d59a8
SHA512 214dd61a83ca6627ce17616ab86648532f788f165438a8b74b3a1a53916ce05fa93f8c040f24c757d0876959c0821df0a2120b4ade36cd16d8a28ef8a3cb41a4

C:\Users\Admin\AppData\Local\Temp\qoIs.exe

MD5 86c2e3e357e6b201eabdff62cf0b606a
SHA1 a0bfaabeb8e308fafa6b5fca666a16a1f5a41b2f
SHA256 9aa604ff113a5c8f705725026ba50a6aa4d452f5b9f8d5bc5fa0ab4d6bf0901a
SHA512 3a382cfe2fe03eaa50b18cf8f8ae925d434e792d5a4029e807347778507cd8f2cb9a7923454d2eeebfe28dd308c78535b0836fdb2b6b7e4e83d54a072255ff95

C:\Users\Admin\AppData\Local\Temp\GgIs.exe

MD5 acd4f974878768ca02e970b290e70731
SHA1 c17b450686115a8d8119dad50a9356433a859eb3
SHA256 4b877c18474a41d57065cdeab2c107b517cffbe687bc4acb7994e810545848c1
SHA512 48eb78602eb506452ec134762bc6a72ded4c0deb68d92f89a208911a9ee3aa6dc1aa3f361f28695c5f15a5cc30194ced0e6bc0fa0e951badc1a05a693c441aed

C:\Users\Admin\AppData\Local\Temp\QYII.exe

MD5 261b5f9a23fe19f41ea46bc045668bb5
SHA1 9f9bdcd82261a0a790dee0beac29048eaad9c9f0
SHA256 20a2d5d183d1f1b668aef6f85fc9a08e77b1179176a2d26177a043ad3dd0af06
SHA512 76a41ba4b776d18935c47b0cb404c5b21f33059ca7d172884b257662da229b0f8439dc743fc95303d3938296e485267cd39a0c4f23631d44dc890b8e40fead76

C:\Windows\SysWOW64\shell32.dll.exe

MD5 b2e97d8e47274972285c0181964c8ae4
SHA1 d9e12f48172a06b41e37cf0bda6486fea95b92ab
SHA256 cbbe7b884611f080600a42b25a329b5151b1c04cd24fbd754b6b6983d6702912
SHA512 70e74e1fd64f5fda44d80d38c9a6920ebb24288a20938dfa7e14da5fffa42c57cc81fa1af103cbb6622856bc131fa6ea6ff4636b8fbac53616b4403c6391f258

C:\Users\Admin\AppData\Local\Temp\sQAu.exe

MD5 3d59ba6b551711db8baeab5b513bc250
SHA1 59945df5124539a03fd4352c63cd3f19fbbcaa98
SHA256 2cd3097884a0b8b336468e10150c2a11019daf7fc8a91b5e0cd49084c02e2292
SHA512 a3e3a3ee006f6ea015a7f914478b792869f48a03b01d5c1f5c2d9d1aa62ca327c5e9ec7ef69204bbe84a159174d033c53c1020ff071852e22f86193f5b82fe2d

C:\Users\Admin\AppData\Local\Temp\wMkc.exe

MD5 0b6b4a389a66ffe57d7cf61616d4724f
SHA1 9ec939100b88d1675acd86de6104f6befca3b288
SHA256 d9aa4e5bd32b944f882574ccffa2515169341d65d9532cc480761c290d5ed6db
SHA512 c5b6850294bc62a2ed51ff461ad651de691a6f05c51663a727fa9cf75dba39a98866b86426d1ab03652ad194288a84ce6ee3eacd5cb4753acad3a28eca54dd5a

C:\Users\Admin\Documents\PopUndo.xls.exe

MD5 09ba797c0cc32463423e5f40e5742956
SHA1 1ce47eb2badb0d4ea577bb98fcb864f22a8f8a49
SHA256 e3253e4f14267d088fa1ee010d7d58593b00747dfc5ddfaec5903d2fa4b096a9
SHA512 2a609f49b6f811c4a5bdfd61a1c19a5874919be1e1256d9eebce203f4b5e8cb53bc0cfb6126072eb1074b2b198084dc77c1346b373118ffd40eb9a21e9ddad97

C:\Users\Admin\Documents\SyncResize.pdf.exe

MD5 63d5b98da05d53cd42cd40e66571c9c9
SHA1 7951e608558f995d1dc9b6c1fbbb433df4564039
SHA256 8f47301111d2d24e082db61a0aa44fcbcaa2aca93d9f546c280318ca41d1c029
SHA512 b0a48b0128fe2db83e30d6d6bd779658e818b20ac8a0521163989edb907476446b3adb87979c263a54be73a8bcd1b5c006d47f41b119e5414220f7223fbb3cfc

C:\Users\Admin\AppData\Local\Temp\oAcO.ico

MD5 7c132d99dba688b1140f4fc32383b6f4
SHA1 10e032edd1fdaf75133584bd874ab94f9e3708f4
SHA256 991cf545088a00dd8a9710a6825444a4b045f3c1bf75822aeff058f2f37d9191
SHA512 4d00fa636f0e8218a3b590180d33d71587b4683b0b26cd98600dcb39261e87946e2d7bdcfbcd5d2a5f4c50a4c05cd8cf8ac90071ecd80e5e0f3230674320d71c

C:\Users\Admin\Documents\WaitUnlock.pdf.exe

MD5 1d1fe24b84688da51db07110e9e1158e
SHA1 4386d1b29527853cf303bcbc1be6a0976f4058c8
SHA256 5b774229eadb5c497f78af9bb32adb83964bd48f3347d023f5acfadb263d8654
SHA512 edf90c6a3932bd5eeacc21e4adca6884d5b076dd7ce7be72dcaba134a6e4ce5eaf8ce79dd1ebcbe8020c1b8ccb1b4798c152bb62feeb778a0a7ab1daf63890a2

C:\Users\Admin\Downloads\CheckpointFind.xls.exe

MD5 c3142f3a9d0e36009f73b098043573fc
SHA1 8375f7c5406dfd67bb80623f3cb1567adaf3e72f
SHA256 e131ac478f07347bc82ca86e0b2f890f1e9db7eb7f6067ac5cdacbfd94f36ab6
SHA512 97e0a4961f259f64d5d34225a415ba39aea9a8df86768112e31da4a6901cdcd6260a22ffcff468178f9d1d42c41b50508c95cf2e5113b9fd87970709cdde5eed

C:\Users\Admin\AppData\Local\Temp\GIgS.exe

MD5 5e3f75fe5fda5460a1fb1bd73de9a181
SHA1 263f8ea667346202ad9d6ab883fd99ff2be40a44
SHA256 7bcb7a5c8c2273b4228ce2f85b0c6389e63fa803792d5d95aa0642ef0932ae49
SHA512 a3bf874cd6ffcf6d07f9a125f159e182cb4c2d9b595e0a13ec0dbe431a80b78342760264241e53c45271ea554152c60929d65784967d2c50d565a1c80a7b04f4

C:\Users\Admin\Downloads\StartLock.ppt.exe

MD5 f61e7274f8c72e913e00e758f950478f
SHA1 65014dd0e2198db4ec3fd1b19c4eb4d33a531510
SHA256 1f42ff2b26cbdf69ff6797783da06c1e297ae87a35e1f69fff7e4ed5bc9b104e
SHA512 4d2c853ece25440ddf6aae826579fdcb69560ab5f665236091e8a1a1e80e8d3870190e16a85e635e60944025145d2bd38729edadc7333a712a571db3cb98c349

C:\Users\Admin\Downloads\UseWait.mpg.exe

MD5 c90014e19490f8a8647700d939a130fa
SHA1 9eba67567f4b7f3906c616e5852fbcb1a9af9e41
SHA256 9bdc7c8680e67a499d2f7b153c6886ea76a5a0c4bf326328f2015e145883266d
SHA512 f67d79ff6e9abf297a7ae6d8cd6134d4fd8f7e6987a912da7abc53f4a651dc81f25fdf31443345b3f73677a26a7803c73754f668b4bbb99d0934b261658965cd

C:\Users\Admin\AppData\Local\Temp\KIIm.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\oQUy.exe

MD5 66ff244ac125325dc3aec4f5a65f592f
SHA1 9e28c20cf338d3e95b489d6aac46065176114bab
SHA256 28b48d753620bcea8114cfdcde2f7a5df40baa0b1bf6fe90bec4ef8850d72fda
SHA512 9d1a1f9b19f46ccb8e2c8d590cdbd011bdbc3cc43f3fc7601dc334f1120425ebfd824d22b6b4e5ab1999c938440c05d7bb284fed5a90752f5e128278a3950bc3

C:\Users\Admin\AppData\Local\Temp\IMcM.exe

MD5 eb57a84014a3eaa2e055ed1e1c43bfcf
SHA1 b4a7b00125ffc1e1fa874c79c323f7c82fe2ce01
SHA256 5dfaa99c458a6b351664a4f171d48d54f718c78fa747e34ccf53d180f78576b3
SHA512 bc1aa30123fdf3f9010c48f13818ddc298713c979a945e4b01ef11eaed72cd4147c3266f45f2561f36f9010b78fe6ddc73ac9b49cf4b47e0dc580a81072bfeef

C:\Users\Admin\AppData\Local\Temp\egkI.exe

MD5 a872cbacf00791e36b4a3b53dceb3c8c
SHA1 d4d20ec63b917246fca805635178166563bddece
SHA256 54cdac3a701543d24f87bf1b64f26f98043f93e6041d45a19afca6ef9a6e5e9c
SHA512 851df771ae9626d171b037d135539ed89890208953bac0f0498e07fec2f9451ed2cd086e590c247b4de8e5bc640eb5bb8f135a5621944bb720446ffae062a26b

C:\Users\Admin\AppData\Local\Temp\Awgo.exe

MD5 037922ec340f12c11a049ae9766a43f2
SHA1 b43c7303490a13e77746a067b1fa8092cb3400f6
SHA256 b382e1ae46a1736281b4a4ce180a334e2d6abf6a1878252a640274d8d01077c9
SHA512 8b61188f8f6b797c966018ad15404c9f5f6f9498f638d739662c465b0fa0df38b5940fcddfd30f069bcf68e803c2b1c0a53f3a76749f2d8354b27d112fb36a47

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 2b179abc8e461ee313fdc4b6d3ef97b8
SHA1 28c3008e4844a728550d4a7c1e0ea6f003aa4413
SHA256 0154513387c9d0262c597b6e0efb3cf2448da2022b60e73fdb5a8b808c204c26
SHA512 9c65fe6be42783e5bf552b546e661e348e711506dbce3f7f81dd2fea4d847f763ef8c2862d3c8b24c712d7c0531d5691add1799064130c889be294d400a8f5c9

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 f043e02239198921ba38d1d86bf1fafb
SHA1 5dde799e9922b81a5046572c7d2ff1c3131f4583
SHA256 137e8fb8fe6cc38e0c68cb575dad89f7667c5a394efb534eac38b6ac60897c8b
SHA512 a99bdde1fc1e83bcf317d96171df9394dcaeed1e2e8154c0857e9df69f9d7e7f879dfcab0f1ed39ed2f21c20f22ec76244ebfa9b4b3c9270161e577c9a6907cc

C:\Users\Admin\AppData\Local\Temp\Qswy.exe

MD5 5ba4322f24c581dbe0915479375b09e4
SHA1 d684f92fe355e642d915ffb0bbb80c2c4fbe4c2e
SHA256 640d73139fa28ee406a397834eb1b42e41e3280f4df03c377c525038a4126e04
SHA512 cba8d6c100d77fd0933abaf1bebab9984a9308a35a45900f7d2851ab407a67ca77747830bb9f6ba419e962aa7e747c6042053b32242b826bb980ea7e84a3e454

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 3bca57c7b45e630e8e0f603e7e4fa1af
SHA1 6cba8bf54429d9e15480cc980c462deeb1534611
SHA256 07012c394747dc2798c947bd77dc6be73dd08a3a42dd6bd912137da7d3c35afe
SHA512 6284a0b3dd8f014bce7e85f79fe1404ef800b3d5a1a39cb54cd2da8456dd76057ab82bedff1bfd04c67e5d3d617ec14638a778cd3e4c2582e5a4aab5843a7dd3

C:\Users\Admin\AppData\Local\Temp\SwAQ.exe

MD5 0712ff72a8e7aa979291835b7856a3fa
SHA1 1c313cfa6676362b22ffbc731530e82d3fcd3cb4
SHA256 7e9d7248bab8084f1c8fb615cf0775a979bf315fc8933802f9791327d1188618
SHA512 f6aa17347b4649acaf3c8c8f8fa1ebc860a1f01cc2150065db8267b72536d6d52b00c669e2dfefb5ca8f61a7df128172dcf295e8e438328e4fe1c82b05312d61