Malware Analysis Report

2025-08-11 06:22

Sample ID 240403-njs1msda27
Target 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
SHA256 72e28253024c7646b511a5ed0c0e675dbd21983dc000a25cd073e41c76f07c71
Tags
upx evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

72e28253024c7646b511a5ed0c0e675dbd21983dc000a25cd073e41c76f07c71

Threat Level: Known bad

The file 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock was found to be: Known bad.

Malicious Activity Summary

upx evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UPX dump on OEP (original entry point)

UAC bypass

Renames multiple (83) files with added filename extension

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 11:25

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 11:25

Reported

2024-04-03 11:28

Platform

win7-20240221-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\ProgramData\RgYMsAYU\IkwsYEcM.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCQQcYYM.exe = "C:\\Users\\Admin\\MeQMUcIU\\YCQQcYYM.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IkwsYEcM.exe = "C:\\ProgramData\\RgYMsAYU\\IkwsYEcM.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCQQcYYM.exe = "C:\\Users\\Admin\\MeQMUcIU\\YCQQcYYM.exe" C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IkwsYEcM.exe = "C:\\ProgramData\\RgYMsAYU\\IkwsYEcM.exe" C:\ProgramData\RgYMsAYU\IkwsYEcM.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A
N/A N/A C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2456 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe
PID 2456 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe
PID 2456 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe
PID 2456 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe
PID 2456 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\ProgramData\RgYMsAYU\IkwsYEcM.exe
PID 2456 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\ProgramData\RgYMsAYU\IkwsYEcM.exe
PID 2456 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\ProgramData\RgYMsAYU\IkwsYEcM.exe
PID 2456 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\ProgramData\RgYMsAYU\IkwsYEcM.exe
PID 2456 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
PID 2380 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
PID 2380 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
PID 2380 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
PID 2456 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2456 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2456 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2456 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2456 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2456 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2456 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2456 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2456 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2456 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2456 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2456 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2456 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2548 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2548 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2548 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2548 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2548 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2548 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2548 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2548 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2548 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2548 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2548 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2548 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2388 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2388 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2388 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1808 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
PID 1808 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
PID 1808 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
PID 1808 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
PID 2432 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2432 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2432 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2432 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe"

C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe

"C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe"

C:\ProgramData\RgYMsAYU\IkwsYEcM.exe

"C:\ProgramData\RgYMsAYU\IkwsYEcM.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\woMIQAEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lgcMgAgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lIIEgcEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hoQYwIgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vYcAwYoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TyMkkksc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CcwIkscU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KCwEIAUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kIQYEEoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iWwMccgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "521224872-3000722171846578990-939840330-1580424658-4685307265581425111378813322"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\owIAEYUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5832202344695650661630872421-1022577799-1219190182494570834835630259-1178535928"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aoQQAQEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-47672146218164241683217733371533781049782903594-1672307064998293440-953456791"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TGkoIgcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xwYEUwgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-779047033-2079758537-7449717361200222330-104426621-1701565414-2696019911454972241"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-71732206-198848081-765210630-322109440-108328752-293726521720666320-1751298060"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DMMswwYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TSokokcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-332725593-2777766311812288265146321060-7927014539790636122136272957-2100325901"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5868237291954621825195310975920512604221818431647-17870912381225500217-2143853339"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\feUokYQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ViMYUEgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YAYYgEAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aQEoQsIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-301444709-820695885-1192282001-1802336029-1569981694-855716448894566686-1792996214"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WGgIoUwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-797404462-1846220925-327227904-17281526192134788191118077413902165170-1071566319"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "586811734-5138252065475456-5941756942020511901-3448562851609451371-1722138201"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GmkAkowo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yyEQIIwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mwsAssok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "463688800625935610926226192-102207803918134144675219956921422914553179470821"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "467156861-9847454751937218505-217554641-1448528707779723462-1888706516-887104846"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vWsMcEkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bMAcQkIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1051140295-20037033291688515242-99631153-1928838750-902845854-1042303766115654415"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TUsUkowY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pawEEgsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\noUEkcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2082783738-639383184-1566631761-610522791-17208218171592608010-743611361234706796"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-196211683014268394651749364556-15189190361130771678-190081212-1281495930-2021819436"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1716482163-1984522830-3272747701251312719-543829336-2138074755482544244786144569"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2772871109837441151970431163292562745-66318093014632371132064288342-1221912282"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\syQcMMgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1315874266952099567862651031903199321-83646392-727736546-15674350461383989698"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AIwEQwwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2058572727-12589877621057485595-1798146021938526827151848349641119665-586387821"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qQYoQAUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ywwMwUIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1629637327-913591629-1670360587369913718-159433987-845215993-724175802-427447183"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gwoYwQcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WOscokoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1165139576-141105179-41707651-392587140-769907033-12672108462115934319-690927017"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PYookokI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "11350076241851667113-103703125773687941826078749-1386496434-785379364184604140"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rKIAIYUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "6724759698615988561885251202329319454-1722368172-1128135829-693414906-1764926215"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LesEYsAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1255441269-661946340-1973351835906332292-21459728307297126981640645803-1668184503"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BkgEYEYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1036110740-1085092043-81330633-1294776484-6351222844936105215594959231672719584"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZIEQQwMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "650169799-8206481044920234101167236150-11493990501127588835-1542643523-577269262"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-869105970-2041330957-1590535786-399975961-297287999112997978319153967091371964508"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "252524143866359048-1693036867-1823771475635339124-1313663463-18416906471746615393"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EoIUkkkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "37228163515654650661350013051-1924087810-1403326567-523954960-1263787776-787339343"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mIcMQcwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-490141833-1638833977-699274584892243241-2112736249-2011158420-818635915419132689"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eGEAQYwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-180225335-603833432-8170596661955629534-1442060100-17917995661069920234369125736"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EWAcUgAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FsYMAQIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1458528932-1648182887-1604458025-1916713931-2044688092-774587607965498382-70875020"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ViIYcIMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "399937434-9863245535593426502117665846-88649671613253157401013786127-199566367"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tQUgswIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TkwIcEss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1516633724-1949329311482524463-510764814-18456081222039220548497241698-1647174109"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1255047875589744992-6380807722126842860-1268836319232656247-20011322181675236726"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iEQQssgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "14190573811374802118-1524014583-573380664-426176283122566995217339810811277760921"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "3236885771807019705684454651-2099818358716419010-10213036961063450800-1566359621"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kkQEoMoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "446696111-11848915541504003297-825084491896924321739524606-5021772771900200223"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "7556301951821001160-1791852803-18317414821452792788-1523016960-5716464161225660645"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1660300030517550233-16918182051060440324-478956279-18303993722136145521-2000323852"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EuMIYAUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QaIsYkMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwsQkcgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "12091912701163803384-1635260754-150697108112110396861755606697-1535199182486143945"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\okUcMgQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1783987812-1646827493-1357751241-14211751082021826399192162404598045127135491044"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "141025176816931707791088815671-6368865781482628570-1277316773-1170961002601348651"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "12297269571284894251831128347556714095-970057075-759188371757189531668597945"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1666392322-15084900251613835979975412092-2064316786-1670977648-1622752423336700564"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dcMMYAgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-10745182826435243231321511455906633043-1200232341-1527447669-1084282153-843534326"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1906933944171185342013675294131112874181698365021-1935597256-1221589330384886770"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DWYoAkAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DAIgkkAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-955320108-967808213-15204619712291634771214700403-106658549-662375123-1793017766"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-8859402661893283004331175652144055350017297712582058216439-5297266962043399047"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgwUokEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1677649142-432502847-2105670002-84459751-17706223611227938147113429525-611106132"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lwQsAAAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2092304000317829866-1939550855-1223055231112104908-2715590781124615731634898232"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oYMEYIIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ykYUYskA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "154860848616699963598247709332777692461521155981-1959949907-416445727-856029562"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QWIcQYIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "10939549831775744015486422394-2131438365578487918-1936310823-21447267891448190607"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5266683021858393527-709924419-107532137620205381761688447986-18687102941156880188"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wqEsIsAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "17843998112495870319074479061358820755-5091117601134529005-1170783263614017182"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "14191271601672147867-2069354883-21297832331711024399144409490216103394331912373677"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vgsgkMog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VYocUYUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-469970273-82917182378590175730336810-1735329221746844061-204694751268276577"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1661278959-586722282-2122058022-872510097-2942082321020385196-7078624771660531013"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2023338614-1069193704403028181-1645748158-1112994542-546546101-1398548039-795303362"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VwcMUgsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-8379907851577509218632975425-15054485091725962340-1354230445-2052027431653397455"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-545334474-497064858816172001260723973-6406149931714435-494776987-764904160"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XygEYYUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "464940180-948053771-11627965211109890578152454843392703612-1361477856-797530851"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1790184309-849634963-63755610281820213630997131707736955-1669555282-1399695128"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "338011546-563106185-1825142490-101364306612261871951868373498-1873426779122219968"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mIAEIwwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19456826611397042522881221315886168012-3355188641790598126-742250687712666834"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1529920872-105073632220047880301196639274384147038637805693-287553861-719138577"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\csUQIckY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1043435351-1018742145-256563026-166931636-7474911914136781061614583247-245273703"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1372835246-607239625-179002565-205552778715652371258583191-842032315-1298076107"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "19725441141601181487-1640470065290387755-1400125179816384423-453581330258777454"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QsoIkMcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2076527574501746639-1535006761944553083-1068254971-175018091413711648471320199566"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-282362991149817565-94584407610438489271453747356-1658412820-1112542573-1510312053"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GGYQcQMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "13188808481557795527-1338284915-583553024-707696920-783441987932121873-1182958366"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VOYUsAcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5074500851665697027-17699576399960832469498042201639787501-16885218941179065746"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dWYoUYsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15467026631557037150815900511-4976777479080575431972755561392953644-847680539"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-821841298831690544-172099122-711190262-65132963415075869515647927-659962061"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-487230236-816488418-827666282-1887051428-78519716928090999412949819231137263564"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FsokoYIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-15317863721759383602-3420108611086931672-358906302-945437030-77880631498524993"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-711163403-14482421041200454524208214276110454403371447830784971293382-1998562150"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "21589046-2073627198550654787182605373-655562706-1824395605419171767-308942520"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1617342770-332458396-818707267-1113842353-199975169826338974-1579409795202973105"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PGgAwwwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-14442582631781756759-778143399-1920962569346333316-1503221686-563580098-705889350"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aMcUkIYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-890613410-37468764520299438181292529581-879058797717910979-1704182743283163170"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iYMwIgQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-182441046-19253491491455651045575648542-7698619201350968529156593438-655718593"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-216832412-1934618361-5613793721465429302863651045-2253442251022862113379773384"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1381688190-12275179171597618972-448083579-243502607487390010171182941633058206"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "8200119681513448666-397651646-1138815654-2127333302989183090585565831-566124338"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oMgwwYsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1022178101736214908-89094490-1071673740194166276679402723-125395589656291878"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-596245064-879977205859694465-210453568-1489743037-1792634919494672522-1209113779"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1131918647-739964504-170538890-1167258560-25516058741212003-6744607861014124798"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bMQEYgIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1832325368806301745796211525310434122-522333450-668880988-1762812699703426290"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "798497448757438621619055164-2142816981-16352670011813122856154003586-2027073214"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "27169384419566712552045860954-2084473496198708039-81559852-305626311-1116715928"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZAUckYAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-4780738551006349742010807147-15677984591104582964903777517-233371897-873959061"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "685336216-9114417791798640847-1471422173-1256048437868303047-1277930630-1047469040"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uWEsIMMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-321258815-107924406818503398901399741311-1266106341169033565874128023-305667975"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "16232587231512473936798101397922239231-6142612711491224173-8763525341389097058"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1687507302-9610209421775814289-1506006689-2716372931595886257-143914507024071927"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "713697948-13707238941146454419-502789936192120599-1578198980-948936351657861417"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-48103006712213418178523799238851316815646098519281770416895723351166593572"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cmgUIQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1015626579-791584197-181727296-936250009748732653-15605448521508569645400406235"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1120828876211016909-17552382571432244421-1871657871144276095-266030787-300937226"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "3357632541758175195-340256287-1172118987-51517251-65536005574795138206897130"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1716517476-626111087-334318711-753127556-566436373-1136708735-1444011349694117097"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kWIwgEwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-300594708641278216936752286-1859096795-1246655703-1018444267-977432215-1593900249"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1895180236-543164340-1541991416-20047157551973821747-1894287367-1816342997-481970621"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "115280286964826799-1774820193-786636863630766869-941849288-16942400775969855"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-18412145991447011782098398737441291951576970717462806760664831847-398813549"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dmMEkUgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1408136986-1255399445-6677202445410300991336128278-1722899219-15163326641469057828"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "367195970-368494240-1324892303-2072375208827396306-19467664999737447471513867"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "264091211724245329-169670007-51612851229034405-2009892875-139783798-1438462491"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vQkYoogE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "457079623-800149601-2083973632-314026869-1098621434-1999132301-789885415-479418215"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1896318499-1927274576-132174779-398741936304608276-1710793783-616077796-1270394500"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "410121189360215036-1243847866-1531256025-15299419131911017818-2121357941250194284"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1917752197-378372062-42467010245584635-53826425-87041184310215674351178880975"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
NL 216.58.208.110:80 google.com tcp
BO 200.87.164.69:9999 tcp
NL 216.58.208.110:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2456-0-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe

MD5 ef94fdbc9fb666dae9a6a4db0d331e13
SHA1 dbbe88d2c30ea82e766c1b8640fa76d123543bec
SHA256 cca5e4212cd5fa3f5da940ea55dc1d573968c06dc9fa933d5fe9b57185b1aa36
SHA512 50726eb08756139b5ba35bafc2b661fcb2709a269625fec930406cd6d083038011e2e9fb1312cd4fb9cc19484dde85e574487bdc1bc3d123656697a83e05c046

memory/2456-12-0x0000000003DA0000-0x0000000003DD0000-memory.dmp

memory/2456-5-0x0000000003DA0000-0x0000000003DD0000-memory.dmp

memory/2560-14-0x0000000000400000-0x0000000000430000-memory.dmp

\ProgramData\RgYMsAYU\IkwsYEcM.exe

MD5 6b038f1399bbb967aa9ce3704da5919f
SHA1 cfb0d33d893af43b15920b9c8a55f009b385fbf0
SHA256 2938c963ef9b4b478149ef530df6ae4605209a9b8413ca55e026837a21d9522e
SHA512 86ec9cc4d2099d54664e311771aac4de63f1eb164e60204e7efd870536c3a64180ce28c6b4cfd960bc1d2a4af06cb365c43981e6db786b7b8b75309c6f48ef92

memory/2456-31-0x0000000003DA0000-0x0000000003DD1000-memory.dmp

memory/2456-28-0x0000000003DA0000-0x0000000003DD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aUAIIYEE.bat

MD5 de92ddd43d8cd88c610682f9b46717ed
SHA1 c75c7b0265d7d78be46ea5e082351c76ae1fa101
SHA256 3b5b7ea1e88969933485c732e4c3b24e33bb6fbb706cda8aa31a8832c8eac8d9
SHA512 dff4c2746d0f93d419456735134b1746bab8e16176ece185a047fb2abfff0f0a2ced1326cea4e90138838b82cbb0e979ca483b3f9e4d7998661d115cc3df3007

memory/2480-32-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2380-35-0x0000000000120000-0x000000000015C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\woMIQAEA.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2548-45-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2380-44-0x0000000000120000-0x000000000015C000-memory.dmp

memory/2456-43-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

MD5 588e8e645526676ae2f8644d4dd82f06
SHA1 607f0d19028f909a02b5a4b00ab7096dfb7f30d8
SHA256 46f556f484064bb3cc55694c4fca9344b1432ac341861e56bac17d15cca46c7c
SHA512 69766a05b8874d7a0b4ce8b7fc7888b05cb4c3be56883db39fcd63d31742aca901c056b655b716960054fdde71abb56905d73038a5974682cd1092c5a7efe6c5

C:\Users\Admin\AppData\Local\Temp\hGQoYIME.bat

MD5 986d86df622c41d8c3b8d100696ba805
SHA1 60e6f10b99f4111cd1dfea99872c5f5f64b88a8e
SHA256 fd95b1d4e01515700f04fbecce07a34d1eb1420d11cbacd4bfd946c3607053c7
SHA512 01d09e271a32598804e127f7b0bfaa7e3d2eafa42e4ec1f0dff28ef55ea2fe81b297cd912c0309c663460a5b06544713e02dd703147c6eb61c01df12f93cc1de

memory/2548-65-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/1808-70-0x0000000000230000-0x000000000026C000-memory.dmp

memory/1808-71-0x0000000000230000-0x000000000026C000-memory.dmp

memory/2180-72-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vkYoocIU.bat

MD5 f0b66070246eb8d2d91a6fd61d862442
SHA1 056adc7749c330be7ca9cad37dee4dfefe1c8fc1
SHA256 739eba46d011fd5ff91698eec0ad14742d7d1915422b0936a02491887631c6c3
SHA512 907c872c8ce945136d311c97875bfd36124b04b203b5c1b7ef2cc75fc2d350d7e7a0c3cf36a3d3a63153ca62f05a1a39477d9f7b8e03322dfb537dc60cd1cf18

memory/2180-92-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1764-93-0x0000000000170000-0x00000000001AC000-memory.dmp

memory/1764-83-0x0000000000170000-0x00000000001AC000-memory.dmp

memory/2272-95-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TGIsscYs.bat

MD5 66d83b6a4c34d451a73b69dd53b58bc9
SHA1 02de724035c41e6117e889c86859d71034743ccd
SHA256 dab12bc8660707c965abd42d3b72b16e2f7d518e4da67aef8dd2131285815cc7
SHA512 954c6f4ba53b13927aba102c58d6f416cdd5450f3502c1f078fe28e0b879c79da35dddfed682a0aacf9c60354cd3dbb26e8bb05f77c4bc992ec54239bf25e18e

memory/2272-115-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2472-116-0x0000000000380000-0x00000000003BC000-memory.dmp

memory/2472-120-0x0000000000380000-0x00000000003BC000-memory.dmp

memory/2880-122-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZSocQEoE.bat

MD5 2eed65291e9e8028b5d2ca62a22b0262
SHA1 dad9f81e44bf130476657d531c4d4c8e36415a6f
SHA256 c7eb3bb61bcd9b17793f75c87b00244692ba73015d7e2cb491a07e8edeea1fd3
SHA512 b6c4bdf714e50ffab408293956fca886179261a994eff3380ab94281feaf32134bdf89f62927015d2fc4a8ea7c6f2096197bc6b364e646c07c23a2b798b1d7b2

memory/1404-134-0x0000000000120000-0x000000000015C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BCkMMwcM.bat

MD5 91388cbd3dcde3024a6f57a8a4bc38e9
SHA1 472ce4b87674f6c9f6bdaba54f7adf75874ea242
SHA256 ce0469b405d2ce3fcbef6d1f1b713c6431f84a7ced3a9898143441e2daeea4c6
SHA512 f7f9aadd7e300d2416af28228627fbf34f85bace1f3ead67b1bfaeac5146b6870e5473761080a82343f6868218a804e4663e0813efa8d1161b8ea676fcc096c6

memory/2880-143-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1232-142-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1668-156-0x0000000001F20000-0x0000000001F5C000-memory.dmp

memory/2016-158-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1232-166-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1668-157-0x0000000001F20000-0x0000000001F5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HYkEQQMM.bat

MD5 cf799acb2c9c214bad9733c9e4368249
SHA1 4e055991e4f07aa104b3551243359efd34a75c8f
SHA256 bb5744d9ccab500b60cb1488ada5218e3e8a82170deacce7e6b571fa1898f4c4
SHA512 ea82f1f715921620ba9e744d84ab9a12dde39c136b54dd645dd3b2476f7a5767ea36508dcd84154b1d88489a64234fbad8641e3a3817962363196065744c151b

memory/2016-189-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2504-188-0x0000000000260000-0x000000000029C000-memory.dmp

memory/2420-190-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2504-191-0x0000000000260000-0x000000000029C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gYwYgIAA.bat

MD5 75769cc14f66e3c56089351405187a35
SHA1 c0bf4282810a44516db60c4282b5c0dfb13b0ad5
SHA256 9333bf16367471d59426502e46454a26a676f1a926b0b4ebe97a161f4c77dc0f
SHA512 ebc0c568e8f9b3c12b0fee392e8b327c47da9c2742b182f4ac5b5feb912268b3fe1016ad252cc0b67f36b207d0ccac9168f20420009201dd40c629a9173ff092

memory/2420-217-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2492-209-0x0000000000400000-0x000000000043C000-memory.dmp

memory/760-207-0x0000000000400000-0x000000000043C000-memory.dmp

memory/760-206-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sgIcYgAg.bat

MD5 9234d057fe8931bcccfe84a3d49c9edd
SHA1 d8b0e52d5105e19bf07baec9e6f9536be0d70255
SHA256 0829a14e7a2088776ac1aeb803555b020b02c6368edcbdc072e6abb370ed2efa
SHA512 7ee33a7978af05757bea4048952d0f46630acb3af62cd3d92bd3014f4a9c07c8182da9c5ae1e5367159ab3d85b4f26043e9ca62fd3af0a2afa284123762fd4d7

memory/2492-238-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EcAsUwwc.bat

MD5 175593c1b3864064e9558e6ed29ee39a
SHA1 0e0e7385517fe1326eddc74e4acf0b7222ef73f6
SHA256 0d9fc9bd534d7f24546c161877447f3f5dd85803c9a07a98fe64e1cd02e248c5
SHA512 4921efbc03b32917844439b27345b3bdcd05b79ce944710d266245919191d5a1289a0372a7d524a33f57bfbcc6b18fc62d29506dbbbea565bbc1e10c78fd95e1

memory/1292-260-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2660-261-0x00000000001F0000-0x000000000022C000-memory.dmp

memory/2660-262-0x00000000001F0000-0x000000000022C000-memory.dmp

memory/2132-263-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gMYssEkE.bat

MD5 5350c7a604b3a677126ff90b1a7c2409
SHA1 bb3e6154757530ea46eb590e097467e3e060b55b
SHA256 273497b169b0588cbe474b9bb9a7f56905b7a56ac9c29def2022ef49b5fa958e
SHA512 2129149401e5117c27508b6b9039924dd6ddeab539834006c1e47eef7fecd0e965a2f7021925a555a5b336cc236fe1c549ace0b93d5b68a4170287793601c826

memory/2132-287-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2868-285-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2716-278-0x00000000001A0000-0x00000000001DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YIwMUckk.bat

MD5 f8de9333945126038b829c28234d24dc
SHA1 595e5cf0f61f200a2a327158dd3ce006c241b56f
SHA256 fd7cfab32659257ecd92ba2bd91ff0b2bd525be521beb655fd03c3951dd23536
SHA512 37f0a81283edc05cefc4507667c0eb28654f2b1a109ec908c77ea0139b680e21f8ae411a5776e1b02b1bfd67ace7b358c208dfb71b6e4a416a9feb3dd6a19323

memory/2264-300-0x00000000002E0000-0x000000000031C000-memory.dmp

memory/2868-309-0x0000000000400000-0x000000000043C000-memory.dmp

memory/888-310-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LYwEkMIY.bat

MD5 d3a65ab57368f00c9990bfcd5faf6189
SHA1 0bd224c3deac655b7249e63cbe738e046e1681c0
SHA256 0720795ae79a8e9518160b58701cb62cf582058573c03aa2681c2c9929b8faaa
SHA512 5792dceea985681b189d2d96ef0db0db2e9c3e69d03b47ba31de5e5b8c224c3d5e778a4e0459f6652c04de826f866d5bb1283d1b748464f81aa5ab30a66d1a36

memory/888-332-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2384-333-0x0000000000120000-0x000000000015C000-memory.dmp

memory/1972-334-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bUUIosQk.bat

MD5 910750fc7998ed28908be8a94a5b4ee8
SHA1 9f14826ffb2dcccede1cf0268b4a5cfbfc4c8a55
SHA256 18078e1ff2ab55b48672de810ae632dda6d8521bdfc2fd4f6d1299513229fbbe
SHA512 0de7f4ca658c1523a0e5651d638a3d3e942919ab5a8fc3fa15cd1c1593b8134d93581c3772b7bff264c84e128eb6d36bffd194a4dfb2281e996a5a0067f119c9

memory/2184-349-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1972-357-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2144-358-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ROUIkMIA.bat

MD5 1b201877484a8f9b917cad67cc50a894
SHA1 9830f878da1fcef9de7449bab1067a09b7b98235
SHA256 05258493af10d9b57b99611fd75afa887e967f08b501d3dc10bd53a825d95bc9
SHA512 c6a0a650e4567733b05ae635f6508836ce2ea8ac3faeb62c629de66472351e9da57766d37e818fa2d8876c7b25f249268946acc71c5495878190d5e5d50a7acf

memory/1540-379-0x00000000002A0000-0x00000000002DC000-memory.dmp

C:\ProgramData\RgYMsAYU\IkwsYEcM.inf

MD5 1f8ab40f96c22b5514315492afd20c3c
SHA1 0a57bb2a49d2426d17d72ecdb79932a8e307dd8a
SHA256 f305c87a26d62742dceb4d527a3ae9cdbf0663c61ddb2bf059d7469c1bc84b55
SHA512 b8b5172e2be4212343cb5794e299d2f326b32d0211016b734a77f654a92ff84bf99822291673b2d0aec14cb3676c1c9384ea99a4766a7429bff4c0396597c6bf

memory/2568-382-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1540-381-0x00000000002A0000-0x00000000002DC000-memory.dmp

memory/2144-380-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FMwwQAMQ.bat

MD5 e69cbeed8d8cb47a3532937b702baaa9
SHA1 9ad6c8ec019d31b1e0fbe52ecc73895cc311b125
SHA256 6be683f1c384fbd0e1f2fa9f07813dbc34e839d143efc0ea75670583f96706a5
SHA512 c9121f8b92e7e65dd3891505407554cd3ce318d83377f05195147f02330badd29797efbd5461f6787c11f8f55193b6cc1f4897c74f1d0177cd1f7de289a0e5ad

memory/2568-406-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1440-407-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BmAoIckk.bat

MD5 b2f0d751845ebf27577d23dc23762a8e
SHA1 a7e2c6cf6216f6d45b955b9d0310ec0d032b2608
SHA256 ad00cedaf763891ea7ca0f19a1d71608ba3da0de84c0bc5fa3121dd75710d27c
SHA512 c77b603a36ca20b9ccd91c9e8c6648694720273a071aa80a9ddcc952d100b338cd308418ad99e6603926abd0a68619550736d898e9424cae089831c0d9a49e34

memory/2968-430-0x00000000001B0000-0x00000000001EC000-memory.dmp

memory/1440-429-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2472-432-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2968-431-0x00000000001B0000-0x00000000001EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xqAwIAww.bat

MD5 262b47a9312977817507627a78a8a89c
SHA1 6c2d1a27992f55b8c19d861e66e2d50d4d38890f
SHA256 8b6efddc575c0bba964a897f0049d4430a7578f7bce83637db26f4a6b61db184
SHA512 21dda0e6aa4b4fe6cfdf738ad02a12287604616b9656a5aaff294affcd65eecc76ef8b61ca02de8922267a917a159bc5ca6782bf036e67c7fe476da8bdbe713d

memory/960-446-0x0000000000160000-0x000000000019C000-memory.dmp

C:\ProgramData\RgYMsAYU\IkwsYEcM.inf

MD5 9ebc5d27b14575eaf23f89d34622f305
SHA1 8a3d616c4157842d1cb14f04a78389df554fc3d4
SHA256 fb12d19b2f4fc7c745743d6fa2b4119fa0267447b2d728a97710056cc4fbb924
SHA512 728c52add818ea4078814d6a5a31fc30423067d361e438174fefceb188172594870f3c90d054f4546a5d841fbff8d50006098b59824019e2e5b6f6928feac2a5

memory/960-455-0x0000000000160000-0x000000000019C000-memory.dmp

memory/2472-454-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2684-457-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iIcsAQEs.bat

MD5 989c8121991024b29bd27c9b6fc3e1cf
SHA1 7e13eed86cc7c86e5b8b4dfc581e346a11dd0af9
SHA256 de01b24622469c66305e6a18d231ce81203eaef6a66973a4de2e804c15c26a25
SHA512 46958b4deff82d4031b15c6f1199c7c722bd1d1911d811b60da396a2161fbda8f4b67414278c038c49a91a4b3d1e668ae691cdb8b85e594d22db63b0bc5ae0cf

C:\Users\Admin\MeQMUcIU\YCQQcYYM.inf

MD5 dd25fb4db75dcf3901c5fe8b5a52242c
SHA1 2fa9d2e7e6a87f0d576c20cce3f89b26adcf79fb
SHA256 1f406e4b453551ea2880d423855d0350ddf38b6d0108695b7388743817d75181
SHA512 bfbe0d13f029d6ae32fafeb5da7b719c270675c71fa59f041b2371963ca9f894bac15f712ba0dbabfac070b42c79c927e8b31ed6f6c355362ad6cfdf580911bc

memory/2224-481-0x0000000000160000-0x000000000019C000-memory.dmp

memory/2684-480-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1900-482-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mEQMAksg.bat

MD5 ded1fb932802c9ef3b223ab02bc939b3
SHA1 abde9090f7629edc3aaa22b9d0b597ad7d4dd793
SHA256 6bf40516bd960d10c3a8e7895136915704ba81b686e177faf764664ce5a96d17
SHA512 87980311b4f55e5ddfbf0c045f1cf1e2c4ffa6ca901c6dc8bfa8f4087fddd6e6d878c8d92a7271d68b12672287fbaefd91eebfb9f4f761e724f53f964a89065e

memory/2140-494-0x0000000000160000-0x000000000019C000-memory.dmp

memory/2140-503-0x0000000000160000-0x000000000019C000-memory.dmp

memory/1900-502-0x0000000000400000-0x000000000043C000-memory.dmp

memory/568-504-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QagwYwUU.bat

MD5 829ab3ae782a51f0fcdd477004a2dfd2
SHA1 9ef739ae273e6da95ffd143b9b36469e8443ffef
SHA256 7f91f68f7f7cbabe4deecbdb211367bfea12afde9c64fe234629d9c1c062cce9
SHA512 2626c15880e14a068c8d8f209e985a65746b48e25d7214d9217b26e44a1420c235cf2f5257a5ea3c4b2b3e2cf6abdc41571a9de4b14f51133ddbfc4355be323e

memory/1700-515-0x0000000000300000-0x000000000033C000-memory.dmp

memory/568-523-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1700-524-0x0000000000300000-0x000000000033C000-memory.dmp

memory/2208-525-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EAAEMIUw.bat

MD5 6ef469390d90564eb5b5988591d5cabb
SHA1 e5d09ce913c24ee5f90bbcbf5987bc766bb106ab
SHA256 de63cfdc218d66d526e1829f0341fed1c7057fbfd51c0de41b10983a861a7e76
SHA512 6c39b8bbfe745316b00940056fe2262828d611c09d591c62ccd244c9d123aef104d9736cd0eadf3e2029ec4339022cfc9a992b597e59fd7cbb78dbab65b929f4

C:\Users\Admin\AppData\Local\Temp\okoq.exe

MD5 0f0b5b4581db0fde7c6dabdb58f0c3b0
SHA1 acd5e871ee7249b14a1f3745f3bbee5b841ba3e0
SHA256 980483330b1d84b1de8e6e1f5b26cf3dcc6f8a077bbd7f83dabf5b9f08ebbe1b
SHA512 676a450dafc06192608d6a389eac28ed3108efbd16dad2215cc64ad3b49d26c8c247f639f642c4d0ee70d51bffb8d35e1385e3a4e292e7ce55342f53887e65ff

memory/2208-549-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aokwMwYc.bat

MD5 1843e229b8bc3dd6f0e2e4471a448526
SHA1 d0cf32740bd0af477fb8316e19b3d52bf9680657
SHA256 a11cb6b1c1daf1eeb817b019b691a8123ddab2e781ed65a8ff09a97fc054f9a5
SHA512 db4828fa02da7421404347a8949471911db5847aa874be70707dd05203fe3a516ce0d0e9b931f2b9d52859109fefa4920b57df7def5d9fdff8bdb17e96bd67aa

memory/2028-578-0x0000000001F70000-0x0000000001FAC000-memory.dmp

memory/1248-580-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1676-579-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2028-576-0x0000000001F70000-0x0000000001FAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QeoUgwwY.bat

MD5 0beb0608c96bdd3948455a40880f215c
SHA1 5339fecbb50c210705f6417a8c7a72dfe2448b79
SHA256 76e1491a5cca312364c2afd83f18b099da4d88c6aba33ba3e7f85ebc976d3f73
SHA512 49967cbdfcb0773c5f75279da0388476dfa6808a52024723cb83c13763d7c6866802ef09af761d3de9b3da1db9afb98512b09febaac5afeb412368874de900db

memory/1248-598-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2584-600-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DMYcMQMk.bat

MD5 3f8eceba060e1f517cf8535db7b2d1ff
SHA1 797498bb221af6575e00574e26ca2a39fcea7475
SHA256 a5f29f83439fcc7456f46a5a34ed43808f3de7ca69c2d7d9cea4f4763299b949
SHA512 2a3c4c02f1afe891c25728347914ee0a7d55670aafcb4bffff9446c3b099ed50170060196a15d69dfdc059ad2623613fb16e2a0fbfe93669f4b9ee2dd8bcc03c

memory/2064-615-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2584-626-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lEAQMMws.bat

MD5 0b6af5c14bc2bd953e2ab2492a6c2967
SHA1 7eaeea47e71859f04f866deb8652399671510eb0
SHA256 8ca373fd9c8883f561231bdc80bfb2ac386cba2b41efb6e6333fe78e7e78cc5f
SHA512 8024e4e4f0b2b47776cae9da712ae250ae7b37e4452e5441a23878c8a2dc98d1127ab802b699fd9dbcb4f1db7fd4fa176dcdf5ef8e32f23e460ebb78603fd46e

memory/2576-646-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zYcIIIEE.bat

MD5 845662231c7d69e0269105bf9815b5ce
SHA1 1acdfaffc4359bcd40c79af553d09bb0528ecca0
SHA256 6768143bc34cda79707d58f2a3078881ea7f15c997c59188e6f21951ab526141
SHA512 60e77d382fb39742f0a4c8944f2eeb2cbf8a999c9d381670d1845f740767a8ad2d72a71ddc0eb6d7eb5f748d6cf789d333d7d9d36b14ed60038a79126c8168cc

memory/2280-666-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FUEkkAYk.bat

MD5 443ac0b02b2de59227dbaa108b49b167
SHA1 95f3c7c03b8bd1b00d0b7cb2c732658c186c19bf
SHA256 91691c919a4a21636ea876b3b701e5dd130ec35095c676a777fb3d7500eeb18d
SHA512 228e7e560a4809254eaa0e644336f3b702156b2f23fcf86db6db7c831b9b1f4a2f7279b8c0be8262f6e1cd769129b33a1fc14b19597140ae07bb021b87eccb01

memory/1760-688-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nscEEMsU.bat

MD5 10951e4840dd35b26c25240e2c8bb772
SHA1 0d2d187bac2b7729f8cd477d8a08cba234ea7757
SHA256 16666c3a5f7c79bbc9df387e60f153f28004bde009d2a6be5df3196758e63e07
SHA512 3f9657fda3c6f6981b97e9e987df66143a3cc82e6327999c8f9bed6e8c932615e1fe01438354ba51250231cfea2f80fddd8f502a96794a0eae3589343f6e4ecf

memory/1160-708-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uKIAskwI.bat

MD5 dd9a3c9217432fe79ad75a7f626bac59
SHA1 e90215c5e8e6e5ad49505b29706c5c019e99b0e0
SHA256 4f0c8cb82af02523f7d101e51b5a9376dacfc5cb63e174ef0e1f2241ff8c3ef6
SHA512 db1ce71cbfd1250ba295b034bf308dcab6fb34986552051e04b7e94290cadd63ae3d78b91a671277c15391b0bfa68e3b5010cc6d571cfd4a76a8c7c830a56efb

memory/1704-732-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KqYQAMwI.bat

MD5 fa5b0b1c68b4292e20fc7d34e6d94677
SHA1 480f44095ded3c6025992ae193c5fac362edd2cd
SHA256 dbdd892495d1b4a99bab30cdc61e444838b6ef330cb595555f8ce58cc81fd682
SHA512 88ae5227450105a399266f41af27c141ced460dce81f2b25625347419474ecd52c89ba57719707010c4c4a9f9bcc90856c55b21ca177ec4fb82afaf4fc19b839

memory/2044-752-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WIEkYIwM.bat

MD5 120fe7052df547c72940bd4429a1d722
SHA1 49eedc45ce60b7c4928fa82c5bb4062c19e1c118
SHA256 2e7ceea007822263d4edfd950f20aaddb7c18453f8f7598f9f772ac1210697f6
SHA512 ba12487a5207fb68473b64227b44ad49b460c9f5435551126edd4b40c6e9be6462e42275c6ffc63f93f8eae94c1a82e908834acb5f51f5603571b91472b33ff5

memory/2988-772-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AsMsIksQ.bat

MD5 b61ca101ae42aeed72b3c6d3c6f468a4
SHA1 add8a9b9d2d4eaf3a5fca66fb778975a856bf080
SHA256 5300a352ec27c423cad7b549cbb213a1aeb12cc482bac177538f8026c8f2dba9
SHA512 6d43c447aa90c6f31993a7067496bd2d224374aad3f36c5cf6d98dd3408bd0ea93d251c3c537e23137774105a9daecfabf17bd1f7c4e9038819ab2239bde9a9f

memory/2488-792-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aQEMQUUc.bat

MD5 9e8300a67c2eb611d68f130436fc6228
SHA1 ca22aa3eb6ed7375ad78ab0105d7a05f752a5078
SHA256 ee9e4779152d9f28a3e65f21fd118855719be1c7f63a0754ec2b40ea87cfb6ac
SHA512 b4badce60a1ecae29ebf86ec5d0d13ecb8e5ad9c485a58babcca651c6df095ef58597e391681f1668f79a72835a7906ab88c3a121be986ddf85eac8994d7cc80

memory/1752-812-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AQYkwAsk.bat

MD5 df2b89794a02562cca2a6c71d819e8c7
SHA1 f549631fefadb8f7fbb680bd5e0fc74e25121ee2
SHA256 4132cf8d948428a039ad03665f042ca267fa124c98dccb469a21560a9f15894d
SHA512 755ddf6fe61a7807f8d65a94bc66f46d209591b752199f825d12a51118f3b94bd969510b49fb1d30848ac541c5bcaa3677b44894515a561369c3cf346a2af8d3

memory/816-833-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\omokgAMo.bat

MD5 429066bfb6f02fc9cae7b065a741e64e
SHA1 68d1b4ce51a85d4ed519f552f9c79e06557ef2ec
SHA256 48b956dfdae22be26af551241917e4aa50fb2760474044834e494e4a8ee8b861
SHA512 96adf5f7d1b4d8c55ff6581c827fa5010617ef04b9b95ac0b05d82a897310f04ed9d3756649596027099bb7106939615947ea49ade3e8e2dcf4dd191969faa64

memory/1448-853-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pGAIIgYE.bat

MD5 95eb353f94fcb974b01d5cce15b0ff56
SHA1 9e8081c8abdce249238c6cf960bb6ea5e41e15d2
SHA256 bba10eec4c8869fba1778fc5d379d09aa5dba5472a3c7f7ede304cda6cbed128
SHA512 2445597461373ec7de7203f1f4514d4b938b539025e81982f740dfd22e18e4ab5af3c6d1f74cca79530fb8273bc9dbca7c172ea511fb90dee1910b5922a1eb4d

C:\Users\Admin\AppData\Local\Temp\AAIc.exe

MD5 caf7da080b1dd779594682c6da334047
SHA1 4983f155f04d8cdf005ec25a18abe61e1dc5f73e
SHA256 e52eb853f5abaf165893b3295b78fee5ee786ffb1354df6b858714a264047ebb
SHA512 ababd53e4a7ff7435452897e877cdaae41b5bb45386a923478487ee59230b7f4e02522267af1240a8ff7478245652e251c112b3d0019e726df165ac6e55f92ed

memory/1980-875-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qUUG.exe

MD5 7ad54d052572e081490ab5846d69f0a5
SHA1 89dc698f53adce0d61692aab2a7c6ba3770cd6ae
SHA256 cf3629b236f6856ad9653db35c8442542ffe62d670e4eebe93ba4f6a74c179c4
SHA512 77791d4099aa0b0c8812cc470b18f7544aa2b564ee6225a8e6fb2ac238772d353f80afc98fb8816d3d1139246fe134978609c133976ad68f81460cbcdb06da04

C:\Users\Admin\AppData\Local\Temp\AIAM.exe

MD5 4dc979127e8a6349de3d9a4bd1189f42
SHA1 1be2dacd06d285c6bee0455d02ea0398c57391dc
SHA256 662c86e184a776e88f28cdd77154e619a2197f62638d793bd54fa943216dd33f
SHA512 7c88f62c17675f0e705be34f28ccd9864d32d35760b3b2a4f7f5c3aa7fa6370eadcc688552e7318aae47e3b11aa0c69e29df78c96259bb9edd2bcca35566aaf0

C:\Users\Admin\AppData\Local\Temp\noccYYIA.bat

MD5 9056b26886c3eb2f8fafcf417eb8dc54
SHA1 10c0b70647eee64b876b158f46c28b850388c1c3
SHA256 5340531b341c7d0c69842dcdfdb13c4b2dfa6dfb6e71a103cf3082d6b4d2fc8f
SHA512 b2c80f85b1d5f269f28b785330f56d613de6afa2c1112133c9e76ea36ae28d79d3f5271c9a46df787aab7a0f7d5e41cf4caad7bc6e5ac1ba8246b84f8fefffb2

C:\Users\Admin\AppData\Local\Temp\QMoE.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\Mssy.exe

MD5 b59e0f1408bec14560ce79218eb26273
SHA1 eb64b3a3080c81b91df5807145179fd53f1311af
SHA256 db7997c7ff6e9f11039bae63ff5e19fa2f1593d47082d84d99925d529b348b47
SHA512 2f33508ef995a242d26c57f0a15656ba43212467a1dd8891b3cc97332104896e124fe8d0d5f3aa78aa15f75a4ad3a98b972b2b1ae75c7e1ecdc1a4c5be861722

memory/2556-945-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AkAm.exe

MD5 5ba43887febd0eb219f68cd7d06dd7f5
SHA1 ef662da7b0d266857651973216db31b113be6c51
SHA256 014d727729803680af35afbb450a482d4cc00e97f28ae5339f6d784ee7296c6b
SHA512 9532c3a1b6cd13613bab98d247197c572475f37b4fc6d54b62c084e769a45704def7c771e7fb5fdd56bfc0edcce52cc094758d9dc9d0bcd25c7279fd981c3ba9

C:\Users\Admin\AppData\Local\Temp\eYcy.exe

MD5 1e1d8c6788258e3fadd2caab0fe2bf81
SHA1 8eb64878cb13d102f2b63738c93268e5a166853a
SHA256 a56b5cbb05ba20e4401856cf0949d3ca4efe2be08ebb0fcd1944d6b46e003b07
SHA512 de8a2dee273245b7241263d4a53d6db4b3ba097606135815f044af9daf2653037c9cd17996ec0e78a88a7eb4e514fc71e0f0ac5306d4d77ed5cbdaa552bde02b

C:\Users\Admin\AppData\Local\Temp\pUIIwUcU.bat

MD5 61c2996547ac71fe347e3b508378667a
SHA1 3476e0d149d437f3fd02aa2e3c78b892bbfc2d29
SHA256 21ea66307dc0ac78ece9c299d5f6bacb0c56c5ddb84dc53427117ac883e5d351
SHA512 68941d08dd06131b62e4b7610fac40282ba200bb91ece6428529b7d288b1b7d5e81fbfd6e3a97a90be32accea66bfdb628a74d4964c4a40dc75213604caf7449

memory/2376-998-0x0000000000400000-0x000000000043C000-memory.dmp

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 bd66438c833e7fd5eed1f57bee2a86bb
SHA1 fbb9c78eac8201ff7c8f72634e92d2c3f97d1fc9
SHA256 6f1ba1d45641d112f8e297d8a45fbc1fe8cedae639727faf0b61947c60cf7b68
SHA512 582b62f1b5ffd23e587638049609de0bca3ac1b9786c7e654eddba581db958227eb9b1840bb3445e561617671564be68d8bf6729f39b49ad39304b92863b81eb

C:\Users\Admin\AppData\Local\Temp\ysMG.exe

MD5 3e9266e16b34193de01cc3ee260fed09
SHA1 738ee42005fffe9e1d7f248753e072b8ab817717
SHA256 87dc707532fabfe899187713c237e4dc51e98af7f3061e01fa42d45b49f3bf94
SHA512 d1f4b9a308f10885b5300e36f5b1e2c3be6f954d30f4406e507d63c80029c6786918f60c39e4ed6b0de91f60c72b8cf719f729f45067580fa8db95a7cb0d212a

C:\Users\Admin\AppData\Local\Temp\GkAO.exe

MD5 8ea31fbcd3262a8efd59c8d115e67191
SHA1 b9639b020470e78f68ad6c7ff619daf4698367bc
SHA256 266b127664367c09f5645d2a2782e3fe95d17a0484f15ee9fd7d4088281896c7
SHA512 e54eac2444ea3148a3b373f49c4e2343e592f7be265217be837b9d2eb0723ff7fe03fa93f8c89c0e91f95358b881130db76768ae17af410963c72f57efdc8f4f

C:\Users\Admin\AppData\Local\Temp\mkQW.exe

MD5 c04b6c8b1df4beab1530546cbfd80690
SHA1 c1e132e1cc4be369ca4c895f533576b3a4686b00
SHA256 29b795c7940b24e3599fd7559b830b6f53cefc5d2cd58764a5b2d20ad7f2716d
SHA512 1b9da6efe1ed447b48b40053fb6b50105908e4fd71b65ecaf76d76c7295875a76324afad10ebb6c394b820816df18fa2fcc7710f1110f74a0d85ebeac34266fa

memory/2216-1049-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QswU.exe

MD5 d7053f626afbfee7f82a683c1bec0dcc
SHA1 2a4704a0610cbd3a266a05d343868980681666be
SHA256 5ec0624d6ba66fad2df6171349acbc807386fe904cab45054eae481db12241cd
SHA512 0ccbafb5b6cf979cd9e6095d46cc83a47e81b929bc0bc713a2a4aaaf237301b0a603517d6dd72f244396ad0f6586a8057e2421f8637f91f417663197355999ad

C:\Users\Admin\AppData\Local\Temp\DwEQgcMo.bat

MD5 c1e13ad20cf8e759b7ccb2354205451e
SHA1 0f55faeb45cc433c24ed9656d5d33f87fff7b88c
SHA256 79772e4b38c5c20d0d4780a74d0b9ae24008584d78a281155885fecbabe64afd
SHA512 918f65ecc0dd5980a25fd5cc67d5b9c63725959403386c5c8d8a77c3eab871349ba5f818dfac0e99dacca46ae72d6e22b1de58a7fa186ef2799d3f486d151de9

C:\Users\Admin\AppData\Local\Temp\oYQi.exe

MD5 99121095ece12034986033ea1200b113
SHA1 1009b7c055441e262402714298cc71183afbf4aa
SHA256 57f3d040a26f6f82f432860299131f88d2019d93acd1a3ff4a38727a884c3314
SHA512 7985e8890636709d6ae4e8766f70d8a49916842759935e40043f42a20024f5e95c313e144cea52a0a8921989362358b530ae55711aab2521e07abac2a342b751

C:\Users\Admin\AppData\Local\Temp\WUAi.exe

MD5 3fa4ce4678f78262a5421c306cbf3f00
SHA1 2a3a7e1f7d759c895e7d4ae4de39ead91ba7df8f
SHA256 9db8031dc136a864eff9dfa280b7f9a92b3f9b0609fbf05401a0e74c3ba577ba
SHA512 b531c82041aff8d3c15834311b03e7a320541ad70ca08a7c071a8a4cc64095c42756e09714683b09f0bce09ffab1012477a97ae7ec8cbd32c9ea57e93811880f

C:\Users\Admin\AppData\Local\Temp\wwky.exe

MD5 75ebbba38a4a01b1e8e1e461047509db
SHA1 29d94591e02086fcf2f14dd5c5eaadfda80381b3
SHA256 ee0cd61d71683284ba448690a0c7409a6867f119967566ac26984d4a7a32bff6
SHA512 24658888848a586fd1e2c865433659a3c4556e01861d237141b137e0c340e277436cb347f81380e3151cf0a5f86a6906b10ab783d173d9de1c0131efdfc4b6f5

C:\Users\Admin\AppData\Local\Temp\mkoA.exe

MD5 83462cd26d6a95f73f2b8c9d826a5bf3
SHA1 811e9ae29bbf5329f0549ba2046fcfff5f8e7bd3
SHA256 2e8ba011478b80421c13efe4c2a32e104fedfa74ecce48d273ea2bf7fbdf0658
SHA512 96ef1ea38e8a80992f0a692c5ce3a91f6c62eb140c9e999aab20f63bebb7dfcdd143a24e3da8033f239b7457cc164c3d0c6c273825dfb4496011bd8ded3874b8

C:\Users\Admin\AppData\Local\Temp\ussK.exe

MD5 bf46a0f011d1cfc7e1181f3f4448a0ef
SHA1 a1d45a5d3703112d780e2bc2100cc31283c5e6b8
SHA256 e88c339b8061c081679feddcf444291e44d787a550b6df685f99734e3f60d553
SHA512 1f9ea98229ece38828adb4b5b484db1a3e409168414deed0916f54ab1ca3b9d6c84487f9a1880632cfcafe587bf0123eb181fc5a4970dd5accb20662b327ee24

C:\Users\Admin\AppData\Local\Temp\UugIIUMI.bat

MD5 17036ae51026bee3a4acc7a348def9d2
SHA1 afb6ae21accf37c56a09ab39587cd332aa02a09f
SHA256 c837a15b5196c642758209b04fa225f7c7888aae69a1e0e341ae3b84d42fa9cc
SHA512 046b1ae90daf18dd6c96b41e31d676b1a735d53b3a6a1916e012d659154150e30ef9b5b66ac9c9269e4be4f36d1747f3251137db0430d081c5de4de00f87e967

memory/1888-1172-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QYMo.exe

MD5 7f25cc7f6f01f81421a8cc6699279efc
SHA1 56803debcc64343927486e7ff9078c2f5aac263c
SHA256 e0383938380269747de6773ade6e63fa8e5214fcfc3f0cd943c212d0f5d35243
SHA512 85df08aa67b559f43f79c5b2e1b524a938427eab8f87f8bd7a31de2702d52c3acbbdf19ae8d1f1fca6e007d2b6d8d10d35e2cb6b52c8dee93959ad23f878c269

C:\Users\Admin\AppData\Local\Temp\KkUy.exe

MD5 1a0bb3faf106fc2a4cfcb53d3e03978a
SHA1 692b143d1d57c338bbfa457837128a54dd847d2f
SHA256 d66be4e4ababa50e4f76418d07d430aeae696ef9ffebb4d5e47caacd13717743
SHA512 d93142bf065a490c5a4634befb96c138bc40227f9619bb9c35145e614b9cc0f209975a94876ccaaef14fadf11732d411fb29eeb74072079cf19c866d5fcfbccf

C:\Users\Admin\AppData\Local\Temp\mQcK.exe

MD5 6a42971507b1d44d1bbdf2772a349abb
SHA1 a0650e3b45ee089533f9945b30fde99710ee962e
SHA256 b0275983758c3b86c2a2da6641d28d5f6ff8c612a7a179b0e5199225740f159c
SHA512 791e580826e856f80e95b371dc34106f0c816f13b26a855e772330400e2730373898b93716e9a1796e4e0876e8db6d0f8265a8276d431958233063f4faa862dc

C:\Users\Admin\AppData\Local\Temp\WQUO.exe

MD5 7dccca7f99f254aafa5cc3fff23702a2
SHA1 1dcc0d0de3bdb182c7d3707c5ba84b9e9ee4b3a5
SHA256 b63bf9468d32cdd05acee9a69864b59f69a6c7c476b8177b155ebd893408729c
SHA512 5e5b284d42883b773f9049fc2d6a00fc90f217063bba8c27a067c415d1fe3e960de2a93fa14f655cfa097cec3b2c76551d03932759abdf06bce37dfa665dc624

C:\Users\Admin\AppData\Local\Temp\yQgkAQIY.bat

MD5 ace4dfb4f02331dc209627f90680e871
SHA1 9f83fb099bd6736ba10c2d69b5cf189340ecaced
SHA256 32f76385fa947512e8dc4ddb5c8584d4ff332e3a5ad4984b5ac3dc3928b145ce
SHA512 91b9efe70115934b46e25afa837f8be601fa65de2fd13f673ad8d1f3c09710384649adb61469d723ac61ff8ef1d6b76604039afb6cb7e0c101ebe8b42d578a71

C:\Users\Admin\AppData\Local\Temp\AcAA.exe

MD5 206f4ccc2449228d8913d752b322839d
SHA1 2a7a5a3fe84cf519385609b2056ef57d2a020066
SHA256 19b6d50ae7a629a4b6037507d7f1be8f402c2569c3a96ea16508bc6705005d5f
SHA512 da934c49190b925610dd44b28740f6f761db39d3f4d56769f8d48c12947fa9777cb101dda4b2307904f773dd56232993b4135091f5f256b4143d8c9a590e31c7

C:\Users\Admin\AppData\Local\Temp\YksQ.exe

MD5 754ff0549271cb461030c09589a76526
SHA1 b19b8e75adfc3b305921b3ed005e772d4184f3b1
SHA256 98d3c0c5ed9e39d44645374c91233e492a1ba91effe9a53d3348b4f129b76c8d
SHA512 b44cbc9b21cb90446c3ed6aeee51c0093018da7ac31a00714ad64bf2db7088ccbcd9231b3857d8ebb7cb1151014b2c0fe700e663e282e48fc784d3fe86507aae

memory/2688-1243-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AcsI.exe

MD5 7cbfdfc1ed62590048660d80594a20b7
SHA1 69ed0f60e05a92982ee3aad08f965c4a5c932fc1
SHA256 f4e33fd4aff4c187b81385240795a22b49afd8f20c9e36ac1d31e16a2bec6c4d
SHA512 9ae767311dfaa333968f83d840181b42817c83df4c16ac4a831a0145f892e4092b78fcf7c0773d0153541a08cac92bab84e56b873b37f2290bfda8658fae9078

C:\Users\Admin\AppData\Local\Temp\oIsM.exe

MD5 525076748a0158a22fe8e43e5222ff74
SHA1 19025c9fc77c1389aa97e88d079cb45500b32886
SHA256 05998de93cfbb22c5d68f6d07a1b144a294db5f992e007da12f7a54862ad146f
SHA512 f7957a15505c3740012615fbede14e3144457628a0d684dff4ba0f17bdc73182e1bd32b5fb12ce7db958039a3dc0afa961c66af7d5a2d7d9e5a89f8792d32c3b

C:\Users\Admin\AppData\Local\Temp\AqkgUQYM.bat

MD5 91e9fa4fbca07813dbbb8c4d4abafea6
SHA1 376615b3d04f7eea39848a64eafd1770d2d3d047
SHA256 4ba7ed0da8c8dab22bac422f206afb47e8c37852d21c3edc41a0b44a2e38ee20
SHA512 d40097e7883e728ef375dcbee45904e67ab00525814cde2b96d09a821ac0bc5c903e1f2bbcca5d1d5a0bc9b331c078edb8e1e8a923b31d01417c0c2f27a7e246

C:\Users\Admin\AppData\Local\Temp\Gwou.exe

MD5 e5edc14130a15e0a89121904558d668c
SHA1 67ccc117301d78dc824356180497a7ddb71bf653
SHA256 708db246fe9f4ffca8a5fcabb069fba32b64460285d316305a20c3d89f325b93
SHA512 b892c327a9008c0aa4359f801b836879568c9ad2921e40e34dee11b1335c9af6833ca07e2cf065311686064d510b02f068226dbee91ab28db4d2ac2768f4630b

C:\Users\Admin\AppData\Local\Temp\YgcA.exe

MD5 9da2d6e4a3faf50603cbe276b84d3cdc
SHA1 8a33b903be4a608a2869cd8f9e8246718f7f8603
SHA256 23e80a81db5b0aa18868e52b2d2cfb420cefa1663cb4c5e07915100a531532c4
SHA512 0005eca563e75be8e70cd7403bc703745e3c9b877cf8142930ca990254dfc42eea271cd0eb65c33f567210832b77c9ee36332b7e27c7e65c13192f8d448e8f69

C:\Users\Admin\AppData\Local\Temp\GAsc.exe

MD5 090c66208297b0a941e0c8a27da491d9
SHA1 68e357aded765fefcb61c07481907bd35f29399e
SHA256 4da705fa20c57cd4bc3374dd6bb4c22a5c4ac05b8617f253ec3a77628021f502
SHA512 b4ca5caf671895615a36123a3f2617e65d743332000458520b5d9e6d395f0e427016919a5b35343afbeae07956121ba0f8e77b6bd09c704acd69e995f0358ef6

C:\Users\Admin\AppData\Local\Temp\KkUK.exe

MD5 6c020b1ebf59209c7186d48e0436d898
SHA1 978cabfc25dd8ca4d2fb127df11bc87cb9aa1267
SHA256 7ee23f78520b8548257938061bd898d3318677d331e4d96fbfe28a169cda429b
SHA512 2979cc8b9b1add12575ca84e95c3c5a2d0d7f531a09b030d14e454ceca1f400d9c38d90ad435d6269e693222e1657363abd7dcf86ccc7c80ad0cba41b1a36597

C:\Users\Admin\AppData\Local\Temp\csws.exe

MD5 59842ee83b267d6c141266aca0142fd0
SHA1 672e8c9ef453cc626ecd8705c7d161edc8bc2ce1
SHA256 188d100a1919767f86e37477d40302095c0ab1a34dfe6ce130911f30c10fb72e
SHA512 a86d3e65c332c1c8dacf9390c1b2d6576e71226f7a621a28bc2ad7e50478eef98532224396b5b930659a24e1b3d91bfd2e6c7ae295f6058cfd2a0b7ae05ff1b1

C:\Users\Admin\AppData\Local\Temp\yMge.exe

MD5 78d992abf3dafa06b1b682bbd770c193
SHA1 02641c0f4f487da849b235059a8d837bc6637c7c
SHA256 68ae112842f30e7c51a595128d6b5db0c0bc50eb124c91fcde7b6992cd7b97ed
SHA512 cf729b49bc2840499aa0d7b5a0699f395025db6203297bb495160ea9d89c6c7af9a405dc9c7d746885cdf3fe1fd968723274df45f3459872d7c430ee770e3e53

C:\Users\Admin\AppData\Local\Temp\KooMwcgE.bat

MD5 7a5f919ecc27e4db1d6f8e9fe0c8e909
SHA1 b6f9eb80ce5516d8323bfba92dc415a46ac9bdeb
SHA256 7d6e1f2d4ef03a3d179b1d22bef833f539d7496a5fd0d162b3e174e2001721fa
SHA512 d631e2930a78f39ccae58e967a373609f03fed1a23c95a7cc1ac60d8ac4bcae88bdb28c6bb4bc10401a01fd5d25e3de4159ae497b7e125ce8bab52ef75e8072d

memory/2028-1415-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yUEs.exe

MD5 68a6f7c1a172b1668c9305e5a348d24c
SHA1 8c1a9554a659ccab5c8a95112cca21ee7c1ccc8f
SHA256 53642d2ed891f03cb96c5efe16fa093edcb9deff7878dd7cca1b31fed8bc0182
SHA512 9880d054cd5bb392c97fa7bae70460b01caaec2a4af6cfa5973484ac2b9c3f5c42dcc35d31094ea06b5bac878087dc0dc141cd4c9bac5c8cc41268359b9c227b

C:\Users\Admin\AppData\Local\Temp\MkMs.exe

MD5 90efa0a135d6a2f2d31dafdc0e993199
SHA1 5f02218db48832b4177b040ae258af10aa95a3f8
SHA256 c3812e33228cbc2db519a2d7ad0d654249e8bc7678146ea2494cad0a02907e10
SHA512 ed78d8409494ccbfe73931fd4e30912c32f8786bb8e4d5f35ad6ade6d784e3d944602af3bb4e5a560cca208324944d85e29890bdcb771acd04bb1c839fe1ff8c

C:\Users\Admin\AppData\Local\Temp\KEgAcMYI.bat

MD5 ee567168e3e42eeacbcaed8e2aef592b
SHA1 1a28056f2326e68ebf83d041bc00272cd200e291
SHA256 6adf1bf09778255d9dd1447e49c01540b475000cb01bbcbb462fdbef85144f79
SHA512 5be6bcff74d1a17168e6be887d81f25830f2ddebc68326aba7e2aae852b308b455fb4488d64638da76144dffc46df9790fde927a420c8493ae5d06d5cdc76d34

C:\Users\Admin\AppData\Local\Temp\GkQw.exe

MD5 739be0b96386097fc7358307d5b464b0
SHA1 6a675ebe8a85b67ed75972db0342beaf70defe2d
SHA256 946bb5f642de01c5758f3a274d21fc2751633d379a859fb66aadd7082133afcb
SHA512 1a7e66096316451e6d0713824dcce01e1307ba037792cfea01cece7987f28c7e14ffb1df53991741ce0c03d5c2525b8205f1f4adbf24e97ac1a0ede884d746e6

C:\Users\Admin\AppData\Local\Temp\GAoS.exe

MD5 d402d3dedccc39fbcbf3173d52d19e37
SHA1 b3bec6ed535b960305fc342d295f9d3e6fe17b22
SHA256 e2886c9e628d8b27ce0c25f4529e397d98938fdaa565ea65845b7079c982e4e8
SHA512 a77c692c8e4f3224c9756d36f1d4a9364a06309bcb743a7f0d063b24ac80f199e50d31b4ddddc0da2010526a53e72a10c8ebce62b34cf5f8b2b3fea3ecfef07c

memory/3068-1460-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uMki.exe

MD5 a1653c8ed30f09c74fbdf6779a700d75
SHA1 2b38c978a15dadd843256ac22048822e272ae0d5
SHA256 06baea9132f06a3165e8ae9adb669ed43de37948c730597494944e4c3a755172
SHA512 42cad277643e91dbc13ef28567953fc1688c24141e89ff77c64ac193168c3d7f6aa896031f43d554b60fccc48a172bfe32c65afab0c95f257fdb567528aca158

C:\Users\Admin\AppData\Local\Temp\Iooo.exe

MD5 fb5dd7b5a5446006d6a367942a987c60
SHA1 1f5fd0df0bc3118e90c48d5856f41d54c7659fec
SHA256 7cef26faccbbc37e2d8a7b25193cbf67227a169a39e331d843174f8811ab9aba
SHA512 bbec1b83fc48fc77cc1051b3083943accc40572f6d18f6a94479ebe3c7e0b8cdfcef9ce4f84efdbbec7a4db2c5b444e6900de5978c387d605c36353c317b86b6

C:\Users\Admin\AppData\Local\Temp\aAQu.exe

MD5 32d3feaec503332a9309f0a62693b0c5
SHA1 0e08b40325d3297dd4b2ef394723b8ae57051096
SHA256 727048d12951ae611713f7556a79fd41e295d6d622d30bf5fac19c7d401d1fa7
SHA512 00c34555dd0856df26f734ef347063a6abecbf9cc67c033314071e188861949d01f445c2f7bf6f1b74b384ebebaa6a53fe5ba045cedef1d7702c0f4f202d6b84

C:\Users\Admin\AppData\Local\Temp\yoAo.exe

MD5 a647364441688caf4be6b8d49f49662d
SHA1 23300005095af4d9f5eaf352fd70b66a12913ef5
SHA256 78fe6f3b8e38127725b64f9a61ffb4e1cffa18fe23d9cc807c43bbfa3b832ad0
SHA512 2235758b0cfea96c3230ff2607f05ae67be2ec4e834e8e4ae45f5f4a188c3f6ecf17d6f0dbf217caea7f120a1f8c3b641aa2c67ad3190c0627c3c435c3a8b10e

C:\Users\Admin\AppData\Local\Temp\xCUAgAsg.bat

MD5 6024a8d31daf319174425123b39fd500
SHA1 35be81527225d0f99d1debab965b173270ad51eb
SHA256 be0124e726f3ed85a368063edc98fdf0eeede14691a768038eda26c1edbfc5eb
SHA512 48631fb7aac70ea93e78d68b59d23866d2433d8443df85748585071c30f894244f9f656780ab37808d2d93398c738572190969d0c25a44a0a491e1e741c8b70c

C:\Users\Admin\AppData\Local\Temp\Uwgu.exe

MD5 5c77f95990a2be14896583a11f5f4d94
SHA1 ccdc26cf16055b90216acbcbdd34b30db91ef771
SHA256 3ebae033dcb8b46b926c67e90a1e27f160f58cb1e18cf4832b2819779f370008
SHA512 3ef7f35e94aa1d41f184374a0a53501da2682158163c439262c5a9dd805940090703e679669b2d131a17c573679b615aac4ad6a165ded92193780344adca6cdd

memory/2484-1557-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kEMK.exe

MD5 07861736045372519d7483cf4469f7d9
SHA1 1317a4638107b8afaf0261c7b6631f93eecb693c
SHA256 9fabbe124e5fd472e31be8ff6bf43051f824397a62e51cab80db25c22304df79
SHA512 9c033bc387c40dc1fd1fa5693fb3822150dfc47bf477d223b78d18776819c5a239536713a0e2d3ce3ec6a78f13c3035de03525830cbd6f39baf4aaf0311d3cce

C:\Users\Admin\AppData\Local\Temp\YAIQ.exe

MD5 08d0afa4b0420591a549226878a49e58
SHA1 d3b73a36b53aebb2a2d1724ef242507ad13bc3e8
SHA256 39a84c917360402304b2b9dacd318011031b02aa1c12736b431ef73dabb814e7
SHA512 5de0ac19922a6a65edc735ed2d8f6e03a55c155e7b39d2900b68af1fcb09473f324b777098037086450e9443ea282bde371dec235cf4b06a8f31203ba44a763b

C:\Users\Admin\AppData\Local\Temp\GMEO.exe

MD5 f46c341afa0be4b2fc04fe3296168412
SHA1 581898c71a3793d66ea1910bef5d768ed4c499bb
SHA256 9207a41038900519fac5c041953222e4cc6859f6b1534d697a1e0ffdd48ee65f
SHA512 79bd7b1892109052ae86ff147f2c03bd9073cd2b76a837fe453654455d4ef5296a429d903ccbff0866ef2d1666b32761b1088870007b16f0766904f50cb70196

C:\Users\Admin\AppData\Local\Temp\uYsW.exe

MD5 bce126fd1a05ac3024fcf8083cd815f0
SHA1 2b77bb0fb1728ce74c7ddea29c40c2da71e4623b
SHA256 bba580805b8242cadc57a237db3c38ef5b9d801ccb0087eee323260c1f99891d
SHA512 8ce7fd5837d07307e58320728286894e8037e96294a5280bf01d4c21ecdd53d929ee8afbdcfbc66c488c7a1dcac2fa8d0f4a9f012d375ed564103c1fe8915ea5

C:\Users\Admin\AppData\Local\Temp\ZSoYcwgo.bat

MD5 8daf0fd107c9b5ba59886578e7cca3c1
SHA1 1cba437f40273e14742b418e8e20c8c7b64cb50f
SHA256 1f4c53096ea0995fedcbc47f50c7a2aab6beff5a03b2f9d06cd6eaee49785707
SHA512 664a3b87ba60104b730e57a15a1925b45910021f1b7538af246b6b16ab6a44c1c0bc4279b4ff4ea5cc771a5a7300a79700d330ea0d17dec6f22f9bcb05dd01c8

C:\Users\Admin\AppData\Local\Temp\WUUa.exe

MD5 892ab23e2fe232c32c2195feb220e895
SHA1 cb481067dddc656792efc8ebb3eaf044c6394cad
SHA256 2597312d9279c62c0db39392555ebba4301ba5148472eae372e57002a16f6396
SHA512 73d73f9b602074e45b570552092bb284f70e1d9150ef3cb93866f38ae0871c523e6f266b0d944abb7d10a4579fd6a4dde3da05e3d0807de90506a220bb2d1f21

memory/2724-1629-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hyYgkUwM.bat

MD5 f9218334e34bfee1260d4b2fe9c92bbd
SHA1 c037b9f09a89a797297f3bc00e5e68d9ba9a6af7
SHA256 2a0172c02441fe699b0a1899532ffb11f5e220e95ddaf17292dea36525d3efcc
SHA512 b93e53b9e651a2852b3fd21509f87f79b7794178870a9db49a4377a57a81e84618b388e62b254d2802d6ce94b352b9e77163be63ba7ee2404363acc128bd891a

C:\Users\Admin\AppData\Local\Temp\goES.exe

MD5 f628b224c572f55e5e200bd9a28f7b6a
SHA1 39a7e635c40c27412346e00fdeefad5387b6ab8d
SHA256 9f38d94a879b3b37e90ebf8486432288b169c5c3f394594b08f83545d466915f
SHA512 f093525a1ddc7900c848cd173a916d249c2406a8ffffe5aaeb637be977686eace51f4d6bc95f90d469f6002c08c4adcf521f581b3edc75a5fd69a208d7cfaaf1

C:\Users\Admin\AppData\Local\Temp\uoQw.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\UAom.exe

MD5 bbd9e2607614a52d91ffa9604db0f680
SHA1 ff669abbd9cc9e327f808d8ca9fa85cd6e18b7f2
SHA256 1de4ab60b4528ea7550132ef1f92a1b5f108c6bd398028b53d712a5b74b8a73c
SHA512 3a71ddf0299de472df27e289c53c3ad87d288a719ca9bbf66ea3b22f2b1a806c8d680a818004b3200aa4a6c2ea7f6aa1cff2cca416e4810fc509b65d0fbcbba3

C:\Users\Admin\AppData\Local\Temp\wQUW.exe

MD5 79c82f74ffb2bc17830a07199ed8f61b
SHA1 2752b7269e4acc65fcface50aef8010843038d82
SHA256 5b9bce083c9888959939c5c051bf66c64e9598f3ef4719f9f57eb2abe280d72d
SHA512 6fadbf20b22831fe60d7a30f2dd80047e05d76cba9833c2d75793a7bb50b93c855a91de39ddc7e1d4c569f03286bcf7fc819babb7fb1b4618ecda6f32cd462da

C:\Users\Admin\AppData\Local\Temp\OYUk.exe

MD5 c73c90ed802541308961b6a00f738321
SHA1 6f4d1db52ccf37cd3774556f867c254d22f934d0
SHA256 f0d19f8d3fe4167ecab4b0f22db87478b188e3dfb5f18ce466ea006abfa84ab7
SHA512 f6f41f0d6077fdf6c96d1ded28f2eecf7161ab685826687f3b315b6edf1f5b761582d1b232a230a7f6e17e605ba9fe652f630d39233644cf415f0b30eb8498e9

memory/948-1746-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ogos.exe

MD5 ac5504a98ad6e1e4d8706fd943449fee
SHA1 12e68bcbdef7a35cedd1f6da7b294eb005973dfa
SHA256 4ca0c14463208e549cffb1fb814aa31daf7caeab8a1a5e80ee3d6721e6a92fb5
SHA512 8834c38397605231a1e77abaebc3c63a6ca61ce96b7382e6d051c436baaccf8c15d4ff9f27bd325ff85551afdedfbe89befa91df4635eb93c1b745e4ccc01c81

C:\Users\Admin\AppData\Local\Temp\BwgYMAII.bat

MD5 e7c8b4455929ad929d84c51563292096
SHA1 5bd9cd8b5021c69487214b928cf556e3eb7ec47d
SHA256 6bf0ab69ce1e851efed558e4261b8e6f44b4a5ba4e45e0300bfeb4bd044dce79
SHA512 451c3d92af83c7669ebd5cb01209479e96d10312b11a85f8230fcacda0b2f215852bb2b001206cccb30fce68d4162a39f5d7ccaac8231ff6cd07ccdf5d2499a3

C:\Users\Admin\AppData\Local\Temp\iKUsUYwc.bat

MD5 c5a9ed974333b0d6d105b97bfdcae79a
SHA1 4a8913a19bab334e2984ac36375214fad2694d91
SHA256 f8191c2283374c5af058bfffa547f7368eca3236491577f55766c7e40320e082
SHA512 4ef823297253ce259d50d3485166f11d66535f11fbaaa8bbeef97e87bed2fd75032d7b0a75555b784dddcc62c4052d0f18e937a674982c9fb367a98f1866a899

memory/2096-1766-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AKMMgksM.bat

MD5 78db6eb52066231b6455eb51e6a8e02f
SHA1 b46f3b9d8fb56380214ba8fc1d6946f022493a5f
SHA256 626f44b2518071683efacd8b39659e15f29d6c0ed8dc54665c96e79464a3d48c
SHA512 2db8d0920040d12569cc8da017260109ca66ee3118bb806bdef886a4fc9103a117e8144ab464c51a6d3261a81458d663731e38be7151e0c42f4b06d506b401b3

memory/2296-1788-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\COoUMgcg.bat

MD5 b72aa92c706d412a6a04fa90d3daa895
SHA1 e897f8d65f8264be101ed8b9ed4ba446c7b1bcb8
SHA256 04633b4fd648b9d4d8a8faca77a47a2429fbbabc00cc0d493a8f7bec663681aa
SHA512 fc0b00aa6d63a8626f11155825a7ddb2549cd0586b497a1ab482f3cfdf4a0a64938fedd4a0baba7bfba2f4d7833845fa17c71a340441f460fd57c3fdff3e05c0

memory/2752-1809-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yKcIQgEk.bat

MD5 ef8eb285d22440da118c8ddae8cf28fb
SHA1 d4aaabfce31a97fb7da862294a264bc24e49b966
SHA256 eed648a667b5f820da34888b30f63573eea9c9c821bbf0d3b4a1113840bb3435
SHA512 6418f7b2c7e1bc44ff338ca6caccb41d0c495f1d7c56a7f5ac8d60f693263e5716a6de8d81b2cdd7da1f46f8c891dce53954bffed24aa441083d0201997c75b3

memory/2724-1829-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MusEwkYQ.bat

MD5 ae5249b0698a8738f2bbc55006314abf
SHA1 4c1c8b9ae3547c0a90c1b897d7bfe71351cad999
SHA256 f1657cad2ccf66bd3f99cbe29ff3a602f19135613fb30bc9126b5c009ed8b683
SHA512 0f8d2aed8ce7c31e3dc704909aff632056576e2027816d1857b1bef2f659985834134c51e36b2cc8c3c6e6328b1b2c176d5800e306c1610cf81d88db3ada947c

memory/2820-1850-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fqAkowAs.bat

MD5 33aa8d50baa9727ae1a6bdbf31ec6d94
SHA1 96e8c516116031a37024ec4785f2f4a59cc203f4
SHA256 25a83a51571fa438ad9b20ce36165b1f6305a1f7d2804eefa4732cb3829e82e9
SHA512 f5b79601dbce94285399916b56e64a48bcad47e2022668b85a41c321fdab65429cab0c6a6f5d0bb2a722518089e0fe96d6eaa0b524f165bad4ec13326301c219

memory/2980-1875-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XOQsYMsM.bat

MD5 91ef3c9c488394686daf9550828035bb
SHA1 858724afeb257ed1be9a129c997d1515c37f1321
SHA256 e96fce450e6f4509a61f8c6f6239d34b4c8e4afdec26a8db81c21117716cfc24
SHA512 c02be1729a89c9265131db579cd25b8d64c758061806c2d6b1a24343d6f06e04da1eb333d20cf48ddd4f7f227eda99929f5282d13fcb6f17aab9cb15c82db050

memory/2476-1893-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\piwwsIco.bat

MD5 46c3eed66a0e4c4919b77d94fb298f16
SHA1 35ee74d9a49be748fa14fe45f24b8e87f35f387c
SHA256 02cf34d2eac7ce881295c0b54eeac7a48d3817f88864bb340936b28ad2841a9f
SHA512 f33ac5a54ff018229bf634e292b0c31ad3bde8e0d8a0a7e9461f682669a8d9669273247374f16d954402c8bfd553a4688bc15bca75192179db4f18538866856c

memory/816-1919-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vyQwwQwk.bat

MD5 a7b88dc76c0e0458b244f5ab8cf4218a
SHA1 a3de441e9551257a41f0c13ec95015ef61df890c
SHA256 9210b4ee5d656b3e13bc1fe5f90f3ef64c87c8f7b1bf65cc8159a56a3b5f6829
SHA512 31d7f7016eda6fcfb8aa85cb1e6d60c421a36a0454d40afcd8ae94ef3c0d760b939dc057d9878cf018c1b9b7e03c8970462769d1475adc59baef9a8f68780547

memory/1732-1938-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dSUgogEs.bat

MD5 6fb00aed4bfbc28f038cbb185c1d3d59
SHA1 4caba1f07ffa2620f5aa7871112ba27acb254f04
SHA256 42972bd0fb27a3289854409061fa4669b4b6627a195d928241649a03b9ff8849
SHA512 28e66185faed47f850c48df5b8c46749e500b69622aa89acc95ffc49318e0180f0dcd6bae6df6ecb846b1dd9dc72e3b178644379e6663250165cc80a19c80b3e

C:\Users\Admin\AppData\Local\Temp\kocS.exe

MD5 d8dc7d490b48c073e36efff3a3c40c04
SHA1 cb99fea5800c5f37a763cf3bcca6627bc5c9988e
SHA256 e6e6c6359639aa7922728364dd55d5ba4f4f7737162949a3c2c2adbbf14dad98
SHA512 8aca47d760c3097dc4fb42de58c3675239893dde3a30943fb3cc18e52b23a652cb0a948df8f3842b1e9caa6f4cb1164541b6a6305cd8ea338687ba524d0bf7cd

memory/1512-1973-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ggki.exe

MD5 67fb3cb623fd3ab709c6aa3a7a1041f1
SHA1 0ac32b4b427e330839e0b3b730106302f6e3087f
SHA256 7414d6d47e30c3f2ee43628d9d64b3a6e46b096bb186e1f0dfdd7ef5ccff4522
SHA512 6d60c38a2edb48dda1ec263d0423026dc1adea31c4dcf6fe8f01e9a7ee0db87816fb1f0935275b110f7eb7f1a68a23fdc82449b25a28d44d005572b36fc95d0b

C:\Users\Admin\AppData\Local\Temp\dWUwocsk.bat

MD5 a76617e51596cfaa716cd4177fcf47bb
SHA1 358e9e34929b6bf7b4051c7f15e6eeb45ac6e35b
SHA256 05f2c6cf1c9f45181bd8c01680abb19e2f53c6cb0b348500d2c0ec4a251043e7
SHA512 95ecad2512b7ae3260e85d4d7d28aed698eecb1d5ca78fd079db58493cc1eed9afc36b9d3e5b504f750580381bc741afe81358041eb1bd3b3377eedac0c18ce9

C:\Users\Admin\AppData\Local\Temp\yYEK.exe

MD5 fe6afb6e12fe5129a1001527179851a0
SHA1 9efe5e406ff4733c8d7871b0a102b1f7b4a01eb4
SHA256 73ce8a2b966b21ac292ecf6d4077d8fb8fecf4aee572bf556ef9264d76cb1424
SHA512 11cfb43a5f8ccd47ad185b5f30744f34fbf236cdeaf217a3ba563359c12cadec0af41e731a6bbb27022a848f7d6ccbaef8c8357386f1111209bc0b108f0c7bc3

C:\Users\Admin\AppData\Local\Temp\MsMA.exe

MD5 925d6c109f03ee5335141a11d8c3dad2
SHA1 7691bf2ad6297fa05e948e4eaaa185b67e1c1a02
SHA256 07ac5c19a588fe8424abc58b6ddd9e9b24246deb653f5887bc724d2f08d0ffc6
SHA512 38be64c97c3916fd96a638dcfdf3605b0f756581e6b31687d15f0192f34f1de13d4b4a65ad6c2847b96172248d84925fcb84246f8660cd525c160e089e13a0ba

memory/2576-2048-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GoEK.exe

MD5 213e3c6f889ea32be7ec2f4d5329fc21
SHA1 0a943f5221539df11cd8e4026b7451722adbf9cb
SHA256 fd8cb44039c46734517b489531471f30fe75d803ee5ff9ee4822b814dcd23f73
SHA512 c4541285511cfb29ee64251dd17ff01ffcf02f350168632751757943bf674a5d4cd80c24f5687e869576bb2f37d87426d56b1eb85106a36886beb6ffa1182e6d

C:\Users\Admin\AppData\Local\Temp\IkUgAIUQ.bat

MD5 5ff993ce518882f5dc062fc4394d414e
SHA1 113e9ae822c0fac3a01a2d9562f575a368215503
SHA256 c8bf2f74eb2498ef77426828ffc935889eab4af7c30e3e33adf39a7ff3e1fa16
SHA512 bfd8ab15a49214d4730cfe818702874b1113a7c2d6d480beb5db16004208e4c2f60fa2fce9a9a2b0ed9d077afe9da470f3deaebf25d55a863e7ddc69f7800db4

memory/2164-2080-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KIUu.exe

MD5 b5063a748630fb0f892fa38a7a3c30f8
SHA1 ebf534517559d7b7dcfa2690916edd4338c923de
SHA256 a60b254413f2903d10b94e234a00e8c9e9fdd29bf7b047cf01af56e0bde024b5
SHA512 c7333b48f7f9d1a761e84a5cb6b30fc120ce82176ab0478738f78535c9d64ac1b228b675396da0b4d13cdabfa2654400c5fea178159e268ea8f826146187c8d4

C:\Users\Admin\AppData\Local\Temp\ecQG.exe

MD5 1d2c3918461320935ef5b8711f192c0a
SHA1 2963f5b368f7c56567fedbf3506e26c73bb9c286
SHA256 aa792d9a1ce039b88d19afb102c93758aedfed9a7a530522747425be8379d038
SHA512 962f9ec76bd8f57837eaccd08d5aa095bace7751b04c938561467981ac6e128ab8ae318d64bf71b01c7521770a6c087507b114bad029cd5654abbf5856770800

C:\Users\Admin\AppData\Local\Temp\MAAE.exe

MD5 042b2c4e31d16b79147df3ede64e294e
SHA1 718985427c247218defc05516691ede3210701bc
SHA256 6306a5d275cb70d774abf2aa6181a4237caa5c3084ed326bc2d62862f1ba7b34
SHA512 dc00ee87c63f9001cc4785415682c14d16ac86c53a05db21388072c12190a4016f1aa3265051f664d85e19b54bf9df422c436047c41799d9df8454b8d0a4797f

C:\Users\Admin\AppData\Local\Temp\mUYC.exe

MD5 094fb2681e5df479a3a5fdcd607d72c1
SHA1 c052a9fafc4233819a694528fb7437bc4a8e9957
SHA256 87415f2e38e33689ad29363b693a11abb4b32ec7c415e24b7f95e9ec01f7fccc
SHA512 9dc25eb9eeeac256cd612c4aa011482145cd2bf5cdf013519f8b6c33926e739f701e82a99175aea0e173f842cba012f3e9ffb1dcad4fcb24dbd9047838195e9f

C:\Users\Admin\AppData\Local\Temp\kQAwkQYc.bat

MD5 7cdbf77a22059887dea21a7b1b18d0aa
SHA1 cfe905a9a2154dba8be6ef52072eea10a3974f1f
SHA256 34e58ecb06139e8ef89fc0bec90ba32dca621a4c418307175582bc27beb19008
SHA512 414fb5a16c7a67f5174bc6ba04ae4037975302ee12270e3a25134e517e7a22fa40ebdb31896db60ef27c3222242d462b61efbbfe00b88298de4eb3a96ea96a37

C:\Users\Admin\AppData\Local\Temp\uAYo.exe

MD5 cf905a0d0bb32264877e836455adbf29
SHA1 ca9f507dba18450d1db5ac88c83d2ebb2e09bcfa
SHA256 9ca67df502c420a17f4624a86bf5f400676b482a4d4564a6ca8a756399a4e7a8
SHA512 117e1d53e8f5a5d10c1dde06109b7450eff56f6ee2e195619ad2bde61d7fd28b52a5ac378a1549fac0b590eba12425530147d17bc9bd792ead940892d51272ba

C:\Users\Admin\AppData\Local\Temp\goIw.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

memory/1752-2152-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mEMW.exe

MD5 827dd0fc985541d92b5fc8b24b526b27
SHA1 21db48fd2287652bcd3752b0b7527e0588d69183
SHA256 f7a74622fad45d4cf61d856352375479c28114b93784dcce7a4dfeb973ab6f44
SHA512 0c0a8f09c2330aebf7946e7ff9e11036ca63ee33f5b119698f825de0fbe04f35296f3258308132e110e217fb8973802404e408490d563b11c9dc867c532691ed

C:\Users\Admin\AppData\Local\Temp\ywAc.exe

MD5 cf68f1195505c9b31c39732f1e616424
SHA1 7528596035f019747d8ed93e4d7eedba79ab14cb
SHA256 e64c62e4e0809dbb2c9533c837fcf06f529a480df6f71aeca80f885cdcda84be
SHA512 11d1c32171a1fbb0766c27a37f1210c4bf7f6e84b1013333d3037a79cfa4bc6680d84358288d1073bc542bd6279708cd8bdbb4acec18105c08c4f3a17503e9a8

C:\Users\Admin\AppData\Local\Temp\oEUy.exe

MD5 302a602deca962e766de29d054e63aa4
SHA1 46969fc250d04cf4211a29a5913f848da97b2c0c
SHA256 aa66583661f6bbfabe4cc8f943788b3980408cf1d99c768f4d8a8d2cb23dc559
SHA512 904fb22e6593295256c0d8bcad8e1ddde266f19e8d06e7aa5d970a6ba797fa3687ac8944746a9e817bf7bc6fce80df26ceb53f314a6098d6fd2fba7c759ead82

C:\Users\Admin\AppData\Local\Temp\AqAoUkQE.bat

MD5 ab5f67c9d0bfa89c0563e55e2bc72ec5
SHA1 b79f30527c9096c81f577073cc75a9a2036fb52c
SHA256 c195a6d45cfd152eb0cfd5cabef3fb848c70425be7ec1740bb72bf684f9a16b3
SHA512 a76b2ff20689b3d89e341cff26ce8d386ea66dd2955fb750630a857029839c18b18a4c61f47fccbde7e65c6cac337bd5c8bd8b14ec939a2f16638bb6204afd5b

C:\Users\Admin\AppData\Local\Temp\mIQi.exe

MD5 4e507efb235994d6ea7705e21374489e
SHA1 de83854929235bcc64b4687701970ca0965daee8
SHA256 4517144a2d8bb9075ae7c01a42394560ea02c5cb4ddfa55f5a2845405a3873bc
SHA512 c7ed036c6b685a6ebfec16937c562e852ce817fc5e0d57000b867bc8c13082d2ce1102108cb260e3962331a6d0a8226f94129f9d9c7fc711b89bfe332789caa6

C:\Users\Admin\AppData\Local\Temp\cUws.exe

MD5 8dd00e482843321f355bb642733d4e1d
SHA1 c61da14b841a246974ed89b2d84001bae21825d3
SHA256 3b35b4893d97b8e2089ece35e662283bad2cda424b4a9f59e3bac909700ddb4d
SHA512 3e0b62f1d29b0f5c04ca1acb66f1ab64a9eb638d40d391c72a29150a3ec4743c48b716734c54722517f456f3b8a94a67d8417a1e73f194990734d8496fd291e0

memory/680-2228-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WoIa.exe

MD5 bf697840fb8d6be4c09c93cd236d69bd
SHA1 9fa7747f1d104aea139c92d5527d7867bed45c3b
SHA256 36d77bd0ba61c1c8e84e9d4d3af39f76a2817b72486002393cea23d07755c2d7
SHA512 6790e4f7fbe28a73bf90d7036757cd4539968013a8f2b2489232989ac18fae488c7a172cbc7307a742588cd5d2f6c7f01583906dbe413b918d7cc6b32a5c664b

C:\Users\Admin\AppData\Local\Temp\ZUcUoUgI.bat

MD5 b651c4c1ba08ef526193100c5f2e0545
SHA1 c81789c9e3c69fcd34130365d749040a6c98153e
SHA256 c18d4eecd78bf60c078ddfc10d1413f5e435585c4bfd3e1872e212f04a35d3d4
SHA512 e18184eebc826359d6f5e23a7e791bc75dde0c4c36eb942fb281ab37815fead4c6fa8574fd1980aa8444c8587713d89f46d83b5b1dab8f87e28cf5e57fcd0c53

memory/1176-2291-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mQAU.exe

MD5 72d179677b28c215e3b68c97da22f6d1
SHA1 50b9054a6f73a4cd79c0dfdf4db5c5fda4192e9c
SHA256 874cc2fcb25abf6c6870051fdfcf10453f8837d84c089d3e9b95b1d210e3ebdc
SHA512 430a19298544601041960090d4edc8ae7e90dffee3b6541cd91e02b88c1b6e7312139e1b433200e91f5ac9d16886e73388b6a327dd47a6164803769de191dd72

C:\Users\Admin\AppData\Local\Temp\McsY.exe

MD5 07b0b8785d5a983cd328fd56ed237a96
SHA1 8677dfd22369f5698158b0a7d4f188c886054207
SHA256 05f7052ebde9253c18df6e63955c929951a3975149657e3f3b718c127918f928
SHA512 5390798cfc5929dd88bcf6f7cefd84ab3a77a7c2c35fbeb1b778467bd86fb8fb4b013398e1b829a7e360e7b9817d9ebb034f56c99a8f72438a6c94eb12c187d6

C:\Users\Admin\AppData\Local\Temp\PKkYoQYc.bat

MD5 4a38a22045ed55dae57dd018d111ca24
SHA1 8834367b9890fbaa05cabab309c13b0148c529ac
SHA256 89f3d087d7cb8067324471878db01b38d1ca10341a4f3d953396dcf5e8a24719
SHA512 7941e172e770925c9ed52da73a3922d26756a172b5cbf78ae1c5aa2b1ef3aacd7b1221bea9958311c190e1d11e0d661e2a3c7c91a5be60d1b4f0dbebd0b4e5d2

C:\Users\Admin\AppData\Local\Temp\Ikgm.exe

MD5 85e766145e503477199aaa4dd7a92259
SHA1 a3b3c54a0df311a939604e976050e12350d46e54
SHA256 b1e586492f6c11fc24a7b93eb9d55650e82e51bc51c10c85b615fb79d03850f5
SHA512 40eebb6c8092b84a07627b96607145e2d0ddba7cc8b3284074e5872d50ecbc38d5a9bc94b722ff02a219a31d5a171ca2d80c5ba27b4e21aba64e2c085e5d2246

C:\Users\Admin\AppData\Local\Temp\SEEY.exe

MD5 e4c5432b8784b419b39a5b3e9d1504e0
SHA1 ae63767dc10265ff79959a88b042e7ded8ffa18a
SHA256 9e0f2a671795826310bb4eeece4a6f350356f2b16383996372e8fc5f205cc238
SHA512 8c76f4cd2792c3ecc4685c16876afa270f749d88bb6ddbc48b6bcf97633a8ab890adc0438d207c43336e1e57b365603453f50b9653cf2a8cfcf4a89d5acf7068

C:\Users\Admin\AppData\Local\Temp\iEAy.exe

MD5 b72aaa7c9e68a75d4ddfa76003589175
SHA1 6dbca73ba39ec4b454f5ca420a1d83b9fcc64999
SHA256 385a4138ae224af6ea2f3ed2e121a0c14d734f48586b87e6e1c43fc8e66fc897
SHA512 9a9ab437ed97c0dd99f5bace8a29aa1439ae67546b5d057b823e8268b0021e636124be4561cc96e788b645fd2bdc35780ba33d8704a7988414764ab95638e4ff

C:\Users\Admin\AppData\Local\Temp\KwYS.exe

MD5 74cfe8fa9ca6ad096c6e2d43c43f3570
SHA1 da691a1755946770d6b56af568988ef868537524
SHA256 9a1c84f6ee64071aa563971f3594179e6e7838a45384ce1c225286df5b1b6b3b
SHA512 f85bc8df6f35bb79a53fd9136df08a17d4cb8ba9c3c751bc5d9692828681ef81cb04a57f98e0e274d3a903a26dbd706396ebb9def697826f97bd032979993ab8

C:\Users\Admin\AppData\Local\Temp\psAAcAsM.bat

MD5 5b8e220cb15bfab298c1c5963a7ab411
SHA1 50012989556e5c46dfc0a09f793489bf690bdd3c
SHA256 6d5cc466760ed759fe3e4d3c8ddb69a790ca67704bc9a5d38a8a115ee3d88ef8
SHA512 6696878f7d780d4eadd94abb4d99014b2b729fda89f9d224bdf33781dd6a01f1eae6e134c7f56000fc05b9f08277781cfeefdfa7c498719654d908b9810fb790

C:\Users\Admin\AppData\Local\Temp\sook.exe

MD5 304852e50b90cfcb7b1163dfe63c751c
SHA1 bc05a4cd3964c8a379a9a8509f88cb60a6057842
SHA256 7836c216131f254599e146bbc971cb16c0faf26aa59263697edf5db766bcc46c
SHA512 10c06cf7fe1d8852b74a5f926936d750efe1ca708b92230d053dd00dc398492fb5ea3d1210de3a88c7c9777f79cb06042ff7212c45c8d81a7af6f89a2c16e849

C:\Users\Admin\AppData\Local\Temp\awAU.exe

MD5 0ff2d2a81054c2a1f12d43fdee32c3c8
SHA1 b2931cc4bac368f1bb1f7f72449a207be2241fba
SHA256 cbeed01f2e3d1c2f9f7781787306f60c98ebc1124c33c52ac876443613ff3324
SHA512 9db661779502ca01964b58e1865dda2b73ac7336079ac76ba3b4d1f5c8a6ea2a6e2a9d32d573d737c6a9e1a4e2f15b6dead1390bca3430a2cc98b652842e91ca

C:\Users\Admin\AppData\Local\Temp\XqYoscAQ.bat

MD5 bafbbd33690fd24c9a6257fdec83dd2e
SHA1 cf64525f9e862b84a6b827d0b8fff7435e2245e7
SHA256 03fad2dd734cf012143a5169237fb0c79384f6310f28cccd66a49daa24244929
SHA512 9746402687c2cec3797e1cd6bf9490935225ef16856549ab493f5c809b4be21d84baabc0955ca2f88c9d193d4ce33067c3bf8cda9db9d214c792d77f11fc04de

C:\Users\Admin\AppData\Local\Temp\UcAs.exe

MD5 52177577e2a790a0368908e2f19999a4
SHA1 c961ffcc7473de3475bbfaf3cd448f08293daad8
SHA256 4c1c5c0a6e51af1dc7f3b17edf4e09de479d25bc0471ee3ec4fd2fc03c5b2a0f
SHA512 b12c76ada1d3e9b857e323dff6014784605bf61631e09e6d680e4fdcc3d358fedc99835fe54b43367250e18c9fe35ebcea98bffc47a15483e5d7301f748026d0

C:\Users\Admin\AppData\Local\Temp\sMQEYggg.bat

MD5 8f2281af631c47c6088165d04419b8e0
SHA1 d5e8a0289fb7c427703e343cda0ff8fd13723b7c
SHA256 f4d139cc9f95128a357c3cdb50666e5434905ebbfc9626e7d03a9d27c65eb6d7
SHA512 153bbb1d90266a727af525361c95cbd79d7482d5bf9aaed377c3b62563aaeae8e5fc6eeae5ac175d03973e4bc77356f0e4472821b7d01b423b5c783e6590e460

C:\Users\Admin\AppData\Local\Temp\QsIA.exe

MD5 cda5b60382ad3d4cba493f04c2f937e7
SHA1 2808178d202e42b1091b1731f9ad806712a0fcb0
SHA256 e4491b1f0669b51c26824d01731e539abb8f5a78e6ebb4b9e2b31212d1226180
SHA512 dc85cd230998f53c4cbc7fda8662334ebbca191b85a4533dbfd9f0114ab0eb1dcd020594ea9577d3863d4fe2f785888e8ef3d4073cf086744394a8c0bcefbb73

C:\Users\Admin\AppData\Local\Temp\mWAwMkEg.bat

MD5 38a4f916b31ad9f2033b69d047692646
SHA1 ebfc5ee84be87bae00c64746bf6cb4b6d6061ff9
SHA256 43674509888d89a629710e5198dcb9c61d6813521ad8479758ade8385425be51
SHA512 719b6dd68381ed54f7724cb791d6138d4ae6564f05e72f6e051b26a25b12bbdce925a97b7f7aec36ee218244644d3a60b52d605c0b7f70b7c4aef9cd06e9c8e4

C:\Users\Admin\AppData\Local\Temp\YUME.exe

MD5 c8a5401416b7c2e4c82b907b5282d053
SHA1 10fb43acc25a6539e108ecd44962cce8bf84b0a1
SHA256 aea727de16c27fca253819fe582134ef433653a66db74dcbdea9a68f9c687d84
SHA512 89afc41530a45ef0729dcf1ef6f5251a1d5d6f0e48825b0bf57cc50a9129da082ccc9bb3ff568253f8da587a44ba10a5c1e97ed640daa3d6d70e6d5c262b6c2b

C:\Users\Admin\AppData\Local\Temp\AcYS.exe

MD5 b62e36a897aa61bbeae04e59de4ebbe4
SHA1 2e6bab3f0166643ae435652105dfbe1a1f4439f5
SHA256 5122beedf479c3df965a2766b473fcb727cbc69303ba3dcb34ed8e9a7019f614
SHA512 66f4bd2e59285e9b0b61ab5a9dbf9b96ef7b040b03563aa7d2635fe8ed71738c4f3bfcdfd188cba94ce6962cdb4dcbd619497965bb17621f6cf9d05029268c3a

C:\Users\Admin\AppData\Local\Temp\SgMm.exe

MD5 262cf79cb4f0911e116721e7254d9713
SHA1 80271b5205d0d86002f19f7d80ae7ef921485f89
SHA256 1a2c347a30a626418afe8f38513bd8a6b4c16d8130ab5923dc56f8cb429a9c19
SHA512 fc8a044b6c6ec5c639db4802c3ea22e09cca949db388fde0c5b01f3263b68bd9e6493e515dca4b2d77b4bcb568bfc92e2453f139d3c62632524cf91094b8e14b

C:\Users\Admin\AppData\Local\Temp\iIkwMogQ.bat

MD5 9e384551213eac561a452ff073104473
SHA1 8254a5ad8e2e34a5b3290563fe4c4e4bc4ab56ab
SHA256 8ab4111eb918a843d88cfdc15c4ef078b51baa3fa1e11f6847df4beab1234b2b
SHA512 f1b25715b12c4a0ffebc7f411ea959c93013182e6debd1669f96c95c4f99706c0de84c8c3337ad72c0a361effe9dab9c0c789a6e25dcd775d8594a4cddf33e3a

C:\Users\Admin\AppData\Local\Temp\SEcg.exe

MD5 804b1f4240ca1ba8527e920b639291e7
SHA1 ff770d31821199c4728c0cf9aa295a513826f6c8
SHA256 6f679d32000346a4337fdc43e291367026acd37731266b94cf224f52e5bce4d4
SHA512 ee06c0809d57f2a09bfa84124e52fa96c74f4e25c592ff45608a5cc1d462dcf7703b8abe9e417b54521af4a4ca648fdb0d3f5bee50d4addaa862079f35e76c9b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 7d943abf9e4412770064f9f47ba55faf
SHA1 144d3d6f34eeb99b3709ef3f1cd70e9376a31acf
SHA256 62065c110ce67947dd2e08bcbbdc5d2ccccf2458afcaa688131aee5837f1d5da
SHA512 046bdbe3ba16f68969c3db4d94fdc8423579d10c1bc39a8b03e90459344d4e6c81916ae9048ab65ce034a1ff09638ede3bc151ba05280403214aceb6f800cd0a

C:\Users\Admin\AppData\Local\Temp\wKsockEU.bat

MD5 1cf99b2242421eb1770203e2ded9e6a8
SHA1 fa572e87c63c35324bd78d931f1aa7d7b0c2fbc4
SHA256 26fd0a9c6e4a5ab3b4b49cc22d78167a36928b231e143ad32a0fb2470ad4c466
SHA512 f401a585dc260dd03cf73e21f7d8b14d03394b0ea43b46e305a2cd753ddf58edd575c9f975ec8e533e8b179a8b80a61750ab81249b0eb55a2f011d48cfec7b0f

C:\Users\Admin\AppData\Local\Temp\mMUI.exe

MD5 67f1d543f98d6ee2e980be5fa825807a
SHA1 b014ed318862d5d4378aef2c22eafd8b2986c30a
SHA256 6d08e0a3469b3fc3d7b2c8daee6299994833b808f35ca6950e45bd110d162e8d
SHA512 7e5e2832a792d33a14c17ee9d8b6bea8c899178fa09c200e3b2d6effb9a605ec56e53c94bc45266a4881465f0ad170d6aa31843a2c46ce436a224820fac262ff

C:\Users\Admin\AppData\Local\Temp\MUMK.exe

MD5 30ac3c547a16d5726ebe8c16c50aeca1
SHA1 67a5602562f50677f23050eb115f684259943021
SHA256 7fd2ec32f12b3a1045ca56d796e2e356378a1c2b7d50ce85e0010bb51d607ba9
SHA512 0b859e86185206433b94f91651bb652c1bd743023852577edbae05d05bc52834151a29ca7691dabe81562878896d9fde4fefb42c42393455ba60e11854110fb1

C:\Users\Admin\AppData\Local\Temp\EMIw.exe

MD5 8b3f2c9079dccb8c6b7659c81d3306e9
SHA1 e4fe59ac6714203ebb4489af2a4c52cc20bb23ff
SHA256 7cf25fe06e954411a6a95153ea34454637a00e351c51dbd61eb0d6a4f8120a75
SHA512 9940c237204ac4d8aae477b4921bb1a92f00ff2985fa8cc504145128d13a9d6c1e92cd098f33c9128762870b3a6274f0ba6ab6d8847b3c902596a4b3496dc595

C:\Users\Admin\AppData\Local\Temp\ZGckIsQU.bat

MD5 16b403c483366bffff806005043ec7a4
SHA1 5932e6123bf7f7458b2db5183e4abb00819c41f3
SHA256 4cbd1bd54fbd1048a046a3db6480e7809a3862d9779f2b68b0cf0a0d71f18546
SHA512 507e14362c8ab9485ce7ca76f408d39aa2160a095374ce64947d3635bbc8aa5be60ce52a4859eaff640683f18f62c9b0dbf6f5e9f15c5cf243cb935ce50610af

C:\Users\Admin\AppData\Local\Temp\IscW.exe

MD5 f45d37434ad5b6b533c5b1b31914b5c3
SHA1 53ea13e2debc4958d318a6336b89c54a84d51c0d
SHA256 19973e0336db651681aa83ed7ef40927fc68db053e213811b38f8dd3bff2561f
SHA512 b475856b89d85c35b2758610a548fec8629780d788f3b3c4e3ba5ea32b8f3c1da3d1f10a21c82733b6faa144cc9ab5d5578c12e8707658ee764c0a7a773ed684

C:\Users\Admin\AppData\Local\Temp\OMwa.exe

MD5 d1afbfb402382a81e3d6bf5647b5fc3e
SHA1 b6a4ccf802811d2b66060dcc7206ad7c9ad26fe9
SHA256 1cb590b6173c9f7968573d97a8352c4d479d3135b6be32efa83b61e4eceaf8ef
SHA512 c7db5f813c3bdd725065863168b3afb1a36e4a5f6461f28a1576ded2fd303b354a140b94f4d58941ffc52c34f7b5e4a0d1361f4598371f1a5cc86aa7b6ef9cca

C:\Users\Admin\AppData\Local\Temp\rUsIQMYA.bat

MD5 e8927a0f5e3db52faba34d2958f6ef51
SHA1 ebad169e2e201776490238606aeb857b4b1a7c6a
SHA256 10be8bdde215e2224d4c935e76b5ddb6d0537a194886861590f02f345f1bd435
SHA512 c9d6a2bc146b5ae8110c5c6c837b95dfd058b75c92cd1140f181b94fc00f5b92bd99426f359103a78c02e92c0b118009dacbbc6a2c8293732fd526639790544b

C:\Users\Admin\AppData\Local\Temp\aMws.exe

MD5 681529e6aea74b1d4834a3a66079a04c
SHA1 37258ecc08ab6c05460fbbd7596e04f831e9427e
SHA256 552125db9fef2036bf7fc327d7a4baec2968837bad3d66aa1f291a75c577acc6
SHA512 c89d8c096d88a255dc4ae3a3fc9a17c095171d07427f574556af2f74d9938c434a27ec84c6c7b8bf55e3502b7d4efb40feb8d67b35ef48f6159d42e7aed24d5b

C:\Users\Admin\AppData\Local\Temp\Ccgq.exe

MD5 b63877b2e281b8044c792a61ef2154a5
SHA1 99c5ca8aaede98e4a68d5322beaad1332519a2ab
SHA256 3e465665a82a1c1f841aa34aabe77842e77ab805214a2769dc4ec5538cb63c8f
SHA512 3c05a627fbd93657014e53a7498ea0b62704f93c6b28a77414a7c5c87a94064bb13bb4b0cae24e5a16d1690fd6ae11525a0d8df1b465ec9e212cc57e096c6ba6

C:\Users\Admin\AppData\Local\Temp\lCksEAcY.bat

MD5 d5c9c479cd8937da6f242cf8b03e0904
SHA1 a9f7837eed00a544842256bd411ef08263b47871
SHA256 473a16308773ff897cd5593a92357b73c30a23ea0e9d6ec0fe98b0db88ad1c59
SHA512 3d1e60d2d9e643550aeb22454e03f01083f4e41660ba1f1fc1d4acd96c34842fb1eabc4b91af18daebf8fce99ba234d9b1f0f6167956695d109e3d9a7a6681f0

C:\Users\Admin\AppData\Local\Temp\SgkU.exe

MD5 4086b0d71d14e1891348c8abf10e791b
SHA1 2c4ffdae7ea89bba6fdbd6dda68efaff341515b3
SHA256 a987d731c1d4f776c8137ac8c79cc514293aa15767b7805589f145bb8f4390bf
SHA512 1f9c6c73b27d1b92e684afafcfd0a11ed52fe1558454d977b60976f63916f2c218540343e2714cb18c5507744fb69b82f59f38379fceddefce97dc38e259401b

C:\Users\Admin\AppData\Local\Temp\AIAy.exe

MD5 f76111eb37ccc8a1c12c002fc251fa72
SHA1 2c83cf50f9c8f99cbfe5dd1e6a51b74c2236251c
SHA256 f55dae5e32252e33b69dabe7b6ad4711bf76baff3cb10bfef6387e090085cdde
SHA512 78b114547b474cb986d78b7bf99e02cb3f08c0a6d1437c39a32c488f18fd4102565827ba805a4279f72940a5d9296110e8f6457ce2b423ec75e0fcd11658b139

C:\Users\Admin\AppData\Local\Temp\CIAC.exe

MD5 600601491eb104cac788b4d72f39e205
SHA1 cdefb3f55cee01323a8159dac0bb4f0f2e65def0
SHA256 5ad189cc77ea64605185761db96afa0d0238b18e03894233edbfbc20774e0971
SHA512 a59026ff49efe66fb858cea1f7539fcbb4bde618d3c39986e0330a1ed667edc994752d4f96c34290c288148e5367e3d06050d2628551b1d0104ab8269a01db54

C:\Users\Admin\AppData\Local\Temp\LIkEsoUk.bat

MD5 e0d44cea511da95cfad829a4a483c6c5
SHA1 c9b14584d3f57a38ab496a616b06b51830960d17
SHA256 73db35d29fb9395fabf3c71aa1d90f85c5d68baa40b0df08db54097c9683b27d
SHA512 0db82060827838cd5ead7befdefb054b76f5529491a566a13aaf7f89dec60cbe0a84f07457f03324eaac7378eeecbb649f1312af279b7eda5b86164951d81ced

C:\Users\Admin\AppData\Local\Temp\eEgM.exe

MD5 f4ff388148d2936dde86300d65a32ff4
SHA1 85ef0c79c266445041a012c4d32f584be4793065
SHA256 dbd8caec898bc42d96f2068beaf9b8e3b38bdb85e6dcab6f1c372e68c5116e03
SHA512 f6070c0dce88230dd459b1bc1f95d181870b3a9dde4031e0d931dd100a4a36934af9e7f432fac9c4ab68d999ff69e8c5a6d31cd45e04b6cce805f42db2b3d181

C:\Users\Admin\AppData\Local\Temp\UAkS.exe

MD5 c1dc69931058fd85cccd0ab8975680e8
SHA1 eb924ba043d64329ee950aa963aee4612f342609
SHA256 1adb315a06cf460d3959e6c2304131b8ae613ac881ebd1a4b1c329e55f051e61
SHA512 da6e11d6c9fcf4b0cf723ebb1baff9ea3afc4bebdfec1c0958e2b2255459864bda893f48abdfe391b08ced7e80002074a65d3e427dd32354d859655e122db2a2

C:\Users\Admin\AppData\Local\Temp\GMQu.exe

MD5 ba70ea58f23d5a09c60a9b3d3490d1cd
SHA1 d5670b8f6a9303a7a3021b6def7000a037a2c1aa
SHA256 f5e12cc1ee1f25306a9b4dfbe26b3f55ce23d9499dd26e41c78ca2b9fdbbdd73
SHA512 a15564fa75968c5b696db236e0af5c9ba5c4346f26a5ee3f8a8b95833e0a7810a83ec986e7b4559e7abebb33df350fca7458f8f4e77b92d781f5efcce35ee378

C:\Users\Admin\AppData\Local\Temp\GcEE.exe

MD5 250cfba3805fb83982baaf1ee030941a
SHA1 a1a99630108a0b4cf8e21a9fa589b300aa904145
SHA256 7f33f3fdbbd9c66f95aa6273d5b8b4ffc57bea4b15b5f4f55f69274ef7802b2a
SHA512 1984d0bb15387806caf45bd59026fed74d6526f54a78c7fb730de373f051e218abb63f0009f609ac2862ddbea40e79c8fb587434d01574bef64b5af17bd13bca

C:\Users\Admin\AppData\Local\Temp\oMccwYkU.bat

MD5 10c5e03f6bbf90a87d9bd271864655df
SHA1 e95749b8d36c718f15fd8bbf4534d3dbf441240c
SHA256 e39694e4bce16819c90a1c0855e4ed9b13c00e1615247670b0725de1369d4467
SHA512 a86b5e254ed62b646067772eacbc9dce4df1a670613cbf932735307caa279767f27de8c55e74c495aff6a4dfc9cf54897953eb9d5a7ec3554c69996692024e30

C:\Users\Admin\AppData\Local\Temp\kcQS.exe

MD5 108acd4bb47b8888976248bc45fb744c
SHA1 58f9412cb04e75929e687bb540b495562bf752b7
SHA256 576eda7057b9c007771641943099e3c5b68fcd9d07de0be846b7f8b5b872ca37
SHA512 aaf1c2d7491c9d493da82ec59a80e46994285c8e70f21d3db9a878d208dcf4fede298549d121d4a75db8c047946f86e9bbf4dca642b563c7c2cc0166676bd44b

C:\Users\Admin\AppData\Local\Temp\KkIe.exe

MD5 d8f6c9734ff0b7b6382b5f4e403067f1
SHA1 81deb6b55f7ecdcd235e4c5edb9e23bcd1b664c2
SHA256 0a71e588155ca92caca5d9d084f206613a1542ea73cd0b707851cea6787a1eae
SHA512 0947d2fd4fc6f66adee994d76c5b1f3df6880cc96ccece4890e5185a6302c6a07ee728795bb9b45ebe81247e7c5fa0831be23fab4efd4a641d96095d75b30b83

C:\Users\Admin\AppData\Local\Temp\qsMg.exe

MD5 7804ef52c8af98dcc98416e27b6798e0
SHA1 c8463ce918231e7eb3ca4a5aa55fb15fc84227ec
SHA256 73bc048ce368a833177160388995eae23fce3e96103265ba66eb31160230c09b
SHA512 db591d42d16cf0061022c20b2f249fc3bd08db6abd110afcf8012f5558644c9c24bfb907c81c929cc20f7f20a502124002b8fa40dce753effffc352f1d11cab0

C:\Users\Admin\AppData\Local\Temp\UGAoUIEI.bat

MD5 842ab8e79bde33f0e6516702645dffb6
SHA1 5dfa26df17cb0de828e75f9bfca7c47a8ae3c696
SHA256 4263bc5e0fccac7a0d2568a28ac59f4beb3ac25d115bac856abe585b784ffc8d
SHA512 7d71f024c62066ec052072a564758d95a2d37f0cbe7ce5e558a423705f59a9bc27ca3b3ad9e1eaf09c4e3f1cb32a8f1e49ab35acf6236e6cbfdb357e3f9d54dc

C:\Users\Admin\AppData\Local\Temp\oowA.exe

MD5 028f968e319dad3b7a6475a29e3fa66d
SHA1 419626d2bbe1d3f1a2da11cbac9869ec61db56b4
SHA256 ae632d9c4177849f4f155cd058db4f4c773662ae409aae006b2037f4a551b00f
SHA512 da0e3a62ee82fd70486060b65a33cd8c7750a04dc1e036b815743b050a0fc160362ed8d4a5d2bb9645456350a6adac757d2091e215613161dc3f391b82d09af8

C:\Users\Admin\AppData\Local\Temp\qIEI.exe

MD5 b472ee9296f10e15167b4c0e818e9dd4
SHA1 03c613adbf94c183fcb4a0de1e4975309888fc5f
SHA256 c97ce5ac4fd7c484b80e42f7ab39fceaf8ba1d7caea1e45880b81d98a7c60a15
SHA512 0dd343b9f72263339ea41baf1a9020c834831d1d5114854da62a5dedf6073c988d2690988ab6a6506b30c435f5612bc8b7ad433b7fe9f89e0109c33935254a44

C:\Users\Admin\AppData\Local\Temp\isIa.exe

MD5 a087ad331bb2cd34f4f28a29c3e6528f
SHA1 a7337516e93962c10a1e6795e0e2953f191627c8
SHA256 7b8c49cb5bf9a66be4eb3dc46bd0ab4d3d4d01b663de8d54a5bb3be39d191c1f
SHA512 ad8e0dbc7e9e14b7a163f0bdda99f7067477346b3be443eba7bbab4f3eb3b58bb4aee653cc52c1d82d52cbe02c3ec92edbad085184292422a315d8deafb4999f

C:\Users\Admin\AppData\Local\Temp\mmQgwEMc.bat

MD5 bed2280325fe75af463ed2ba6d824548
SHA1 e356d504fb8b78d5f31e3c32d1f425d1748fe130
SHA256 7deb89020e19f2ae3d632b9872f7399aad82a987b4f802aad8b881326191397e
SHA512 a2d432690433c5cc8aa96dad1f3fc66c076655fe4ca88175235a7b4cefa8e3eb966b91b5741ec87f2a0cb09425d4217327776df044d899c9a0ef7f94305dd9b0

C:\Users\Admin\AppData\Local\Temp\uUkW.exe

MD5 1708d560d6730308fe674a191555698b
SHA1 3fbfe00d16a2ead5b0c6e2f5b7cb939920355c8e
SHA256 2678b73bcc08ee6f0b5a283d281778b4c2e64e49e519ea214766945243db11ba
SHA512 56125a6e9a2072f37c77d0c55ce88b87c050c9104746a1685c11ce3a753dc1727938cc0a247ae6a4335dd599dd83a56da76e09186c040034c4b8cc278ad97ec4

C:\Users\Admin\AppData\Local\Temp\iwQM.exe

MD5 4febbcf8fa7a6d889208306d2b29b931
SHA1 59b9bf743f274647015066f871daf9e3eb3e1bf0
SHA256 784f1321f36a2933c18d8d2fca756135bcb882cac08180bd4a33feeed44aba41
SHA512 c743f69291154ea80706a5e808d2c1cf7eb6e9ba139227ce09904f4a5aa4045ee519e5103b652035039a8d5147274b84a8ee592fa7083121c6b470dd31a330a3

C:\Users\Admin\AppData\Local\Temp\CggS.exe

MD5 046df69e0c911516b99ac554d4946986
SHA1 8bb069695d66c6ad22abd9809fdb2b97c3c0dcda
SHA256 c92ed2b5e9aafc92b1bc0d6b7e51805958736a86663f3fdd1e8b3ce026dc15f1
SHA512 2fcf90aa635a15889bb77f0a58baf87230f2cb5f2aea3074a52f6787aba2f5484a1cde36db603cd3be331bb0ad84e5c22f20ef8e080bb4f5538cafc5ce01416f

C:\Users\Admin\AppData\Local\Temp\UIcM.exe

MD5 b8198c7eb1d3bc16281241523fecf023
SHA1 7d5dd8dd32751455495442ee31b36665c9eea0b0
SHA256 80b25fc701109f6c91bb4458b5d1ae2e96c63e7ae867f4c6039f250c20f691bd
SHA512 4d19d6cbefec752da86f2324cf4a5802e02d55b300fa2f8f324287d3e9dff33811588b8f611487735212300bed56b8c04963d8a5e78dff559f5998e16eaad812

C:\Users\Admin\AppData\Local\Temp\VkccgAQs.bat

MD5 5c99f3f7e9467029b48f6b76de680725
SHA1 0e2220d465116b76e2303f9aa0226e589ba1ee17
SHA256 9afda96e5410144cdd543f64234ecb0eb15ce7a9e0bebee5f6be982ffff966ff
SHA512 b568b2f526ab6fccb951a10e580e989d42576555ff65041ecf88304bc52225875e02edcb5105e0a5323b0a7f13acb4f223764b55d80b9642e34d7a6c63b68506

C:\Users\Admin\AppData\Local\Temp\iUYE.exe

MD5 0114d7b3c67f4b3678454eed360032b6
SHA1 6af23442c6464c7a9155c6cdc1582f473b201133
SHA256 117c0b76621182c3d9e01e5761e5168213695b4d7f1814326bae317043d4dd39
SHA512 32a48210e3e808d90ac12712a7a814aa6088720b92b9609671ecc701a2de626cfd5bd11c35b1aa748aaf491f77c9b1a844f513e53fa8bc71be689755bc3370dc

C:\Users\Admin\AppData\Local\Temp\RyAQcQMI.bat

MD5 eb2c001b153770db734fcb6a5fdd99d8
SHA1 caa9dad5ef58bf0ce6f80fd02c57af31cf5d7021
SHA256 cc987d392113cd255cfaced741c6493da72fa343cfd190edfd23c260315a3619
SHA512 eb5a3d4b0124f5a47aa06527cdad8a27c002ca7e82bea58dfc215ba8a1ebfb350eafc6b218bddcfd4535433ea2fa5028a9b7dcc9a9b06073e7faffd3e167dd40

C:\Users\Admin\AppData\Local\Temp\iwQC.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\xyYMcgAw.bat

MD5 409fd33f37dbdfae35b24326657ffd0a
SHA1 3787f2e8e182996fd6739d4fc8fe63ee5720a3e3
SHA256 c33e64ca77e7289d0c112b1376ab45499e09bf00af82bce9fc44e96c8e08e0a4
SHA512 92548b4c9163fc3f9e4ba65d392b704b2d31f1df59610fa62702b104c6d0899fbd8c9c0b50f7ca09769eaeb194c91c83ebe9162bedcee815808042e2c76a3aab

C:\Users\Admin\AppData\Local\Temp\akIu.exe

MD5 ea1682e3b5b3d413fe22a64882468c44
SHA1 ba753bc048c1122f8434647754d2af04a51fa781
SHA256 c110fdeb4cb06eafac79a87cb40c77f2d6076122778e99a573b37419e2937892
SHA512 7de63471a0e529329b88bd8d38c8a9ad23d87e053a330604da6d3774b4b469738354d0fbcacc1d657af410f3bda00ee9f98af5e070bd0522aff1745e5ca36183

C:\Users\Admin\AppData\Local\Temp\EMUM.exe

MD5 9176610204fa9ebd53116cdc21a26525
SHA1 5da34e663c01349ac6cc522f75a5be900758449c
SHA256 ecc79df6b61108930255a93cf53fd1d99f2f24ca768941bc2576a4412487adab
SHA512 5812f5b922e2315e92ddd2362d8be8a2c310bd791409b831cf07c72597d4ff3d72bcff83e3c078dbb8bf6ca391379ead201c08fdf9a787c14e36fe09f23a3a21

C:\Users\Admin\AppData\Local\Temp\WUkg.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\aOwUUEMA.bat

MD5 bdf3b8956f6a9c6d22d3e0dce382c147
SHA1 1ef6c0051b6f5147e8664fc0019b14a260f8057e
SHA256 a488279950d58a12d86c71d868cc6dc1b03f99a2d78db2ac8685e20351cd13b4
SHA512 ef01437597c29d7e3549d9b5b7eb60225d46b6a6723e545ca1ab36a8199d874c4d3e900f411f14332e7178b41723f0b369bd25c570565f610581b23eb0d354e9

C:\Users\Admin\AppData\Local\Temp\CAMC.exe

MD5 770e3353ec2b74ce3036181d7e9c095e
SHA1 25c6d7efa17ad9d62c50cc351447f58ab3a737c3
SHA256 675290ace45acd8c16a020b87b4eeb21cc7f97740330e435736ab9d64136364c
SHA512 7c644c3fd6c283c15d35c63b0824c30ae466de99719e01b6ad056b57dc609d23b86e3079485b2976dd5755b3315cd108ea1a129a054a02f14916bb40e1328c0d

C:\Users\Admin\AppData\Local\Temp\UMEG.exe

MD5 9f9a17748121b375992c4c215f48227b
SHA1 084c6827df78cb2d3e196bf54e6cbf9835f97b7a
SHA256 53f15334ee60dd777554c4d19a820c77cf1e7685692dea1b25046b3f836be9e5
SHA512 2eb002bbbad11303b20b420de7a444e196df9f37511b69d840a335def26aef4a11483d6ba11206e16c11c7f76449be690d640a5a0e8b63429a9238b4eddfeed2

C:\Users\Admin\AppData\Local\Temp\cywosMIQ.bat

MD5 539d3443e23c49bfff264dacefe130e8
SHA1 7f5dd18b34963b7d59134d934af23215aecfbda1
SHA256 7062f85cd76209aaa4d7b1b87c77b0d6d55ec19604b95a8cc2d6b96affc199f7
SHA512 6271ba0cd3201aeb7eb764aafd2a61ce8efe4a23d4110d45b2ddf98c3a0fd7db8d7ea896b7629877226c6221ca7500b7c0f65551f39e46bb20d75ceb0b9baaca

C:\Users\Admin\AppData\Local\Temp\qMsE.exe

MD5 cc9542a676855cc42e89fe0f8c51fd63
SHA1 75e28e1c6b916dd108233e0fc9445bd82fac88ec
SHA256 d59aadbec126364bc8c0934852170859a2c68b81f9a4e19bdd1c9a7fd1611936
SHA512 dcffb02ee99c8132143e274ffba5bce2bfa5484f25922fa1e03b0d50f8689be9def1883cce6cc02b8baa1f66a17f3f2e0d0b43a3a959ddf9b2f5c388aa0c2a1d

C:\Users\Admin\AppData\Local\Temp\qUAE.exe

MD5 c728820a28bca1792ecf696cbc7f4cff
SHA1 0745c6f764a2a8556d7d616f7ae28a0b18bf1e18
SHA256 797e918c54ac7cbc3ac6432ea289eca29fafd6bda35be986a4fc55b1a81ea29a
SHA512 21cca696854b76a855554a9fd95697e91d801c4c47c23ec6745edf388f8ff37f3b06a89e4dff67a666dd194620938fffbd82501211656f28696715110193d106

C:\Users\Admin\AppData\Local\Temp\wkIk.exe

MD5 2b3131372cc94036fd828ac44cc446a6
SHA1 0efe9e45ba550861aa6188e68c51c2b40a038b35
SHA256 0e3ae90eb0ec0d88a5d1f4e8c3229c08112305241419b0151e290797226cfcf3
SHA512 8aa48053894b865a452c4bbe99357c5f109636f86e2a929488e32a9658cadd2d57493973edbb29d26bf154fc817233ecddd7207f26f5d7b2ec7723b8f4d13e11

C:\Users\Admin\AppData\Local\Temp\CEwG.exe

MD5 fdc3f663991b5f674e84275e669b64f3
SHA1 838c2e6c0e0c84e2ab527aa1e5695f3aeec3b9a5
SHA256 7859b85ec8a083dfc920f4bb7756e1b7132a65254188a1a6e727c79667a1256b
SHA512 5a3edf225bf602ce2265e598b788f40d602d6f23724b9576b4860c8f082a38bd5a634936d1b538ca2e2be59313391703e96541e3033818b27b77c61e4ab384d5

C:\Users\Admin\AppData\Local\Temp\zSQowQkk.bat

MD5 d0d58dd88fe3c66abe143f0ef70513ad
SHA1 712e93888386a6ff33070a33b667e0de5d0a8883
SHA256 f4e3cefd9d588a3c1871554648202f75fc0df0cb99dfed3b844766656747340e
SHA512 2c5891ce7785b7bf0239368ee09fbb794ea1c0627c4899c8692f8d8f33b96a7b37b27e44cd19664e5ba114cd9137b895ab978777cf4d6901ee226b0cfd6d7005

C:\Users\Admin\AppData\Local\Temp\cEsg.exe

MD5 800767cfb881e0518f5e978dccf00b7e
SHA1 1b6ab0f580a3b683c33e7676372954e2d98f778f
SHA256 ecf61c7bbfe07f4f3438ed95c988de6427da7cdd8e526432519b69ea48a05fae
SHA512 60f202b2de1a1486c7b151d041c94f522a5e07ff2b13b5a77ecac45582a62937449afcaa6e32579d1e958a778d8d326c871f04132f0ad8f653161259818672ff

C:\Users\Admin\AppData\Local\Temp\jEAMAMgU.bat

MD5 cccefe3f10d33b108f94bc6378a9b17e
SHA1 108738e0e21678db034d386da93d0a37bac9e2b4
SHA256 8c964d0012fb302bc6d33734fd0b4dc9d53b1be49f4398393a6cf56a95cd9b34
SHA512 83b11693aa1e657813512fd53ef9c93b98032cbd962e69c0dadd0f7de7d64c754240ef4b24f70387b0b8693190874b3be5194f2dd2d01edb8ba2b965ebfdf877

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 11:25

Reported

2024-04-03 11:28

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (83) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\ProgramData\XAQIwkYQ\zqYEIMII.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmsQIEQE.exe = "C:\\Users\\Admin\\DmQIwUoI\\bmsQIEQE.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zqYEIMII.exe = "C:\\ProgramData\\XAQIwkYQ\\zqYEIMII.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmsQIEQE.exe = "C:\\Users\\Admin\\DmQIwUoI\\bmsQIEQE.exe" C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zqYEIMII.exe = "C:\\ProgramData\\XAQIwkYQ\\zqYEIMII.exe" C:\ProgramData\XAQIwkYQ\zqYEIMII.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A
N/A N/A C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1156 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe
PID 1156 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe
PID 1156 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe
PID 1156 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\ProgramData\XAQIwkYQ\zqYEIMII.exe
PID 1156 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\ProgramData\XAQIwkYQ\zqYEIMII.exe
PID 1156 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\ProgramData\XAQIwkYQ\zqYEIMII.exe
PID 1156 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1156 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1156 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1156 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1156 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1156 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1156 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1156 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1156 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1156 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4472 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
PID 4472 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
PID 4472 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
PID 776 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 776 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 776 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3672 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3480 wrote to memory of 3752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
PID 3480 wrote to memory of 3752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
PID 3480 wrote to memory of 3752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
PID 3672 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3672 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3672 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3672 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3672 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3672 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3672 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3672 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3672 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3672 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3752 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3752 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3752 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3752 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3752 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3752 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3752 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3752 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3752 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3752 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3752 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3752 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3752 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3752 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3752 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4396 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4396 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1288 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe"

C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe

"C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe"

C:\ProgramData\XAQIwkYQ\zqYEIMII.exe

"C:\ProgramData\XAQIwkYQ\zqYEIMII.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eokQQwwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQEwgYgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eswQEEQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSEMcUME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaQUwUEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWkEMMoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQEEQcAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUwMAkEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XgUoYoMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faEEMowI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSwssYoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wuYMgMoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecAAQIoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOQkcUAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQcgAIAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zUwAcMoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOMIkQoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUsQMUIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQAgIkUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccEUcIMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiUcUMsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMcIgEYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOwIwUoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sgIMYMsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqAcIEcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKcEQEgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSwYwgwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIQoAokM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cUMYYIAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIwMIIgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaYYIkwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEwggwUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsksAYwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmIEQcEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcUIAEIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aiAwQQwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nSUIksIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZeQcIIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MGYYcIws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
NL 216.58.208.110:80 google.com tcp
NL 216.58.208.110:80 google.com tcp
US 8.8.8.8:53 110.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 218.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 9.66.18.2.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 249.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
NL 142.251.36.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

memory/1156-0-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe

MD5 8cfa42e92c08b305de0db872a31bf387
SHA1 800b60f758d1d7cba0b2e7aada7445ea564cdadf
SHA256 ada56053fa1fa80baa90b9d70f28ce638391ed4779240f6d7a62eebeaf68f828
SHA512 82177648610158346100f1442c6c37850791ced668b7be67b86e8c253de146876ec02775fec0f914be5a136cd7f3c0368f8046601319660545aea2e062a8bc33

memory/400-6-0x0000000000400000-0x0000000000433000-memory.dmp

C:\ProgramData\XAQIwkYQ\zqYEIMII.exe

MD5 0b2fc3d9c3d1096726bb44e9731a6f3a
SHA1 9c27d9c42f6658ed74ee087c3dcc1e89bc6f47b2
SHA256 074f49c4562440e2b9c9144b30f425e23bb0a07e58cbc1d88c6e20e93519e3b5
SHA512 73ac953a4eca752e64b0045f2b92b421b669d64bd6d6d135c0aa984bda0073496176558108b2cfdc83e8321cd1bf754c2eeef52f48f4afa9d108abf9a49de945

memory/4968-15-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1156-20-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eokQQwwY.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock

MD5 588e8e645526676ae2f8644d4dd82f06
SHA1 607f0d19028f909a02b5a4b00ab7096dfb7f30d8
SHA256 46f556f484064bb3cc55694c4fca9344b1432ac341861e56bac17d15cca46c7c
SHA512 69766a05b8874d7a0b4ce8b7fc7888b05cb4c3be56883db39fcd63d31742aca901c056b655b716960054fdde71abb56905d73038a5974682cd1092c5a7efe6c5

memory/3752-32-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3672-31-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/3752-43-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4432-47-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4432-56-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4340-68-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2468-81-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3156-78-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3156-92-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3224-94-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3224-106-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3376-117-0x0000000000400000-0x000000000043C000-memory.dmp

memory/436-130-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4608-131-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4608-140-0x0000000000400000-0x000000000043C000-memory.dmp

C:\ProgramData\XAQIwkYQ\zqYEIMII.inf

MD5 4cf3e2e93b737c75078539ceeaedb539
SHA1 f5e75df255a12d5e528a9cb09c7454af30efb37c
SHA256 50bdad765c5248784df0a262034587b614545fa7322c6a43bdf2ade48cc0a44a
SHA512 cfbb346664b804b6daa531c0d6c741cdca8599cd3e5d37b88e05e5d3709af3dc017ebf3c0c0258f21966d14e167e434bd639dd43b6e0fa8e30f50231e3ec5cde

C:\Users\Admin\DmQIwUoI\bmsQIEQE.inf

MD5 255147fcecd08c246a388ec26519fe35
SHA1 f6c01397945e69088baffda8d586c45e4d9a8ef8
SHA256 9d146c17e922370a4c13b7bd6727970c22225a07cdd38939d9de2c01f61df98b
SHA512 6c3462b5962a29c1b9b9291f8a922a7be917c50dc15a365664789c45b39322f94c14085a9cbcaa01eb63934dffb55173f0fc0651706942698828cd85c61afb84

memory/736-146-0x0000000000400000-0x000000000043C000-memory.dmp

memory/736-158-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1244-169-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\DmQIwUoI\bmsQIEQE.inf

MD5 e18f8de57b1264024ede6cd037b37ee4
SHA1 a6983a6efc7766467d38e3774724e4c4d78163c6
SHA256 d5762b86da50a55ca995899c104646fc115fb7c2c1917ab0ddbd5ff422279c8d
SHA512 10a0ccca30691ff2f533a77b9425a057a44731ef616d4b944079f61be25a9bcfe6ff4592385dbd265fd9ab87c45451a02639b23bfa8a7b912bbb899d403eafb4

memory/776-184-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3888-195-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3112-196-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\DmQIwUoI\bmsQIEQE.inf

MD5 403ba2bf7f214c42c5c6377e6bb2233d
SHA1 df25a3fb6d66adb83d6ee7334039b6a131d5f0e2
SHA256 491d1d01bc96c34613594d87ce9cf10041825e3c6973aafe2ea41aac281332fe
SHA512 e0945935de4183516a480ee2675d446691c2f23af2f672793de80c8ede9ce689fe7a61ca70de8de108b99b5f677012ab89e8874318a36e1094bc3c774c9693c0

memory/3112-211-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2984-222-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3308-235-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\DmQIwUoI\bmsQIEQE.inf

MD5 ac7bf7a3a3c8ab65e0c3dd5c99e312fa
SHA1 e0006252aa0850eddb008808626bf713506ada5a
SHA256 7a5f53233c1ee772081286039598f0636ad8d9b3ed5471618b48e69171d08f88
SHA512 1bb7f88959fe024a3b8f29b3e972a85efbffea58783268abc4ad42c14782605fcb912f1d474698a7d223449e8b282cc3efb3a5671cf98042e1e3f9c4f9625650

memory/4604-240-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4604-248-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3296-249-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3296-259-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4056-267-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3916-268-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3916-278-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4108-286-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4080-296-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4820-297-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4820-306-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4108-315-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2288-316-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2288-325-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3052-334-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1244-335-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3052-343-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2996-344-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2996-354-0x0000000000400000-0x000000000043C000-memory.dmp

memory/636-362-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2964-371-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4928-380-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3988-389-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4508-390-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4508-399-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4368-400-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4368-408-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1900-423-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PckW.exe

MD5 67ba75b1045d86a395e53af9ad3cd9ff
SHA1 9ac7d03caf7c2f58fbbc1f22ce85ad351b8bd1bc
SHA256 b0284ee8353c7bac0cadd33b0642ea729557047c34c72624b5e1b48d5d7aeb32
SHA512 6653cae4463b9819f632400f5d83b2900483db8158bdcc1c91205495219492d8bb4f8b7d971325150957a6b41c770a59722b3a2c814dc681d315c9d6f3e41dfd

memory/2500-434-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2500-442-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4492-443-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4492-453-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ukAK.exe

MD5 cd262643065a7f392c14bad523d2b5ad
SHA1 9690b833d76a4358b1de4a7acde056bc0dc08adc
SHA256 7908b97d4accf2951b550ac48810699fefdb73472494820f6a8f135b031dc8e8
SHA512 016ffe79e2383820eff2e8f8df011c059baefe19b925d34620f0b9ca6e865a0ea5c41fb594f02ab391517c0eff905f6fb7c7b438788191a78f3608c31cd9919d

C:\Users\Admin\AppData\Local\Temp\HIES.exe

MD5 53d37007306141bbae9f2075c841733e
SHA1 a0994857158531ff257b84d29734052085cfb931
SHA256 84c3412d0ae176477fcdad53489256398365b71557b89fd938d906d766052145
SHA512 24fead236323de0bf677035fd79feff6f43712e85ea458d7dd444cedb7557f320aa1d14717322a829b649e187b730be5d6cbb33241af4b355a173ab39251a216

C:\Users\Admin\AppData\Local\Temp\ckAS.exe

MD5 995dfcc0dd145fe1c8db28de3522466f
SHA1 4cd05b5c396e14794756db2a5b2b8dbe1a1143fb
SHA256 2b6178454d5174ecf97275320e900547d8e07c49e4edb247725bac674c26c9d9
SHA512 7ed2c02500aa77ec2e0ae2e3791c0d4459a050a6c8fe64ace174956c8d425ff6f3fb3bf71614084652b1ac2facec24ac8f4fd9022ae772bf639e9eb9d8b96a19

C:\Users\Admin\AppData\Local\Temp\skkm.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\iAEu.exe

MD5 0b1f22264becdf266220e29a6e0e9f0d
SHA1 bdcea8065765edd3a24729303d69bf902ac6b26a
SHA256 bfe490208b949a3b4a476ac940d8f463d5786e46709358047394050c3c6a6c20
SHA512 4d6766975ee989c4b534457785c5ef1e530c73ee3fdc4a2c4f9b170cf5602a34124a2d6bab1f2bff4599162a0f3576d53edf22ddc5e2a3a5728a259d42917222

C:\Users\Admin\AppData\Local\Temp\mUYS.exe

MD5 7c3c9062739b30a020681ec627fac797
SHA1 0ae44d46436ca38dac1e59b20fb43d110a04372c
SHA256 2fd71a9c605c4f7acc793b87c06af3518fd0cfd005ffadda4ba62609d235f3df
SHA512 69a3e9fab71efdb841eb40959c8c32b1e44a0f451c212c2a671b16fec6f520694867146a39af75a7e12aca1cfffdf9bcf421d9b6d8bb7bafeec72c8456262228

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 626799e031a8b2272f80c55be048ae61
SHA1 72de2f8c7532cfef8fe116beead6e3da21636fd4
SHA256 7c6b9104bd575ccfcc6b38c84dd09c331950672782ea49b6a87ca6e78c9e2fc9
SHA512 2c6db5a15dc8fc53c099849dc0efa85dcf512805bd057734f31ddf771d8f8adf3fca7d788491d1bdd068e356df206c24e4a3fd165e49d574e1ff88d350cc41d5

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 895049926e56cc19a286b5618589d8dc
SHA1 c49600e8f1db1bbbc5d5ee6c62bc94c2b59b2fdc
SHA256 67351c41b9ccc71da699f51a099b8d9c2ba47400b652bec84962249a8401eac8
SHA512 0c3ab2ec8e8d8106025e91ab652392389125e386fbc7e8166a84d53fff18188dc1ae3a92a773f7a09ea601b3226ff4e035bbdbe0a92bcbaaaed00a7c555f6fe4

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 e74644687ee6d857bcd280bd0f60401e
SHA1 866a64c58b29b44c36573e6facb1670733210b76
SHA256 d9ac2b9567077b435aacb25fcdbc1d1dfc02c2af22d054d4a31004d8646b1214
SHA512 335af230a4a75b0284d197c2d9e5e253eff5d5cd381d153512da7d3429de9806b88d2ddae244e3f318ac68ec51b3b9ac128699beedd58ae847b1c4a3aa92d29c

C:\Users\Admin\AppData\Local\Temp\MAEy.exe

MD5 0f3338589838801401ad93016a1fc7db
SHA1 ec20e56a12aab0cc8c1cd418307dd687a8213b54
SHA256 ad5d1a35c4e3370d85420777ed259b696e40acb1e211b135ae625de90adfe048
SHA512 ea7d6e3d838f4bf9167de46b8295cc9ad7421e8392bc1ce170d8bc4705f4afd8d15ffda78cd3ceb7ea1cf6745a03c951dd29a4b1894543ccfd42e2508ff20d54

C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

MD5 4893f29a237ff18f2ec74053f81a3964
SHA1 20401904b6ebf1fd097b521dfc20d32d952cb1e4
SHA256 f2657c844a6d944632f0efe2ab4d03f6706ac8cb32bb269b58b2eb0696fea02d
SHA512 50437afde9ba7ed3176ffb9e2fc593cc392d47e60e2423d41d3d7fd0def2c9b61771e836219e52949b17e53a3c74fdf8dc16584c38298084d061f0944c69199b

C:\Users\Admin\AppData\Local\Temp\QwsY.exe

MD5 2838e1f9a2a91212fe9aa317378d39a6
SHA1 036358a4f9921fb6df9bff39728adda7b2e3f6f8
SHA256 e2fe3025143afa42aa5069fb34c114e6e672dbe638bcaa2622310067708b9aa1
SHA512 2a169654f1bfab6a0b1de8efe7bb01c03deb1f02868e6abea02a251e10efd6a6e75e510a541d424d7dab44e287aeaa5c159d99f6befb3897a8bedc4079ebebb6

C:\Users\Admin\AppData\Local\Temp\cYcC.exe

MD5 36c21eb8ed1ff0f42c0fce3be8006566
SHA1 6a6b9296e7b507f494a16ffa5eccf1cfde59cd6f
SHA256 3c47313735bee0b6a33a172ed50cdb4999a43c0aaa0e1f70ca9bd0b55b9f9fd8
SHA512 5353298df2daa008861653128dfb36058c401bd208cf310e373b9de72470b94665b8adb9fb6b774d31e4f5d1f842c75d0aa15e16d14efc29aa42b16b6571623e

C:\ProgramData\Package Cache\{17316079-d65a-4f25-a9f3-56c32781b15d}\windowsdesktop-runtime-8.0.0-win-x64.exe

MD5 b8ec32628e286871d71ba038ea4d37e8
SHA1 d9be7b2334c0eace1e7ca705a32588ff98a0a819
SHA256 1ca8e2336187045b1f83e15a1d37bf071b26c975ce6b3b6b77fc4c9b99634a9c
SHA512 d126af86e964a3ba65e696c5551c50c17fda259cac5a36389440deedce4740112198f357b8d89f48994bcfd76c97d78465c6af07688f94c2e0e88f2b2bc26671

C:\Users\Admin\AppData\Local\Temp\MgcW.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\koIM.exe

MD5 d34917b7b075a48ff527c3ab587e721f
SHA1 5bd5e54d7819b43c6775ca4b961f76d8c7bb3e66
SHA256 9dec909e47b2b79c38a730ddd48f40b549eb9f734c8852342e0c340c88105339
SHA512 e621eba3a6e0fd95b04b543514b2a8d4bb90ad45575698c3709a8ac2e618ed9bacedaeb1f9536578eaa77047a6c12817621979ffe800f6d75823b9346d6ed045

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 e742f7e5a772a5fe0c29a5ad5b8e97af
SHA1 c97c4b4f3017bd13798d1bd4f48a8dcc1e1d4b02
SHA256 684b3b8c59dc1bf2e7708f0bbb25ac796189b439a3d008cc45c8522c59bdca5e
SHA512 57d0ad4a99069a55d4b3f5bb1b58c320221dd1f550edf02bd153577d876816a487778d670bc0c520f779a872a0e7902a5c807d6aecea0f83cf489789fbeefd42

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 60dd6e80706b0cd52e54deb6f2c5787e
SHA1 f96753029db27f6f08b6346af4dae5806d5815ed
SHA256 ada04f374b6b66aaa5e7f06f7938e24a52729f5bf37eb8c2f95f613c401bac7d
SHA512 5ab839d86e1e18498bc6a8e29babd440feb94a2282d3331d649d6075e2785c2ac836fb8f96dfc3560d55d6923bcead35ca9bde3eeb2957996cb3966a44c0a5c9

C:\Users\Admin\AppData\Local\Temp\CMIg.exe

MD5 b238b9ec5088b951521d19ff6cfd6999
SHA1 ba6bf7b2640de39682a144c4d7ca2cac32e5f449
SHA256 4ac9499fac77dd83ec9a227b86f8241ddeef339742d7dda363a482610a69dd15
SHA512 efa802554de6471aaa7207ea9c62e85eb3a13fc100d06090234e134fa5156eb7df68445fb27517e96bffa7c824a52de97556d55225e2ebf4935770a7978c4322

C:\Users\Admin\AppData\Local\Temp\GgQG.exe

MD5 e666edbad1dd0529992e24e0bcda857a
SHA1 be790bbe55ac37d3fd15831f72e779a0408f676c
SHA256 5c69075d859160654ec3404c8eb27f07d4b74c4001957728606c0ed8ac3f6fb0
SHA512 9db622896f350da6853226fc98c15ea8cd9adb49ae9b3b16d936a97510acc83f3877f77637f70b57ef472d58f96a85eff46e6d7701c47bfaf2b6f38c540f312c

C:\Users\Admin\AppData\Local\Temp\qYgQ.exe

MD5 d1e34ba9073da00650612401d4a40dbf
SHA1 587eba36f8d40d43f0e34528b83731f2f4367c46
SHA256 852b70de901038f43314271b7110cd1554077480fbfb6e07dcc027b17955d124
SHA512 997d85eea3dc5e65dafe837b8adc2876b715a7fe4fd12a141fe8371e77b12fcdce5e2506d72d42407bc611ab8956d4f7c60da135df3bb476619d02c809bd796e

C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\windowsdesktop-runtime-6.0.25-win-x64.exe

MD5 ba430e0c79797f17c8f636562e045b74
SHA1 895ae49af9efbe16e3e312f19524865ac714e38b
SHA256 977f20c33d4d77f3d460b321461b08fa6c4ddc41d80f82f6d602fc93ac208319
SHA512 bf9a0721cbd9c7b717192c551789bc8b16993c424f7b9ab4e4f2a7953cdfea1db36bb6ba87052a4d3d5896ee7b3a0ae9585896b90f46e09e791f7f0270c39984

C:\Users\Admin\AppData\Local\Temp\bkEQ.exe

MD5 74acd62c4702bfef17c11c60455b7ef1
SHA1 583eb9c5d71407095c5ddb473dfd97b916898688
SHA256 d282cd79b91e05d55b43030881bb0edcb8e34de8f51a12f3c5fafc364d5e0f67
SHA512 81a4cdc2cca56d05603fcdf95b097f2706814d30b003d02cadd371f738a664ea0f28574371b6637200371d0ee7a090e33804d5aae27ef7a5d228a4baf8384319

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe

MD5 fd8527d6b4183b6ce454d952a3041283
SHA1 5659b232763ffe31bdc52f06b76d5153a09d5548
SHA256 e94e991bb2f625ea793cc154e0616a1c7eb1577eec3502708795889cfe7b3dae
SHA512 64d23056da81d30bced138a772f8b0608eafeb953abdbb89effa6ec1d21487eee4fd1e3a5e88e0bd6dab3ebbe8151b011671dbfd7173ba37ff05b6b153908448

C:\Users\Admin\AppData\Local\Temp\zwsW.exe

MD5 2f6520b78d6b1e1c1ac53603dfae0594
SHA1 1ecc502bc5864aa3051d6e4092d045b3413ddc33
SHA256 fa96231a112cbb130a4306b3b6870bac43a23a036bafa94f7cf6d0886dbb4818
SHA512 254c310cd9c28c5b145da232835a5552d199641abd722e8ac9ce9537c63254dfbf489fd06565cebd9647e82fd504ff130dfa49dd4e5a872d485ac86623215e7e

C:\Users\Admin\AppData\Local\Temp\vIEw.exe

MD5 efebd6c0be9c5a752e128b926974fa7d
SHA1 f17d2538aadccfbe4bcd27d5490ada63cc9322cc
SHA256 c7e4390ec06a6c0fb21788c6178a7eafb6850b1e2823272a9b1499683a6a9f1c
SHA512 9aea2981ac1da4f8c7f593fe4cb2ecfd6a2fe65c63b5dae21a1aa2b2a0c7a9682805bbe7af38c843350121db99ab47f46601cabaf10aa1ea22e019ef74579bd6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe

MD5 39bac7e1b8a250da1fdf43e773e6d59c
SHA1 027bd0ed0437873925ec0f26a8ee223ad2321dc2
SHA256 b7797cad5769ff2f79de81219c28bb410d69b660bb0e4b7edd332345b314177f
SHA512 7d724df76b231d82c3e89f895c90c492d43c7781c4cc503cd098689b6c318c6a6d0f9c4864fd5f8e00f73029e86d724be4d656d4c6f032eb83624c6af2c4af10

C:\Users\Admin\AppData\Local\Temp\pscG.exe

MD5 42b7ee93e66750d65e10d5171ec15395
SHA1 1277cf0ee8cb4f96d6eaaa623e195aec14e4180b
SHA256 7b89ea0781f42000013fd55249eba24eb2f958f9610417d4ff0095aa3831451c
SHA512 8d380dc9073fa68d632719308902316e7716175fa1ec1ed8077c553e65b85a4e35ee19333be6f6f5c0e92fa2a62820311305506000284a17f35f73f3db07957d

C:\Users\Admin\AppData\Local\Temp\cMsU.exe

MD5 9d75ce4c83c4772b76612dc5ba43dda6
SHA1 351457c43eebc4a8efc0315a7700962867cf5666
SHA256 d020702c3a4361ef7a91c2cb46013306245161e21fb337fcbf4b1d95e20b609e
SHA512 98320964015e7723d2ad686d3b2d9ddb0000cef5deb8027b160974c241ab16951bef62c763bab3c85c8c45544fa02665f854518f0e031c6f17a1dc5c77b41103

C:\Users\Admin\AppData\Local\Temp\xcEo.exe

MD5 304e8b21352828006b0e985a9624ab0c
SHA1 0b1a844499f2bc25ec6a0f968e79a76415c5c4b9
SHA256 6fc80d43bca9c08732adcd625736512d8dcd9dd4e89ee2c8a869aaed92b160e2
SHA512 6ad28d8f1a73a3de87cf6d98f5e389fdf5e6f89ea8b9f6c4d3eaf2991488935961833ee5385e38c4509b36a4b5efe5601257edf532eaa44dbe4c16465b893601

C:\Users\Admin\AppData\Local\Temp\wMca.exe

MD5 803226c9de2cff9c4948c921a31e28fe
SHA1 3045478de1491cb7201d8262f4041cb73e36cc2c
SHA256 401f82f662bb301741bad397634f302f6e3795997cf6e83062ba5c030a090a74
SHA512 fe7db99f9c7467743db1ae13eb2d9594728373e3735d4f35575940b9c78ed048d45f48196562ab0f6510479428ae1883c99f13258b60c112ed3083d453ae9965

C:\Users\Admin\AppData\Local\Temp\Sgsc.exe

MD5 91934bdcd425381b5bff57c2a5dccad9
SHA1 7f7cf36a1aa5a35fee5a1bea52b20b1c81feab17
SHA256 b9cc614fd123997244515c78a22dc3fb216531566aac9d085153fb1d10918344
SHA512 7c6ab6bb042bb6c41946b1573e14e8b5f607abcfe1285704ea9ceb2d6c4ad1f1f6a5d9841db65bf7782d32b7a5bb4881ac6bf615006b8f07e62e5d4b4b010587

C:\Users\Admin\AppData\Local\Temp\EIYC.exe

MD5 04d8719f199a98e1eeca1daa551ba18d
SHA1 5e7bf137ef97d303e890937749aedf8523b72a44
SHA256 347aa46004a908d6cd5d5a9ca91f11605e793f8790130ab5bd814554992201c4
SHA512 7d3c37cbb47a59459fc80aa00c6e3813ce8e72883f4265ab3f4c9e40438e175a8dd6809ebe7812cd3926aa4071c8cf1f21a126945971143b282e800a7612514c

C:\Users\Admin\AppData\Local\Temp\RMYe.exe

MD5 be92bd7425afb40b600434e14e45882a
SHA1 35cd8f056eee77580c09b7292b687ca6e9df7d0d
SHA256 6e4151518c5ebd0f29174f3ff5e8282cd9ecce889a0d7ac919abe2256207062b
SHA512 d856a65be5b100b059869b0d78c6f321c60412c06a59aa5b97536f68eeaddf9655c2b7b9bf511b6986115c2d91bb23deef6c834167a34d5e603f0788cc15ff06

C:\Users\Admin\AppData\Local\Temp\rwEq.exe

MD5 d758a10015b5cb78773f269b8bdf5f16
SHA1 a5af57287b144bad7f9ff87339eab7f7ca13853d
SHA256 c22b4d0ac99bac8ccd361ad687771b3464c3ab5c358b9eae2df6da3ca8a42506
SHA512 12e44a24954dfc849f1720698407eb4faf0acfb923a87760b9576fd37dddcd50e779d689da77b1c76ed42d52f1b76964593ed95818f8959c67fbeb2e485b7fff

C:\Users\Admin\AppData\Local\Temp\FgUE.exe

MD5 5103affc66de2d21672e1a1eabf2f6f8
SHA1 79abc39e23c68af7e6923bf4b42efe0c74a47507
SHA256 c06af98336cbbcc464ea818a48f75b57f816fcdc6d15f84c82362c59949764d8
SHA512 23ea33eca85dfdec70446b3cd1b3bbb5116b0123c8dd2bc77c7db0e4e9833cc396f984c15ccc21d88d08dbec1bde5357aa41cd3ec8304bed20091400fa3885bd

C:\Users\Admin\AppData\Local\Temp\CEYQ.exe

MD5 6240e19293f45c6cce5ee457c8173d35
SHA1 5d49b6ef1567ca0420e98fb9102d16a523bab3e9
SHA256 e47a44db20831abe2a9d826d40495e845457258cdd3c73b9dd46cc18c093b6a8
SHA512 50c9908551f10391f95b28580ca5cc18797ab8c98c0f63a1d9087a8a8f0d1886185e91eec12de312160147facf5bf2359a7f94724ed45d6062118d54da9a75dc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe

MD5 c957b38cdc8b6bf542a1d61a0561e045
SHA1 bb4fec529ac3bbeb0505d29f2365892032afcb24
SHA256 4e7105e619de0b26388d82c48d9b1607bf93d16e8177d991613e190b83e40ec4
SHA512 e9768ee9c8215fdf74bf728873148c656ec9ea0a5a93dcb82781a82218b73ecc1f1c2012d244dd101026ca73ff04efbcd611102f3efd5798d95d58f5fefd5814

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

MD5 b8e63887c3e82b3b0e0c674e0716e152
SHA1 eca2fd4cf6c29f11ac1be468cc15b2e7564caf70
SHA256 23879524600e4eebb83c7181f905807c5eb2677e8214fc98cdec7b95ab2a4b0f
SHA512 293c2be501b5f2b9e093122bf9ee20863cddf5003332815e057fecb7df12549d2f8313d95ba2761cb7868be192172e8e935f07060d691f974ddb88377f3a502c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

MD5 a479a7cb261c06243cf59a7cb8de4fee
SHA1 ffeea876fc4530c4504b891288f26abf51207e54
SHA256 bdc0ee75eee17da32b1916e523c945d90de9343174b4d89f722f749d544a5c32
SHA512 e459ffe4bc316857a68ef6bf7fa7619124be56faa56152fda602a6378a2ecbf6a2f22a6fa92a3facaf063663fa2ab491089004a2065fd62e5509c5709c353844

C:\Users\Admin\AppData\Local\Temp\IUAY.exe

MD5 1824493776e0c88cae7dba72f35133a6
SHA1 69b1c0ab689a5f4198fb017997f453213c01327d
SHA256 dc2bbddd480a3cdcb71b7a364ffb3019d33c99d131b9a6341af437273e1d40fd
SHA512 75385aef33ce6840f85f5912d632567f548b5d0312228e6b0e599748e1bc7be0150e5760b4b4aaf562e211724085d6b22e1bf3fabc5800654017fc88d2be7ec4

C:\Users\Admin\AppData\Local\Temp\MkAw.exe

MD5 ffab948a0075e208128c3338fcc820ff
SHA1 c59aca6be132d010599edaf85718175eefd5faec
SHA256 76916b2e87c91567bc0881b0654bedad1d7a1bff5eb640bcc7659f2010e14a98
SHA512 bf8a2170b4169e3cf134624d7651f1666ee2c6bd7c5b8b30a741ba34dd491974f17526fffd4940fc6ed993aee3558bfc425ad1cd48c215a33f3a0f7c91a4ece5

C:\Users\Admin\AppData\Local\Temp\GUYA.exe

MD5 f4d1d3bb3a133c94aa0e6d64b7500103
SHA1 ab455a072f47b6d817a444ba765fb750f72282ea
SHA256 cf4fdfd534421a546fa70f77b0fc22395b92295da25b0ce5c171d2a9093991f4
SHA512 0f32a9d8e73f857a2d3e1bae5f3865016d0e44e4fe49ccbade579194d85be7f8f959512df2c74c6830e67404a0a46149fe57caf86f41484d14e8671ef3290525

C:\Users\Admin\AppData\Local\Temp\zUMq.exe

MD5 0e4941442c71d8a68d375f96bb9eb93a
SHA1 641eab3dbce97cba63719c2926d35f1b057c21b3
SHA256 6724ae567891f179473546246f14ea146206aa65a80ea32601f4405344c19320
SHA512 d9f85d485958c4ecbcddec24c1f526a1d7897a4c2aef7cc3ae7195f0c715412739274bf17845c87b14f5bed4dacfefbe67a8aac1f24b4c4cf50b57fd059b7819

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe

MD5 f632314afe7983564943216f0561bcba
SHA1 227e692e38b52ae0c9e9c6915fe4460521d9509f
SHA256 fbc7a0db9f9a023ea86528a39bc0249a4856e1370b74959d604ae51590cb3c2b
SHA512 6f3a11cf4f31a6e4bcdd5cdabecbe2bb795e6d0bc20c83af13a0062f77de299f4afe83f74109a3ddddf8c02ef219ebbdbcd7f8ede6d8f84bbdc4face1b814e86

C:\Users\Admin\AppData\Local\Temp\GcUi.exe

MD5 3d8fb8aa15c05e6bd4f2a8de8a79450c
SHA1 a0f31c1422a22111c584fe2a8cdd2e54d861b8a3
SHA256 09303e5b1d96ff83f033f1b55e67b78467c58803c7f81fb654c09a7b61ced017
SHA512 14337147343d4a739a661d592eb3de3c387444a34e9dda0e2942ef13b9a16330628814fc860f39d3fc92a6b067709e75461379fd8858f7eeff7b5ba9062a8855

C:\Users\Admin\AppData\Local\Temp\QEkq.exe

MD5 a248ebc65664ccd78e1b61efa715c84e
SHA1 a1aac75b456dc6749e98f02db8e2461e1cbd24f2
SHA256 83d47ecb16db7cd6bf2d6e2a866018ad4b811b32585ce6152bf8b918a0f2d335
SHA512 efb66b119a40cdbeae065417157df68352e2ba2d5f062a5d3917aacdd015e7a13f8fbce1a14001bf0c58926cdc4728a1ca347a01e3b5028de74b95e41ef36316

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe

MD5 a3d5c94be270c6b7c8a08a9e8cbda93a
SHA1 24189af7980d8956cdfe8cf081c7e3de634fcc0c
SHA256 42a53c1d66aa3452d31ced87518c876e1a79b4e980f95ebb7b0ead3e1617a51a
SHA512 989794e53f4d3f62cd197ad0d814b3890c0e7577b0b80095ac77f15fa3aa344f531bd8f48164c67a895138eb8e828d5f544e6b7a6702aa2dfe1b11211186533d

C:\Users\Admin\AppData\Local\Temp\DMok.exe

MD5 5cf232125e7c6f950f839f52616bbac6
SHA1 b122d15f934a510e757e98ff6071d943e7de998f
SHA256 008351ca523bbd73bab9f9d54abe462776a720ab93fc45f1272b8afe318a542d
SHA512 1e7095a8f59b1e4d6fd353fa1baa5b8cf7b35d5817506d893ef37d0ec5ac23ab00622e9fc18136ef87762773780d5e1593f87c8c181c8523074bf1d219910d20

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.73.6_0\128.png.exe

MD5 7a6131d14a9c6cbda8cc4775b356c655
SHA1 edc024fdf18dd0303e91fc2b9fb63d8683225d2b
SHA256 80a16ef98de629b32ac857bfeae14c52db04333a4ae9965ed7527ab616bb87b9
SHA512 efd5e881982230a30b8f26e4639091de96a1ee990a29440578b0bf8be52bb36be48529adb62d1df6579d3927d6e001952155cd01545d090f0a05e56ad3642e1f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

MD5 6757fa2f0539d3ce6e99eecb3ceb7457
SHA1 af831a0129fd5b2f0bba2a67f32ddf1b26006097
SHA256 b2ffc4208685cf77ca2d50ace62123620831107c4099e3de6e157255e0afdecf
SHA512 fe9f9da62e32b687f674f555fa92d65387cf80777f2093faee020123c97061be0b7c98beaa9273499bd98e1613df8cb944ed97f58caf147e96d3a03151732179

C:\Users\Admin\AppData\Local\Temp\IooK.exe

MD5 965a25b90045d999b41efd9c94d86f18
SHA1 f06469f336cacb3dd10da12e4e426677869defd2
SHA256 348c3dbfc432349bfa80f821cc8cc6ba2eb8b949edca5bd323989a6f974a74d9
SHA512 c33819c9855c5984184d33f023863d134ca22723199c89e30327b950c0bb2bf4633c93eacccce8e83a2a41d2876a7d56c352a9651dc34cb05004a9ed6b14c7d0

C:\Users\Admin\AppData\Local\Temp\UoEG.exe

MD5 32bb2bd5d9d295549d5feb18cb7be859
SHA1 d7800d18fd2843f7f0409ff15d8266a537dc4f09
SHA256 682635a78816780f3614699508ab28fcbea7db8e21750f719d05fc55fcdc5bda
SHA512 cbbbe78d760282b250a16f8327982788408a7deaadca29fa5f2fbf00451d475abd25d89bd651d51d67a8cb8bab18deb963adfede41995a0a4e8e314aace3a0ea

C:\Users\Admin\AppData\Local\Temp\xUks.exe

MD5 23d9a46b6e23148a115f8eb789553f50
SHA1 857c631604996a1a7a3c157641ce4dded11eeff6
SHA256 4fc53123bdf524b44dd37df1cb66e43109428a791187ab3534c3722a2662a460
SHA512 814da65492e019e6bfe7466541687f1badedac5d6851a9bf4674a776ac24941c43b10f59a39db60fd3d4093b5fe18c192952a1532729bcaf92ef6c1d96d94cd2

C:\Users\Admin\AppData\Local\Temp\MsoG.exe

MD5 d35c121353db9b26489c800f453ac2cc
SHA1 0104978b2041ee49a5ddc15614adb5685dc6f2c5
SHA256 b6c3a90c9b7007b503c3e83cf675b48ddcacda5ee4dfb73851776c297643446c
SHA512 b64b12c863a0f57a6627231145e0524876003ddfdedb2bea3fa16ff21a6b9af7891eb09abb62b92d048e56528275e0b3a1762ff65820111b1fed7f983b9f31f9

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

MD5 6947f6a805254271c2f1a090a45126a0
SHA1 209e2b135a2d5e476467168c59f5f5edd1805963
SHA256 5fab7a0565bda75b49ec8558f47407c0882fe1d307cd7d1d50a1dfa9f49f37f9
SHA512 13c6dc2481572b5d82b116366436600f3588b4d7021a816f7493ccc1f426a3a2b4618ae44b137e9f2ec04d7ba4b66f7ce029c798f55012b3c46af112db2ecea4

C:\Users\Admin\AppData\Local\Temp\WAYK.exe

MD5 38389d04cd4eddd1d35218f7018f9ef9
SHA1 e11867156073483ea49153bf8f9e5c53f8c25dd2
SHA256 1b6ceff4f85c492c477ea52aff654555e156e9fab84ca589bf6583be50de430c
SHA512 f84df6b19214d5ec5ce866aee052964d66733dd93933fb8c6ec8fbc2af00c12d4e54383b78032806fbe3d78e1d4f73558843f6c29d87f507e4ed2dc009964452

C:\Users\Admin\AppData\Local\Temp\MwoS.exe

MD5 d5a6c58e417568743f6fcad148c33ffa
SHA1 ede57fb0b30502f0ae1670b6089f1b3212e11322
SHA256 c25ae99e843842f94c87dde1d791fa30c268f233724d8a1c97efbcb3159ecdb0
SHA512 7631242fe295ef2e2faf708aa7fee942e04a49dbf265eee91cafb94ed20d993238e4f306dd31f748fa2bc16afb95ce2e25d9e35c671be508c77be10a2d3598a8

C:\Users\Admin\AppData\Local\Temp\fogA.exe

MD5 2e0e668b7bf4077eed301a2739c4edc4
SHA1 f90a335594743f2c4d45e9510b5b3b914de47e2b
SHA256 eb5101bd078a4c9916a5f2de9b9fbde6cd277f1d21922e453854fc79e7f3aafe
SHA512 aff1408b9c4f24e5965d3ed7f8a6eedb0fbf713927b9566a845418f880c2e918fedd19d1f98a487b62308cf8688ff444d68cfb1b3533ac3058fab5169838bd8e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

MD5 60bbf84f4a480e04d8c9f97c4ebf9309
SHA1 74ba150f5093c29011d59eae79f85bc03e3096c9
SHA256 3c2894195b990e0ade235960a529c84e1e111a2116addc527ef1dc9047581d9c
SHA512 a5cc9bdb9131a47d989f8fe84de4e620b8127529188dad81bf6da25cb73c12cc4938ce14a2a84ed7bdee23a28abb4cb8acc57ec5525d50ee8adacfa2bffd675a

C:\Users\Admin\AppData\Local\Temp\mwUC.exe

MD5 03e05492caf2226eda4475fbbf26e173
SHA1 e8fe3c6dd8c806f6da50f63e916e06f11c0a61df
SHA256 4518698a52b9732d0f6a52a5c3ded820a5fbf9930a18cda2e142bb643a63b43f
SHA512 7b401fd176f0cf124d4921983e90646285356c6dd3b8caa36ef072034488a592996ea6714f501000dbd090037ff0bba217d3488f556bddb732d91a1280887229

C:\Users\Admin\AppData\Local\Temp\IUwm.exe

MD5 1e50ef1bcb2e7abe7e8822fce2b4563d
SHA1 9f3fd687bc36ef6834b31ce7db573b9d1b3e80aa
SHA256 f13e6d933d1e77e422cbf66fea98abce17add42e97f7813853fa0eec0fbfeb2c
SHA512 e0b238eec4c08039af45de27af2d09b0215fec93c8b58cd0a4f628c42935009eeeaf1fcffcd92b5795689089df78e372f115fc1f8c03071762c139db3ea475ef

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

MD5 bffcd4d3fc1e2779e89f20536e529b8a
SHA1 67737b98559edfe689e895feae025908e05fe3a3
SHA256 5af0cb2798210478e568c0828d53c97e1545a91b470ddddf38f5dd83c1c3e39a
SHA512 1362fd3760f06d265b2f2f19ce2d1ce9d16c7567c9828d413e112d3ffc1ebb1e4f881523cee7db303d3c7f40644ff5c01a4f5cb6d136e1132246449260885fdd

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

MD5 5b60c14d7a94e5a806571b45c34ec74c
SHA1 df6f2bb9efcbcdb4c41105e1d423eacfc2139b5c
SHA256 0850fb1418338eade201263891091b4758a071bf0b88cd56839aa7696559e8f8
SHA512 4c77113ad9fcc6bc27fb236d06923cd7931163a9db2bc7526ace80b09b9269f453853da904ecb071de60e512ba2142c3b0936caa6553bf0f658cf2821115c4e8

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

MD5 146d1dca6b6c2fdcff7bb82ad0d9d780
SHA1 21f4bfc0fee83767d10abae1a30c329e558fbe47
SHA256 41be42dfd7f0764cf9f2669013f2849d06aa65ae0e89a7929be33abaec55d53e
SHA512 37941f40201fddc66ed4d506e5255492527ad442d6777a966cf9d60327f9eb43ba27378744e652be491276538c5e82ec359be81c687b9c49076a368004d40b79

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

MD5 43d312a2bfae97280c3e8caf5e291a16
SHA1 871baf8b2abe8f3ad7969d503a9ffe68960ebcc5
SHA256 14740a77c165d921673f15d0a12f8a90aba3de43a3d2236e8f311bcdc514ce83
SHA512 59f7bedd035302a8e270050d885c0c9d85d34e14d25172c7dbe508f7c08a95befb6410431eaff53e26338401df4fc7254ba151f601f2b42ccac5b667c94638eb

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

MD5 92dcdde9b538abbfc0ab9249c903ce11
SHA1 705cea2bb940c509a0a8b1a52ffbe7b3eb858031
SHA256 1129f6dd35cc53245f750e236beca15aa3d7f8f38a03806e6f43e4ee72ca1cb6
SHA512 9b0ead280860cfd42f76c673ec8c0b6cf0e71c8361bbdce61f485d33663747d5a4e9cff05633bfaec878588fed422ae39529bf8dd5c58d96bad0afdd5a4f7950

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

MD5 4723f250eaa5378c10cbbbc4dd32c9c2
SHA1 7eca84eba1278bdc4156de2bb1410b130bae1991
SHA256 933c05476bd1718e57872e4d2d18d6b4468cc5a695c48a8452f15ecf62a70c93
SHA512 08a587d695ef9ef4f9d6225f0fa2f5fc818e30e4a433f0f75c3f916d7386d493c535af8477d5c1b9bc49976e0b7b71881931251e2c3bf3b2b4cddde38a27dda4

C:\Users\Admin\AppData\Local\Temp\fAAi.exe

MD5 4d97a0d51d04e6b7ac062823aa2fac4e
SHA1 e1b6d9bc4f0b2a30e950272ad903e2ca6b0b4b3a
SHA256 e19d9c1d18ae3cb3a1efa48da28263af2f252e0ea378d340ba7e027b2aefdf5d
SHA512 02161d4d8018d91d47a960974fae480d8b4bf8e8bfd2106a812ec5b264e27955c83a3236948b9cf60de177f93599b63d51d0738a11a1d029f5b4a2a54f3af9db

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

MD5 8af2cf4c294d38d00ec0e0cb0dbca59c
SHA1 85bc7518bd5c099fe4520077fd751e6008a0bcad
SHA256 7d2d2d26ad97218dc9569c3ba1cba78ab03132816f862bd98e3e68ebd225a423
SHA512 a363fd19c34f65b8e1cbeb90d1d01ea7bdca924d885e08b11f0ca8d12569fc6e0df0a4a06cfe4fd93bb93a21df3ddd2d6a626f03a497846e7e208d4d0e906c84

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 8e1f4b2d55954bde2fd2d9308e910586
SHA1 8fb784e78c82656434fd217d08014cb4604882d7
SHA256 60b9a77a9e1c23d40270a5bcdde2a4a1a498fe21613de44c5d113aa97cc3fdcf
SHA512 6217469f9233f6207045ebfe326d26aeec0c3a28d5497e769628a3c047d2c654f62ca848de53324f964cdab567898039076dcc3ab6e56e02b206747c8f9f1778

C:\Users\Admin\AppData\Local\Temp\koow.exe

MD5 d6520ff25d1eab6b0a705dc979cee288
SHA1 d218cae2ffaf4f36b08333b298ff8e2285a963a2
SHA256 d48e1e4ea45ff0ba1252b5745b745ec036853b15de71e25cb68b9e733db048d5
SHA512 5e56553d435c53f7c7550b53fb9057ab41698ce79820d97c77c7812a0e32f5a923ec62dd057e9cea3f9b3b2992b6d0c1b20cdeaaeb032e68ffa61fe5a9d5732d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

MD5 26bad2e3885bd8835e5699ceb799c861
SHA1 adb589011f616ad1806fd2a12f5912ca8a7fb533
SHA256 90638168ba0652a7888e0ae59978bae9cd2fbf7e1a525abe6badcfc6707fde2c
SHA512 01072a3376bb432dac9e36812b63315787f120cdaf7647b15d99c314874df95cfb9c9ec848c90a5cfc374ef57dff7b4e1fb1b1267b9a4f05d892349eb4d0648e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

MD5 2451f3f9595d601599c10b5002027f52
SHA1 5c297cd094c35ac19d406f54d8aa52b2d8af683b
SHA256 b2efa65022118d4c0a168f2fe212826114bf757be87354ae4d33d8a153a2e19f
SHA512 8bc9d9c8a6e8d564fad799add7cf025490c498b1570ee5637110743fdf12ecd29a6c64089f5f81bbcace639906594a750483daed99a59bc50037d28c384f9569

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 b2f4d8fcf875518de9b49eff8940d326
SHA1 60c3c82f6742188b683c840aa65a271abdfb001b
SHA256 fb04f8b8433bb1c2c0799fecc65d6e46cdabd27ff23277c3c4fd4902b1edb48e
SHA512 a5b8ecae76531b273f56447a51aa5b7dab7a99af751347fbaf73ac40076fb32844ac281a04b190db92bcf72f7b05c41051001bba597ef9770ac3949efdba07fa

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

MD5 19a1c2a7d9a9a782fa0f06ebf89d1cb3
SHA1 4f7b1a8b39eb79828c792f8492162a752df0d78e
SHA256 b3de916fbae68e5aa2606150e732c129fe927a59767148b1615bfc2294c81d37
SHA512 0beb1cd02b179cb7f20081acc7a227c5f1fd6cc242e28fe2704f9a2950b8d65d68e5d1975fe37034d5dd44a91b6f8050ab1d587bcf1595937b5198d80366e153

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

MD5 1e41a8ab42526918f6cd066a697c44c0
SHA1 1ea438abae0f2d2e66e05b3652fca6034fe994ed
SHA256 39ba951de06c57197d3625798b2b47bfebaf9e3119c170087c88b855b684e782
SHA512 cd98e41066dadbf461b67b82104b061e37ab39915d890e0dfdd418c602d23df380d174449e8d26a66b2e739fd84f3c04052db1ecabd3b7eeae20fc6c03217e46

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

MD5 1a788d46c1238354159a895dc174f5c8
SHA1 be377c75cd6629f2cf0c8681d6648de726b6e6df
SHA256 dadc6a02c2c7bb141f4baa376666c42accfbd97391fe62634571aef096b2843b
SHA512 1008edecbc222296b4381228836fd07b2e7961b77612cb8aece8a7426a69f62182b4e14a4a8453bc5db4b62b88c1d6c125bf797587dc4654bc3de3b8457d0076

C:\Users\Admin\AppData\Local\Temp\AcoW.exe

MD5 383bc6f77f128d82cdd2c08950b8ac4c
SHA1 152eadd59426326f30c5edd34eab1d5ef07ec08d
SHA256 1ce1e391b62d3944df172752588a453f454b968eef23e4045818602782bb1648
SHA512 b1b85bad6df6bafec8aa420ee9a8b2da5d1c7befef5b42a896b88a409d9d213ce220306a2f4d10b595dfb17f6e8e018bba7831f56e483261e8760e973bf3bbf1

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

MD5 47a5d7a4171c15441fcd7d40b5bcc496
SHA1 87747171883e4f3978479fb053c57a7dd074ad3e
SHA256 55003527634479d3206bf6b2de33b74e41991cb45bc6b30d6960bd47c979d0d2
SHA512 7571ffdfd660776d54ca2e32fdae4290831c7ae0a28eaefadfb23074712e36441275b0cd9fa74eda0279b327d54071f7f651fedb70be65b410b726df2b9860e9

C:\Users\Admin\AppData\Local\Temp\YEca.exe

MD5 4ce1f94a14baee12586a946282ee9608
SHA1 24be342e0e68e263b633d291868111d477803fb8
SHA256 32db0328785f38de07a0579a602435af2a6481b44f7463c3f3d185c46d4543ba
SHA512 9a3ec5927ee50ac5a87646aed2bc1248b333bd0c573eed5e8186bfcd2d7ed52a75cbd263931a4a17c0df99cb5cdb9717a843adfe67d9fc363b336a29004a87d4

C:\Users\Admin\AppData\Roaming\UnlockWatch.doc.exe

MD5 6bda564f5fc51e5848f6862364aeeaea
SHA1 24b3a9f57f106e24f2788d7b310052dc68d82476
SHA256 eea2fc8084d1c79ed08b5e8f538323c76aa5c1939e7ea10934d59db039d87c3e
SHA512 2739a4736a92754ebe4d713af1d68941182fb820a8b3545a45e64dfd0d1c92729efd462a693bce89ac7811ffe3bd3aa01dd095c4edb9cff4a744df115e1aab61

C:\Users\Admin\AppData\Local\Temp\AooE.exe

MD5 26a0272e689b885e3304db408c9d668c
SHA1 142019242c414d49c93755c4397ff16dc1c6c6cc
SHA256 2bde2cdb6100ea0fd1a631bb4095512411686c049ee0a5d6ac30799f183e438d
SHA512 192e179b99c3431b18a07fbd5d2fc83e6b939493081f854606fcf6bec70ec0b27f6b3e91e4771adbe21d3c51c68596faeb0776a86b6465c20940c47e6a61297e

C:\Users\Admin\AppData\Local\Temp\UQgu.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\AppData\Local\Temp\wAQM.exe

MD5 5e30b5fa73ebace16ae4a361ba2aee1c
SHA1 b51437950d433a2e3748810bec5739ba0ab3379e
SHA256 b0a4e642a40771d33ccdda5002c51a3f31a5ccc5e2448ba02a357cc8cf7daf47
SHA512 4a05da3583f888d7f4119f3b614d0ece8fa3f1a51b92503d30cbf74c214de115807851e67d2c96fc27f0f0bdd3dea86233327f8d51c9ca3b61c08685b7968295

C:\Users\Admin\AppData\Local\Temp\zAQC.exe

MD5 35b917733dc1e8e3cc6ac527e565cdac
SHA1 747ea8919ac00447561fd193ea7a62f4d08c4f2b
SHA256 ee4acac9d8b3c5a20cef97ad4a833f574f13600cd58d346d9a11f1586917e0e7
SHA512 00c0c7f22a3eefcd4cf5acd00f38e1701fdc151a6cab9e5db7767caad8355944f23131649ab615ff05100f8b9c3aa57b64da33ef35d79e25d1f8e2b81cf1d4fa

C:\Users\Admin\Music\ImportResize.png.exe

MD5 eb434b1a9bca09f399844647fb8dad71
SHA1 b3ef2e344a256f8502d7e585cea0bf0eeceafcb1
SHA256 486aaafe8c3909b01cbf70e9a0f76ab7aa2d6103a16cf763b87ad294f183eed1
SHA512 3452ede8077fa708d11d44559564c83589632e3ebb6c480da7b3ca63773c2a1c3e233f262898894e8193199c69742c891d3dc76b7cf3a3d93e747b49998a7898

C:\Users\Admin\AppData\Local\Temp\uoQI.exe

MD5 18d1e12f4c5f4aa6dfa868a03d742726
SHA1 14ce11fbb971dc1c9fa92387fe6e5e0c715da78c
SHA256 1a155bd067ca2ee7b340e11fa51d66734322aae16c8b853760ecec21d503bba4
SHA512 ffb37e899a10e0c4da00a8fab05e3f4e065767979675fd6df18f5534ba267f0989eec15772c3196d1fadb59297e9403c2d302edec1e75f5f96229d5b8cb4d5f6

C:\Users\Admin\AppData\Local\Temp\cUYI.exe

MD5 6792a42ad156a56ebec3d94bff99c467
SHA1 0caf5ba5c543659986a8a7a82391979f936c17aa
SHA256 aa8028564ba5b217cdb694f822c183e261ebc570594c574f6cfb57000f89e4be
SHA512 8d86b277aaa4329e345282ea1fcca151e6e93fc1a1e42b8a32339d69a36666d7f82def2fcd50d10f9a7a1cc525ccd10e3d9d09a4a55d21903d0a687871799fd9

C:\Users\Admin\AppData\Local\Temp\LUcI.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\xksw.exe

MD5 1e99cde2b552a42742bfc27c026d507c
SHA1 972a45cf4147884a77940f9b52021ac03eb48146
SHA256 df22cd6bd514911e6f5b7a55078692153420872c36f91fc8008e0189e2cebb6c
SHA512 64195317bdd6f74a64eeb3ccb3731debd03a040780ef3eab75bd286e15ae72efddb2f785c8d734ac820a815cd38c10065da1c5aa13109084866e35e9f21202eb

C:\Users\Admin\AppData\Local\Temp\ooQS.exe

MD5 8317a50d38d49aea26135b442e960c55
SHA1 9f968c260946d6ee31666495cb06bd02b2f7b920
SHA256 61bad755f061b95f0f3bec0a79a9ad9f98731d1f87a09f7742a4978e7c8d501f
SHA512 4e4fba5232e478b91208b90bde1563f06a2a4b03e309afb81f4a395bf3ab5083cdb96606ea860a9ae718c73da98d89e864d2cb005b0a565e28712a067c4bf5b1

C:\Users\Admin\Pictures\ConnectDebug.gif.exe

MD5 b96c5d10edb007c1b57e044e16be9e16
SHA1 a1d617b848fc3bbe0ca2824c0e3c13a1c272f1e9
SHA256 546791998b0877428c23bdb9009f658c7e4a8bbac1732b8dfa20fd3c1ff728de
SHA512 d93cc9af3ecf2d6852ec5f880c88accfe57d203c9074334a00c5d8ab143abeae67734a697466abbd700663e84067cfc5132bb68f8bce5eeba0ef11d39377362d

C:\Users\Admin\Pictures\ConvertFromWait.jpg.exe

MD5 a853d83fd46e2db6de13cebf54ec452e
SHA1 f8c8be6c24f5955575627433f319feecbb271075
SHA256 acefd3522060c23309ffda1622dd5b6e70c97a55f9e77b5acdc7eb1d73f6fc7b
SHA512 16a524417ba6c65fce7e4017bbf0d4e04a73f86a7c553cf6726191dd6466bf4b8530f412bb047db880cac0e6d915d70e0d6369e490b2bf8084061230fa93682e

C:\Users\Admin\AppData\Local\Temp\vUIS.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\Pictures\DenySubmit.jpg.exe

MD5 8b4c928543602c1f986601c3e97772e1
SHA1 087e02c812985bfbd8f268f45ddaea6ef892cdde
SHA256 53eafb6e9c70ccfa4e4e18c640e9334026c74e84a3904e0dfbb40511826a4eab
SHA512 6b50470cf0e01728b498e12b028a50f5b63bb8defbeebfb051542e94dd66b52599078d557fc40e78a107634907c3efe3021015ef3bf249a6c2720d2c307befd3

C:\Users\Admin\Pictures\DisableUnlock.png.exe

MD5 dbb744b9efa4e071a81395fc1ea96ae8
SHA1 8be21d27801e3389577e3077db016ce5330f698d
SHA256 30a00798807b578a0ced5b28b1e98204c7710872b9b82b04b9e0a8c74ac5177b
SHA512 78592a60314b275f27d6b987b87ded31115c93e38713bd2f00d0919b52207feab67f987cdbac68ea485054ba376cc93cb86ae144d4fe42d78d2a226c3c40ccd5

C:\Users\Admin\AppData\Local\Temp\VcUO.exe

MD5 fd2ce97cc80fea7cf7391d1c41366da8
SHA1 bac12c10521d24c40f34011e3fc410f723267365
SHA256 11cfd3b39753cff36bf647a45d570a0b0eaa7679b87b9a12382eb075688f0c4d
SHA512 f7cffbf6c413c51f7592e4e7e0deef912b46a7958e82711c40135f121db68ea8aaed5a305061a4e781f76c44e4f983d1c73dc4a517c73d5c3a1a66405d2a8344

C:\Users\Admin\AppData\Local\Temp\eEQA.exe

MD5 7d3f9b2d49acbfe10ba2f76facec7d8a
SHA1 bf0bf7fec2c13ec017b325357f9ad1f48bc85f13
SHA256 aa4a7ae3e4e88e0469f26225700a0257fedcef43ebe0fd8ea113c785bea8117c
SHA512 b5e073aa34044afe1c97c9ac240649f6cbd769688d688ac15c0b276e26a2a30ad29dc77b68370f41a5f952b86f985ff4fa8cfed1756322acf89eca93228ce191

C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

MD5 a22b28b3d00c68ce5a2882cbc18b5e22
SHA1 a7cac59d625147abaf397af78209dfed2ce05139
SHA256 9df5327062ba49e654641e61bfa460c24abc4c14bad15c0325794faee95c6fbe
SHA512 ecb463f5fcc26e090d268315ee6e17c6aa572f5d9547b7b0ee42ba4173f056e04769ed173c22154e9c760385833cc74e6c543b9105908ee1d41beb79cdc9dfe6

C:\Users\Admin\AppData\Local\Temp\OoMQ.exe

MD5 6b777306d515b984ef2419f1e17098e9
SHA1 ed5f12403ae08c0eabe0f7378a98c91865f2dccf
SHA256 aa9992d89786646335a390ebf3a658572825c328439315df435cc74eaf59eec2
SHA512 cdf8386f28d2908dbecdd050441eed621e3477367a9e0869469c070e2f8b0c3deabc4adc146721ef15b424b7f8a0db8f7816ddaed01facbe8051b363cd58f3c2

C:\Users\Admin\AppData\Local\Temp\ekQQ.exe

MD5 14074f1b1d7aea8a19925e598c39da0b
SHA1 779d65b4cf5f5e6f33af4895c7969e5d935117cd
SHA256 43572b5033fc5a4d0fd2599b7d90f3bb13ed80cc3553a6687c63de63081fa252
SHA512 6021f1ccc4a97001f4525932ffd1fd8a2eeed03a692c610c347971f834b122b76497966faff3404660cbd97f27c4440c2a651ee0080c70243421269a2204f1a5

C:\Users\Admin\Pictures\SearchRead.gif.exe

MD5 990c9b45155467fbe47b4389afdbf764
SHA1 c7a8c5413801ed9f0a0d606b4e099df20e9eac36
SHA256 cbbb2f7bc0a2d879c7617869957237da0516a617d1cca7d83c922ebdb1776994
SHA512 ea8762e1ab8ba4339d507daf37069e52cb6a182fda5fbe4dce78ed2a68c4f21d5f7083ba52b29bcdc82d137ac7c9aee4d69c2b4ded92173c1e7b44866b8c0e08

C:\Users\Admin\Pictures\UnregisterGrant.bmp.exe

MD5 eb7afa93f07bd9059afb936a87cc99d4
SHA1 ea87a15425359f9c55abcfcb43bb352509850b93
SHA256 d7ab2d6f30116f81299c089daa8e411515987133cd0ab14ee3af432ac5764877
SHA512 9d561b22bbce7a902ddbab4bf65ef5330d4c1d0551d4824524fc1d7bc6a7700d6c04186bc75847492affaa4010135aeb466ee86596c1925b0bfa0b94bea7df4f

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 421e0957e57f41ece00be3b218f7d67a
SHA1 76d7d4e1d707163c79f915964d7a9312609b4dc3
SHA256 e1811555236540fd17b84ffc6a61beb53fcb44c49d314f52d2f3bc34893d92b6
SHA512 b86df142c5437dcee087ee3edc7f0790a3d93e317efe66b838db6d1359aed50a8ff853fb7e0846e4a91b08e9e98f9b02ca7149c5067a6bb302c91c19172ac927

C:\Users\Admin\AppData\Local\Temp\fcIi.exe

MD5 2869002c856db189b6c4146df224ffa5
SHA1 5b811560bacf8ff90bcdeb6416df29b4d57397e8
SHA256 4a9265c05e0052c8a8dd7c85ddc7de5f6f0a321c21e07e0ef9bc48ccac0e4de2
SHA512 7e161f78e6b771e3a1b55a300a14ddfc9cb013ee1914381612620c4b3877f9edac1ce491042920745e9995841d9a78ae31097d47af64900ca12cc3b63605b541

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 c8d2357aa0d924a1ac32e80b91dc8913
SHA1 3552d2c55b9ac8c311452abbf14b5e22c6e8350d
SHA256 a8a37c6796a2b305d21707b8c950ddaf229fd8d304d4b73c45b20bc405088ca4
SHA512 ea13ab190e499ec4a2dbc7bb1cd84f73e0ca59ca0ddcea5ea9fb67e4f9ce7d884d19154a865a2899dfd9f27c830f02256191bbee28e25a2f7630855d786e8d0d

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 823b989fa3aaa83dccd031fb9ba0bfee
SHA1 08dae482ef1269056b477fb08e7db69203a5553d
SHA256 ca6c79402ab1afd7ae1f9588cb904c533f994d59c932d2c76c8465cc57109eb3
SHA512 da3791d715aa39a3c11b7fc9cffe7e42465b699e1a9216a2c5938abebd5d8b7261c2340a007294f2dd820b9472f64c2c3fb1cf556d5691d6b179faed27581798

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 f4ce1b192c630d06b6ac48974066d285
SHA1 9e5f322e4db39973c00cc09fde413f4de74f83bd
SHA256 1f5cad478d7d9ae2d4b4ffbf1590c600953fae579ab66822316df2247867e9ca
SHA512 6e67786c613a30e4619a1f7df5956b1b2e3cc3aead1fda2b576ad7535ec3e736595d0b9109d18f2c496338a4f3425015154d56e602a091e26d2c9545e6aa35c9

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 54a6d18a64982c4fb4a62f490feb96ff
SHA1 963de4739ed03b5ca415b8b52bd006dbebaee84f
SHA256 1318fe05a1764840e3aeb300885ffb68a49a92cae20dfc6cf56628a36697e32e
SHA512 fc2b18f8d3463492fe750a425d64c4b2c6a7e5b865e74611b54be6c5c2c05e18503b95aacb772a0dae31fb8d540905ddf8765adfee12c2e85099c28759330fc6

memory/400-2160-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4968-2165-0x0000000000400000-0x0000000000433000-memory.dmp