Malware Analysis Report

2025-08-06 00:44

Sample ID 240403-xlk79ahf4v
Target 2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
SHA256 be2a06101382c105d31982aad11e308d36f5e110099b0e78a2ec22ba486c98d9
Tags
evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

be2a06101382c105d31982aad11e308d36f5e110099b0e78a2ec22ba486c98d9

Threat Level: Known bad

The file 2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan ransomware

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (82) files with added filename extension

Loads dropped DLL

Checks computer location settings

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 18:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 18:56

Reported

2024-04-03 18:59

Platform

win7-20240221-en

Max time kernel

150s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\International\Geo\Nation C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\ProgramData\XUUUEccc\LEwwEsYE.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LEwwEsYE.exe = "C:\\ProgramData\\XUUUEccc\\LEwwEsYE.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\iYsEgEUQ.exe = "C:\\Users\\Admin\\JScEcAIc\\iYsEgEUQ.exe" C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LEwwEsYE.exe = "C:\\ProgramData\\XUUUEccc\\LEwwEsYE.exe" C:\ProgramData\XUUUEccc\LEwwEsYE.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\iYsEgEUQ.exe = "C:\\Users\\Admin\\JScEcAIc\\iYsEgEUQ.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A
N/A N/A C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 460 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe
PID 460 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe
PID 460 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe
PID 460 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe
PID 460 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\ProgramData\XUUUEccc\LEwwEsYE.exe
PID 460 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\ProgramData\XUUUEccc\LEwwEsYE.exe
PID 460 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\ProgramData\XUUUEccc\LEwwEsYE.exe
PID 460 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\ProgramData\XUUUEccc\LEwwEsYE.exe
PID 460 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 460 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 460 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 460 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
PID 2580 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
PID 2580 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
PID 2580 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
PID 460 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 460 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 460 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 460 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 460 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 460 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 460 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 460 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 460 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 460 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 460 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 460 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 460 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 460 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 460 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 460 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2428 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2428 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2428 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2732 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
PID 2328 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
PID 2328 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
PID 2328 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
PID 2732 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2464 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2464 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2464 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe"

C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe

"C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe"

C:\ProgramData\XUUUEccc\LEwwEsYE.exe

"C:\ProgramData\XUUUEccc\LEwwEsYE.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JOoooEoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eAEscsAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EeccEMYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KuYwckwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CMgwsYwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OmcoYwwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RuAAsMYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bEMYsIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zikAkkUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "19016647871411765071642134900-1990356475-205644906119313152571436516607213190269"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GogkcsQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OgQgwskM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1166439062-390228499-1361611887518257106-132370356718649190272520514561837732879"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wqMsoMQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NMYQgAYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "177146349-14549744891679885651-5678678051021140122-389320975974591631-1477607323"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UiMIEgos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ecMYAMYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LmcIAksQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-396405081-98191379-1226618541545550430-1092536418-846828467-606940561108595453"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yWQUggMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15659469731870647865788898542-225698813705838744-15135811511629666484-348160722"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tcQkkYww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zQckUQYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ccAEYggM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SyAcYMIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-100644747216760160461049864712-1755854973418115491544597734-1118521542-585405029"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VWAwsgYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "4998837781259837717-75217556-19091964061684724726708411850-20814058272105578236"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cEMgwEso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gocAoQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "10521060637576218491611803287-1054698350-313516841-959896621-2057203392-109327889"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ImgAMYkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RgQggoEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-779086462-196130179116837610371399316214-2073679672-667756273747566131937225589"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WOYUoMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-17533438261679105680-610666741-441790464351273505396356969-3330153092104946228"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EkEYowEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1798214191-1249833491-721282064-13643999954773964152095572895629439694851232496"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1575020946-1073459849-8631657851283857393-1096263712-2052923181-1947461357486972172"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-389273630-224558514-415459834427380856-38183642993745294-1847662173-1249461181"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\POMsAgck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "24614146819254453591875800004-1003925573-550171167-1309689614-1377807417-36640531"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.200.46:80 google.com tcp
GB 142.250.200.46:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/460-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Users\Admin\JScEcAIc\iYsEgEUQ.exe

MD5 70b46227cf68e5023f2ab4f0f3180290
SHA1 7d0e76cf0b684f4961925059fd1c2fe3c2a613eb
SHA256 372e29b3c0b02ff7e6fcd7b850b371a0fbfaf8eaf56210bea541ea0eaac037e0
SHA512 26a7f9a3ec83e25265514ce19b25363759fcd617b27ab58f9f4e7f22990e54f4e30923d6ef60ae8ef0763a099d899d5c8cec12d3ce779e9eecd1cf3fb1debf1f

memory/460-5-0x0000000000390000-0x00000000003AD000-memory.dmp

memory/460-13-0x0000000000390000-0x00000000003AD000-memory.dmp

memory/460-30-0x0000000000390000-0x00000000003AD000-memory.dmp

memory/460-32-0x0000000000390000-0x00000000003AD000-memory.dmp

memory/2972-31-0x0000000000400000-0x000000000041D000-memory.dmp

\ProgramData\XUUUEccc\LEwwEsYE.exe

MD5 fc678edd1e91bddb631cb18b9fe897a1
SHA1 6f8f538b50c668c30dabdc63bb37026e28b5a607
SHA256 46f6270ddf5f5b1657a8f7da7edfd40a244826abef482ec6c619b1eb87dc73bf
SHA512 dc170c74f1d707df417b02445774ca7b0ce6cbc6f5817c201cca90bd521d9e4f144dfc41921cc9af15886d93f3147006fb2154ac1d7cde0ebb43b103ba99b603

C:\Users\Admin\AppData\Local\Temp\AQgQMwAk.bat

MD5 ad45d04e8662423f489dde5903edf9bc
SHA1 f070c07f9fe5fa81049d270370180c507fbf5c8d
SHA256 df0c0aefb0dc07fafdac0eb94d9f29f4aae9c61ad54781816ac0977536a6a37f
SHA512 f27a0411cb64e0886f15acc5187995dc63bdc4936ef0ad1a0981604ab7b4c5b1a3a97747465735a4bb8ba190e0cb3af6e14ddd3f15d9392cfff4749ed462a1d7

memory/1752-15-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2580-35-0x0000000000120000-0x000000000013F000-memory.dmp

memory/2732-36-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2580-34-0x0000000000120000-0x000000000013F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JOoooEoY.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/460-44-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

MD5 5f6870e505406f5a8e8fa594b6d5bafb
SHA1 4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb
SHA256 f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a
SHA512 b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

C:\Users\Admin\AppData\Local\Temp\UyEIYQgU.bat

MD5 5ee7a9f45f53a050c8e91167692eb6e3
SHA1 d550119d7db25eb0407358b63679dff6e9154f0a
SHA256 4a815cf4f634688b1e961a2b7a2cd49cecca7555efeeae582996ac3fc0f3e57d
SHA512 7f0677af562ba96ec775087879ffdaa46191271c54521e64d831d5f99e7ccc4bdabbed8a8db3d450de9b7a8766eded7ddf240945e6129290ff1d2a3f2818637a

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/2328-57-0x00000000000B0000-0x00000000000CF000-memory.dmp

memory/2328-58-0x00000000000B0000-0x00000000000CF000-memory.dmp

memory/2732-68-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2764-60-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rCsgIAMs.bat

MD5 87028faf3261d2d4eb039375aaf73ea1
SHA1 994e262340e4e45c480c6db84d65f60a77d81a1d
SHA256 8f142e067092be339bff53aac6258747932ba6384f477a8ad776b920c5dbe7d3
SHA512 19aeb31cf14fabb5b6f3c5b7950c7c43522068f120f974f03f52fe6771decd119727480c4098514346bd50345fd2cada36db6b396c875e039eeaa34e32824f75

memory/616-80-0x00000000000F0000-0x000000000010F000-memory.dmp

memory/616-79-0x00000000000F0000-0x000000000010F000-memory.dmp

memory/2008-81-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2764-90-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wsUMoYEI.bat

MD5 3b0143bf0e6bd3cb032169a062f168fb
SHA1 b3b116ce5c1f9100532ec9816337a29489dbf431
SHA256 9fbc48686191bec812ac080a92d0a428dcb6015335ba70a04828c7ff9e54e209
SHA512 8fda81bdafe3e2c7a97530de72ee0d44ae84f9c3ce0e7144b980b31ab45de0292abbf6dfa1fa6652fe4d3e53647399eaf5d50d01e919b1e63e9500062e49b6af

memory/2300-112-0x0000000000180000-0x000000000019F000-memory.dmp

memory/2300-113-0x0000000000180000-0x000000000019F000-memory.dmp

memory/2316-114-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2008-111-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eEUoEgwg.bat

MD5 0b16f4dd0a5fe6ad6b57d5d508f523af
SHA1 6dcbc0fbf5d54b78610613a57f3de2588c9e4982
SHA256 db775b23f80d17d1361d35de16143350dac17dd1da8fc36e7cf7ba74e8ed30cb
SHA512 3af827b59e8138fe4c91ed40c94e05fb3a78d988d4c0f7c29470b16271bff8189ef168a3dca40e5e87ac1b63077d17e40552a6e5082ddfb50333313a22059232

memory/1524-135-0x0000000000120000-0x000000000013F000-memory.dmp

memory/2256-137-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2316-136-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FKEQkEEw.bat

MD5 977d118e0b2e2b606a67db1258c470c1
SHA1 9599b3e2595c65c5fed8313a1adbc683d5a4f84e
SHA256 3a5a91b5f2ed384acf5cbb176ef1e7bfde04764a88a68729c1a47ddbd62dbd20
SHA512 008a2a14a1d03bff17fb8397bca369ccb1ce5b665b5b7146d2b214db1e6ad20df560eaa3f3334ff9da90d12d8cf80497f09527235f9842c1a0423fcf4d40af1e

memory/2256-159-0x0000000000400000-0x000000000041F000-memory.dmp

memory/844-160-0x0000000000120000-0x000000000013F000-memory.dmp

memory/844-151-0x0000000000120000-0x000000000013F000-memory.dmp

memory/2116-161-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FAEcEAEw.bat

MD5 042a7a324152ddad62251232ea34176d
SHA1 6f69e1991e470641e1fed740857261ab254036da
SHA256 d025967acf535fc2ccb05b59d01644e6ac241e05138ed96c9dd599fe000da6d7
SHA512 b29a968502b035f44ab1378a1731691c901b86964f5b1a1cd9172691eb4d02dfc2196282d5970815135c4fadcbaa1068e7691c4d4882a0ddc7dbb56d7925c403

memory/2644-175-0x0000000000160000-0x000000000017F000-memory.dmp

memory/2116-183-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2644-184-0x0000000000160000-0x000000000017F000-memory.dmp

memory/2624-185-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EWAUccsM.bat

MD5 c205b5b15577f264c7712d9aee7ceb80
SHA1 627c6e17477d867d63958ebf36f3bf45554dc3ee
SHA256 934aa4b7eb505824695bcd4ffcf3196a3d0e4fa6bc469f36e563dcb4f4dfece5
SHA512 3fbd46b399fb6dd5cda1dd6230b9b3746d1e27d9f96f5fc51e39805e04122a6718ec7c7d6343b043c64d8a196326050d4f625da3bbd802e52e3b814572ae087c

memory/660-208-0x0000000000360000-0x000000000037F000-memory.dmp

memory/2624-207-0x0000000000400000-0x000000000041F000-memory.dmp

memory/660-199-0x0000000000360000-0x000000000037F000-memory.dmp

memory/548-209-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cMIYUowY.bat

MD5 e32299495662cd0089a42e34fc5f887c
SHA1 593480b0d1eb87fa21b5106454c3139c034f65e1
SHA256 f116c5deafb4f6956184dea65c1d9aa509d3ab17a7a6e8c43caa0209448ba3b2
SHA512 2a3e1e0ff380d9c68f9d04f3aaeb846c9f9fd652215e262da763967f4ec2695d757e1789bc40b5dbd846f9c6698a32e31a897d11bcad4dcc5d8f2737fe83d35e

memory/1924-222-0x0000000000270000-0x000000000028F000-memory.dmp

memory/548-231-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1084-233-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1924-232-0x0000000000270000-0x000000000028F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lwMAcgAA.bat

MD5 56097b6308c9d6a44efd03b3a9e21c74
SHA1 5b555455b1043c9c8b4e6bd874f2133a21463996
SHA256 0fcddecea53382d1d17a30c8624dfeb8b6d3dcbd49c48a5a78644709588ae541
SHA512 f416a526f5300c9654d351a7ed5bd43c47968da529531447cd846521dcd9fc0c3ece7d38e01eb9465f8fda57278305b480c56354cc8948f04c0f4eba8abc2ba9

memory/2284-257-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1084-255-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1120-256-0x00000000000B0000-0x00000000000CF000-memory.dmp

memory/1120-247-0x00000000000B0000-0x00000000000CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vacAkMMc.bat

MD5 fa8b966a75a368cddf5460056f013a71
SHA1 1bb1ccc7ab74f77bf3854c37f3384b9b6f16e972
SHA256 a7cea38da3f89696ebdea6654285a6e2854924c9df4bb8d3d7c6cefb607e7ec4
SHA512 4139636f9a28725c8dc7c546531195a1bf8831637a53e5a22927ddb4e57e84d09c76350b5c51db06f328a77de12d83e644805fa2a92d1f62049725832086f39d

memory/832-271-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1692-270-0x0000000000270000-0x000000000028F000-memory.dmp

memory/2284-280-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VQAMMEUk.bat

MD5 7c8989920a36385dd262585f085e6370
SHA1 ad6e45a1d8f518f39100c77cb3f0149f0cbe9341
SHA256 feb6ca26b9485bcfc296bcf46ab25c07a9fa479a91273dbce269190be9da1302
SHA512 7fdaed678aa2ad061fb7ac890ee08721c47dee21de8627b32a20e87ced39e26edf5ce6626c332c76e8c8fbb0f257b2834a62c257ef18e19c4c644c0a1d91b700

memory/832-301-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2384-302-0x0000000000370000-0x000000000038F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KsoIYgME.bat

MD5 9b0e0a841a4e5e6e318d183bef0f0f85
SHA1 3403163389583ae2fdd03e828e7c1f585fd63a5f
SHA256 b8f3d370f6223d2c0ccfe5d1bc3c6ef1a634f10dac53e78ec5cc6550371a58b9
SHA512 14a657b263788249a169bf8b9bab80b3e8798551d628d6a1fcb2eeccd8eedb8ff5aa3036765b599c53b3c9e22407b0f83ee1ec08f644998ad3d16d1a4da624cc

memory/812-327-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1152-326-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2532-317-0x0000000000160000-0x000000000017F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rioYwgQM.bat

MD5 ccea3ca9095c1920a7e01675dfdc7df9
SHA1 14d10174daa2fcfc4e42db1bd6ea53e45f4c58c4
SHA256 8674002dfc02d3c754ae8a15be4056f284c5cae77365a101cf975516996816e2
SHA512 e76b7866a1ce378a470f7ac81dfc997ebb833a241d0cff1bf401b64ccfd0ab956791984d305212798bdbc29d81584da0c86482bb56662ea1e5f2c4217e5a624c

memory/2600-342-0x0000000000400000-0x000000000041F000-memory.dmp

memory/268-343-0x0000000000400000-0x000000000041F000-memory.dmp

memory/812-353-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nygEYMIk.bat

MD5 40c3a984f88ad095e7dd31387bc5eba2
SHA1 7aa92b8977cb4fb9f04e6fb9f613d8d8acaa35cd
SHA256 57f1c2de7375dccf90ea419cda2cbf4a2f2ada6c93ce702dd3235dd5fd6c2c4b
SHA512 cd936dba128cf4898f0addb0b84b46e8307a6d229e561fd1ba496a766687422d125f2ee7571df76fc8052f83d749c30c53ee199666d2c715b701312d94eba3bf

memory/268-375-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2652-376-0x0000000000400000-0x000000000041F000-memory.dmp

memory/604-367-0x00000000000B0000-0x00000000000CF000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

C:\Users\Admin\AppData\Local\Temp\dGwAokcM.bat

MD5 1f2aee8d159cbfd2c50d15ce6ef4fac2
SHA1 67e10296d18540a149307d982e12fe72985c95f6
SHA256 44073905de313d5203f419e1e62f2afbf384e1acdb4fe2d9db94904123844487
SHA512 684b780e7e255bb3eb39382565d7a97131aa5c766a121d7bd30f98ee8feaeaca344ed8cde698c6988d95545bcff0fa8e10a5fb273002bb01ea42801dadf9e1f2

memory/2652-400-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1520-401-0x0000000000400000-0x000000000041F000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\Users\Admin\AppData\Local\Temp\vYUa.exe

MD5 6a325d265cbeffa8ad347298dd065d18
SHA1 cc623b4d274c14bc4267822292d7047763db311e
SHA256 6668ca15782f47f92ce0ac444a679f3f483a0c75b65b3527a4cfa4b227bd94d7
SHA512 1006e0ee21ceb13e0f67f0c9225f5f20e77363e18159aa9d32538a9c99d88c2fb547da17c5d907dfb2ad19d96018b1cab819e50668bfaac2b2e650a40ab08d87

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\Users\Admin\AppData\Local\Temp\MWswsUEs.bat

MD5 910cc02360fb81e2a681b194e4135dbe
SHA1 498ff44b32bceaf976d963834edc709277d5ffea
SHA256 63443850c4bcaa30061e3c198b199abecb435e80ebf0e6402f6677ead531d304
SHA512 1e3e07166e8bba07a7fe2e05eecc54f03240693589891cf800fb249199aa4ae5a14f6acecf85b1bb3286d25afac83d3ed53f525f9dd89a9c6a75469177e8fa3a

memory/2144-438-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1520-437-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zcgksQEA.bat

MD5 e3a29e0f34d1f17e9eb496043854f03b
SHA1 55be793ffc26c5a5d8dc6dadf07400cbb3ece998
SHA256 628837212633f8ec633886f89e9338084d10866b846cd42756239e7479e1c0ff
SHA512 950a553494f2211e045032c09c5dadd704446e3726dad4d0e5bc944cddacb719f6f2dc917a11f082c6b329e6d5329524eeb363d9099babc29a64f7543ceefef2

C:\Users\Admin\AppData\Local\Temp\TcYg.exe

MD5 c77d305efd2245e73a696db34fc31bf0
SHA1 3262558f34e04cafbf49f379b1c063cf06634de4
SHA256 d6683349055bc1c2cdfaca5f5d3f0fdda6ada0ddeae50bc5b950e62fee1e841d
SHA512 e6d8d59410207a1a6854e1437bc109bc2cf53ca5d161be9568d64110d2adb50df04110fa06f10f7174c9ee4410977eb900e89fb8f430c6d87ae95e28eedb7493

C:\Users\Admin\AppData\Local\Temp\pMAs.exe

MD5 d2be62aa309d45c785b8b6e3133f33ad
SHA1 fc3e3d41b399c036100096208b3e6d568668c7ce
SHA256 c8162e3daff470631b035a98eebc77a0bc832733d79fe863040230610fa56efd
SHA512 af593ab9cea6bd0fa1a99de4c1aa4324b5d97fc4ad65b6219365a7f6a18eecf25f00c2ce74ac98a2b0385abb103b6290aa413ca4004412225533516f1650f56b

C:\Users\Admin\AppData\Local\Temp\lsUW.exe

MD5 e5cd0f14eba2d9658fa63d5f291cebb7
SHA1 ec2f65179b78f016849899e8fb106dda3f785ebd
SHA256 80c84a534d6692e2e47860e3318075469e64ee0933afce5cbc0fe07c1673731e
SHA512 8937a2975de96bd8639d9dd57f40fda537ddd153c00540341c44cb11d06302f6157ddc794b4bbf9d78ce2a71a28b38ce65712e99491434085a8b822131b2432e

C:\Users\Admin\AppData\Local\Temp\dkAu.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\kUIE.exe

MD5 21f20272a4bbfbdbb2835c349af5fcda
SHA1 05aad0ffa37f9e1ea2bba089bb97ac15b4942f74
SHA256 be14942eba4281cf5cd8414d8939f8de7dafa48ba2d0d9cde8c2aee273c62af4
SHA512 f545bf31d0675ef4bdf98090330a443010dcee155c65991d7aacfd97941e5c06ca88ecebcd024d7b4b33a31160486655699b1d729eb958c8154f513e52911d31

C:\Users\Admin\AppData\Local\Temp\soYQIgsY.bat

MD5 7e4cce11b0db0d3d43055b7bdc8e5367
SHA1 a8ddd650409830323390007079f3df5909551765
SHA256 0afeae2ba3c24ba8663cc8cfc71f6f325965ef84dead0a74b1a398542c14605e
SHA512 f3af6e4ec74bcb85ba5b9c212ba2d903a616cbc55900a60a5302f18a1ba6753d8eb6c1489eaabcc436aebadf45890cb0e2870c7b27afc289178f008925c02a8b

C:\Users\Admin\AppData\Local\Temp\JYgs.exe

MD5 700257b974c65692cd9872910a0b4e43
SHA1 3bf7cfddffa846cf8304cea366639b39d9157b8c
SHA256 1732cebc20589fb12f39d0b24386afcc1f676314a3c1ded082bd56290c44d6a9
SHA512 f1455701c51a88c014eb6128fae58b46470dfa04e1de554eeb9bd73f2b0e18bf29bd9c312bde2beed46e6db06e0462013f8e97f99f24fe4a972833b4262f437b

C:\Users\Admin\AppData\Local\Temp\QoIU.exe

MD5 7849ec49399a1afee6d8578c9e137f18
SHA1 ec26a8b603ac5d4a1356f8894b816fc183bed9ee
SHA256 d392e2f83b2663cfadd6a9797f7e0d85cc252b547db34757b9c93f049700ee98
SHA512 80d316c47ace12c3dccd85da0f441285e99d02e7061088720d0d855e45d1f3baab180e4f09dbc8215f82efa19507c70b9565470e8fba4e64b286baf43afa46c2

C:\Users\Admin\AppData\Local\Temp\hgMA.exe

MD5 331982db5b5bd9442f90c2dcb32add20
SHA1 6bf0424bfebb43a9b03560f69400b033180123c1
SHA256 f0838b6c42959aa085ce7648994cd0be5451e970ad7402c5a4f44a27d52f4ffa
SHA512 255d08fabec4d5cb6d7470f3d94275f045f17a5865d3ebc59007a655bebc676d93756a9734447ae16929ccf844f525364f801cb51891eb8a13095616f2014fbc

C:\Users\Admin\AppData\Local\Temp\wIoO.exe

MD5 e950aefb49754fb5acb79f8f26dcd438
SHA1 a8cd75965a39d6b3f231ee050109853a1d9566c7
SHA256 184c1bf62d0c0e2fd8ba38878cb5a8f0b358337972e984b2e41a85d5039a51f9
SHA512 5ec89835096f788c58ae5c443bb37fd964d365af05597cb119a11615e0ac49dbb4accbd3360997b87fe252083f1c5bb325ba280a3c0823b479a2b558fe0149d3

C:\Users\Admin\AppData\Local\Temp\owEUEgYc.bat

MD5 605fac3bf93a62fc028b611162b20adb
SHA1 4878d27c39428210864681f573643fe201062aa3
SHA256 2fe83c386d8b86b666698b12f824ac30b0b65eaa6fc69c524ef33c00a4e68f2b
SHA512 578287bfd622e5b85a006835957baa3a2fbcdc3110ba66c1892a3fc598f53960e49008b978c9086fff29f71b50de5b02e47f1a91415d4acadb8d02aad5d6ce74

C:\Users\Admin\AppData\Local\Temp\hMMe.exe

MD5 9ecf3a4899debb56beaabeb873f7e45d
SHA1 5c1a37afb042769afaafee3cdb6fcd8e68d0eb7e
SHA256 253861d82f10a5d5f68067b7f99cfda020809c8250b2e6a55fe160cde93d4659
SHA512 2af86e742f5597faa019fadd32f170574a42a7bd74b9119ec255ef769db0dab565e75cf08fee0312a52c80629c3062212765783a1388c6b3101a9dd005b1c39b

C:\Users\Admin\AppData\Local\Temp\nwEs.exe

MD5 780c2ccee16215b7f1020f5786d43fe7
SHA1 002c1cb43cf9da6d0fdaf88ec7cf357008965a5d
SHA256 2c1e489579d3fd8c85aa65eedbc3e14d9094f982ffc042b643dd05ca3e748520
SHA512 bf4a1ceb710d187159c2292f9680c7fba3f7c6335c8fcbb73bea8105d9cdc821f0a4c436f6582aed5628a811808043b251db2adfef040182e2700ad232c69168

C:\Users\Admin\AppData\Local\Temp\lYMC.exe

MD5 6d19f55fa58018fe9e534aa13c87bb2a
SHA1 bbbedb0299e4dc6a800bb1b1b5c8ba5ae0d5b15e
SHA256 ccd5f8b155aa3e404b041a12c5400e974941dd68ed21af4b94332a094b78021f
SHA512 cd4c141afd4a9f1f003762085cb78cbdf0d4765382a8b5cb8c5e89f8d55144d8da7f6932f1dc7f086fb1f04612ae6deafe7fc96855c2ab4e423ac11151f29628

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 5cc5dbc34902a524ee716ef1dc0483bb
SHA1 65081693489296c75f49e1d5be734599cfae4db0
SHA256 bc26c782dd1210fbca7c9ece2d92fa819b6614580b4121b5dad089c6f6a8f510
SHA512 a115e05410a645010475faa5a13e7524d46dda03dd039fe8cea96c965a5c8dff27365ea91e2ee4f273773334a62654879698aa536ab60527a9c0485aaded7d4f

C:\Users\Admin\AppData\Local\Temp\PosK.exe

MD5 a1274ddfbdeaea724b34ff3e972b1754
SHA1 ddf6e3083ff36649e723c389e476ff404c391394
SHA256 7f915e77fee8d716b8fc98ae92398ff28d21c900029fe534af775b4b768b9ae4
SHA512 cdb7b1c6f14a82a6fce42e84b16727aebc65cd0433a1f6c2bb9b04c190ad46a532966b89ccbff3b5dc6a8c936d9c7a99afb1e5ff27b1d3aa4f08e055e4b67afb

C:\Users\Admin\AppData\Local\Temp\ZmUgMocE.bat

MD5 0ec380ef8126fd4ced4557121a561699
SHA1 0accde645661722da1ce973ab5f63a4eb355e648
SHA256 7f403faa3a008bce71984c3a3ae2836c539d6c7874211d3266180c9a752bc5aa
SHA512 692c6471692c7b4ff2e2458361fb593996adbe987d75d03324f9599aab6ef91daefa19f7f3bd674182e6f7214227a847b72f4d40baab9b41acf4d5fe09247f61

C:\Users\Admin\AppData\Local\Temp\gsEC.exe

MD5 8276a2c1153ac7c34b1219fcc70fe5e9
SHA1 b44ad7b5ab359c39445257abea81f6c924504172
SHA256 a816ac5de7317f1dca861d19ac6ab425de2c97daa866d5c6238a49bb3c2b1af8
SHA512 be8096c794963a09c4ffab78ecc7ec57da0558045c3e73c96b12aa89cc39291f3199fa63503818b42b7ad1476dc35d0a4475ae90ea9a351a608fdf0e0d768f05

C:\Users\Admin\AppData\Local\Temp\Jkgk.exe

MD5 3d6b8f8be52bebd156464e4ab08034b5
SHA1 87e463439c37b7f71c31d802fbd9a94befd404a2
SHA256 1e6d0117d63a68fea8613c3d8e9df63771bd56c789f07f9038f7ed3c333cc02f
SHA512 99c67a44574d2f3d1bafaade70020be80da33b20012836d848865130b6681b5ee7f748325fa9b83ba8cd195da9698c4ab32f5fb814080fb413af7a8b879b18b5

C:\Users\Admin\AppData\Local\Temp\HYkG.exe

MD5 0cfe43cb8a325ef834bfb23a76d9dbe2
SHA1 19a6b6f4e28b0e4c3c0c597d7fb251c99c41d01f
SHA256 9f01f1340ed6f9b285c1a880b511c89754dd22383a68b30ced09b36dfcf47042
SHA512 1cdc67453cfc65f1425db6ce5158f4f1d30c692d7efea53ba567f7b7a2227dedba1dd6cf8194d483e272c64360753ad88f8282d7d870284be0e212daff931991

C:\Users\Admin\AppData\Local\Temp\wAEA.exe

MD5 731f1ffa5c8026f80490d2de3b5ecf7e
SHA1 273ce7040de07a740f75491e03f50860eb76c0b6
SHA256 60ed5774d69f4e1aa7f7756e9e41759b9b2f0f0a4c8892c612153eb95360f276
SHA512 9e4111d3e598443ce0a4ef3500db917fcecedc29eb50bdee8316ded24d2405e640b100c2cd7e33c12c47cd9908163c859c5618bb82bfceb6023f1e365635efad

C:\Users\Admin\AppData\Local\Temp\gkgq.exe

MD5 c7e75b6dbb53db1ee8a356b5887ecb73
SHA1 63e565f8ee5fdc0421a31c4089fe673e85dff4e0
SHA256 372ba3c483a4d0dd5a33e22281372d9d15eceb38a87af53c816f7b44b06c9577
SHA512 b4575c3648aa6f806997594a1a6e8d8a6dcfd425bcacc9f54e111c515901c06e47f5f12fb7bf487a28f418707a3c4d5604531a99d9908def5a9e18d8480010ef

C:\Users\Admin\AppData\Local\Temp\FycwgcoA.bat

MD5 d779a29f88481a0d759454af24f87085
SHA1 cc5c2af335f9f63a69c5b130358d3e5cd8dd1dfd
SHA256 cdf3d2f75001a056a9fae6aa114a32705f90dcb6ae897bef4ad2d8e5c10ad831
SHA512 93d365186e6218d8f946d9c588d72b11ed5cf884ed0fe325bc0c869773fb77f229d9c9ac4423591f9b10aa0e88ce96bf3759536b97763f5d6ab0795193bb39ff

C:\Users\Admin\AppData\Local\Temp\LUUc.exe

MD5 cfc9776faddc2cb1ac7d613f14e09a66
SHA1 2d2230017eab79d09fd227a4ce518702f26c0c34
SHA256 839dc24a75bffc9971b4bd9cb201f2b99778608f297da02ed8b2f4427c3ccec1
SHA512 8387cf1e9992487d1974f5ffcd4822867e89dfe614f839630bcfc11da0120fd6f2169da744d81f2d631908ca533251bc935731b852f8a39e9934bd4c12a7b7de

C:\Users\Admin\AppData\Local\Temp\RoIk.exe

MD5 04424e49249de523c607289a4d71e00a
SHA1 de0838ab91f20a2eb6bcdb328eb96195b68420d8
SHA256 c6c0cdb31f698c3fe662e79e6b45d72d07f546ffa27916a23286b198d5a7b2cd
SHA512 b9be0b8b6a9f9d80367a2d0c58187f4ffdf6c0b3d4195904565de8bdc0ad852a5755bfa484819df8770849afe215b10be8b8f24dfe5689818bcb401f593f79a4

C:\Users\Admin\AppData\Local\Temp\VUEq.exe

MD5 464161dddb1b0ca6d1b6921fe7cc32ca
SHA1 e28c8bbf63fa58e13fa5db61a4b21e18abf62f22
SHA256 cca4d4dc8048b60be6944db7df122fd7a67a7ed931649feeb317e1e28c04fe26
SHA512 1d999ec70f3d414afa4550a9ace5c319e2c8b6578752c1408a972d16f684422c20d7a72fb253817df2eed6fc54012dbadd361f99d8e9c5c795460f913f8761f5

C:\Users\Admin\AppData\Local\Temp\ssIm.exe

MD5 b739927c5e465f2eb98d2471b9382108
SHA1 5589623f84986494be6a974abd8b905a586a5605
SHA256 d19458cb37aebbf6c984b591fe3f6e9d52799293e0f3ec7db91ed42f3c0e2e58
SHA512 9c258b0fd7a9aee22a3e14b6973da32cd9eab4dbe2d9de4a4bbdc4cb3c42195d54cfbbe88785aed5e400402a745be704352499c8cadea37cb60112de100048c8

C:\Users\Admin\AppData\Local\Temp\RIEW.exe

MD5 8ed2ade5ee5686347b50bbd36cb19a13
SHA1 d27c4b6d825463883bd5fcac9178c8e238c79c43
SHA256 cb240346637f31381dd90527611e4b80775c33baef73794ff31ada50fdcfa3a0
SHA512 25331afd87521f23297e35286cb8e448d5801cee326df46c8f85556cf5a176295dc2454a4fd52d64e07352128d07ee983596774053a7081ec584c6e9447229f7

C:\Users\Admin\AppData\Local\Temp\NogIMYQM.bat

MD5 f4cc26788539469a642fc78dba35d5e8
SHA1 843da7f8df20384cf94ae42e6106ebbc87314bac
SHA256 d0cf0620e4809c7a2f11ca897fbb10406e6517431bfb1d16ce4fcfddd0bd82da
SHA512 178b5a2eab70c328056676e1afe9868bc66cd6a49f7d19140eb546f4c40c9bc6506b0c03c5b083aae4f346574ae41a3f11a0d2c76a193f4a1fe3d855787ec32e

C:\Users\Admin\AppData\Local\Temp\BAYe.exe

MD5 48e90e64a7c9362878c62129e99ee980
SHA1 b71b6fbd5ee99f143e26c7e07fe447ef41831582
SHA256 6e076797c5b180b2a58032602c95324c14df169f4d227e26c7bf5dab6448ce07
SHA512 b60750c119223a8416f9b35d9e3189fe6ec2def9cf665585784f295ba3b6c24fa6d9290288f579e6e6c416cd0bd54c518bee2187742ff81a25d2d4b9a1e3af43

C:\Users\Admin\AppData\Local\Temp\VEos.exe

MD5 91562ee497602b6c30ffd267ab2e4951
SHA1 28724b3bef74558e13dd8cd260f6b9ede14f3a06
SHA256 82509030372b2f9babcaab569811d48907acd5c857c0313810f42d2c70cad30e
SHA512 40f52ae5ccc9e618c5fc3d9f3bd06daa53493f72c86d2f6efc4efc3a33fad9ba02a0f2307f95d94ef52265701961194e18c3d5b4fdebee6f6da353690d4199ba

C:\Users\Admin\AppData\Local\Temp\EEoM.exe

MD5 94527dbfaaa41092b5d99cb9f866af81
SHA1 535e94c0fe7a99faf4b49a234b27609fe9af9ad9
SHA256 4f3276542f46cbb1898d3de3829de4277f87dbf9d269901dc22809100a1dde41
SHA512 396e3694fb56442717a00c4cc29bc3408189eb148ffb8b13d6d544407eb7f22bd562d9cb3bdd41dcc20087313c7d05e5d9fa85e2e1769ff6cde5a408ace78e58

C:\Users\Admin\AppData\Local\Temp\KQEk.exe

MD5 5a520e6f18babdd7ea5d2078c43dd244
SHA1 09defa0aece229c3a56f0ebaa966c55cad16f35c
SHA256 d80d3d866d9bca613deeb44f1753bab8d79950dd2e6d396ce0ca58525b5bcbc7
SHA512 215d63a0be1c7dbf7b41957973422bb22bbde9fd1c225cc9d7ef8163ff4e68535d1b12dd8fab166c6edc3ea1215b372acd3cde872f4e838579a02d433c9c6457

C:\Users\Admin\AppData\Local\Temp\lMsy.exe

MD5 fb9b7494b338c8545ebba7e0a3419e58
SHA1 d788de72e9f614bf4e80959d1cc730eee1bf0d5f
SHA256 f2fdec182a06cbecf6b8a6977ffb15809bddbfaad786fe1c4dbe72f70ddc3d41
SHA512 83597fc9b63ca772b0dd8e121ccdb918074baac9a0c3c5c3a0d6e25bf3cffa817e3fe2c154cc1df464a3b15b14e86a2b39e60304684432d066565da71a3ce2b3

C:\Users\Admin\AppData\Local\Temp\lasEYooE.bat

MD5 7cd476a2d9806778e050cd142636340b
SHA1 1ec4e02dc3979df3fbdda5b8372f35727d5d50b0
SHA256 4fb5f2a25f756fc1912b39b4e13515d0c9e22e9c01023a3f4555a93118a74b48
SHA512 c991253b91d5ad6cbe3839046a5d6fa78f86193261b83aa99eef56829954d44ffdc4606c4634363baa191cd2ca607fe19c0b2e7f42312ed1b4745dc41e5fccc8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 a156af2494e9c51d6fb96d78c3018899
SHA1 a9d0ddf98b1f22c73493e99f8d85da96f740708e
SHA256 e19444018c5f7b02ebe6a3608e3c881725915040691615ca4beb7291184fe5f8
SHA512 008b20ff7a3ae79f6317c65614b426776a9911dd6ecfe77e907c514aff9ceee0a851557f6dd335bac1c4bb4b56b009664821733b0ccc5be42dd2f2b687e21a8a

C:\Users\Admin\AppData\Local\Temp\kUkC.exe

MD5 354339b866f3357dea3c95a7825763c9
SHA1 0970398631dae165e1690db739ec6a6a2fc9aea9
SHA256 58cc8fe50df70517565775d5d181e71461782a8117412ebf723f7c12e6017de3
SHA512 f79d1d2225741a1030678d488199293e9f10840e3bafac690e224c3be2570b99d4941cd51b44e274d6ed0239a0ab1cabaee784c021b6117635a8af0d9047325f

C:\Users\Admin\AppData\Local\Temp\KgQq.exe

MD5 ce6c0756dd716dfebd9581fc60c7ac45
SHA1 cd38f7cba1600449b0ee984b7a410b182b6b7cb1
SHA256 df22be5f9027b4e7aa5c770de91b3683904d9a894c93374759619780a5210600
SHA512 67b7de6ea7d938067ec6cd5312ff132ed863e29e7d4358221c827dad09ac2f7ce39d278a7221a1b1e602c7411d052bbde191873153e094a7384afeec397f3fb8

C:\Users\Admin\AppData\Local\Temp\JsUk.exe

MD5 eed0cab7e3928293a327c1f4f5d1f28f
SHA1 a52f77d837f40460a49c74c288546244ab9581b2
SHA256 939b9c68cb1ec045307aa7e5c9175859640c33014918ea0d97c962cae4f53254
SHA512 a76f8c0c65b4fa97f64f392c8a8a2547740d29c4e3b758720954005df26020ac13b7b178f25d644e3ccf19d8ebb4ba1d2c9aa53b34f5409185e4c2168beb42cf

C:\Users\Admin\AppData\Local\Temp\vUkq.exe

MD5 2fe9932a915a52a01100a18c1ff0b5a9
SHA1 6ebc216ad0b7b6ff6c571d90085f569abe62860a
SHA256 59dd9122fa1c95309c3ea0b3ac0b9fa90e1d2ca5d2a77a7638cada9704198c01
SHA512 f1c6a466bb07d0ed0d30be2b7c7775091b225684ae29ce20a65ee498a7da8e64f06faeecef5ea3de6e50473c54f90a4d4710a3752a7dd653d6527b9b4befb7b2

C:\Users\Admin\AppData\Local\Temp\pmAccsQQ.bat

MD5 ce6657709e1aeddb66234bd984214308
SHA1 9dd97beec55dfa4907b33aec73f49a6b08972167
SHA256 b17811790d874e0b2fe0dbdf24ed05ce64e5d95f28c7b74262df240c83f94e31
SHA512 ab811f397446d30a2b4ad777065c3091aff138db722b078432f572a92bbb2edaa020a2866d5ec93b7014b1e5685a2a511ed4fb9e00b82b73bf8b241756141359

C:\Users\Admin\AppData\Local\Temp\zwYy.exe

MD5 2db9820eb386876f9fa5a801cbce88d8
SHA1 cc946830fe187eae8797fb479d409711d901a135
SHA256 94ef38d6a206b6278249698e3194c92f2ce5156736c335cb7fa8c4b921bdabc7
SHA512 7ea2a99d60414552808505a174550e2043d8dabd87b752e484b543f58917e8eb138f14f3c582115219de98abedff94633b6c39befef1cff83255324021652dc9

C:\Users\Admin\AppData\Local\Temp\vkAo.exe

MD5 a87746498dea8ee8dd9b563f86a9f58b
SHA1 7cd7434950378d56439d33c9ef80f20ab3a0dba7
SHA256 b2c39bd5abe06779f636c2d7701d98000157ea34617caa52cfcb4284fd92cdc2
SHA512 62dd5b287ced14873c4ad12c5cc7486eefebb77f06211eb29b6991e6f9d8c347c047e2858604e598c6b4589e03c4280605298b52a134e1692ecbfe79285fa803

C:\Users\Admin\AppData\Local\Temp\dIEe.exe

MD5 224da11a63b097c4a499c782955c6464
SHA1 ec5d2004aa913c2f0abe868a61940e33020e2087
SHA256 0e00202f69a85b22e25af2c8691ffb35f1a5ebfc53e82762563687ac06089988
SHA512 de3318655dd0292cb4e37946ac6938948b309efe42b5434c0f2cf6a59e9db3422f2641683ac6902e6f7bf147576907d931adb564d7e4842dd500b5a8f65779ab

C:\Users\Admin\AppData\Local\Temp\cIMk.exe

MD5 a3aad2ff2378bc842bb8f0d0d3fa5f1a
SHA1 c71501adc841c328df13f19b874b0ed9f80681d2
SHA256 358447a1b6b0c79a28d17dfc5e1b61a85dbb3833b1743b25d59201af92a1e2d0
SHA512 4569b6461e1bbcfef16d2f0b7ceae10f8d161837d4934fe2315c491a03c4d8ac4d5e7c52579c4342c56c3f7135267f28eb467cc665b6553f447c38de15a5936c

C:\Users\Admin\AppData\Local\Temp\PQYwUIYM.bat

MD5 ea167a13a7c62a1e85f5eacd8d2c7330
SHA1 daef8829b0f0dff6961eede372cf94fb5d6a1fab
SHA256 445f428d4180a587e966607a5d0c5353cde9cfa9297a8a43b4c94503ebe2f050
SHA512 dd25be590ab4c2ac6f22313dcf23f269e6e2e39d04569dd621f8eeca4fd0377a877c55e4f709df5ff320c19b758bb536987f8d7a3a4bd9123cb401e62d40dbf9

C:\Users\Admin\AppData\Local\Temp\tIwu.exe

MD5 52e491a9d628df2f1e352ba7530d3fc6
SHA1 fd9a01b5fdcc7e56587c2a73e8b60eff034e3b18
SHA256 0251277c83126040265884e1e12de0b6c1cbe7805ca3a4aac22ea6605cd4e3d6
SHA512 90beb55545df71ca8872c5ace9d3df8308e525dbd95e69ea93e47ae046218ee7319ee76cbdd01d6ed3f40ba1b3b58c455fbe872fb2ba2f156de245ffd3410a01

C:\Users\Admin\AppData\Local\Temp\jAkA.exe

MD5 4020601afd8b20aad880520ad5053ab6
SHA1 158fce992e777cd08f07140cd625574dacf6ef8d
SHA256 d48833c84c89bcc88b79f17319703700d6ca241e7645c5d81a647c25153e1e8f
SHA512 cc2375b67375e349413916bd83f50e1e71bf3b3880fa8886a652e8cea6af39908044edabe043c9aafe3dce4f312f77beed2e46fc3ebbb1d903fb438b8c85251e

C:\Users\Admin\AppData\Local\Temp\pYAc.exe

MD5 aa648719d2c5ed18456486eb237b25e4
SHA1 5c384922e9095b58504e83b5c66faee353eccca1
SHA256 7863d33a294f62192c7a2eb67d05670558016c4ef0af96fbbe340fc71c677aef
SHA512 089c8dd00dbe3c7a5d110cb90a3e8ce8c8e0210ace7cf596c46c65abbe87941b51b7fb3b70b9cda150adf05a5e58df24b949ed971dd179f69fe7c5be998adadb

C:\Users\Admin\AppData\Local\Temp\ZMoQwEYs.bat

MD5 218741e5dd3b7fd35b675cc9add41d73
SHA1 61f82c821ecb9c776d166b1af5547c6131e964e0
SHA256 b62640984c8d00ed844c7b18d54d4ac784a5d1b010405a18d757a7d3d987a362
SHA512 1a411fd1e2c9b81e9badc872c5aff39bd3524482f038966fa330a9a8673047fcf597b58a145b6fa9438d3b27173a57623daec6f2a6bf4aaf61928f421344c15a

C:\Users\Admin\AppData\Local\Temp\XwQO.exe

MD5 7c7d8b1a911c887bf99f14177e3edd7a
SHA1 73bee54dbcd6a15e6d6140e3f13347f14a502ec6
SHA256 72d8b632d84342c6968622e38142d703895676c5d71bd3ffae9d4a5248b5c882
SHA512 12f98872425a08bfd28a4e241a006d33d6e7a7a1a01010758293404a65e44643f536e3eb122c356e8aded8d18924658ca36e085b46fbcaa11a281f824e0a1d4b

C:\Users\Admin\AppData\Local\Temp\UUAA.exe

MD5 dd96dfe37bc1c8688d9cca3785d79d80
SHA1 2521c28d47c258af294a1ae20e58ab5e8ef4d630
SHA256 db2cfa1ac3ec3948b343651d205d1a6824ea399a05fed14fdc40b540aca12a88
SHA512 222ccf81d7cd3ac6fede8fa4c017de9bb4e23c7b093eaaa28305898355cbce63d8210c7ac6bee5d77232174456834beddca2b3bc4860bed1af8905c2b5523eec

C:\Users\Admin\AppData\Local\Temp\zwMm.exe

MD5 604662c90bc0419f4d5337076de23ea3
SHA1 598c91bc6643c7c89fb204b46b7fbe47708d4089
SHA256 58ccd7967935b4838beebcc2b6f06a442212cc3c06cb22a8a259c68ae9eec101
SHA512 262735326561d7c50621b6f0eaf1b465ffc53ec340b56726e96ac21db19738c1bec6aa2cee51fd2d4580c43cdb9d67d3ed4a1112a72618cad6f1d71ad9674668

C:\Users\Admin\AppData\Local\Temp\SIsG.exe

MD5 cb7de37b8c1fb1fb1d12535ca4a0cedc
SHA1 f33bfaac6f3ea5577b33f1655a04636a4c7053ff
SHA256 f97373b32a1f37a4a2730b7c32a1b3c9b8be098d7a0af41e6e781f33adc183be
SHA512 207d4dbc05650de55e8a1f3e198ebfc4e0e1d29809369ceed916ed8a4b65b95329a349e259860ad424ff14f8f7458c33218676b8720956c3ca3ef77477ced466

C:\Users\Admin\AppData\Local\Temp\rSowIUMs.bat

MD5 657b63c927e5941a0423b5a3db4e0fa0
SHA1 3182daf0fe18f59282f5f153a9b1c427cff42c14
SHA256 fbdfa4307fea03107bc7fb4e63be3e8d2751e55a60dee8d7733c82157d9632ec
SHA512 21d5f38862f5d362382ed5a5693b2127fb37e063014c517c3417d0190b717deb5d318117f9e184e43a95e08cd6f85d90561e9dfdfec4ccab7236b47d8e7aea3f

C:\Users\Admin\AppData\Local\Temp\pEsG.exe

MD5 e51bd40fd9c61442d7013597203792b6
SHA1 ac2bbcdb3d529c6084ac8e730cf53e1e16ddf12b
SHA256 3b5a941f3f50aa9bf2d680acd0817fd0cc70c55a4b3c9f1c17d93e621e67ff61
SHA512 3f181cd44145ab75c18b9e241744a5a2f9475d33e6e3b291b3dcf04dc8f3fcad0f4947916b573fdf4df91fbdaca7eaeb27a4e65cf2d836ed58416cf1ae6383b8

C:\Users\Admin\AppData\Local\Temp\MAsI.exe

MD5 87c05a5e8f389a0e112e6008ab145b6b
SHA1 a4f983d54e675b22eaf78cf3e92131553bc2eaf6
SHA256 8d4e95a0a52fdf19a034da0b8511697d4f11d903dce773d265283df9f300fd86
SHA512 d51beec2d277ed05058ceca663165604e7dc7066a40543ffce6a3d032f228a53eafa6068e3bdbb858fec3ba469105f16dd6a321d90b8a25e29a8388819f86a7d

C:\Users\Admin\AppData\Local\Temp\ZYIq.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\BooA.exe

MD5 3fab7d53dba6330b0e591797adf04016
SHA1 63499f979bd27c1183bd87daef4de52fb6a49466
SHA256 a6d038c77aaaafd7a6deeeb99c666bffb680786d74837a9fda9e14cd1c32e864
SHA512 faa4232d390feb1f15d743747182ef79b443ba347f4472dbe5bdde7937ba15b8101dcb4821de17f5fdd4dedfd502a9620a4653a9a7b3740b1c06e1733dcfe40a

C:\Users\Admin\AppData\Local\Temp\iAIA.exe

MD5 2b997e1cfcc0f5d4cee7d180513fc42f
SHA1 8b2dcdc5d324aeb32aba4d518874d373048cf041
SHA256 de87e9be3b0ed91922129208f9f65918825bb6a6e909ae144c20824b02c90c14
SHA512 61a07ba922ed858df04238d839f0637428dc99da858ceb82a535a4d30e242e4834e8c784606320e2e013c943bacc1ae2bc2d8d96905cf2b3cb7af65f5874541a

C:\Users\Admin\AppData\Local\Temp\OEoAQQII.bat

MD5 0ec96f7c439d0adf3ac4814dfadac45c
SHA1 2f2a72dfa88b3849b646dfa100b250696952d4f4
SHA256 cb2e96d88c9c7119176d654472cfeff8fd3d27ea7c4f5bc448a3ab333d265531
SHA512 3642f09cf3b8e975f0d87cdc1ec5eb9afbd5495d8ff6161c3b25b173db2ce913ada17fa2f7f3ab738287cc2be08ca548f95caa6b2ea21cdecff9a83003c7c78c

C:\Users\Admin\AppData\Local\Temp\SEEm.exe

MD5 6b68df9900e848c706d570d9c1b82049
SHA1 b665b51155ce9ae67ed09cb09bb1587e51fcb1f7
SHA256 30e74477c26cd0f8d5879421f01c3f9debbf8fa008e6a97e7b729d32fbec2ae5
SHA512 6a99736e5ea65c9e6f93c45f44dd605e98e22f9313e8249ca047f7bd5c4baa1dd52de10e0db88c8d2f92836c6dbd77231992964910a7e11a7abe5a3c8247d720

C:\Users\Admin\AppData\Local\Temp\lckI.exe

MD5 656e299a70fd8bc6ab78f38e2434b0f5
SHA1 5cccbe7f2f0c45ad3b4b39a3201613f0490759e6
SHA256 7a7c70dffbc8513867fb17ba599a7ce53cd923c3ada4625a622723ea22326bab
SHA512 ba6a28b15f4b900d9d48f73555f924b8bfe0bcd5cc195c8c626415951c2c16456223a6243ab19ea9ac750af6b7895fd21e5238fff1835498995956a0d90d7787

C:\Users\Admin\AppData\Local\Temp\hsAw.exe

MD5 abc4710687724e7a757fc5c07947707f
SHA1 c6e395e2884891f6a05bdc93d7f8bf2adf5f5e66
SHA256 62f5e926a84f14c9b0d010f377110a1d56871ff1eeb3d55912ca82f377eb7c73
SHA512 3144c542322da9e69ca603e58513c7df3aaffa7fa4a0ac4ba1800dd8bb7ce25c63e0aa96fc86e5253153437c7346d1df5e59598beb889c9f8f1df8531185b713

C:\Users\Admin\AppData\Local\Temp\pMsi.exe

MD5 fbd14adf17ffe324382524ac3802eb66
SHA1 043b99bdca95f974f5b96fc81acd0a6d25368127
SHA256 f34c88e35ff05ec3e7c8303d342ca45267a3b6d260ec2b9e0c7f1f61daee73ac
SHA512 883227285d85b1e183d4365deabf33acf1f6bb7cc59c22121522ac0700b6d9a659618f577a043e1954d7dd061f6364583c4bd1f56eedee7821b642e746b886b6

C:\Users\Admin\AppData\Local\Temp\xwMe.exe

MD5 2836ea6f82aa52a042a2690af834a5f5
SHA1 fed1d7e426b4ece3e251a8044b5f14aa2926e1aa
SHA256 972de222a24913e3a0184ba263486933327a3929549643f68b5ce5283ab4c0af
SHA512 11a09668261f1ebc7976ced4cfeb56b5857e0fb447b57c5f22b141144a05865da1d9881a51f61895472216b22c950d28a22fc2c15e6d4f78ed3e8749974ef6ee

C:\Users\Admin\AppData\Local\Temp\ekMk.exe

MD5 0c97d36e65ffbff7738ec3e4871e8a96
SHA1 32a9219ff2192916713a01ade8c1ae94eeae21ab
SHA256 a3d8f570ad6d2302dccea7105d3ae11407088fb30857b94090c88226cf3b52de
SHA512 fb0fe9c71004f96b77d9ccd07e55c49a1fd1751013a8016dce372fd991f0a9f5eafe3059035fd2cb5fe3f23e6eacd8259322527d62b674e7a8448601ca665c39

C:\Users\Admin\AppData\Local\Temp\JswM.exe

MD5 354b7c91bd0845391ba172791aabaf7a
SHA1 e92a8b385ef38474ad41d2d63b40484c653c555d
SHA256 e5dee4346292b2f2c9f6c9b5b7df5a32179c0eb81d6cfe58dc3e26294050463a
SHA512 c84f634329cfabb7173dc8020bbda192c2b3273f6135b9f1b58c1d8eccd2be19e6294d09967136c8ace666dc84aad04150f3902e8add5c2c21ccd5ac29e9a31d

C:\Users\Admin\AppData\Local\Temp\NooO.exe

MD5 a71b82326a507972690f8debbe03b634
SHA1 3383a37b58becccee1a5849d6d0d731d52a6dec5
SHA256 c91c68fab9aab9cfcffe7e2030155f359b2e3c49927c331d2921047081ab6280
SHA512 4ea7a89127922179fbed4458f3f0718791c41b0104314f810200fc359bebd2d618adadd665b133143c8c4df367f9e0655e739d1dcf5e01883ebeb32b29666d73

C:\Users\Admin\AppData\Local\Temp\xgYk.exe

MD5 8c2295a9c24870d27aab7ed3a3fd0d78
SHA1 aa11c98649ad975672f5c56eaa632bdf152627c1
SHA256 f9ec1c3a58a288909930944d4eddefc1c75d8782a69030cc26755c4113227d3b
SHA512 91cace4b6268c060386765c936b177bafd741c7679e996647bf561bdac91971492cf21bab2d275d9ae9a9f49afea1e73a9a3d1565781fe4ef00edd51f9f66f8a

C:\Users\Admin\AppData\Local\Temp\nckA.exe

MD5 bafb7f1b585b77a0bcc3774ac24aae57
SHA1 8c83ed7fd8c852cdd11e51c4f8ed3c372199f7e7
SHA256 679d4517d206258b5ce4030ef2dfa349ef2ee14840a3a156db9740bd6078806c
SHA512 e610e3ce685bc04498bfb258c19d2af2fd2f7b58382578945072ea38cbbc5703e903ad1f9a74a980dadf9ddf132da1690eaabbdc92f4f79525f4ea2ff697e4c9

C:\Users\Admin\AppData\Local\Temp\MowQ.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\BIsm.exe

MD5 da2b360e951c6e7784f7baed891a12f9
SHA1 d12306f78f51a21eaa96c2fe26659c7a2b108c9a
SHA256 a45b60691a0ac9a84d5d59442410fd766d33744c0612077079d7d2e29d08f4ad
SHA512 809ceb04eaa13ad08960e0a0f012c0af8be77a01aa9eeafe46075799e7b5f4e01f656a7fc09a173ce7a21299dc278900044e9cff77481c143ffe125561f6d8eb

C:\Users\Admin\AppData\Local\Temp\SMgK.exe

MD5 cc6914ab4cfc42878a91966ad90c88df
SHA1 c6432812ec321ca7af7cc45de7476ebf4e2186ee
SHA256 a3524a75f1baad87b66f19e2ac46d7c191070e10950e57a7aacca6b03c65bbb6
SHA512 cfe52cb5ba486b4ac313b976b787fc3b6617657ad799282630d8b376c91e9dd3661e41b860899cd848600e776f9ea4d75654086e0fb3810553ed3ad2ad2d1c7a

C:\Users\Admin\AppData\Local\Temp\tIMg.exe

MD5 5d78c27e92d8057c87b657b5c9e534bb
SHA1 96aa0c6e191ba0d29648b81137a7c115ea5a3181
SHA256 e802d2dcfc2bcf8d113d6cbc8f26a8f5f57bd6ad1e1ba3500b077e3236793d6a
SHA512 22a1bf4bf26b45a327651f28d8ef6b8e9930ab88b54b51e1db95914e4f0e0e85e068e1ee4b85be2dba13c2e44b41dc71d93f2deea34a39eecc163bb11e12b309

C:\Users\Admin\AppData\Local\Temp\lgAK.exe

MD5 372dfd4671053dc326409113ea306512
SHA1 f84bf3e5cc0b37906995841960cedba055cb6f0c
SHA256 5a5382f70ba9b4cd81bef5c30f4228254e9d75d659667820551aa27cfdc7891c
SHA512 21f0af6a954792daea7f65ef183ddf2739eb1754b10b25b46af8a66de674c59d0a744986178e3cecc6c480bd88b67b1769f909f9218998f7e0dc3653bfbf978c

C:\Users\Admin\AppData\Local\Temp\wwMe.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\ywIg.exe

MD5 d155801f4b4de1b1efd7aab1ea08ee60
SHA1 70987f789d7e5249c3954d40baea1bb056b6b942
SHA256 9f511af337d2bad0caae08cb9540da51da78d38715f5d0a94765a7bdbdb429bb
SHA512 6257ec984c5dcd011b032ba51c1c660466fc5d5743c2b3bf6a0c7371f2cafba9e544749c8e4eac853106de78805c1b9cb6f68bdffb6b2c5ac6d0ef20d42fdf6d

C:\Users\Admin\Pictures\DisableInitialize.jpg.exe

MD5 bec15382f4c2ce4dc24657c40554cd22
SHA1 52981718b0432d131a59ea805781d40059219f73
SHA256 1bd6e5ff2672b7c9fb5f98c88b1310eb32b98888598f698e56a3be4405367827
SHA512 0e62adf6c12f8f74fc2eb900fbbd2698087c8e48fcb07fdb1e64ece73cc5eaa65b6facc0d2a6b534a738e3d64024ac10e537df79178800156d2f885e3d3ce998

C:\Users\Admin\AppData\Local\Temp\ZYUg.exe

MD5 382e54a770b4c32cfc9680ee41dbf498
SHA1 b2ffc6eb1d2e8e7e9796b0c46cc8fa910fbe1f79
SHA256 1d853e4a7cb1fdb748f38d719eb87adf3e2a35e663e416523055f054e49be50e
SHA512 948506c3ed85cbec9a8a686a9061c54e8647935adfb9433b46bee2022904f237cb1c902578b54d8c6bc3ee799728b07e830d9f8205c1df440f0685f93472ebba

C:\Users\Admin\AppData\Local\Temp\lEUq.exe

MD5 43a6da623d46b2925852140758295e30
SHA1 d2145d4fe5742d0ec5deb4570a2e75f37054ead6
SHA256 c2e203d0dd89a0339053d827cd3097c18102e0ac09dc2dda9de7b8e8e9e276eb
SHA512 a4a049d9363b94948068c5a55c9feb070df4c893634efd11547b0259e45c019e337a7a56746bf4859c0c5f19c1147c18b9ed393e039ff16b7391ec8148743e66

C:\Users\Admin\AppData\Local\Temp\LAgu.exe

MD5 b280133cbfdba31d95461c03bc1143e6
SHA1 46ae131fb69de5f60e2f25b9f675b19544012bc6
SHA256 e93e9744345541e4d8ac1b781ae4965550c16f7a87873207ac13979404460050
SHA512 468c2e751f50d5a7953f928527e012cc1d7f9cbc358892ed79e2f1641f6c6d36d2e07aa157f744ead9afb9a35f92103ad95a90bf6b2f9594a35d554e1461b323

C:\Users\Admin\AppData\Local\Temp\eUsy.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\iUgK.exe

MD5 27029a9ad94430e453ae63b36d762677
SHA1 0b5f5f6360052babd2c857f546379c94d90bef45
SHA256 a90d87d14223d06c69d948bfccf8ac670888a6a47712f9b7c6cab964df7c76e8
SHA512 c51dc25132f5c4c73607cd402126a522f430f427996a34a9c752f326a39fe04593d73e6b267f1fda45d3b0342ed0deaf7a5f2325f5b792ec1edddd9fbb87d9be

C:\Users\Admin\AppData\Local\Temp\usks.exe

MD5 8ab7ca97229559290d77b8748e9cd2f4
SHA1 b35b5e0361e937eb88ac14fe279cc97d41009d10
SHA256 4a3c6047452284930b7fe7387ea041d9c85dfba7a10fe0e7d54cb8d340318432
SHA512 eec8e17e8c92255180c94a36b577c62c632eda4bc761f19a9e9bcbb95c82f0501c285fc8c9688de9f174f52517e1a71a60fb13c736af23db0fb27686d9ab185f

C:\Users\Admin\AppData\Local\Temp\qQgQ.exe

MD5 facb1f6e49e83d6bdae7156d5f9d3fa5
SHA1 a717a5ae8f322ddde9f0f10227cd821443745ed6
SHA256 c808e5417c30e1ce831c61fcc4dfb2ee3658e7b1a5339a1cd745c43f1f3c7f71
SHA512 5ab8dfaf985ebde52c10153d8cdfab5769ce933affc42f91d3e512dc579bf4240adbca15113afee4e3c90f042c3a2f111d7d9d23ac195aa60bf769b687472518

C:\Users\Admin\AppData\Local\Temp\AcMS.exe

MD5 233d35e874aee095a1261875748abae3
SHA1 63b259c4b3d8a2389833c8858ff3b7407ee8e394
SHA256 1760953e97bc2116ac51b6a9f09425c8e7284fcd991f4332b1cd290af939c984
SHA512 5f1a57349ca540e226c008f03a0feb38e2b41004dc6368e8cb87f72a4f765b92a57b6c30f8c7c2240071d0090328fa931840d32b1f597cfbf9346fb8d5442ab2

C:\Users\Admin\AppData\Local\Temp\lMgW.exe

MD5 1a5557a020626028a8867afcde3b1518
SHA1 c92fd1b39167abba015b2fcd7a46bd2220c4cbd8
SHA256 a0ca4bd2bf49ca27700ae4226115ed3c9cb20b6b270c54e670c2abb8433f759c
SHA512 ea3be8201f69eef53134e31ba9e38ef7e07a209c6316b0ee0d29fc01674c9b2cb410703dbd440d875f4501d81d31c871f6f032b978fbbd6b3d85cf6a8dfa9352

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 1600d6138a436b69768c606e8bbde66f
SHA1 41654a75df307e99837aad00a22c994393033f8a
SHA256 8da1ac092a0da360c66cfa6a9e5eaeedcc17d379a278a47b53a99dc06e0f9fd7
SHA512 f24f5734e17d88b4e5f43fd838af6413ab7af27bef4143bd6d3e7a06fb22af92667bdbb70d743f6c49f386d6a0219e4ee55cbe69e4c0f88cb4346febfcc58d08

C:\Users\Admin\AppData\Local\Temp\mUcC.exe

MD5 e4a895f54b532d2c78326f51637db822
SHA1 e01a72671228180b98996cc8bc0646639b0f5608
SHA256 54d9c36c2b8a93f9d580af0d50fe7c88cb5b6357331ab014d6cb955bede24ce3
SHA512 50ee635a2ba07937a67fc2cf03bc1a73bfc72726d47a23042866cf36fb62665894e3b1ed0c7afe96597a8f684c68188633b610e7d6bb924af1c7f5532c8db18a

C:\Users\Admin\AppData\Local\Temp\UYgo.exe

MD5 22685db933cd31969c76d8fa255de110
SHA1 e08aa610ec4842cbe842e91acdb83dff8a3d308e
SHA256 be3c326bea636f697c2865bde120b002617fd2df6245f47877661b70c78be63e
SHA512 c97b7881379056c2c61e7ee8afe751d33ff653e5f50e5d000f56bba57cd27a55dc18b26b1ed7b2622ebee4efe42819181ddad380840fe27c4d938ef0b6148c1e

C:\Users\Admin\AppData\Local\Temp\oEIc.exe

MD5 ca2c9d1b22991ace3cad43eca7d0884d
SHA1 9248641dc64c80d68ea76f3078764a3ffe5e11af
SHA256 9a4d26a10098883eacf670b25356de33efbc5ad2de5c057823131c9f109565b5
SHA512 b882e137b40bce73937ced7df38d7b6d7bce5562c54abc643db23a849c15c7feaf5961f9c1b42bd424b3a0ef9d158ab163561f4d4bf0ee8c799bf0bd21036b5d

C:\Users\Admin\AppData\Local\Temp\Nowk.exe

MD5 1868d354803846229ddf607ecc337c1c
SHA1 62673a214a901e121224e4d8b20eb43276ea143f
SHA256 d8a8e3c6101935ac430567026ce049dd4dff0ee33a7609c98d0c4cbbe1aabb71
SHA512 0e00838e95d91d9ef1089ff80528697d532c9efca78942bd3c0d536d68843271675dc1a8873ce62b6330abcea8049dfe68a6683839e747aef5aa926f7aa4e16b

C:\Users\Admin\AppData\Local\Temp\HwgW.exe

MD5 09a60568cd526567d34abe1bd68a03d8
SHA1 de396922c40c7f3fae859e77fcf2652aa04d77bf
SHA256 62f06b2368e56c99c407f2e1a0ea4ea607d602d8f21ed2237d696548d411f203
SHA512 68281cf0cef9638ed3b52f71b7d99c48fe1e59d1cc802a0e520460e023b37430fef4364cdfc3a25289f5602fd8afde8bc27e1d073c59c49efc5d931f04e0e8bf

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 51c5b7e51fd652c11c146d6bfb99dc4b
SHA1 21288dc28cbfc0852f6af9007ced906652a3ec81
SHA256 463df88a03da40e41240ed939976111e74a17467c12a021d6f5b59f35afded58
SHA512 c77944c24cbee0846157ef612f65e41b023cf87d25c87725d99d8dce03e2d87bf446098aa0b1dffc8affe575ce18a6b7095ac73eb0e2c4d544db040428a917ac

C:\Users\Admin\AppData\Local\Temp\FIgG.exe

MD5 b90554c5187789fac188404075782192
SHA1 85905d8615f36df772ad8926951db8e573e357dd
SHA256 4b06a7bb95eba00231a5a39f5dec7821aea78e5877e328328658eda5ea868b59
SHA512 e2c39b8cf833ebbbaa6870d4dc1e1a92888d251b6c4bc75b426ff82d7e5cdd69f2fc5a08bcb111f577076dc9f14e83430be6ca9a88b9c5e8205fa684a051bf7a

C:\Users\Admin\AppData\Local\Temp\nUsI.exe

MD5 af343ad3bec63cd15e0e7c022a9ec737
SHA1 14000df073dc57e55a5844071a9ccb745ac51e81
SHA256 0a61a18b47657f1aedebed985bed9db302c6e16b77f6df3786a842b2e5d27902
SHA512 88eb47732dcb5d367ec363193eb53d33185c29b35604a5e7dc526d446cfe25c1a159b52c4c6caca937bbb11ee87257bcb871b0e87c95a9905261a81a844dc4cb

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 72a7f1689f51f9924120f02f512a9ee6
SHA1 189728b08bbad4dff9a9fe7509ede0dd5ffd99c6
SHA256 374c5036d115f44856418c44d253ca3eb9285a2f74c21d7bb262ae27ca8325dd
SHA512 6f5e5938c43320fad6393042751c97ed3abb465b6e89e9fde9c4d56be0d63b5a94370a7d0bacf3a9f24ddf2d2ffd2a27dc2b9fd9bf28208c95ab0a452cec0714

C:\Users\Admin\AppData\Local\Temp\NYEI.exe

MD5 18caf70281d6f586a836994b7d50319b
SHA1 0911c81b6b807cae9fd3ff513d121e658050f35c
SHA256 74737ca06be475d79ed41ea448cd2ebb13bb46b66713d88a32fa4f779da1567e
SHA512 1926a711c897ee1255069f16bc213dcdd899bb9e9d1f7574b65ce0eaceab3beaaf038c5131a3421d839f2d0a3b582d2a37f3075d0b5edd4ffa5923a2b540fb61

C:\Users\Admin\AppData\Local\Temp\Pssm.exe

MD5 a92adde99c967743c876b33a6b5b7ddd
SHA1 3e52f7c6ecf9982fe9adb3bcee3982ed79c28143
SHA256 731092918c07b5343c49c9b0b0e54e953e5c3a14fba0279941db398fa93fdac0
SHA512 24f7385614ec4baf1f6c97318b613599f0b53c3218518a5e60b8560b807bffb38909d852ce1f9cd226957f946d123afe822b2a797c4f6fecf6c4661780127a25

C:\Users\Admin\AppData\Local\Temp\GMMk.exe

MD5 fc48274ad35478a717a80fb08e6149cd
SHA1 af917a0111b51ad2eafacbaa065846502b36a388
SHA256 69dfa9ce9ef0c7ec59fd2e8391c831122426e322d8bed1dfbcff204d33020c96
SHA512 3bd6dda1011a486529cc0133f0feabdfbbe02d640f19a3f45da392194a621fb8e807006004d5a83671b4b4fa3910a3f68dc45cc991d047f18b31e9938caef62c

C:\Users\Admin\AppData\Local\Temp\ToEg.exe

MD5 7839fced6c2d325b5f00bba5429250db
SHA1 c13b06393e2585a6cdb4e13c4cb742abef45a6e6
SHA256 35b5a951bd95db3fafc3201f873ff50db9d34a7ef30bcf5f1fa26e25a5d231dc
SHA512 a6cead3a035d42eed14460dd9335da0eeca0d5f4e0d115fb4c1ef51a2f86b220f33c441cad5e0129b3dd3c3c186548e0d4814f3e3f7ca3318719c64760987f94

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 8feae2b393d469aab74cd263352677fe
SHA1 2160b779881350cb303fbfd23580df3aed504b30
SHA256 c7570e0a8aaeb5e974546efcda467d45c2bffe6e72561f6d7371ce3f8e5ff7a1
SHA512 5e54539cb05ef67ad7718bc6c88dca0242d3965ba1c498560608b1ad9ee92d41f94cc135a3363c31f6c94a45f0212d7dfedee5390057d1407d3d0e9f4042c397

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 06a271cce4816ba548340b947bbd5513
SHA1 d44c389383bbe9a58cd07bd20ef79d25a73260db
SHA256 1f3d5f888dad47dab59dbfe9e25f1a3ae51986fc26ca33e6a238c4a144f472a5
SHA512 f59dc96bd6728964e0a004c9b74862faf2ded88cb9aa9bf3392e0033fc7b01879ec2f8764fc470637320a90406b9b83dfec40a5a7aa28bdabb7f34f37cb75b8d

C:\Users\Admin\AppData\Local\Temp\Skgy.exe

MD5 ab82b59c00bb02c620e80adc46762dfd
SHA1 d436e1b72a388d62675d3f3326d31dcf50d75b37
SHA256 730bba3a9a4b1f580d09f3d205745839fdcfbddebac78a5ba274b784976c50df
SHA512 25cc94c595e3203fcf602bbf1de54d1a6ba3c452872131c88d31d7c9633945a696210564744288177e50bbba3b0ad3bec1c943905494b0d8a4a33e1fdf0d162a

C:\Users\Admin\AppData\Local\Temp\cQYM.exe

MD5 5cc934dc858cb0937696a27976c13ab8
SHA1 b0cfb52fd45d9c89779dae56007ccf376e915900
SHA256 28f6400bbb6d0a42795acad117ebce5128a293235b3b85c51ccad2c6f29de74e
SHA512 3b2f025803b9911ae2bfc40d7050100a539e75da6ee177551d017a11bda464b487e63feeca4ac0e942549892f15b8be77feacab6db708daa5a7a79ddc7a2b8d3

C:\Users\Admin\AppData\Local\Temp\jsUK.exe

MD5 681d52ff12b23fbe8882a26dd434f474
SHA1 b901cf01616e6afd9afc72ec7ff67ef77ba91666
SHA256 7559b5cc63998d466583ab0d168159b7a2b4a67602242b04ddff0fcf7a9ca6b6
SHA512 e8fc409b2e3d3e371074309da583744e01a89bd761bc9cec541502c8812e70a056cb05b1d1b5a08c2c89c7f426a450e237004dbf5cc88aded5b119cce82f479b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 5732bca4170e052609d7c79444a01010
SHA1 1f16d2bfb72e0c2792b215ea53ccffede9c3ef54
SHA256 3d77e902f8954d0aefb3c1c76cd04c8b9748507b4fd20e73b287e472a2e6b570
SHA512 5805a77924808d724a47130bc6312c7dffd6932d5c42d11aacb92f669eae2d2097df61bc4f7fbf940f586b2334cf624321ecad1c500ec4506263df35743ab272

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 54b33df04bb1dc02fb0dafce045656ba
SHA1 e01f20deae8bef111f9b0b9d58def4bd196adcd1
SHA256 1e16273285d9811b7e9cf7ca2021d301c2ae095a0e6e04a3efba73fc269213d2
SHA512 4140e3dde452455340eb8ee5062fcb0db2a60ca43d06e85e5284f270ef4d9b90d1c03886874826b095fc3d077453648beaf5bb0fc398a4436f35ab46ff0c6d95

C:\Users\Admin\AppData\Local\Temp\sUMw.exe

MD5 2bbdfaf536e16e6c84d74e95f0535fdc
SHA1 c81b718b23bb3c48d35163d12f24d33b6a9f6555
SHA256 69752bf85befec5f37178ed41a70af6977082206bd9bbe36f8d521e901e0a830
SHA512 1340d02bea79b73244777709ee9f490cca172f4622e700838d2bd09d3871c74be9c198f2636df958d15907dcc6001a9cb2638dbd4c8296287a29de90ed1bcd31

C:\Users\Admin\AppData\Local\Temp\iQcS.exe

MD5 7a81361c1f3027e5a0daaea7cd511746
SHA1 3b83eadfa447d18c05fad441b061e69bbfa46551
SHA256 2478d37d8e534f4b896c7973ec47b1983f36940a463f1dc5e143a720fc0ba87e
SHA512 eb3384e37037a92c382a7ff7cae9beb89e6349fae4e828ec407162fd56332e838b0f0dd2f3181ddcfa0ff1058bfaf3a2ff36bb77ba205978b900f6da5b03f68d

C:\Users\Admin\AppData\Local\Temp\zIww.exe

MD5 dbb37b3e4f480c6e1baa8d2969e7e1bb
SHA1 dac146afc51b5b4a479743cadeec3a51e8d0c315
SHA256 539771f817b2df95b31938bc7d656bffaf5e3c7b6af56c18ca6e325b796e5758
SHA512 eb3389134980a48b464da96b2e4dd34557b9bbf3b70995d74195fb67d96664f67d7cc5193821657d65f272eaba105807a4c00a4791f072414135dffa29b93a29

C:\Users\Admin\AppData\Local\Temp\IcAY.exe

MD5 041f581d37a3ddf0f1d68f5ded863dd6
SHA1 abbc98781f9e1f9baa7daca2095eefe215f2be7f
SHA256 c14c388e694f6cfc048c35774f0ee5f7cb3d83a2e9dadec598d0daabf924ca5b
SHA512 40e209966aa72c21eb21cab55010d7e35ef3e803ac46ec1ef6969d058048a4ca5199aa3d5a965bcd445c1b4952e947b1f166a9e659b6682f2bd50036ca915cc0

C:\Users\Admin\AppData\Local\Temp\rwsE.exe

MD5 443225af7f984c57e0e30dc63e34eb8c
SHA1 249305692e9d1a4ede11c1ed6e3b5b2582dd52a4
SHA256 2b96e0ddeffb942ad5d01bae76f79a1f186738e0473e109ff63c3f7de144dab0
SHA512 9bccbddf020ec0b5e486d03c92a105106fb8b579bb18c69cfcccfcb70be174059850d1232a789e89874eb504c17727e5faee37441a6e7fbfe2a1ae0369c6a07c

C:\Users\Admin\AppData\Local\Temp\vsQS.exe

MD5 0276de040a526cb3b5cacdd3cf6ee69e
SHA1 f4bbfef9dc47c42a23dd0ee5f2964ddf7b872f83
SHA256 19f040c345202978ca2890ca0641d4be027389e114d2a88156829f4fc22f80de
SHA512 43436384b85b94516d0a472a4763ad623542daff1af6391878903ccbdf8b72f6e4398801fec6e0fcbb89aa3889f3db54f3a25ec7cedaa3d514b4253c6b2bd9a7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 b0d5100557b9558a2f962b4004118af9
SHA1 44479625e3165244d7433afc5909f372c6585343
SHA256 6e7741f2fad4f240b4ad5eff53a48f49011bedc211e52a73f5c1f0055d90ed9b
SHA512 db12c61803fb4f18ba9d0b67aedc1809f8124873e2c1e4d804a17e9f94388f686a1903e05d134196632798396990e401adc69a0d28028cdd0412793d6f69185e

C:\Users\Admin\AppData\Local\Temp\XYYw.exe

MD5 12c704998a4f71f40e87de8b930419ce
SHA1 833e77123c7ae457baf44b62d333f28dbda035a1
SHA256 e322ef2c25717a6d478ab314873b47737d72e0734a6066365e7a295ad4d45f90
SHA512 cc63b987147308e6a2ad520f286e836d03989fd011b14d5b3c9ac099bd8f72b1f808386f29f7d44928ad98a69af1a188fdd0b2ed9d6112b7adb3d7365733a0e2

C:\Users\Admin\AppData\Local\Temp\HocG.exe

MD5 edd1373c99d277b5c2511188225e58c5
SHA1 f02084aa17a693690a79293e9861c7c08f780134
SHA256 cf1e6902489371bba348051ec8d495ddd7bbbbcae8f7ee2452be513ed654ca66
SHA512 90ba37c97cdb1c72c0e0725c01b32ecd346d30eb6d31b441778c739e1213505751e7d580e8e46f5dab89e646d3c642aa38bdb544dfd9740447336c42dccae979

C:\Users\Admin\AppData\Local\Temp\vsso.exe

MD5 67948cc0a467a92d0858f0497baea95b
SHA1 343af7888b788b8d2f39a4f86b47b5b6166004a5
SHA256 b1a52af254b86d505b0eb122d9181d97f5409da81831751313fa7641e882fcb2
SHA512 60686b864c059eeaf8bdad78bf9f9b37d0b0003a071622180febccac03def8bc02721d2e52c5c0b0d04155113019f4ccee33b59b8c8ea6fa36d1739e8864c9eb

C:\Users\Admin\AppData\Local\Temp\okEU.exe

MD5 e34c09b58fc140b52b1192f505406105
SHA1 75b354f4d6afb892900633b24c7bad11ec2d096a
SHA256 f3f530259260727efcb6b6228b17eaaf270f162a2567d3e92d6e11eccb948c80
SHA512 274de3668dc8e381eb6b2ba8d2f65fb83b86e39c1439f7fc36cc146b3f7846cc00c730bf5fca76b9ede0d5f66a17f5889d08b944cf41ed5f35344089aa60d62e

C:\Users\Admin\AppData\Local\Temp\ZMgo.exe

MD5 d26cb435df503c4f3660244dda1eaafd
SHA1 609116c41d9def88c5f03401548d9c02763ff992
SHA256 fbbb3c2c34cbe963b706cde155a454a6604980bdcd3bf3e879e329a1534cb55c
SHA512 48bb0e3e0210fba8f86c3985bb3a687075704efe405673af3d37940ea4a1ed55ebdf4386146e249ad11bcbcbbe9f467b773548b245845b51d916fef41300a338

C:\Users\Admin\AppData\Local\Temp\OgMe.exe

MD5 fffe9527544868975092599c18cc24d9
SHA1 b4447b516765b839a494806ad98e8635d8e48fc7
SHA256 5e8b51d3326e64b876494f16b894d6bc98e6718d642616c35acdfafc962e119e
SHA512 4752385f896e5cb134d189cfda1644088ebd0cbe5269606c8583115fafa0380c6c69bb52b8b8854f4c92442ea8fb5297f7476a44e2e72e6bc839323e81fe795d

C:\Users\Admin\AppData\Local\Temp\mQAw.exe

MD5 35210fc9732d64641ddd1bcef5028ab5
SHA1 3c1e69c36c880cf84effb661e2449fa68cce0dd1
SHA256 09a2f0a3649bd37f25837c3a42626f41eef04c6e4f93e5ab9d68393964aba87e
SHA512 a6e654cee3bc7185b4adc4dbd650917259eb2290a81c5567c92c2c8cae7c8cd6c1f431460145df52cb0d114fb7982f8d5ab173edd93fa826a8b1fb431f7a9867

C:\Users\Admin\AppData\Local\Temp\JUgy.exe

MD5 5422f7983bf4496806f4101c968b9b08
SHA1 f678a48d2e03bab903e5a4e0a7000b3347c86e05
SHA256 cd6d89802efe09d4c592ccf948655cc485500f7b5f2c51b4bbbe951912c68e9a
SHA512 8c79e6b9970de26d26f320ad00218ce62e6276cac7aaba196d089f3cb87b84757c4bd557ed17617f7063a0e077b4bfb6310c7d3132abc313d7c53eea7875d60f

C:\Users\Admin\AppData\Local\Temp\GYco.exe

MD5 1e59f592384e62c4581513129108e0ae
SHA1 d682b16ea3e2279bd30cb48f6cb0ca7eac210445
SHA256 489fd736f6bbacf270c2016c1523c36946d853be24d6bc84c972840f2d682024
SHA512 6115c09662efcdf05c5a9514c3cf9ef652c0bba56bc28dc5084f9f19a8508b45034c7ea751d38414aaf4795cd6cfb928d9fa0830d3e2ba55b803983c37356418

C:\Users\Admin\AppData\Local\Temp\EggW.exe

MD5 613c0b48475934821221e1a63a8b9241
SHA1 3b673f0c4195775b5a3aa962eb091f3709065038
SHA256 e7123ff2cdb1481ae243ec837ec9db6a89da79f5eaf184772629f0afb1ae780b
SHA512 ce26bd2b282e0b785441a1947a3bde73945d608ee90c9861d9c42d1e952e47e5180e2d194954e1d49716887f039981762b36e2b107c04ec02113cac4bf42bc02

C:\Users\Admin\AppData\Local\Temp\voIc.exe

MD5 51c99e980122dbb4e3f4e1d460be1c27
SHA1 0292e896fb6fc6775c8c87538c0f2446dd8260fb
SHA256 03db430919ca94408035985c5d4320e2c1b87c4b14cdf8fa76e6ffed2192143f
SHA512 75fdefdc424b43c3f0f26e0f79b6836b583f1803d7da31314e014f8dc19c95bcc32a50d0f79349b884b629d228625ad0638ff01fedb85e919514ad06bed8dcbf

C:\Users\Admin\AppData\Local\Temp\awQg.exe

MD5 7b8be6e8525ba3e053eb27ef18bb8543
SHA1 4d8cb5df0b850a94715321c665c1d40cacc2d124
SHA256 77c4f63177961af550c584112a9dfd80bf13937f96538726d0a1a9c35e31742c
SHA512 ea6af5b243c0e7cbbac7ba5e657d30d51580fe51bac5e0833050bebe048f027de00014cf013aa65025d4c6c9005483aeb093b6425809fa75662162f9fd7ce2f3

C:\Users\Admin\AppData\Local\Temp\IsUe.exe

MD5 62590e7702d18919a1551b545368c34b
SHA1 681aaa59e2cad52b5ad7a2a40e95a83fec403118
SHA256 338c90279d7bbe2117f734e47e85e073184babfefb71b5fd272a897169c79b98
SHA512 becdfb3b86324c86775fb25a61e137feb0dc2468f827ca68225dc94fb823f7ea44e038771ffa8c034db473c6007652ea62649f8489b461695b8f632f0672865c

C:\Users\Admin\AppData\Local\Temp\UYQO.exe

MD5 ef4db9b42130302bee1e581d0ff4a13c
SHA1 edf2162519cac0fc4107be557ffb6153377951a4
SHA256 93e28b78fe1835de6fc94529c9b6f5e687ae717878e9c6c66fc8ae2307bb52ef
SHA512 048fa0a2866226cfff83c03c3599a997cb58976cfa278a0ad0d830b6ed5ad7cc4122b8f1cd3e2ba039de3f234351d191b7dc1a4791fb072f25eef0de7657dcba

C:\Users\Admin\AppData\Local\Temp\Jkki.exe

MD5 781a216b41068f14550f5edad4ce73ad
SHA1 f6969f190be19e8ec414edde87f26758dbe180f8
SHA256 4cef06481735c2016cd0c129c46dad9bc587094e74dd47f8b7fcb1eda123157f
SHA512 bc668d7be795409cd62850921f4f36be653dc7c927fb1258f5389b025b08593992662119f77377d19a8dade4fcba39f749a64fc209e5742e0dc49611141998ae

C:\Users\Admin\AppData\Local\Temp\vEgC.exe

MD5 c02044ab8cdabc2a2b782d941080f7e3
SHA1 cbe3022b9fdd547e92c0f7609d30905b62e031d2
SHA256 5a2c584d0d7091369e1e6cd894ec4a25098905a6604b086ed2a883807882a5e1
SHA512 20da3472d2f55a14fdf9f889c313bec3f948db45f6ae6eec2668777422da1d4ac26ef3d2244cbf2b3ae7c86caad77d024f469ecc9135d9feed82ea32d89bb0bd

C:\Users\Admin\AppData\Local\Temp\sgse.exe

MD5 b951c36741e3e86fae6e81aaea2f1505
SHA1 14dcf8d29b95acdbcf68db8f8cce76e904c313aa
SHA256 782b52c0174dca868a7a22efcfa2505a4301f202823a8693e6ecacc469c1ee41
SHA512 24902c1b77956ff0d292e306bdb781161c3d71a395b3ac1d3d46ebade5d94be82ac43a29abcfc500e388b6ca8f6676df6e9cfd3b92f419b0b83d783cc4bc7696

C:\Users\Admin\AppData\Local\Temp\yUEe.exe

MD5 03d0f02b855b36274982a5b9103c840c
SHA1 6e7c9b02b7a3d63bc24770deafaafbfe55119bbd
SHA256 c6dbab09f3564b379600c6e054c296cc71461cd17f84bea7cbb2fd2d038a88f8
SHA512 db88a327413f70726fe8421895baccb55abcdb5fda81eae0eb13b317f20dea966934645730962afc49ced0cf6b53f5a82b7665a412acbad961632511fd51f27d

C:\Users\Admin\AppData\Local\Temp\xMgs.exe

MD5 aadf92e4b89ac6c3965aa7bdd2e3293c
SHA1 532cdcb24ddcc034cda3ff2149989369dbfd9d07
SHA256 93a62c8989f08f253b51fd74c2af3bcc2abc6b337a807ad6b903d1393c85cda8
SHA512 f3f25059946505aad089fe51c720489db5e53b5f60b5dff3a68e462aab8bdcf3b632d844fc1c755350afe7918cfc0e3705e2db37ee336450f861565190999a06

C:\Users\Admin\AppData\Local\Temp\rQcO.exe

MD5 50fd4997109f711a025c36f108c59f22
SHA1 5d650247e4b8bf3b6128a91603d82ac1b6674940
SHA256 9e17318df40ff8edf9023725d865c464ea89fc20d4487f53a1ab4a9d1cd5c7c8
SHA512 cd42990b16d52e68b113c116c57d1fb7a67fea87c16b736fcfb9eadd59fe5382cf61233d2df83c0d5c469dc74faa84d3d87830f6132f3a997d84b7d99a9910bf

C:\Users\Admin\AppData\Local\Temp\qQME.exe

MD5 23c1da9fe447926f112bf1fc54e0a6cb
SHA1 f84f9477c24132a16cc4f4de20729fde5490d596
SHA256 eb8f39a2d6478e497795c7522be26b2529c0eca56e693988fa87d2c6d69e9bc5
SHA512 d4fe572d00e3b79185eebc6f20774684fd1fd8b1cfb2bf817414a40e7275370e4beb208382243390ab03a053f8b8cb39aaeb66e3bb531e42e723d9da5a9d0e1c

C:\Users\Admin\AppData\Local\Temp\NsIq.exe

MD5 1334b061c83c99e3302103d44848c05d
SHA1 9b9fb03c9c1e536b3f6f138877cf4c6523d3e7fb
SHA256 128dbd8a2949303931915b03bb34a9f1680f4656d48d6dc27b7804699969223d
SHA512 a8d9c8015c02d363e30fb9aaff5c78376cb576ff1c9717230a59a84d2dd48b7a7426dd59d1ba78408bbdd662b2f28671ac342727e993ec976ab63c9a2989c3bd

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 18:56

Reported

2024-04-03 18:59

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (82) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\ProgramData\XIUQsgkk\PuMogUIg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PuMogUIg.exe = "C:\\ProgramData\\XIUQsgkk\\PuMogUIg.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YyQMkQkM.exe = "C:\\Users\\Admin\\VOAYAEAQ\\YyQMkQkM.exe" C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PuMogUIg.exe = "C:\\ProgramData\\XIUQsgkk\\PuMogUIg.exe" C:\ProgramData\XIUQsgkk\PuMogUIg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YyQMkQkM.exe = "C:\\Users\\Admin\\VOAYAEAQ\\YyQMkQkM.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A
N/A N/A C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3224 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe
PID 3224 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe
PID 3224 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe
PID 3224 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\ProgramData\XIUQsgkk\PuMogUIg.exe
PID 3224 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\ProgramData\XIUQsgkk\PuMogUIg.exe
PID 3224 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\ProgramData\XIUQsgkk\PuMogUIg.exe
PID 3224 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3224 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3224 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3224 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3224 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3224 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3224 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3224 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3224 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3224 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3224 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3224 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3224 wrote to memory of 5832 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3224 wrote to memory of 5832 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3224 wrote to memory of 5832 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
PID 1132 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
PID 1132 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
PID 5832 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5832 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5832 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4544 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 6064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
PID 1548 wrote to memory of 6064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
PID 1548 wrote to memory of 6064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
PID 4544 wrote to memory of 5368 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4544 wrote to memory of 5368 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4544 wrote to memory of 5368 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4544 wrote to memory of 5328 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4544 wrote to memory of 5328 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4544 wrote to memory of 5328 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4544 wrote to memory of 5356 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4544 wrote to memory of 5356 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4544 wrote to memory of 5356 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4544 wrote to memory of 5184 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 5184 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 5184 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 6064 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 6064 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 6064 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5184 wrote to memory of 5416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5184 wrote to memory of 5416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5184 wrote to memory of 5416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3060 wrote to memory of 5080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
PID 3060 wrote to memory of 5080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
PID 3060 wrote to memory of 5080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
PID 6064 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 6064 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 6064 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 6064 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 6064 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 6064 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 6064 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 6064 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 6064 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 6064 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe"

C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe

"C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe"

C:\ProgramData\XIUQsgkk\PuMogUIg.exe

"C:\ProgramData\XIUQsgkk\PuMogUIg.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQcIcUoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KoQEUAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwwYkYUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYAsYUwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGcwQEkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMoUwsAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeQAMYco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMEcsYAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwgsUMQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIIwUgUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awYsgQoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogYgYsAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkQwMwYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCUwwoIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUEYoccc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqQcswgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkwAgYwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSAoEQAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCEUIgQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiUQocAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngAAEYgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEAckQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DOwkQAYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSwMogsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwsckEkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUsgsEIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEIoMgsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGEUAEkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOwUwMAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUUcMIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeQwYUYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESYsgcsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mcIsMQwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liYkkkMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCEQEgsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HakIYEIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqEEUAME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYsAEQMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSoAssMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muYIEkUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaYYEUYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYMoYcMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUEUokUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoMAEAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAQIEgww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aoIMAwsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCUkkIQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heUckMMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOAMMsIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hckcAAMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAsoQkEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwIsAMEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScEYswos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQYEAEQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKcEQIwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKcMYIIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcYAUcUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCsoEogk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCQQgUkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\osAUYQYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSswAYYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMgsoYwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMQosswo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twkgQIww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKoUIwEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwsAMsQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsAgkAcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiYEIMoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMkAUQAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgMsosIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqggEQwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xUowYYog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMQQoUMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USYYgAIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqksMcgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUoAEMoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwYUksYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOsMQQMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcEggUUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYwYcwws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWUIIwEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWoowUEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGQQYsgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCQAIUQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcIwcgcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkMkwooQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cswUEAoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MGogAIwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgwAAIMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIUUkIMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xassEwwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSosEkQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYMcQMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAgscYwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JoQUogIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIwQsIQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 142.250.200.46:80 google.com tcp
GB 142.250.200.46:80 google.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 227.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 218.122.19.2.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/3224-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe

MD5 d60bc4fad8befe21dc6d79b7693bf90b
SHA1 d0dce6f5dd37c7cb125f76d75a42459554f98a0d
SHA256 5375266368324668245888ebd139f192e282abb5a7e9d27ff6e0ab0aef3324ba
SHA512 0932b87b1da3dab23bdd1dc12d4f1443b1bd2397580576cfe87c4dc0cb5f65f1aa9bc0fd3716067f59abd486e8af850e3fbb0184c9a71dbcd3dabc77e1906343

memory/4340-12-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\XIUQsgkk\PuMogUIg.exe

MD5 2517ba7f08b001d8833cb847e67a2c22
SHA1 0e9c91d3fbaafe97af63b7c08437611292e7d833
SHA256 7bbb19dc274205a2fcc900f6ed40fc608073c1be8be54e1cdf02f857aa6428e6
SHA512 e709c927c8ccdbcc8a6e5ff964a2be082fc9cb644b42e5e2689600b357892bd861018944f8bb8e0149cd942c878d78562ed7e561086ad369815ce9590ed72979

memory/2656-15-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3224-19-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gQcIcUoI.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock

MD5 5f6870e505406f5a8e8fa594b6d5bafb
SHA1 4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb
SHA256 f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a
SHA512 b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

memory/6064-27-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4544-31-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5080-42-0x0000000000400000-0x000000000041F000-memory.dmp

memory/6064-41-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3732-51-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5080-55-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1740-63-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3732-67-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2884-75-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1740-79-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2884-90-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3844-98-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4016-102-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3844-113-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2756-121-0x0000000000400000-0x000000000041F000-memory.dmp

memory/388-125-0x0000000000400000-0x000000000041F000-memory.dmp

memory/548-133-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2756-137-0x0000000000400000-0x000000000041F000-memory.dmp

memory/548-148-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5204-159-0x0000000000400000-0x000000000041F000-memory.dmp

memory/944-168-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3724-171-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4900-183-0x0000000000400000-0x000000000041F000-memory.dmp

memory/944-182-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5984-194-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4900-195-0x0000000000400000-0x000000000041F000-memory.dmp

memory/208-203-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5984-207-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3888-215-0x0000000000400000-0x000000000041F000-memory.dmp

memory/208-219-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4636-227-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3888-231-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4636-242-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5088-243-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5088-254-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5656-255-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5656-263-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3188-271-0x0000000000400000-0x000000000041F000-memory.dmp

memory/100-272-0x0000000000400000-0x000000000041F000-memory.dmp

memory/100-280-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3556-288-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1524-289-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1704-297-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1524-298-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1704-306-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4540-308-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4540-315-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5224-316-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5224-324-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3944-325-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3944-333-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1696-341-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4204-343-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4204-350-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4544-351-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1444-360-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4544-359-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1444-368-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3560-373-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2960-377-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iksg.exe

MD5 21c38b83fa6fbc5dd3d31f33faafa8b8
SHA1 7112ae4e9573ad0a8ac08dfcff1613b667157408
SHA256 655cd92971cee3bc333bfb43419b3e45c85bcd9dc0ff7c38efc13742b939bc5a
SHA512 4365215326b025d330b1bebca0f6eab535d1ce5db0428ce09be0d542abad9391b003b86960b3ba28b7699ec4e5e532e5eacb4770e7dae334b40675819d7395c7

C:\Users\Admin\AppData\Local\Temp\swYw.exe

MD5 e8c1dce9b66700ea172f8052151a82a9
SHA1 2fd6dda2a55825ca56d2dcd2078ab7b0c25fb916
SHA256 9877578509a909864b300df97112c7681e3bbd4c3a21a58d2244c020d39b94a9
SHA512 62955e42adce7647422e22a874b266e9dbf5c9fe35fb90e72c608d29d17cd19f4d79d3e333c89a58d95c9c7bda2df72f23c575af3b8667bfcfdbe5d9f7bcbcbc

C:\Users\Admin\AppData\Local\Temp\gcsQ.exe

MD5 9fcc00710c6298ae4bd051af660b6c82
SHA1 323bb1902e0ea98726aed98bdfe9bbdb53dc0ad9
SHA256 fcde41481bf5029cf8f6ed7000a389f23132a257a4ca4a08017f5be7697d89d4
SHA512 d41d3fb6151f90d9788513fd12a1bf8e528a435cfbe22a1c0fd06085f5adcefcb4850881d231ba2c790614aeb1fd8ed257b6e5d0ebd75d690b6754ba2954a608

C:\Users\Admin\AppData\Local\Temp\asce.exe

MD5 86714444cdf5addd2c8497d83c152c39
SHA1 36b9c1bec24d94b01a56daa9c01ccc34c3d4347f
SHA256 469512c3f6c15df9c247d3d946ab6fe958bb86063310cf536626232967ac663c
SHA512 92025177c40a87c76c1b9a0bdfabe1314421f5530e0a9e8f0817f222b3d205dc6624b1c9ddd380783cad0050900c45feb553d32477ed10b7e14c910eb4642303

C:\Users\Admin\AppData\Local\Temp\IgUq.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\qwoe.exe

MD5 24f511d54fb570d772e05bdc1e3c413b
SHA1 df4d1e41cd79aeef5d044b477d9aecdbf59fe927
SHA256 7398bf680640e433252d7e42623e84c0efbb473d29566aea71de4850f9a97ec7
SHA512 b53d4b6324c1534317ec1fd74b05bac97cdce84fc22a328455dc167dce9cd57effc69e19f4a7687ff8a6fbc4c1ab688b5dba47f0c45f88096ca348029dd885e0

C:\Users\Admin\AppData\Local\Temp\EksM.exe

MD5 bd310726ca93e9cfd4f855d829069739
SHA1 fb8dcdc11532c183d39f0d0d0214a645ca1cce0b
SHA256 a6e9a5cee70361eca03191f23fec0cfe784ca1bf3b8f25b37d4d4b8e09379ec2
SHA512 81e563c1b80ce768d8cd465a254b87b57bd50833503b9d095018cf3b04d65f9e3d950441d82ae7d31cc4f715de4152e38120d6962a79b6bfb17bda56b12c6243

C:\Users\Admin\AppData\Local\Temp\okYC.exe

MD5 1d257c549528c50901fdaf8e2832dc0c
SHA1 f749c789f0ebbe97688eee4405ae800b88c37d63
SHA256 d0134a0dd720ae876f0f07be16ba4220c601d1c6dfa7ce576c01f4dc37350537
SHA512 b5c0b1dd443ad29dd8303a4fc14b8cb9cad58e1ff88d9e0a6dd8276ea28b5325f48f19aa07875151811dce73bd267ac93afd477de986cb93f44639da34a9e16a

C:\Users\Admin\AppData\Local\Temp\WUsI.exe

MD5 0fc9d2ad54e6f49e4226d2a9e3a1fbdf
SHA1 f7d083a349228475bd8dd2ebf68cfef889a73afc
SHA256 44667ccd3e643aea0ae8691296986b078b9895b62978798957744f3617856036
SHA512 3382fec138e7ab4e0a55927fa64f7382ee5006884a0b3e0d54efdba1caaaae049909b359a6691c93b2c4059614f24b26706b7533bd753ae63b01897f217c4b1c

C:\Users\Admin\AppData\Local\Temp\oQUy.exe

MD5 1873bc17c6ff772fc82d8e28e11f9dbd
SHA1 187813118ad41ee85f455ba1c8e23a41c0281dc0
SHA256 c66962e895334099dfe1db8add42381503314b7a51ab0bf3237c660aeb103ef6
SHA512 703792527e0f780b6e70d74fb5dadef24bb54dc282cea781c1941b4b86b9818259e9a16e41a54fae4b74a66ed67fa169f25251cbde8de3d3be6752d535560733

C:\Users\Admin\AppData\Local\Temp\cwkg.exe

MD5 17f823a8e5b692ab75adf36cd56be8da
SHA1 8016e6b38200133739e7d6c96f8de4fd7232961f
SHA256 10a905cdd7c016003c830ddd343c7d269ce1b93ce7f8122bc5821e0c356ac610
SHA512 dde4db38f364149f3de4b9ee5faaea0a0cc2804f1cc71ed89dafaf7907202854f85d3e3b302c1e944498100c2a147a5c77d7ccd9345654710eb7c39e9ad1fc70

C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

MD5 283185261b2a952f7c135f087265baf5
SHA1 4ce9aee25b95277826c0eb74e81dcc7331bca0ec
SHA256 578c94d277205076c1d52d821fa4b2cd34ef60647f0056df12bfde9630ab6808
SHA512 e4525f6e4ec57946f620726fb3f4872e7be62a8b471d2b5de9e402058e6b8865c35d6fb7986b0b491e15253cc008178f32f32ef198ead6edea28f59c3a2dc8b6

C:\Users\Admin\AppData\Local\Temp\ecAk.exe

MD5 38aa171fe4f3a5e9c26bfc9a89f62211
SHA1 4dd50fd8b51dfbae87a01075f92917974a951e2e
SHA256 333c9e0f8e312b45cfd11441f043f7d6855487c23a591fbec41ae02a97fb1121
SHA512 ce82eeb00471048edb8c04eb23c8dc033fe450c4f7326de8ba4d6066375160bea77e880f0138b2cad222ad45e25cdf06b2b46a263388c1943508c968c61d1491

C:\Users\Admin\AppData\Local\Temp\EMwY.exe

MD5 23af8fe3dfd8050346abe45fa65d7663
SHA1 11ff0142572103ae1c353843cbc19d999bc1ba69
SHA256 3f9a76dfff97e6d0fa64ecaadbffb7d76a0cabc4492be80a08e9d9892b7b18ff
SHA512 418d2a5ae389c4518c86f55169b0012245985de8a1e86511f5413f85274f629b58b4b3b4e538bf747066cec5293c351b24ecb44a2f0c2f6ac345c337471c7a55

C:\Users\Admin\AppData\Local\Temp\eAIG.exe

MD5 18317952dcea806778ba991c4a5e1974
SHA1 b76455da239373e6baab7a76860ccb3d8c7aac17
SHA256 be6bdbc8f8709fb2b1ed597f47e5026d90cd3b6c2d78e8c9fc3ed147b6e097c3
SHA512 b72e7b98cf59e7a4ea7c070e49bd65e4218e672caae28084d1cf0e9e92cd1f2392b25a47d5193923b73b420c1ad2d5d3e9960dfd8a83227c7b26e2e0851946f0

C:\Users\Admin\AppData\Local\Temp\Gckw.exe

MD5 6bb4beaecd95bd50fc5695eb4b57e982
SHA1 aa0e00aae6c6155ffc2fa560a317838661316775
SHA256 34ae86e03d2dd4658ec9e3c1d0fe3741f93c6edb6ac5366af1e108a99a121320
SHA512 05583d1ddb5b0dce419a7f2bbdb219d02f5e5a70ad981d0659a91f10e58923b08f31f45553c55af6d3f43085599f93dd9a8dabb4c19461a05ffc7262ae469f05

C:\Users\Admin\AppData\Local\Temp\yskU.exe

MD5 9ff9b0d6d8f250d73eede172d92c0d05
SHA1 4cb59dd5fb4569cd18b6cb4185fe31467ebc98e3
SHA256 9d9d5f9ee1726eb0a27819fe166cfff3c6e6c5a51deeb0bb913d14fd7d90db91
SHA512 4b1af33fda40567e2acd22457699d267750ee5160c88072b30dfdba1ae84d4d3b1452955595e1c3b02f902d3edd1a2f71d635f61076d19309f365b436fcf2e38

C:\Users\Admin\AppData\Local\Temp\coEc.exe

MD5 a9cd4cfc3df7e488605ed5f6071846f1
SHA1 2d3c0f63ba391893cbe034a16afc6848e422d42c
SHA256 74fc78677d908c60a90f089d2209ddc76ba9b2815124b724b6fc64dbb025d563
SHA512 24071ef1feab8495a82e48c7acfc105d4ef634b360fe70c9e8559e479cafb7bba5c43da85b9bdc1b5647474eafd53c16d22425114e890ce76165e5ef272cfca9

C:\Users\Admin\AppData\Local\Temp\ckIw.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\EkkM.exe

MD5 baf8bb1ba9af3735b3e4843987db295c
SHA1 9ff3096d719542c89f3156f42a0d7659e0d57b5d
SHA256 2de69245d4f3926f9d70a982de047d1a6b009b75b48d8a6018b843f7ea185738
SHA512 6d565bf31bcac11f39f9880bd75907db9bf38fc740cb45165afd9fdf50c6be8510d0b622e43dff69c5c00dabfacc882b5e094713c30683dc795b5898b2febe37

C:\Users\Admin\AppData\Local\Temp\WgkE.exe

MD5 06dab3566816c3c7037a68d951eef7c7
SHA1 efe7008ca43e44b1b9ee7141418a11d651963908
SHA256 42d00d2dfee04f33eeeeadcb34ed8d6b305391757dea1fc6fc80352f2274d956
SHA512 29e78581056b7f9f77a3b66de43a33fabce0f8731383121c3e67878f65cd794ae3a573028d690cf1ab9b1ff47bbf468046b4c366e702baea9a7d0b876106d2ef

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 14547ef05b946bfdcd9051815b5e07d4
SHA1 b2731ea201fa5e32e5a01774537f9232c037415f
SHA256 e2aad2703298a546f2c7e35275622d163ebdf5230dd12d1ef1d0ae422fd62552
SHA512 c224f1edd5df255889f1d1a59cbb4fae2492c70ce83a98c41b5c3bb6fef38ed4c1d465042ad6d657bc60555213c97c5e92698f57bf151c81428a773a237a13cc

C:\Users\Admin\AppData\Local\Temp\msYE.exe

MD5 de618e14965c82dbf966da99726afadc
SHA1 63e75e2b16c6827531ad8e8c3904a03518d68749
SHA256 d3d918bb26ea8feb6f8dbea6e1774dc2b2e81602385ae39029acdc304ed391a3
SHA512 83bc20001deefa659184ccda4e00bbbe1352e0bb03d4e64ffea7ac2d111cd48dc7a92467fbbf82b6fdb6cbf77dfbd64ea62efbdfc12b57b032c89c83606c4876

C:\Users\Admin\AppData\Local\Temp\AIUi.exe

MD5 a5a8d8564a663aecdded5a50e18f197f
SHA1 ff4ab2726ee400989621930c5bcd586d06358b19
SHA256 d8f7a25853bc4fcd2de8e5d0804e5613a4c1c45d16ba5f5fede8ffee8f5dd7aa
SHA512 308c2951f5da23b1a34a17f0ab4c27e7e1a92bb170da43d3d4ba23a96b1362a7fd74377679aceff1498e7714e2717cfd0310d71fa8a3b2228af9c1cbebd8e0c7

C:\Users\Admin\AppData\Local\Temp\kYkq.exe

MD5 c12273f0c045a4b41893d989c51358e3
SHA1 9db5ab444a4b8033b2df6041a3583287e2506b65
SHA256 7dd30d1c00eb576242ea1eafd67e8d32c42089f4ad1352e1e46229b3ad58d78e
SHA512 7c18b046d68de7c358a49b88ca1b115511780550c9ff99cf036af2893dc6710c6108f59e2737e5d0a2d2f2599befb309bb9e3930ae952ec7b1107c43c277c2aa

C:\Users\Admin\AppData\Local\Temp\oIEU.exe

MD5 691e276d496c509f52fe390ae80752bd
SHA1 e9a543ce140633347b3fdf4d1451eee2eb21b905
SHA256 24c08285e3d6f06e96e606f0591a56910bd6de6668ccccd9e57fca04fe530086
SHA512 baa4b8778259ad7277d801d4b01d89fcc97c76151bec6f1351e0e8c6de70e196fff4d6beef344b99562ef73685cdbd41bebeaf662f91e82c2210dce503341cda

C:\Users\Admin\AppData\Local\Temp\ekkm.exe

MD5 920d3485209b4b404669233fe008f4da
SHA1 bdc2fbb910ce664e55ba5e55a5c26b89d3eaa2d1
SHA256 a5dfa6258b24e566a7ff17c7c6e11975af884cb8b6d83e217d093d5ea693c7c1
SHA512 e3cc57980f2740dbf6d03e172c2e7711507c24c63b5bd85c5d5c5087ffc8fee40a1ecf62e5e6d4d316beaff2bb7df350c46178f6fa5d930a35e54458d106a51d

C:\Users\Admin\AppData\Local\Temp\CQEY.exe

MD5 0603cf55e90216fcf8d8747800714f9b
SHA1 9d8768c6da619996734e454b737fcc03d0802537
SHA256 5547e69875abc9d767a000ef93029e1466cc49a1f0c6452529ef6ce6a7cb791a
SHA512 94b74aacad5599115ee0b7631e0e95cb7a369437360802856c23776d5e4fbd185b738dccdde9b864d043e2afa5723c7b86a93222db1ce4a7fd9d2aba6f8c0405

C:\Users\Admin\AppData\Local\Temp\KYIQ.exe

MD5 f0f250d16e5a9d0d1aa15fd0dbf7f770
SHA1 e2206e9e1b3eee77f701f363997445c6de2f6a71
SHA256 74267017092d10aca356fe91d0b70a314a90d1f1119ee28700a698a92bd5d0f1
SHA512 da61fea117c2487b39e6f779b90ae64f9b4aaf356583d03494de632084445cedee69bbc12c63b604cf4ae967f9611f38a18497a71679f4c300f6acd5aab91282

C:\Users\Admin\AppData\Local\Temp\CQQe.exe

MD5 7ae629b22cfaa72b922d62faa7e621a4
SHA1 42322afc0f0c59be5741f52b9c22df1e63d5874c
SHA256 0a51a08c9153a9c41525fd864813bd39cf44ab2497c95840179de1ff1c9c1282
SHA512 d538acdb89de63524f149de41b28f8a6e5bcfdb0af137fc00ab8fd0c1ce1afcbfbdd970de09268b88e78584565231aa2b4f152a0bfe1586afe8dbd1d1db114f0

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

MD5 8da6c096e9060cb4c007ab5236993217
SHA1 361a0f3cb4160232ca673b8b1f5dc84df3acaf1b
SHA256 f3ef757d97a3dad9fd59410924139b49dc1189bfaf99105fb5f6c82a9d912e60
SHA512 c9e2bf38b38a1dbb4da9e385675b14dbc425b77268f94885de5112b8721522f83f4e220edd5e865cd3a1b09a9387252ecf1f4887fa3667e82799af8f8438d8ac

C:\Users\Admin\AppData\Local\Temp\SMUa.exe

MD5 19ac04cdde7cb641a2a9e30b83a27335
SHA1 3bb4d058fe5e35fbfe1205461df3aa7bd4f552a0
SHA256 7f72e30b3bd64fa8afd4d6a05ef28e15563d8515ee048e0ca12596230ec4ff5d
SHA512 47407e00346f88e08ce815ec561ce961700c217f0364172b055cafe981bca7783806c0e5321b972de9db6be59914a0d8fad14332807e53070bb13cf998cd30a0

C:\Users\Admin\AppData\Local\Temp\ykMI.exe

MD5 e97d194b3ef0086fc30bb2834bd5f855
SHA1 70abc56df7f8c5a2aee40b0bec3d9213952ff0e4
SHA256 cb13eecc40ccc7560b04f169a5d7662d127ea5ec682a410c2d1db1617a2b4b71
SHA512 fb11cf8d9237468b206da77677828fd2afd9ab4723c5f62a47a88ff2a26922fda89bca05df2c10b0d9a336f25ebb54281a9f61ce4cc2e1f5b5942ad633dbd353

C:\Users\Admin\AppData\Local\Temp\Yosw.exe

MD5 178bb0f8d2ffbccc88e9b0752f3b1785
SHA1 b633370fef9b50c691a411e8473c0a929b8a0028
SHA256 cef33b18cb70cb53a53d7d4a42db8a3dd10ac341c7e0e9cdd5471ad0328e99bd
SHA512 d7fe23830e8d172d0e3cbfe6fd26b03ea115638345b0cfa3eb6a74cc43e91de2eb41f4594c1dc1b01fed194fcaed8668bcd8226e4d528d0c3a0b0f2b54e250cc

C:\Users\Admin\AppData\Local\Temp\iccI.exe

MD5 e05ce9adb5614236ef2a5e92902feffa
SHA1 9bc375abdfe776cbe3ed886884c3cc13cb2e6703
SHA256 e6f5efdff2e8359099e9ba18804f8372e183ffa6f8b16b5bed23f7faf54c4325
SHA512 8079d926333cbf46ed028b578ca1c91fbf3de637c5e8d641a08dce938bd64680fe7dca601cb69dc323760dac35aebb6ed9d858bcbc34096ffa21d82acff01be4

C:\Users\Admin\AppData\Local\Temp\ewcI.exe

MD5 5e6cff7d881432c006306390dd578c96
SHA1 5aad639866f00ec9cc81e5c9f11fe5a811dc836c
SHA256 e8fe4c0269251672bec43edd27f69d65e9a07c39d89e0523bbb76098ee1db42c
SHA512 39d7e30321940ca69c317b84d146cd18ae2e772e1605d32958ee175be0caf3a45a7429cd8cd68cbae8d1db334d9a07e520dd8304bc28adc70956783104a8d270

C:\Users\Admin\AppData\Local\Temp\CEgq.exe

MD5 3b6ae9866bd984374c76c63053cf8c86
SHA1 22caa8296e23a30dc42a332aacd89726d9da0649
SHA256 b0b26bb649d1436f4228fccd27a65291cc449d230fb7ff5612d4fbe8ab679905
SHA512 e096837027c3acefb79e5238ec71cd5d79ff78f8e250dbff0f35a04dfb38b77fb7e2a832d70566b97622284c3c06283fc4bd359f9656911c5d5685a1b754ac6f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png.exe

MD5 e5f155ffba76bd6183ad699256ad3ab9
SHA1 4ead500fc0a8078ee46c063c84ae2ac3d2570ba8
SHA256 c413d4cdc53c0416e96278ffa2e614b17c60e46ad12915db52a7cd2390c63d01
SHA512 41e7b253747612c392f6895c726ff93543be5448320f5a28444e2fa6c3fb25f2b4fd2d137d0fd0938f9c531d34bee56953e3ac8b23791e12f54e11f0e2430bc8

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

MD5 5fde43b25637e07739be301f079efc37
SHA1 159b1b68234c29f9fa86e74a9204ab69dafcfcaa
SHA256 ad76478cd6318a953b6d3811329aa941aab7e9758fc98a487cdd3d52a20ceeb2
SHA512 6383d0343f8b9caab3b5950989e89a8f8ccebcddc5dae68c58349dbd92a3ebd0ed9b91cf81ac56c7eb7b0e9555ca37f46e7133797ff63820c87f54b17d8e6393

C:\Users\Admin\AppData\Local\Temp\cgwg.exe

MD5 54fff0d3aa9fbf74d83635f77026bf57
SHA1 d64f2a245008b4b78203958cae4cdec3e2728428
SHA256 42b28e95387482483b462de1785cd01d8903ce3b2e69c1e2366ce680c26dc34f
SHA512 7686782d3f824c5b9fcf7ba0379ecf275d05c9e94cee71b06db7d203809d99e0d64515de4a66690ffa5c0ef2ef9bcf3f6c4de42ef6e0eca5a2adacb2a62ef4ab

C:\Users\Admin\AppData\Local\Temp\Ksow.exe

MD5 cf0ef2cc68c6abeda1fbb45395e58fae
SHA1 97e2c2b0a1c9c80d1e58bd72dc1af4154b86e688
SHA256 274d6a0e9e2f55a2c21e0b7d064ea27ae013d1d646afea1bddc49877c712800b
SHA512 9a245323b53ab4dfd696b52ee092be5e34c5214ff1cfb203428c3e8b4af163feede55a67d441a819408925ef0eff4318c808b268aaed0936bab9d9c2362d0201

C:\Users\Admin\AppData\Local\Temp\eosG.exe

MD5 4819808ae1c3b41b7f0d2e472ba61838
SHA1 661e4b2bddfecd8e6640b607244176d0a89ba252
SHA256 d503e78a0f0d89f0d98d7527a942e4ab34ff079e95184a6526c4e61625458f45
SHA512 f087ee77fd5bfc3a2323b1283ba7711cc79619f06ba4579bcc6184294b99978ed4720377b426339e6031299b6100194251159d029b7962ad5f041424907489a2

C:\Users\Admin\AppData\Local\Temp\KcIi.exe

MD5 1c57a180287f598341a654db2071ecd7
SHA1 4db13754814f3df0901aac04a386426121ebe017
SHA256 7a70170beaf6bf3acd8957db1290caa603bc6cf86e0359e034b1ea998bd81bc5
SHA512 a7e97100b5d388ee7d2f061d66b1c4578e0ce185a328da8e331b610a05a7d326697f26980d8cb38f755720fab5f5a4dbc4b7a59dca687fb70e52fc980a2382b9

C:\Users\Admin\AppData\Local\Temp\woAy.exe

MD5 31a492a3f8dcdcade4273f34879d8ef9
SHA1 16784f62c0e1f302644e2b34af862510d032f956
SHA256 bcf20850d4457b6c9cd406b752c999a84e4729bb7273513828005418c75bf2b7
SHA512 29e8ba09dfe5a9d9754f51534cbc5d6139f2a60a016cbd65dd92522d59d4f88618850ea7d712f0cd6ecec65d8dc4ccadeccdfbf20a83b39a583cbf84fa74fb85

C:\Users\Admin\AppData\Local\Temp\QQAW.exe

MD5 16bc2004f21e54663ae50121785fd720
SHA1 54bc3530f083cc4aa799d859fa9149698c6e84ca
SHA256 b70fd1adf39fa75f74dfa4e7726ebd514b63e7d4359fccf23782e00030e689bb
SHA512 f3f9008cdbd2a9590c88640db7e829c3b78d0276fefe2697458b098913211a1767bdad66440b91be56c81ec0729eef7003ef915b3465d36253436b5697ec28ae

C:\Users\Admin\AppData\Local\Temp\oAUS.exe

MD5 f71cc34b0ffd6b79cc68d42951cf0b30
SHA1 d42dd0c9820084a1f6ccd6c3ac74399acf27198a
SHA256 b948c37584dd9fbf1be5d765acfafb7b8ca7c8e4ae3053f6276debc502c3284b
SHA512 4e3453e95e4852646f5cda56332d741fba54f40f4ab913df4885f04bfe2adc06f94edf06cc9ac529aaff294f6b7b9866ee832653a15bde724413febaf52fefec

C:\Users\Admin\AppData\Local\Temp\IAAW.exe

MD5 d5e0d6cc7e7782346874d82cd20cc85a
SHA1 b4bcaa2d879d5ae7a2c41292643ed88eb6269f4f
SHA256 6d38cf0b845f8fe6106f6ea66d31ab3340ed49f8b002fbff1b0a9c0bb9bbda7c
SHA512 e3580e1fda85a0dad74a1f603f77543115c6aa67b82e3bbc60dea90f8b06c15f080adba82c4c813eeb1e474bdc846d021a2c23d0b10fbf4a78f5eddddd4d7c06

C:\Users\Admin\AppData\Local\Temp\uIUM.exe

MD5 c4d90bebbf21aa546eeb2549a05e2e94
SHA1 97653c2a2d69da5cffd0c506c6ece9d4fda4ac00
SHA256 05106c8b3c379b6c8c186a876a6d4e47c3c3343c02a475525fadb76a436ec8ba
SHA512 a4fc67e8d55622756e6276fcf8b9305cd530cb3a5703642f2d9eb2b049d912c955eff3319c1ead5e15d57feb9ed974694c0302f58e130a8981af9dbd115d28e8

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png.exe

MD5 95823319c42a3fb0e55a132c0afdd4fd
SHA1 afefe08e82bf9cb604276f7e6f66803b5b2dc3c5
SHA256 09d1efab4e6fa0aef5eaf139ecb1e9b1bad0b336b8d9e6d511c50aa97c120c18
SHA512 f0e10a8dbe1875c303c6342058fa2f115111eff9980e95b64e16359e1fe6a007e851c7d3cfa822c620da3715d9b5c0189939046e8942f8d20102d59d269f9668

C:\Users\Admin\AppData\Local\Temp\KYIo.exe

MD5 a9930fe04299c6db1565ba4068caa7f5
SHA1 5fafa0dba78c41377ef1ff07782d5e79c3b95e2f
SHA256 cb9af1e1675a5d71a3884f35054faf260be1252c6e675ea7d59b1eaa4d44d42a
SHA512 8af74c8eea0027f6266b108e72251c0778c5ef0fa4d0b415bac7ce58bdd04f740b30c3a6790fab194d73e998ad1994a12df63df2e139e59683f376c16c5fd79e

C:\Users\Admin\AppData\Local\Temp\KswK.exe

MD5 c17096d5a46aceb6d1528cb2deeb08c9
SHA1 6330e1d998a28f460d54310199723ab9dc5b0376
SHA256 e86c7aa7000f262f29aabc52dc3a7ef59adbf48d485fa1bdd422dca963875c12
SHA512 a76a67ae88721a58de2ea2eaa8b54ab42a3498cb771601165eb3e238dadec317521708cd11d0be7764236a759e876283e57a1c475144128884cc2df8ddd4d753

C:\Users\Admin\AppData\Local\Temp\KgIG.exe

MD5 da6c2986de3e38967a6208c52464afe9
SHA1 68748fbe98cb9d2b6a1e43395f35cad10bb63eae
SHA256 1462548a12801b82528440c0504a4edb44b4517a1f49c9c9372c3081aa0f5266
SHA512 4eae6942de1f961c75ab2a5452204120e023e9833f41e9418d9ad49c9e706f024c116d649f0b639e6151538a6a1a0c9eca8562aacfb285026399024a3cc82205

C:\Users\Admin\AppData\Local\Temp\ysUa.exe

MD5 e401047a2cab7de5711b442e2ea3bfa8
SHA1 eed83a51fb5ccedf21bd194464c0707557cc4459
SHA256 aec8809ab82e19803eb79f41eb0a2717bf93f91c3f5a153a8a3276c903a33188
SHA512 ec7587d700d0208960ab176a0989e25db06ad80d47b61d0a82819fb81899c3d0688c2bc83be83f6da6adc9fb9d5a7fb914295d783f48b5a8efe4b7020f39aaa0

C:\Users\Admin\AppData\Local\Temp\qMMM.exe

MD5 f678e4b662ea18c489abe896e00a87b5
SHA1 c5386fb74bc0403fa633a41a8354df8004b9e5e1
SHA256 141d8e03278c59b8cbb0afe5c9170881056160c31bb5cee5b2022763018b5594
SHA512 f998c1765ea822b4f216af3c825733064df13fcf42bbbe00d1ae15804d73aa578a63b4d8e868eeb53b4db255a727d90947bba4ebeb24cd1a325279c1de82a36f

C:\Users\Admin\AppData\Local\Temp\cAgO.exe

MD5 0858d6bed8c05e08fdba7dd9a038a0af
SHA1 3a7b02b68b99c12c07c38292b03db3a0a033b471
SHA256 d246df69a24af270b7334ca6c28a032fc8bd401cd349cd1b9b1d8d239e0e2dae
SHA512 4d4c5cad4e4039e5e33a13853dc75ec8b0f0365aa6937b29958fae563e717ff50f906d9286bd48fb79f163ebda5350280d9487dfded90756e8a96531705bfc86

C:\Users\Admin\AppData\Local\Temp\WAEw.exe

MD5 2247a489a4ddfe93507738e376ad9d89
SHA1 cd62f31cea0fde4772a1479c40b0d00a5cceea6d
SHA256 6e0781a6e2bc7332dd097e23d0a732526e192c9c3ffb830818ebf3c5234e0f68
SHA512 c02d2a8ba300f042261d07b524ca7e9c2ce7682c6a64b62ccb20d66263d9e550225b67c12f4dc9a596f84990e1a73ddaef7e0708551cbddfcc8ec3d2b70f9dc7

C:\Users\Admin\AppData\Local\Temp\WAQg.exe

MD5 7361838ec825e968a8dd962c445013ea
SHA1 a462e92ffd6656141e6ad9ac3a35c4c1e031b4e1
SHA256 178d751197b82513d03e6e319ef38bb658d6952f5847a54706950be9e58514a0
SHA512 16b41ceb5adc8014904b2296070619bcaac5cce398f492eec7fd76550d7883b8b3cf7f154c68e136f87d2ca8c560644a38cc8ad511d984b435551fca78d26762

C:\Users\Admin\AppData\Local\Temp\Okgy.exe

MD5 868feeb7d7e21a6680739299780acd2a
SHA1 8b9f9c5cc689b98abd494bbbb00174cf5410a1bf
SHA256 62668f06a7ea6abf616fa6a315d8421c53682c1867f706acb64c07f00acbda05
SHA512 0f8bd57d97a7ac70eba499b364145a50d804b551cc171909eeb311940e62723498d2a041076541d60ee5d1ad9b75f4c11ae6c02f0cd5847bb9dc8ab7933e6b51

C:\Users\Admin\AppData\Local\Temp\AkEe.exe

MD5 b369bfb5d09b2d86d1ad510516ad54b3
SHA1 f87b3b1a67242f941f653539005dec1b289be1db
SHA256 5bde5ee676d7b87c311706b554a8e09f68dcea5d28870ad5d1028554d84f159a
SHA512 e7d8dc15186d61c3298a3f7150a579635939fee463c3788c84a0b522e5f5e09e53740f2e1115447423767188e1fc801e7e7e2e35cbb5f86a8b75f210b63d9269

C:\Users\Admin\AppData\Local\Temp\qYUy.exe

MD5 a0f461d6a0ec361b96c54619001b541c
SHA1 41d2a0207f2bbf85869f3dfd99597dfdf172583b
SHA256 61dd3162cd7ef08f4ccc3076bc19a7c928de34d77d55b5c1d0ca31b276bbbf98
SHA512 5451394e1a8dc489041849cbfe894343c4c9468a8c1913f9e3f9ac3617fd4c222f5caed3df2e05eec7a683db345233c042566a8825bb1884eb558ef2815af9ff

C:\Users\Admin\AppData\Local\Temp\wAMk.exe

MD5 d046d0e6aab5774f0863fe8a27816581
SHA1 af225e8bd22d533d4c2dbcd506d17ad337bb2f21
SHA256 c3fb6fb54a4b8423644ba2b1ffe2380b100f76e00c5115e22d950bd15a51b9b0
SHA512 d6fbbdcfeb56071d192b1eb32ae6766e3892f86b54a4867875646015d690e2c91a59b2d6d26711471c7edfa284b1d628ca3d7a5b72a21513ee7228427fea947e

C:\Users\Admin\AppData\Local\Temp\kYYK.exe

MD5 76e3bf33030889becb2351062f214e4b
SHA1 effbde665332e5452336fd38c46fac75d68fb432
SHA256 5d078d130773e81dad7fb14cf001766dae11acccbbdf0be45bc7b4ce101c061a
SHA512 221076fcb9299d3d753f466f2b528b7a9662358440ea579cd6062c1fcc4e9a652038103c98c692bb81af956f1a346f40fab1c6d2901ee8e6ec460a4298ecce8d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe

MD5 60ad345a11e1af3900f39293784392b1
SHA1 c978d0d29c8e5e40dc5a8814b10ccc85463ad024
SHA256 43e4eb6a9ccc1a9c65e18b87fb2b63e3dcd8ab1d7ff111ff631f5d62a0a6d215
SHA512 75d01bf0b03eda3ad95f120d30472b754a478636e2480556e98720cfdb3458912b26e668274fab6c437ff7ab4f430d4eed1d153d8751718d3ebc9e9b8f2a3c9c

C:\Users\Admin\AppData\Local\Temp\ckIw.exe

MD5 14dc4cff9834cdbed0bacafd1060357a
SHA1 89c9d817797dee6fdb31d350459875fe3694402d
SHA256 b4ea7bf35bc4eba03aca3b5feb48894d99c3f112e5e342cd3e9591334563922e
SHA512 ea80735b208566b486074953d70a6a441ba0647efb463e0d8dbe2272b824c7dcfc396771617e8e5921d1544305d84d95bd1562ba78d31667b9a1f549a1cbb654

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png.exe

MD5 498039137d5d8208fcfd29e58c092a13
SHA1 29f58db04abf39eee9fce4c3ddf113a81396e07c
SHA256 c586254881dda4dba84edf8db711bce4871e67013981f3c48291b68e42cf6a47
SHA512 4c6d9686443a1359355cb945cee41ba6674882c7f06f5e66fd8fd19ab2f8c556a084b0c4833498d636d059947232f58dd9094d9a4a4321eec61967288364a253

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png.exe

MD5 ccda9524541a92ac762f17856fe9fb84
SHA1 0b64fec5b9b20ed0fbee018f81292a0ece154396
SHA256 6f3a705a137c9325b17d1e19d242f5c6059db38e7b0f016fe85456f5b6e9c3dc
SHA512 4a321a25a94a79275415d0d5abb61f5bf34222d94ffee3d0ffc47576d35e03d193fb88c55372c9e1705348510267e6232bd83cf70cc575d9d42113445db97643

C:\Users\Admin\AppData\Local\Temp\Gcsc.exe

MD5 2a2e0f6af81b9bbaebac740042d135ff
SHA1 10c7c49ed7c33d4b3db6c00a412420b1da40fa95
SHA256 f5a493a6b980123d2a31640c2ee367a49aa001623e12a8113b10e66254167949
SHA512 60ee225de1c6edb293874ef459fa3e28ede49a619cc2029722357f09fe7da6c004e67b21b1b6bdf3eec919fb6c787a6fcdd34318d49c4ca01d6c205e18c6074c

C:\Users\Admin\AppData\Local\Temp\wMEu.exe

MD5 a519837aa0795c7aa07f7639f1ec902f
SHA1 e609d2a238811b0a5a93d80c69df6005f95cd091
SHA256 75adec302057b2da564110e1ac7077caf8d58d279e8bdefe2e7dfdd54d7bd638
SHA512 668289ee7a82c280cad8a309ea629bbde26f6de2b222554fa72f481d9268953edece716a2067f266c2685a4927e32fc2c44030e17f45a6b6b3218f47738ff068

C:\Users\Admin\AppData\Local\Temp\EsMQ.exe

MD5 f4406198dc09fa186ce6078a6ad78475
SHA1 b5c5ea3c1d2cf7a20cd487c2745be1211c38366e
SHA256 ff338d24d3bd32e18acafc8db32b5eb4b87cef8519af2122f70010281ec790a7
SHA512 bd70e7f1bfd47b6f88262047a0c864eda57ff42e80d20756ccb626c79920c14cc619d15e2663d844aa1c9f2e2f5975c5d06c50bcf68ac2d680fdd7be18129f18

C:\Users\Admin\AppData\Local\Temp\ksYi.exe

MD5 726f1dd768c67058957c09af99b3abff
SHA1 dd8a730d9b4fa2158392caa5745da1c146ba3619
SHA256 1dbda91257af929d205be821d0814481c198df0eb146d62c33530a70b0af836c
SHA512 10f84142e846fe39d13125ba2bd45066b861f20cb47f366ea9d8c59b735c21c1d3514f75d20ccbcee5b125a41f7737e34d588597281fd02236a2b4efe346e37e

C:\Users\Admin\AppData\Local\Temp\CAgo.exe

MD5 4e4e93fd5fbc1a638c5e0f4221aa8788
SHA1 a03913bc99b3b6ec4f7382b69e1e906167a89781
SHA256 1d84d727856ffa2046293440359144e0f0d31da2e3123569044ce849af9700f8
SHA512 ed7f39c89146569d0a382d4a152eddb164df25f4d27b892cd65236311471de840524028c8c5bc7a6c3f0dfb8989d3c70868f6d31aed59d7428722128d93469c2

C:\Users\Admin\AppData\Local\Temp\EYAO.exe

MD5 07bbec4f03b28e03963377b8055e9d0d
SHA1 9c5d193cca8c43ac2aa537a62cbdc5e1e8948a1d
SHA256 d8e5aa9bdce68bc00ff76e5459ee36288f5b0b3cd79022f34da3edbc5f2bc745
SHA512 3df9a3d2ea87e8ff89fa60526c9ecec0b3dbd89b8c3a7db8381184cb343d85d62d1d396ff91986572bd9ba87288a50ef8f22461f99c8a8f5239e6d826e93599b

C:\Users\Admin\AppData\Local\Temp\sEoy.exe

MD5 9f78bd4c02ec8f595e6038d07f60b946
SHA1 23209c21e77a6c2d4227070c4538f5dbbff84d88
SHA256 914c064ba557c9d82adebb0f4bf8a6605cd7ba76b729214e9c3238b4d5bcbe8d
SHA512 b7ee267f6346959e2e6308f5f4002cdc1d950cdffebdfe8d64a1432073837f999e9fc347bab977934c84f41bfca39ebc2028ca6879a12dd1fd6ce0ac616e72ff

C:\Users\Admin\AppData\Local\Temp\qckC.exe

MD5 cfed052893aaf55b958573fe365fa109
SHA1 e4925c7bc5587e214db1aa2046f4b4771cd9af87
SHA256 23cd94525c207702cf44bfbfb296e0db826009d2086ae3c701906a41c27c7daa
SHA512 47564fe3e04524dfb2ef1eeeef2baf51f09557cee1adc803b000740a0f80dd65bb616919e15c4b81752d585c7a110eeab75acc464d11c0cc333618464a3d1ed4

C:\Users\Admin\AppData\Local\Temp\wYgI.exe

MD5 ca47bbf55caa08296fba7a01e24b2df0
SHA1 0fed3e0690335b31846397e4b9ebe2bc3999926d
SHA256 77d0c7f3751c817d7ebf1848d7b4dab44732ec94cda69043c0e5dc59238aa7e7
SHA512 866465218205b4710d6b5c5cc3812e8972771250c32f59191731daf70483b95f0f88e201925f9c66f1b10a86574bfd311b3ccbfe6d99bf166729b290a155ffee

C:\Users\Admin\AppData\Local\Temp\EMsM.exe

MD5 217d0bbc475bd3bdca9050850992c4ea
SHA1 84693551b25e70f2aa8ef763495d97300a72b28f
SHA256 5f221bceee39d43c1b0833a6313f287a3655430c43c2ae4d7dcfddc4134d0d52
SHA512 87236b77231e0c8e4ab758fc7e2fbf998207667a598ccdc10526156189250e906ebdbcd693edf89b68f75788121e49a64c0181eb25d0e6eee2cf4118462d6c17

C:\Users\Admin\AppData\Local\Temp\UoUg.exe

MD5 5a9b3dbe4b5c441ffe99386902992dc4
SHA1 f1affc85984ce3872b2c7fb86d1ea51f6c5a463e
SHA256 9d222e1e7b63f3cb529d07eeef278bd6c121f057da0a5705a9f94bb3d70ec842
SHA512 f65f51745df07ef793d3be7ffa7f995a0ef6bebe9103ab562db403293cb729272961e90e791ebc2298aa27fd672aec12bdf2d91e6bc9905be72a10d0576ce20c

C:\Users\Admin\AppData\Local\Temp\kwoE.exe

MD5 da57e727d49aed0672e18206ea4726f4
SHA1 860427c89c83e569418e3ae695ba0993b774ff73
SHA256 df8304f069bb8bace90ee34cf63ce5aef25eff6e75142d053d85fbec72dc21b3
SHA512 487ea64a10b6692e0b1452ca1a7066d24164830a35700dbb754d85fc5fd54c7fbcf76a29cd50a3549b3454989af8a1d90037e3a237bd647e2ff48750c1c9f5f3

C:\Users\Admin\AppData\Local\Temp\ygEy.exe

MD5 1c60f50bcc7ea345e161066fd69751d8
SHA1 a2d8ff32bae7f60c8b4be36ebd47a3fe5111f506
SHA256 e4bd06fe148f37c3d2256e4b4eb6fca6d0f8a3af49b4124d9e499738486b2892
SHA512 5532cabb31a47b13c7c22a34630cd512aa6f747a58774a68c86e779252ba807568c6b27554731cb3cb57ffa5bb91e439e579493d9cb7df6ba8290a9989a95bd8

C:\Users\Admin\AppData\Local\Temp\iUom.exe

MD5 a6b281de132596ef8f5cfdfd7e83e0ae
SHA1 31a89243bf61e87661f01e177e7aaee870b034ba
SHA256 65e0fa142ef68da4bbead574e775281f9276b4ad4a993746d6838f81cbe38b58
SHA512 9804303864b452a0c0a7dcebb22751704d2a8cc3a8b196d45c7a344678ade03f987461bf7268e4e394eea6e59dd5b7b73d951b3f51aa96772a207e772eadf371

C:\Users\Admin\AppData\Local\Temp\yokm.exe

MD5 9842504e1b222ba4079fbc0450cb40ff
SHA1 cba5d795ea02f152bdc34d9871fefb2e963e7676
SHA256 91c078932c1c4af2366fce9d5a23b749e1f70dde72f33ce4001ed8c5b47f85c4
SHA512 888709205b305fd04f736977b3cc88b12a53ba45950ad7f2840f0d1044ce872148334842d22606c72a717f93b95667e8cad55b3e0ddeecbe923a88b044a95657

C:\Users\Admin\AppData\Local\Temp\UEUk.exe

MD5 d849cfb31a5aa6e1184274be647290a4
SHA1 7c03f7b441610064dbacbed9f6902418510787f9
SHA256 5d79bcba82c58864459c1d90fcfe0ad2b0fa49e29f744fe91ecad6f867bc8b73
SHA512 3506a27b7b139e4113b0030400ed28b9eed87e4ac5b71db2fe8d883984afccb54d5b730d28c43ddd705313cf6fa8d92057c9b72553091e5df69bc12e70f831bd

C:\Users\Admin\AppData\Local\Temp\QcUs.exe

MD5 6c9fa1c586d1b56fa9e0e413fdbc6d54
SHA1 9f28767e955ad3243c2521244b6bb3ead4423c1a
SHA256 c0735f9d021d677a6829d91538b3154043f2740bf86d54b5c9c48db0fbf1406b
SHA512 71a1939ac8d2f660990c7eb160fcd8fcd54d3672649fc89270a33ac31c3c60b40327902e867cb71e67f01494253219b34d70313d314280ed332908a6e9428454

C:\Users\Admin\AppData\Local\Temp\mcAi.exe

MD5 585909d533bcff11b7459101b501369c
SHA1 5070ef88ff054f9b45cbaaa1999522ec45a8ca62
SHA256 de1bd21ad4e15121c3fffcccd2202f25b02a56385c2e52fd5ace6b17fb52535d
SHA512 237f746e7449f4ffcfce3cb8deed0c862a80609c7d8381f047892a886f70755d87b9a10398d9c29af3d22e9078e4d848dedaef30b0e38ff316f3a502d185da03

C:\Users\Admin\AppData\Local\Temp\gkgG.exe

MD5 2394dd1ccb02584cc97c551a9d8d8519
SHA1 1e38123a7a14074cf7ee7871cdfbc0131b88f7b7
SHA256 fb017ebed8fe835793b8eea5d8b2104a8cebcdf739d619e3b5ffc78e1c3f1d1e
SHA512 7ae7cc5b14e41b84f6ecaee19f811d13ac6068e72ad5c0979d0c0c16105cecbcb44bf8fd20c99268006942e8bb774c693364d4ce547e4981dbfa526df8716720

C:\Users\Admin\AppData\Local\Temp\kkoA.exe

MD5 0ec17cbd3ab84d58c724726ede0f2920
SHA1 98442c56fdd01e4c63362bb4416fd8d58f05c343
SHA256 c031666e63e1cfd19b2c4f0fcf7d741d7f838c060fb414d6c5b12047def21cf9
SHA512 f92d2fbbcfbaec9f1db81a05bde7fa770e49fa40194776f0c46a038c6dfab8232a277ea4b608918f27c5fc7f65a555a315f0786c4ebeb494d183da15edfd2be1

C:\Users\Admin\AppData\Local\Temp\MIcO.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\WsgE.exe

MD5 b48c5571d418edb108d13be396af8edf
SHA1 30922a828c44d8095ae4718acef45fd07355b7e7
SHA256 cdd95be17549f5c70bd13c05c9d72414e5b15f9d0c09c618309cca0afff9f79e
SHA512 bdcbf9d40bfa1129b5287b139aeca3f93acba257d7130fa1fa15199814011171ef6486a92b1dc3f040f9489d2a904af700a41300b6df846135a2d8a50a56966b

C:\Users\Admin\AppData\Local\Temp\IoAw.exe

MD5 4d4fd566c592049ee3f5f1fea69472f5
SHA1 4a1413a489414d7d1e54378c32ebb91b8e1a12e6
SHA256 a5be8bbad1834057e38810ccb54b3d4ed057f4990f13a3aa66f5a020df01fdc2
SHA512 eb6326e6334eb51ecfef59f14a03939bd8d5ba41369e4288ddb36d016980efae6837329ec10c52d6a36519623ebfe985bbc11d6ec192a717d22aafa92fcf9723

C:\Users\Admin\AppData\Local\Temp\SMYc.exe

MD5 95fd180a7130d17aa1ea4b77bf6ba6db
SHA1 dc5a9cee0ec72b07999b8b2b1f62ad2f3e99956e
SHA256 8dd77cd65b21313e100797158d351554a9b04caf17fa94257c112773adb09af5
SHA512 86339a6f4ed8d149d32db79d9570638688d71b20aa3f27c434944873f89af0414e1c6f3614285149604eb23de667362b7d5834e3c9e67897788394e5ae6c6d6c

C:\Users\Admin\AppData\Local\Temp\GUMS.exe

MD5 39001f045d9a30043d84cd3dc0b5b73f
SHA1 965e3f10f9c8e6aed3f4a409dec36c8bb1be0684
SHA256 5462f6b66c5128a6ef47a3a3182571d0dd0fbaff0ec076187284fb83146d9eac
SHA512 04836f7ab60b82421c2edb7580ae71f08eb057ff8da2a029df3296ff0da8217d8167d550733cec52e314458dc7149bb117d860a55ecec85afddba6d7368345eb

C:\Users\Admin\AppData\Local\Temp\IYwk.exe

MD5 2758e0e6addd60781e7094b18085cd77
SHA1 50841f71ffe1c64656fec2186e44f601391bf4d9
SHA256 8616468eecde39334701171c4385332fb166865becfa488ee12073ed84dcf398
SHA512 f33cb81f295b8a6a5415ece02598d8c0ebfa072aebd5b1cd2e7eab47e168e7fcbcd63c13bf4d2236d76b2a37941c73dcb4e8a1ce1d8387138133b175001da3ca

C:\Users\Admin\AppData\Local\Temp\Ewoo.exe

MD5 021daccb2bc98d6b25638ca35b430d92
SHA1 1eafce56bb78cbe68f95bfc9d2f4958470a9c199
SHA256 5c64d99f4953b2a9cc12d5692810ebca775a92fb71edd55a62dc8ae7d313123d
SHA512 583d08a9100b39991c05e1f1dfa82691f1191efccc155df3254e953b61c2c596aa722b7ff44d0dcc0aa9a1c62c7d14bdb8a03fdd7f3ca495e8478b0d23413993

C:\Users\Admin\AppData\Local\Temp\qUko.exe

MD5 ce786f8b54478d18410afdc3c0096f9f
SHA1 852e88d81e4409bce67c8a74ebf879d74d44f1ca
SHA256 8bd5ac5c6d21c0f27992074cd698c8b4aba85798691bf26db8293f1323272e70
SHA512 807f1c6a07e8a735dfa8d2e32a4fc39ed59ff02e49263853a9ae23977786b77d7aff219d0d6d222f7b88ab1fcb201b1604537c3329efeac405db4e116faf9dde

C:\Users\Admin\AppData\Local\Temp\KccK.exe

MD5 b4c2ae4e6cc687c66c0230c04826e881
SHA1 defe61acc55265d040dc00a11c5cd4f162dffceb
SHA256 807a4fbdeae5e13ea22486e0762f55913f6298700a7310fe167c10ddfd614a81
SHA512 0ce60f3ab8441d9ece74b7b7da3c499c032b602dc9614e26d3e04bf37a3878c73431217618edce5ee24b5af89680a4e4a57a4cf53175ff5fe52e22bd40d296d3

C:\Users\Admin\AppData\Local\Temp\uAgA.exe

MD5 f358bc4499ae7be6c84378a610d5fd06
SHA1 9676b64b0c6f113ebb5418215eee0dcde6f78148
SHA256 0b14ce139945cd5824e9d4d40972cc4a28a082af2a02f1791e2911a84cec96c1
SHA512 f9ce8d683a26428cf3b36be3c3812e44ff8f0b38943e1183b137e27c416d48b774c659e762501cc2b88a572279240335ebf6d523043de8010a5442092b132839

C:\Users\Admin\AppData\Local\Temp\uMcQ.exe

MD5 2fc154e7fc2e83fe7e3321a511db3def
SHA1 7d96fb9f0502f4be02478361f829c8ab5ba91342
SHA256 e49790c65348b0d24820da141a9462419ef7968e7d154e04b71daa45b940ac17
SHA512 d1af87b4513be82b89c193b1dbdd39b31d57227cd84c6583dc6ee17f0aac33c1f133b51778ab18aa3b21264791abd9b0a380bc0bde756f7bcafc95c2ff003991

C:\Users\Admin\AppData\Local\Temp\ecEM.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\gUYy.exe

MD5 d03b29308d70e41324c4474e254e1a80
SHA1 3cc8dc73a393e34cd6a36182038cefc80a373817
SHA256 95c7d6742c84b19a8b6dbcf63bd9f78b67fd650f7de26247c73b854ae41938b2
SHA512 8ebb65c273506948d8cd4a1e8b9c5fd5ebd44337855e8c0581e4c465cb0d263fa054f5aa4d35df0b05dc6cc50477c428820ff4d65aee381cd7de586c4e4c3ddd

C:\Users\Admin\AppData\Local\Temp\OkwU.exe

MD5 956a687e39cfd27e1f0d99923040f6e6
SHA1 e9010e16b1a39e0785c4b3965831cc4735648c12
SHA256 9558014a174b6121961b4198eb3fea57fe102b53e8456a1f7d0dfa8abd063728
SHA512 fe3b9703c38f3b63712bf1a47189534ee11359e42052572b078bdd6588657c4af7cbfb789a1b6b6add50cc34cd036e44250bac80e0ffc89150db5e8917587be4

C:\Users\Admin\Pictures\CompressConfirm.jpg.exe

MD5 99422726b2ef0bcf2fdf1e10a34464fe
SHA1 7fdea86255fb46e9354f67a30967947c0a4acb68
SHA256 31dc292c5efffac1bf72310f3b4d3b3fea4cd8f89755e5ebcea859528f3ec2e6
SHA512 eaa15efc19c6d95ecdadc1b88d3e875df168debac4e998da78f4018e282fa8acdc46993473d9bb4db6e2bf29c4bb73542fb79394548d4730f4cf330e5cd1b0cd

C:\Users\Admin\AppData\Local\Temp\OAwM.exe

MD5 382810c4f90c8ed8a49102889f120802
SHA1 467d1adc3140ffe19aba4aff8fef302608c69025
SHA256 8b24e120e3b67702761248c063eaa09823f974893480b96c2f146889bb53c6c4
SHA512 74625bb37481e862c0b77326252bf5b154db9cbccce07eb70bc2272f4d7a02912f73e056dd3b2c27200c8c6621f7ed91ee21101cca8e00d320e4e55121650f76

C:\Users\Admin\AppData\Local\Temp\SogA.exe

MD5 afddf7da012f0869d6929eff5d425ef1
SHA1 863be60f0bd39a4f91ec7f4ad9945677c26e022c
SHA256 6f1049555d6a85f86980625e85988c12d2c071427ebb55e1d11d0dc229e264a7
SHA512 178a32399408004aebb53d747d23c194675d97b4d23072a43b6f51c97c964fd5dee1ed9a1470055c7c6a93b9a56821bc6e3ade0ce0fe4164ae1e97915f755f54

C:\Users\Admin\AppData\Local\Temp\KMgI.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\swII.exe

MD5 9e40c85eb84a5dd926bb895c0f043da5
SHA1 4c6d5580648234b9ee8e3dab5d6f30e0e1d6444a
SHA256 7e3c8118ba40fcac16318b6db5b5518ef3df5642edfe592d6b576fdd41067721
SHA512 a14aa91b45419766efd7f262cbd03347a4bb2ee1b1e0e33a9e87c416c1b341e1404a0d343f03ed81e38e5b1cfd9ea5194c5c80e5e6381b21b9a0c3b8dd5c9578

C:\Users\Admin\AppData\Local\Temp\swII.exe

MD5 d6d343f5f014420b840a079bfd65cadf
SHA1 ea83fdff8d83792729c6b8c17124677dbb6f91e9
SHA256 db41b870c0b8d3bd79b570c82434b986e72cdfca068f62889e129bae9b5dc21c
SHA512 c0869a05d7149ae7df6a07b1833d88cb033b1b0be9a466baba357608893cfa274883864ed2b201d34434abf96ab8c5ffcdd2621028062e230c3ab870724e32f4

C:\Users\Admin\AppData\Local\Temp\YgYU.exe

MD5 3d40533464327bfda6ddefc8e65eb6db
SHA1 695c2ea8c4496280d3470f13e88d917943fff7fd
SHA256 8fb6d648bb346972aae87114498974450704ff63ed9103585b0a83e48fbe550e
SHA512 d9a1c45a155180f6c7a7b8ee72ebd95432e6e1dd032ddf3d1bbf9900dfedc2d9949fed40bef241a2a354ea9638a4c0c3899c628d73684a37d13cf3bada236687

C:\Users\Admin\AppData\Local\Temp\kQoC.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\AppData\Local\Temp\aQIy.exe

MD5 fb26b0cfe06f8c484a90130171d48489
SHA1 a2a501b740281b92eae0303460480f16a70da547
SHA256 dc533c85f87f55d42d465c8270e950fe680fe2ba2c3be3e26724056e75366b7d
SHA512 a106a5a1eba26a5a56aef68cce914c5506a437a9ce68c259332650b6297ddd354770c60d021d2fe30ff7482ebd8ccbf8ead4bb01bdf63195b6eb91890de6de8f

C:\Users\Admin\AppData\Local\Temp\Mggu.exe

MD5 6ad041b450e85dbf587f1e40c20daccb
SHA1 9e61cce80f7aba4f80b2b2c7c00a25b86bf987f1
SHA256 936084846c106ae59ad2dfa5c3d18dd218ca715025d635bde0302ef09c2ea976
SHA512 2d69a829f2d8876ebfc823d3370f45fe439b718b911adf13c2aea564d1354fbb3ce7677e84dd77d8b268be6ace5fe15581cb7b4b49f6f5ba039fb0f5aca8e3aa

C:\Users\Admin\AppData\Local\Temp\GEoc.exe

MD5 1ed82f42162336e5052409574e1f8c3c
SHA1 1f693a4cfe672c056e1eb4b013c873d98f2939ce
SHA256 557813a8d9f0b66de40da08d78e4b46f17eee490b364e5f67275f37bcd69ee70
SHA512 3267c156e2394a87e00196a040dfa1b32e69b299daa2353f1a6862a436bc0bfe5873b8e07217a1502d44ab2a7cb463c2edc11996f265f66109895187581fdcda

C:\Users\Admin\AppData\Local\Temp\qgoG.exe

MD5 a77511598cb804b77fd43eccc4d333ad
SHA1 37076c6f7d649406c820e6a8df2ac0dafcbfe936
SHA256 b491a822eefe159e46ffb0d9112b456b431920c68cdae5483532780a7df67b02
SHA512 a71254a3938f0f1e3975f18db1af4e2f3d05c0e33ff57e71be7a081ae005f811a0324062c2ce428de1e2ec7d128e49d78e63e81145fb4dc6dec32b939404f312

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 3e82707b47ae587288ad08226b1cb575
SHA1 4bbeab9a82140dee466a1124703309afac430e5b
SHA256 24c7693247206110ff0101b37e4b21241f5d84bd2c7bf2ac6d8040fcd05c8a76
SHA512 be85a9ef914ef516baa3024c0698270c4143b39bb09e1b1a68a8c51a0b126587dc2db5c9a4abd2eb49fa8fe6cd11253a51b309dd15a4fd9b5d668daccc03c6e2

C:\Users\Admin\AppData\Local\Temp\AgMQ.exe

MD5 ff0d4fa7bb545f3292879cd1edb07b5f
SHA1 7a9867ab9d8f4a43732038e843391fda8f442194
SHA256 46f2878d49e997ad572cd010460b11ec19f099d383f7cbc7067f3d8da1f14da7
SHA512 cc091e96ad5dcdcd42333d80cef756a20af4ecf3183ad452d8239eb0ba8f9a62fcecc4d78380409baef44b5aa0e11be0f9f4b90e4f39e8d10534b1fa345361a9