Malware Analysis Report

2024-10-24 18:18

Sample ID 241018-c8nxfavgpn
Target 2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
SHA256 dd7dbc78e267a832e8ada5d70ef95158e77f720c0822f44b7de39c9a5405ba86
Tags
discovery evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dd7dbc78e267a832e8ada5d70ef95158e77f720c0822f44b7de39c9a5405ba86

Threat Level: Known bad

The file 2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (80) files with added filename extension

Loads dropped DLL

Checks computer location settings

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 02:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 02:44

Reported

2024-10-18 02:47

Platform

win7-20241010-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A (23 identical rows)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A (23 identical rows)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation C:\Users\Admin\cKEAIEsE\oeAAEcQQ.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\cKEAIEsE\oeAAEcQQ.exe N/A
N/A N/A C:\ProgramData\hIgswcck\EWIAQIkg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\oeAAEcQQ.exe = "C:\\Users\\Admin\\cKEAIEsE\\oeAAEcQQ.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EWIAQIkg.exe = "C:\\ProgramData\\hIgswcck\\EWIAQIkg.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\oeAAEcQQ.exe = "C:\\Users\\Admin\\cKEAIEsE\\oeAAEcQQ.exe" C:\Users\Admin\cKEAIEsE\oeAAEcQQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EWIAQIkg.exe = "C:\\ProgramData\\hIgswcck\\EWIAQIkg.exe" C:\ProgramData\hIgswcck\EWIAQIkg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A (9 rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (23 rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A (21 rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\hIgswcck\EWIAQIkg.exe N/A (1 row)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A (9 rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\cKEAIEsE\oeAAEcQQ.exe N/A (1 row)
(64 rows in total, collapsed by process)

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A (64 identical rows)
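Reading the registry signatures above: the high-signal items are HideFileExt = 1 written under the user's HKCU hive, EnableLUA = 0 written under HKLM, both through the 32-bit reg.exe, and the two Run values that point into the user profile and ProgramData. The NLS\Language key opens and the bare "Modifies registry key" rows are opened or touched by ordinary processes as part of normal initialisation and carry little weight on their own. Two caveats when reading them: EnableLUA = 0 does not bypass UAC so much as switch it off, and because HKLM\SOFTWARE is writable only from an elevated process the write only succeeds when the sample already runs elevated (and it takes full effect only after a reboot). The Wow6432Node form of the Run key is the WOW64 registry redirection a 32-bit process sees for HKLM\SOFTWARE on 64-bit Windows, so detection logic has to fold it back onto the plain path. The Python below is an added example, not part of this report or of the sandbox: it re-expresses the report's "Set value" rows as records of an assumed event shape (writing process, native key path, data as text) and flags those three patterns, with a constructed benign Run entry under Program Files as a control. The 23 repeated rows for each reg.exe write are reproduced by feeding the same record 23 times.

```python
"""Flag the registry writes from the signature tables above.

Added example for this report; not sandbox output.  Event shape is assumed:
the process that wrote the value, the native key path (value name last) and
the data as text.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class RegSetEvent:
    process: str  # image path of the writing process
    key: str      # native registry path with the value name as last component
    data: str     # data written, rendered as text


VIRLOCK = r"C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe"
HKCU_SID = r"\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000"

# Constructed from the 'Set value' rows of this report, one record per distinct
# row (the report lists the first two 23 times each).  The last record is a
# constructed benign control that no rule should flag.
SAMPLE_EVENTS = [
    RegSetEvent(r"C:\Windows\SysWOW64\reg.exe",
                HKCU_SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt",
                "1"),
    RegSetEvent(r"C:\Windows\SysWOW64\reg.exe",
                r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
                "0"),
    RegSetEvent(VIRLOCK,
                HKCU_SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\oeAAEcQQ.exe",
                r"C:\Users\Admin\cKEAIEsE\oeAAEcQQ.exe"),
    RegSetEvent(VIRLOCK,
                r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EWIAQIkg.exe",
                r"C:\ProgramData\hIgswcck\EWIAQIkg.exe"),
    RegSetEvent(r"C:\Program Files\Vendor\setup.exe",
                r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
                r"C:\Program Files\Vendor\tray.exe"),
]

_HKCU = re.compile(r"^\\registry\\user\\s-1-5-21-[\d-]+\\")
_HKLM = re.compile(r"^\\registry\\machine\\")
_RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\")
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\")


def normalize_key(path: str) -> str:
    """Lower-case a native path, map the hives to hkcu/hklm and drop the WOW64 node."""
    p = path.lower()
    p = _HKCU.sub(r"hkcu\\", p)
    p = _HKLM.sub(r"hklm\\", p)
    return p.replace("\\wow6432node\\", "\\")


def launch_target(data: str) -> str:
    """Executable path from Run-key data: undo the doubled backslashes the report
    renders, drop surrounding quotes, and cut at the closing quote if arguments follow."""
    d = data.strip().replace("\\\\", "\\")
    if d.startswith('"'):
        d = d[1:].split('"', 1)[0]
    return d.lower()


def classify(ev: RegSetEvent) -> list[str]:
    """Return the finding names that apply to one registry write."""
    key = normalize_key(ev.key)
    data = ev.data.strip()
    hits: list[str] = []
    if key == r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua" and data == "0":
        hits.append("uac_disabled")               # UAC switched off system-wide; needs an elevated writer
    if key == r"hkcu\software\microsoft\windows\currentversion\explorer\advanced\hidefileext" and data == "1":
        hits.append("explorer_hides_extensions")  # 'invoice.pdf.exe' now displays as 'invoice.pdf'
    if _RUN_KEY.search(key) and launch_target(data).startswith(USER_WRITABLE_ROOTS):
        hits.append("run_key_user_writable")      # autostart from a directory the user can write to
    if hits and ev.process.lower().endswith("\\reg.exe"):
        hits.append("written_via_reg_exe")        # a LOLBin did the write, not the payload itself
    return hits


def scan(events) -> Counter:
    """Tally (finding, writing process) pairs; identical rows collapse into the count."""
    tally: Counter = Counter()
    for ev in events:
        for hit in classify(ev):
            tally[(hit, ev.process)] += 1
    return tally


if __name__ == "__main__":
    feed = SAMPLE_EVENTS[:1] * 23 + SAMPLE_EVENTS[1:]   # mirror the report's repeated rows
    for (finding, proc), n in sorted(scan(feed).items()):
        print(f"{n:3d}  {finding:26s} {proc}")
```

The tally keyed on (finding, process) is what makes the 23 duplicate HideFileExt rows readable as one finding with a count, which is how the collapsed tables above should be understood.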

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A (46 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\cKEAIEsE\oeAAEcQQ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\cKEAIEsE\oeAAEcQQ.exe N/A (64 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 564 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Users\Admin\cKEAIEsE\oeAAEcQQ.exe
PID 564 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Users\Admin\cKEAIEsE\oeAAEcQQ.exe
PID 564 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Users\Admin\cKEAIEsE\oeAAEcQQ.exe
PID 564 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Users\Admin\cKEAIEsE\oeAAEcQQ.exe
PID 564 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\ProgramData\hIgswcck\EWIAQIkg.exe
PID 564 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\ProgramData\hIgswcck\EWIAQIkg.exe
PID 564 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\ProgramData\hIgswcck\EWIAQIkg.exe
PID 564 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\ProgramData\hIgswcck\EWIAQIkg.exe
PID 564 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 564 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 564 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 564 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2964 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
PID 2964 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
PID 2964 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
PID 2964 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
PID 564 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 564 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 564 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 564 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 564 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 564 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 564 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 564 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 564 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2720 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2720 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2720 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 432 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
PID 432 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
PID 432 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
PID 432 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
PID 2700 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3000 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3000 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3000 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe"

C:\Users\Admin\cKEAIEsE\oeAAEcQQ.exe

"C:\Users\Admin\cKEAIEsE\oeAAEcQQ.exe"

C:\ProgramData\hIgswcck\EWIAQIkg.exe

"C:\ProgramData\hIgswcck\EWIAQIkg.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nYYwEoAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XEIYoQwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DEAccksk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GCsoEUII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QOAQEAkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oYMAwAko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MWwAwEsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uYAcsAMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QoYIcYAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1506167368-121326098571933161115011811319986577739215635521715838944811719078"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-471722675145223109-165406953812815181219576907981849445961-861954592-1205277036"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yQAMkwEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PAEUAMYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HcYMUEwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZyoIYgYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BggAMAIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FiQMMcAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "847862670-68046052513054573601312092431181050667-1187683668-622635692-997112796"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OyIMUwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eAAkcYkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wSYYAkIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "779025898-1233074173-4733102061871073416-1687929293-1088376264-52891305626291690"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "212874069792937623-151793325352532416-1981460410-525525725-449203097-2146385281"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mqYsckAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "535432082-777601937-8592059281693241210-11520929471932031012-959895861445613863"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2095032663-956203888926272941832367038-472928387-2152142291904522690465943718"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-3608053531604192414-280146818-1590456231-1088582954-567478952-14043756891643237521"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-844760650-869434733-2125015529-1835083545-1975435563-2099096673-880740634-580913280"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CsEAIYQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ReMQoEYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1105613896-1979648457-1413556803-102081228-1986209641194619761-1168711974-1875068803"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1850115814-1115447309-7315015042035048459-1665232590-162628445721423043951263666574"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1186356397-9699432801980618356728186886910577724-703379784504300701939748000"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-184259031532794933816160904511307728944-90571795468458860-2003683660-183572886"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-102859447487840624-363704795-1605535798-20512396615136005891536802162-1372889370"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hcMUAUsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1741080409-487981911-329836698137964971-21036482361260378521-2129414361-904022849"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1002894802-339325842-196805867612321935801048565490-397765206-1007173002-1137188608"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LgYsYAEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-149602287381878994413216055562130584324-1089356354-21387433691356049045-48014904"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "269502927704360130-1714867471968829866-9164512221725928358-148963021-2004757046"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country  Destination            Domain      Proto
BO       200.87.164.69:9999                 tcp
BO       200.87.164.69:9999                 tcp
US       8.8.8.8:53             google.com  udp
US       8.8.8.8:53             google.com  udp
GB       172.217.169.78:80      google.com  tcp
GB       172.217.16.238:80      google.com  tcp
BO       200.119.204.12:9999                tcp
BO       200.119.204.12:9999                tcp
BO       190.186.45.170:9999                tcp
BO       190.186.45.170:9999                tcp

Files

memory/564-0-0x0000000000400000-0x000000000042B000-memory.dmp

memory/564-4-0x00000000003B0000-0x00000000003CD000-memory.dmp

\Users\Admin\cKEAIEsE\oeAAEcQQ.exe

MD5 6acb2f31358df899b3f2ec10fc4cd728
SHA1 4959034e0c93fc90d8b97c6908a85496e5492cdd
SHA256 79eac1d69d66ac75d42f317dc156360534cad317fb677b306f0e262245eb5395
SHA512 4980a420e1706ca63129b68db65fc7d2ef90cbd59f7c1283111fa5f1b8cc957a3a10df920a0de4939dc7b427d9689dc6e254ca01f9738425e7f22ae19e4206ef

memory/2080-14-0x0000000000400000-0x000000000041D000-memory.dmp

memory/564-10-0x00000000003B0000-0x00000000003CD000-memory.dmp

\ProgramData\hIgswcck\EWIAQIkg.exe

MD5 58156d03cfdbdb0cb04bb7dacf3cbcc6
SHA1 5a3b208a0042ddf7a9f1b7f17864f1aa936ffe7a
SHA256 e5cafaddc376108534d8e032fbd2549da2780348e4227cc4eca66ccbcea865e8
SHA512 9210d7b3cdfd2e104c628a7c241b0b5c6255c067ae54b098cf38bc8dc9b546deb3ab1bd105030e346183aed8cb88a1d7e2007747ca5162e99f9650126a2a1a92

memory/564-21-0x00000000003B0000-0x00000000003CD000-memory.dmp

memory/564-22-0x00000000003B0000-0x00000000003CD000-memory.dmp

memory/2880-31-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jaEQQAIw.bat

MD5 9d63c62c53dc994a0f40f4a9bdc37b6e
SHA1 bf1087307ac13cd9043908c5ef2030cb979d972a
SHA256 45a5e6e77c9d235f32ea7b3825a9235801258e7ebb1efcc50d19469c4cc3e6be
SHA512 a617135979623654d9618594a9fa720d1bb6a76081226fbb3600a62f2025a08229f366f904d28a0182c0e2a6295ae82e18a4a01e360674049a6f5b81d1f50d3f

memory/2964-34-0x0000000000170000-0x000000000019B000-memory.dmp

memory/564-44-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2964-35-0x0000000000170000-0x000000000019B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nYYwEoAg.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2700-36-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

MD5 35cbde129d22ad6080dc8fed0fd3e185
SHA1 e29871c61fe34d7159cf12daa543e1679f3ef63a
SHA256 eaed558d6439df7f6172277ad993c778b631aa73ffce8cd9619b525ff92a2265
SHA512 009e3a9714454ae0b0ea87d391dd42583a390ce74d249a0421318dfa8af27e98d4cfc625f1923304a177a6824210c687f522082783c9920beeba3ab078ae2f60

C:\Users\Admin\AppData\Local\Temp\foMQowoM.bat

MD5 5a6c4fe3cb030b2b72fed77dc4b9b2fc
SHA1 4a9e075665ababdd229ccc69a53b10cb5bf8dc3f
SHA256 2d3a7da9d4cc4283844df4378f716e237055f00a8c1872f8acff6e0a9f5eb83e
SHA512 1e245efd32e0b51f6a53fe50b95c13d4ce136f4acab026347379a82b8e40ffa5fb8b7b6821f8ac09a56faed22ffd8494041ec5f906d1b28ff7ac8c50563edf16

memory/432-57-0x0000000000180000-0x00000000001AB000-memory.dmp

memory/2700-66-0x0000000000400000-0x000000000042B000-memory.dmp

memory/432-56-0x0000000000180000-0x00000000001AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\RskEYIUs.bat

MD5 4a3abf2c0dd1112268397765d0c85cc6
SHA1 9fe5f1d053dbd6377fe8eaec0b92b7fc0df9aea3
SHA256 00f3dde7d9397870ab8e52e711a26a9ccd3765c9aae1937ad0e56e3a489e10f8
SHA512 8aa1ed0abdcdb04193769f5049606857965dbf0f06dc7f3498de93428df911e135b7aa8e434cfa453765afe67ff97bc2a0de035691ac384fcabd94c9213b5307

memory/2196-88-0x0000000000160000-0x000000000018B000-memory.dmp

memory/1968-90-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2196-89-0x0000000000160000-0x000000000018B000-memory.dmp

memory/1884-91-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YAYAcksE.bat

MD5 0ca62df0435b5eda02a279d383dad2f3
SHA1 455b2d5ae5546c7537ccebe1ab10afa4db79872e
SHA256 bd0f14838f2206d3598adc6e8796587a85fb137e0e1b785c4cef1fb0eefd1373
SHA512 855c39d3ca435f1f3b5885804ebf7d4e5b604613fdac8d5b768ea3735b1b38a4c128e7aa0485071b160c3da613c9f5b6913d0f7174ca51c366f314fd21742d3a

memory/2220-104-0x00000000001D0000-0x00000000001FB000-memory.dmp

memory/1968-113-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mcIsUMUw.bat

MD5 247d480b38c563a9b5c6efd8f4ba391b
SHA1 9abe6afafa17b97153296ae04e1188bce8b3a02a
SHA256 4b3211d69d791ec21999c06e75a880f81ea037c43e0ce39cb12c305fe3c8afb1
SHA512 70248ba61a7578f26230b5773a4c66afbcea44fcc8bd7a4f51c6c4a9422f4d938a7fe772a11345e0b2646dfebe3ec6f411c1551cae55b441c8a77e74d538d774

memory/2240-126-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1920-135-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kwgAwwAM.bat

MD5 e9d50b7f376b04e7a76106813771ab37
SHA1 e3f4f197bf6faac664e92d4e90f4e42edfae5f9f
SHA256 974230db9bcbacc976993406e20f83ffadf10ac7ecf6b266fc03b6e86a16f88c
SHA512 c1df6ebb47a001b1fd84e7965bd5165d191f08d80e6c7d8bf4c0b716c172968a2536c02f3b6676cadcf8d0d2905ae0a03aafd7a0cae680677bce146d1411d9da

memory/108-147-0x0000000000400000-0x000000000042B000-memory.dmp

memory/108-148-0x0000000000400000-0x000000000042B000-memory.dmp

memory/884-150-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2072-159-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SEIoMIIE.bat

MD5 5011d3a095624155ddbaadc2393f2bb8
SHA1 1fb955ce1bdce7e8ff4211d8921ba3b53ccbe27a
SHA256 2b6e01fa3c1b26e849112bfe4eab9a1e32809c97e312854f95b2d491e3fe510a
SHA512 03a4127832308582870121c3a63e27d42c6ff8d9b668fbb266b473b3ad838a37efba923098b28041790354c643b67eace8a20398481d890b25b4b1fc9452cdbe

memory/2828-173-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1128-174-0x0000000000400000-0x000000000042B000-memory.dmp

memory/884-182-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\keEcYEwE.bat

MD5 a4ea08f91974f93a3a39ed4c9373d608
SHA1 e7fdf06a12c482c60af3a5fc26470ad883f95c25
SHA256 ca8eb57af5dc7c461bddb1806fe96cbdd4856abbbb38bce7d3e87941dc3b334a
SHA512 33a48b2f6b959c2832464da20802d7ddd3474244248b9e95b3ae7a26b7dcfe2edc62de9df668ac39c0d98e1b53f1b1fa9288f72e398b08bc737535587b43d368

memory/1940-203-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1128-205-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2700-196-0x0000000000160000-0x000000000018B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YeoEIQog.bat

MD5 3d7d4b722f22dff86992dda3bf275fae
SHA1 6dc3e83a6324adc01c36b8069e0880c40c3b9b87
SHA256 c9fffb2d5f998f165a25bf8d61e565e939bbeba1494316c3db163547aab81d54
SHA512 dc102eea267644295a00137f424938be8ea40189b60dff04b5c3014f217f5e03ee211890145ed5cb87efe731d8271d4b4364709540c2836cfb009d4da0cf1f28

memory/1940-226-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2720-229-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2216-227-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2216-228-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sMEQUUAA.bat

MD5 9f4ded12d5c867e582fa44ede638743a
SHA1 245b5677899062a84bcf310fa2f88de472cbdca6
SHA256 6220e0fa7d22d26164152627840b54f6dbd1a0859ad24d1e35aad21de84f1989
SHA512 8f26ac1b666dcfd4290b1c361c9ab66a71af55d5f8c29c666d86c7c5b667fe929c03e15260b609f3de233272849424e7435a41d76b78f143facd0b4c209f6c00

memory/688-241-0x0000000000120000-0x000000000014B000-memory.dmp

memory/2720-251-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pyAkwIgM.bat

MD5 fab7ab979fc8477af5b50c8b33a1adec
SHA1 1122a2038d1c19e672c01d09940d75b80bb280e3
SHA256 d829b70e50694dd26a694f5b652d6d09e371ef0940e2b8c59dc79a6a1d20210c
SHA512 25946652d0bacee0a55adfd69de1b5d173fa135daf8e0bfb058ba595bd0ec72d63d563e8b4ef7c4fea1941561be974f789739aecd57d00c239ca0f7fa5eccaa5

memory/1692-265-0x0000000000170000-0x000000000019B000-memory.dmp

memory/976-274-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1692-266-0x0000000000170000-0x000000000019B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XokgwIUg.bat

MD5 3bbe5bc2b7bb5cba546076850489f0ec
SHA1 7d06620b1707e5f4f6196029b622491b635b6e17
SHA256 f6dba59874a4d4f6c0a4697521a84a4fc29b41113651ea164f24c51a82686cc4
SHA512 af7c5df33c3df741e2b1dea6f34d38b4fa3768d782339bada26aec5037de37284a919ac75cf6d5dd2e8596458b0311285b8d5b6f04fa3d990611e7cf7447bb87

memory/1252-296-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1508-288-0x0000000000120000-0x000000000014B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PUYYYEII.bat

MD5 3ecc0623121b8258cd91eb72c4a021fc
SHA1 3b0bea55700080a00bcc635958722a41fe65584c
SHA256 24df42d48f7a94d56be65c5d172fd664e480023c6878a8f5d89195fc569351ee
SHA512 8dc46610d5a8cae0968b0dd169d03f807fbd7b034a706f2f8de7f02279a2438a15535c107a801ac9ce345fe0cac09c0d2e7488761e6cab2be4f2d258a3d173b9

memory/2812-317-0x0000000000810000-0x000000000083B000-memory.dmp

memory/2604-319-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2812-318-0x0000000000810000-0x000000000083B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\regsgsIs.bat

MD5 66373a9c960d5bb19f89068c5a2797b0
SHA1 d6ce3e479207e1eef007d38224ca9f16a1be875e
SHA256 7a7c7a82777b67bbc7927f4060882409a96e643efa7edeb379a2b1081b8032a8
SHA512 1a340cb72b33b8c8ada3ec018111cee7d2e66d7235206bbc772becba81508414ac63cffac5998e113dadc83c34684ca00f462122948ae36406e2b7c7cce86338

memory/3060-333-0x0000000000170000-0x000000000019B000-memory.dmp

memory/564-335-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3060-332-0x0000000000170000-0x000000000019B000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

memory/2588-343-0x0000000000400000-0x000000000042B000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

memory/564-380-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3008-382-0x00000000001C0000-0x00000000001EB000-memory.dmp

memory/3008-381-0x00000000001C0000-0x00000000001EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tCEswUgQ.bat

MD5 2d484eb5af7a49d6724afd2f48081d3e
SHA1 dee03b08faf829dcae7c7918d232cf16ceab8fc2
SHA256 c550710a57f6c91f0a252ca599cf564c108c75c5ebbcfdb32262dfcc031df996
SHA512 90dfd0a4d2640fa704a68e492460c029b2fa33709f84749dfaba1ea52d55c3be74aa9213e1e5cb96e9d873865125a1356148e299a0b66c3f263b27402ca509ad

C:\Users\Admin\AppData\Local\Temp\SwQM.exe

MD5 f07f4aaee2b482ca5ec2b3e5c0f7f980
SHA1 a206e6b9d014b7bdb486ab414c609e3a66539c5d
SHA256 6b5264a4a2ae0a61104ba9c26a61e3caf290bdae5bf79f82d05fd96282319fc2
SHA512 9e16e43646fc4e6674556a45b4e955d0cb42b56c070b12dba35650a49cc67830fd9eb0ae91316b2d5fca21943ddf781a3da506227b10a3251a1a39fad6029bb7

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\Users\Admin\AppData\Local\Temp\ouEMkkEM.bat

MD5 046ffa1519ddc91e14e3ce13d2bee259
SHA1 a10125e94c33b5d83bdc7f53087062eba741064d
SHA256 bbe3ba40e86a6deadd69634ae5f76c4fb34b941ffcbbb8d0b13ac7e02639d393
SHA512 067b890c6655bff8aa2e6f246c1156a8e7740fe5d04fdbb7a0bf78677a3ba9f33ab832a7f334498256780bfcfd4a55982e7110805d32cbf9071b16b75f5a1620

memory/2460-405-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1288-406-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2276-408-0x0000000000260000-0x000000000028B000-memory.dmp

memory/2276-407-0x0000000000260000-0x000000000028B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yOsEsMIc.bat

MD5 8d46004c1e4ba11faf8815a205b39ca9
SHA1 ce5d7c12a350c6e5b1d068acb16c7224c34491f7
SHA256 929f5d275089e1b179fb5bcf84cdffd73c2f5b2ba93c15281ecbd28b6b399a25
SHA512 2ea079351d06b3fd40ebfc0053a52874b04fe9480eca18d21be24d0a04316c1614b1fa3ba506b3bbaa3093b951b1ec3d86f985de0064962cbe86b901841c16a3

memory/2492-439-0x0000000000260000-0x000000000028B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UAco.exe

MD5 45913d2c1aebe186a67e35314f301945
SHA1 b18674b7c7ddb2a9f9d63bee0b4f4611004e924b
SHA256 b378d4d316a19e672793aa755cdb6f328c1a25df92392dc8c4e3c9d9a51f56fe
SHA512 5fbed213d8642ed3b429d5113333a573a0afbafb70eb4fb9a5155a722cad68cb9b63ab4f3ffa517cbdd73a8f35c68bad3597fa0a2c981a23ecb973a61f5cc6c1

memory/1408-441-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1288-430-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2492-440-0x0000000000260000-0x000000000028B000-memory.dmp

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 87526d8ce8b47322c9829d2577d0e0c2
SHA1 7aad6804202090e429339894cf33a4b2d12142b0
SHA256 c186f3552f8300d5c1076ff229fd7e235247da20da58a7ff281f3ed2da21fc83
SHA512 7080272082734a07ac289d5465006e0ff12e6287d12438d737ab0472a73f4b33982d8ab4b4693c1615335e973270740d39c768e8ea9bf8de87e151c54c1df4b1

C:\Users\Admin\AppData\Local\Temp\QgEi.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\UoMcoEkg.bat

MD5 a27ab456a2494ca24fe3323f18a2f024
SHA1 be1c4e1d6dc1fce4433d0e169620506424c43afa
SHA256 50b7d36a8045e05f4c5a84a609374b19512848a62f3b0652e9b8be63163d6646
SHA512 c84b4b920fbb1487e0b5e6af3f05890cb84a580af8d76a4847db6b4a1a93276d3008c519eef9360fedaf720efbf36f7e5dcd55ab088827c2ee20296c2d21d150

C:\Users\Admin\AppData\Local\Temp\AQMw.exe

MD5 d9345fbd057690c40e688c8dacadb9b1
SHA1 9c6e1ea356ba06c45ade3ffaac7346d52bc77142
SHA256 6618a9d2df80c9618b431fb5c7b1a11c129d0eb0f9a107e0647a8661dbd806d4
SHA512 faa4f7cd4c228a304e6987681b920c8990196271c07405984fb1183ab824958f7e513795fc3983a994e8e186aebb20a87565a4ac06cb24e37a8fefc381717442

C:\Users\Admin\AppData\Local\Temp\IwkI.exe

MD5 666cb7cbf9e86596aecb8a7d6814a982
SHA1 a9470e0a85e31c14e8153edd633249f1bf755d24
SHA256 15631446cfa875866dd2cb36e96b190526a3e49c67ad2be65b8d7af9939753eb
SHA512 97552b3279eb45169abb82085f3c58d689406c50386e516f85790866eef4ca496293e72bc564cd1ec09db2d4319de8519bc57c6c718edde71c50f5eaea117833

memory/1408-506-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2692-498-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qMkI.exe

MD5 6a9967d8ad12e8306fbd3478a68789be
SHA1 7a293847346ab8cf1d04ae8f86ad46a30e26e947
SHA256 e8dabf1c2aacf8a7f25e485e8f2be8f7acceea295a127755cf75a1e1b0cfb875
SHA512 fe1d0245aca2302631bd02da473a0b99afdc7882a984022931d491dfc4da2e2078a109c22484a6d89d9f1b1d99f31a82acab57bfe5b013ac4d51a8e19c1f5217

memory/2332-484-0x0000000000120000-0x000000000014B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iooc.exe

MD5 ce23b9795b0a936ed19d8936c8bca157
SHA1 636ebbe2d59f7e3026615985360e327a7555b9eb
SHA256 eee20e00b729f687bd8761e13de8063b761a416628294314b08c23fd974e687f
SHA512 5cfad7c3a63bbacbcd186ff9a759ffceb967692ee7bf8f1cc9d3465474e49c79be25d11dc7741e83805a36ccb06f8ae4448773e48b17fe1e85a3ce62c7a15c90

C:\Users\Admin\AppData\Local\Temp\sQEC.exe

MD5 c0aa4897e6bf03ced254256be1d420a8
SHA1 8f6b1f229345f2ab3629668a9167be20e191bb59
SHA256 37027c03838b77af8f36aa83f4bbad3fa0c5e51807a7fb3322ad0c7f996dff4e
SHA512 842ca9f2e05c5814dc206c7e2bf51927a55cdf542466145868f4a19076e5a1b38f7e15aec91dbf9bf8164fa6b8dd66c9a4a68665140ef889e6182e96d0ed0de7

C:\Users\Admin\AppData\Local\Temp\aEkMMocg.bat

MD5 190436205ec0e469b5442906788238fb
SHA1 2bfc539e3bd1a8741400aa9dff6a4a43ced9691a
SHA256 4005fca0b6b1dde6737c4751e1a6c93e462c3968515965206e2780619f98f68f
SHA512 997c301a97e581a4564321a8641281117cb56ca294765736bede1d83668344f37de18fb93f03c4645008f2fc18bdb69c4930a811c3e29a3d577c1c33a4a3c5e8

C:\Users\Admin\AppData\Local\Temp\SQEa.exe

MD5 de30ee32b31ae604fc26349874dcc053
SHA1 62687e6dd7d7961fb5905ebab309c32f702aa1e4
SHA256 c9e1d21813268c208e187c81c77fdcf829fb21511d0853515023e901e7883839
SHA512 17e75496c35fed84b415589ad820fb4e391dac3195df99ac001e2156807e271e0385b04b0c79ff00c1dae0b95a355fa0a1be082be6e49ef121f997a04c9cd9aa

memory/2692-579-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2624-581-0x00000000000F0000-0x000000000011B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EooW.exe

MD5 a9703d8915428d815e2bc0c2c3c93b5a
SHA1 4e115240e539c209504815f2b3c5e98912fd2789
SHA256 52dc0c0626aa57374df4f9b53c400ff09e0676553cdd5437fb9c5dd5635350d4
SHA512 f3c16e546ffde14a336d0ae7d5c1ae3a2efd770909d11c9b34a79c5873635ea37ca9d8e11aed4341f938833b6503bdac17677159fd859211f470c84c56bffd13

memory/2600-595-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2624-580-0x00000000000F0000-0x000000000011B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GUkO.exe

MD5 94abb9365e19cc9860291d1d97c294c9
SHA1 f6d9e444ff006f6f8f9cf88b0710b0ce09ffc9ec
SHA256 b0c537eba4bd27d94c89eb43e18219d8352cd89b3e10106e6f088817291b5217
SHA512 04cef40f234ae4583670d479a27eea6bf072ed8340a1244e58ece281caab6bb50b83e1abb1ff8059b3dafbe4b37794c83062245414bad2391608f02ad2cbf27a

C:\Users\Admin\AppData\Local\Temp\cMsA.exe

MD5 2314349660b22f3c4f2903b0842076a2
SHA1 365028c69b7e92596a21ebf08e1b3711b976bef5
SHA256 3b4d48a0ce27e91c3bce5c105df9327736e69733033abde267b09bfb7df86616
SHA512 8723900461015693b2f850bb4b6350e7985d7543d4dd2af5b77ea3dc634efcadfe961caa1fe0ccf85d2a1c2274628a16fd2033dc6d56fc657e866418bba12386

C:\Users\Admin\AppData\Local\Temp\kuEYAoYk.bat

MD5 51d08f1e8109b10199dbddbee9608d48
SHA1 95fad4cb8cfa9dae6e35cd6a4c8580d4b6adf6b4
SHA256 545d5cbfa596b21c9c50f2258c9f82941c7ff54037003dca6bfcc99cde9f5ed3
SHA512 fd5c6af12efcc71948f0ce3c706461431aaa3b3301fb5d1628b35d7b598a034a842bcc8a7e7d051e80f208a459d789400232e200e6ba9e4ab3b3642edd066e72

memory/976-646-0x0000000000200000-0x000000000022B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OgIY.exe

MD5 606a6af05dd25e093899e1021c055749
SHA1 13898237571e85750a472abc967190d792cf4977
SHA256 20427a145c2a78fe0da4c715af91a50b2691f10cb3eddce19e36d5e4e889f653
SHA512 0b4afbdfc7d202e4d0a44847a617a3cb7c73ed919be7c40b159dfd413b0e0221672fef0ea16f9cef0a8d4bc9a93e8bb6b42dedb11de55b8544b2c0a47b3b7879

memory/1700-647-0x0000000000400000-0x000000000042B000-memory.dmp

memory/976-644-0x0000000000200000-0x000000000022B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eYgY.exe

MD5 1fc5d320c0a5f944ec075e58d66c29a0
SHA1 73565fd9860be11d78a5126fec555e0f29dd5926
SHA256 66f12c66d9a6120e6b8f3dd9becd9670f257b9374e37a1efb8a5c257021b5af4
SHA512 74a7092c74fc90eb152e017d53d30c2f82c2a4831820d67385abe679fc904e2837cfff668c7a9247b0b46113de1b59f8108fbbe5d9582439496a69cd437bf84f

memory/2600-668-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AMwa.exe

MD5 20971716ba4013b00bb4d67e224bec67
SHA1 7bbcedcc34ad7d49fc8acca3c1b1fdb361bc82d4
SHA256 d5a3d495baeaf4e63246efe2c76a0d2e66d45983b9dd148aed73654754653c4f
SHA512 11b3a1e98f214aa64e02523f67fc7c6f3168baca3de67d709e1aac5d23ecab986f16c7933c8674f545a2ed59dcab909c2da87b9c81fe50f8458ec517f86ce027

C:\Users\Admin\AppData\Local\Temp\mqwoAYwM.bat

MD5 40b1f368ef47d7a5f8d5a99be4e49ec6
SHA1 a88e4cdbda18cc97aeb0ea737cdbd794cf564403
SHA256 572d420e5d97c3f629c921fe210fd65d11fb6d3af182b09c885a565dd5f35ce0
SHA512 ede1fe8db1cebc623ba8bbf199901e5d19c788aa06b7041c36ea0a22f93a1c4660c0ef86f0ce1c2f4c30400892d5798ab7cb6cc287e489a7a4aefc4d144c2331

C:\Users\Admin\AppData\Local\Temp\wEwW.exe

MD5 e6c0eb82c466961250b4cee93595d146
SHA1 42f2d4674e5c939497391a2eedc774fd4dd1a73b
SHA256 5aff63e4c75c1dca0336c6fbc01060ac233f22f07750d11c6ddc6351507caa95
SHA512 676d47b7d36e666cbd907189dbf9f814ea33767259007c5a7f53cb82cceecb8a4ce57baaa431db65377c14529fffe819eec1ade570d715d77d455716212b5ce3

memory/1700-725-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EAYi.exe

MD5 9abcf765991696faed7ba6f7a485702d
SHA1 2ce9c24c771a9168334cfbffcb9f971bc99699e1
SHA256 5e57514397b50f676a26f623c0e0f81015d881ec2806737e798b69e058b176ca
SHA512 84fe88eabcc15d9233083048539803066d6c576157dd37c1922e3aeccfd3967f2e4ee38a3f4b898ba01604e2d77af2304d865fbabd89a9c984b3123fa03563ee

memory/2924-748-0x0000000000270000-0x000000000029B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SscG.exe

MD5 c68df4a1dd7c90d60e80913a388a5f37
SHA1 e101134acde19926db16ee3123214028e1e0ac39
SHA256 c1fcd3da7576cb230645112fd5dee5b45e16ee296f40961b5ab3fa5d61b0f81b
SHA512 90b119b469379df207a03f8a6daf7c7cf66c5b2478fc8b0dacdd20dd5b1bfb131868b65d9e3dbc874069c9ded284eaca116892425b21802bf42f92abd013b052

memory/320-749-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\koIQ.exe

MD5 865e91ec8f26cdab13ab9e0cbc11d6e2
SHA1 bb9e694604fb791a0c31854034b9f1b32111f698
SHA256 d84d0ad42013b4d1a40eb3285ed3df95709084b1b0ecaf097480d30fabbf8533
SHA512 52067925516a658fc690064efc71891cbd20ec5adccb53143cacd049a79b841cf87178f2176306173b5a3c1f209dc3bd2afec74a5a5fa7e98f7064504a7c7252

C:\Users\Admin\AppData\Local\Temp\OoMi.exe

MD5 fb69768e63a4f9cf011aa73c2ffed61b
SHA1 77584f0752f10b7f7ebab60404f7c608519e8c46
SHA256 cbeb3cb8dea0e844dd1998a59ae77e199caf7802f61b62242eecf674daa017dc
SHA512 1f798e4ac66673a2330aaa2ac86825c0a46acc97be8ec5e84affd2ab1d373a7844d1f187276ee3c068b64bdda1ee549b294b6d3451532b3b06a7bfef5ae4a826

C:\Users\Admin\AppData\Local\Temp\pesMwcQE.bat

MD5 e2ba2b30adb135f1c43290d0b4804768
SHA1 6e92f1a43cebefee4cd64d437261552075ee5462
SHA256 842632788bec618c92b3a01715ca0ded9932ea1002b3da80cf39558210a0d9ae
SHA512 f136405f2d3b53cbe5bf3ba1b506473c89c86a68dcde8e2ca983c270827aa8cd1c76067777d435ffc4800942de27a631bc33c9be5dfd97cd96cb7310611b9d91

C:\Users\Admin\AppData\Local\Temp\Skok.exe

MD5 39cada3d4bf7e48a67d1c706cab0a72d
SHA1 4275f1aee49b658cb72dc2e9590e3b912e40a471
SHA256 b222fdef35d7448df325cf9b7efc9aba139b190b186be6fc17246a1e5739d684
SHA512 6087d958d2af75bf05beb76a79787f228c0efea04599cf7bbab14453c833d5f82d4b5751598464ca575a96ca6c517f892115e64e5e877a7330a7c0a13a26ffc4

C:\Users\Admin\AppData\Local\Temp\OoYm.exe

MD5 d4d468f2d5c0bf1b0bab8ed822d47f7a
SHA1 5d8122650c57087824ae25b8f5b8ecf205ffd270
SHA256 6dd4506efc8e0c38cba3c4503bbb31782f65f8b5132aadf8e823b446715237f8
SHA512 cabf420a9594b09df7f3fcf4f4e53b263deb6d9ef9c9318b792e9a810d6b9f3343efb8daca18e3349edd098b57b6d951514b6fefd815aebd07b426439a898b0f

memory/320-810-0x0000000000400000-0x000000000042B000-memory.dmp

memory/368-813-0x0000000000120000-0x000000000014B000-memory.dmp

memory/368-812-0x0000000000120000-0x000000000014B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iEEi.exe

MD5 ec755bf8b533b15a317fc5cefaf827b0
SHA1 822628f8b307812c9c9d178df8f295952ba33c54
SHA256 bb5b198bf41a792d309f8b43ed2408b20df8155527e4145806a846d9df756986
SHA512 d9fc56ffd23763ff9dcd9daeca3030d67336f8913e0c7f881bee348ab5fbba3a4c2231d1c0021a8fe483e15f5c67d8d43a7886aaf6f8956868711e0ffbf62b1d

C:\Users\Admin\AppData\Local\Temp\IQAE.exe

MD5 ca7c9fc83da859e9f4d35cbf53c0eaef
SHA1 48496e6f09a0a9adb0f3888e2bc5e5f89cf06fa4
SHA256 04453e515dcf9e3495d5ec7f2630cf57b36fd4f4353ff5b5b85daf87614d0d5c
SHA512 49ec2411caa33171f446d7f356150385a0e155413a43b7499d8db106184b777cedd187c8dd6d7ecb7c4b8cc1c77e8d160c8ba324b60d6dc9e13b735820829382

C:\Users\Admin\AppData\Local\Temp\coUI.exe

MD5 441aa9e9a80615e4f6e677e383684336
SHA1 a111960a02e6e92a6bc3975a751d0e34d78581cd
SHA256 2ffac34118ffe4f7edb6f22a0a13362f030d1cfe4506386358c6f62c7f8a9788
SHA512 406c7addf86c7ede7489b335c4249af77ed7975c084fb33d89b8f091d1e85968aac55dfcba4a56150f8568873bdc6a3080d692c3daa6065eaf64fa51a6441744

C:\Users\Admin\AppData\Local\Temp\IIAy.exe

MD5 c251a39c8cdb984a3104805c8177503d
SHA1 40150c6eff5d407d9991eadddf364dbbb7ed8e69
SHA256 3897fb5402f066c61cf1f640c7fa123b808ed543911c4393e1157ba097e55c3b
SHA512 ee357be69f1174bfd7419cd2703b51fc0b51e647fcb3d92f404c3b35fade4dc833f290239511e146a714e1bdc5e65377dc7d1834f41852774577bb15f9fecc6c

C:\Users\Admin\AppData\Local\Temp\VEEUMwUg.bat

MD5 99b9579a8c98994ab7d1954675f4bf2b
SHA1 8ba75fd8e98d70722990f57ad925bc9ecb379766
SHA256 8da5b0edcb3c13fd606c91a2c1ea8870a154d77b4f9ad6716b186f9ea89820de
SHA512 123fc2083cf033af68b32ece61e1d4db6cb4f681daf54f622aeb92021b9a3c6a29f1abf7844c3a96416990b26dd441c26477ca5eacbed84e4a4315da5318ccb2

C:\Users\Admin\AppData\Local\Temp\SoUU.exe

MD5 0021ded07c59bdb3ec03399fe58a5d3b
SHA1 754b3d2e35d78c50ab111989e9f29827333e6ad4
SHA256 90062eaa0e0a04e524eff3227f2482fee50f34a1397db1f1b35144f58a9aa9be
SHA512 65690ef2dde81864e4ac819db1690e0a74dd4c0c2992b574d23ea822b3e7a01b8cdcc6f8df96a6c3d48cbe6dea27a411fb4135a21c4ee510f6e90a2b3c517aec

memory/3028-908-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yIgM.exe

MD5 7cd11224309effac4fdbc8b8358aa7e2
SHA1 74aeb067b9dc45a81bdf41fa5bbd4dd22f7aa5e8
SHA256 e6ca4300cd454eaf00e40c659ff847d009b08352582e349a5fbfe2b611a5d0bb
SHA512 c6146d9b00e4fe8b0d590afac4a45bac30ce5efbd7e4251dff31938e6cbc7f985b03b211482a72338c0b094329ca458753c44ebe478ed195c969f1664368ae43

C:\Users\Admin\AppData\Local\Temp\wwAU.exe

MD5 8134e2ddc3b1d59dfc79aba2d998e5aa
SHA1 bd21eb0debd2035ec62a615f11606e7baadef85f
SHA256 2bc49aea949e0b629c67497d32a9063efe68b0aa0e50de63eb88d46fd7e78d5c
SHA512 cf37f8d9a8937ead34391dbcafeaa25c78ec124b2ac7459aef944f9de0375009f1f15f8f977049c66a461abe0457008e4b2189d2174c7d73c0a73b1bd9d43d33

C:\Users\Admin\AppData\Local\Temp\YIIm.exe

MD5 ea8a78781f4e4b3f007975cd30528394
SHA1 d50673f294539542c3016f75fc57a3ce1ef96313
SHA256 7fb2b87db93745556d60d4c24e09b4b20436666cc664f84506e94d5ecbccd941
SHA512 8bbd5ace143055f757c812286d5d474a2a77ee0df2fe95d5594b6c08eb1aa4817bb917e8f7cf0ea2d3522630104371e0c436097bc818c2dbf512bc27c5281a90

C:\Users\Admin\AppData\Local\Temp\swUY.exe

MD5 307c3503da2217a8eea51391d59c3af3
SHA1 940aa4e361c30c7421767b904d66360deb2acc60
SHA256 9ef054fede26ff9595ede89d95c0e4a6ce83010120a802571bbfb68b05b515ab
SHA512 cf799e8dc19c0f0ddd306ad0afbce42c466e3707df8eabac1f8b02e1f6fb5921628ff823c7cbef3e3239d3517d221f5550714b693e7d3bad22e2140d072e3f3d

C:\Users\Admin\AppData\Local\Temp\IwUw.exe

MD5 8ae5f6e678da747fdd18598714e4abcd
SHA1 65ca2ec538d4e19f3ce03301737ec5c4bb93c24c
SHA256 fa6d77651bb20f2a7d014577c9324329a2f5095925a407be62067cfab1b4892e
SHA512 b21573f343d981497b0bf53c90936d23c44401a3d1a4fd467ec1daeed2438aee71e2ebac496d1614f66981c50eb02bf88b917514b2fdb0be9042a078895933bd

C:\Users\Admin\AppData\Local\Temp\EEIy.exe

MD5 db483a3a467373e8ea72a9b0a7fcd34f
SHA1 d97b7aa280308c41b0a92fefe5af5bbd6c406eac
SHA256 88dd2a0514540cd97279326a683a5b5f0164d0b15a871c75b5a44782199d5b35
SHA512 442b6b60fd4ba662813efe68fd5c03e5cc797410cef1be1adcf922877e510b32ae257055e8563382032aa2c682733667a49f9d769cf525b6bfb30e665a0dd444

C:\Users\Admin\AppData\Local\Temp\SgUG.exe

MD5 6199ce12141f5551948b1b93f471bb2e
SHA1 730ffe123911117ac7fb5b31e36e341ec1dca5a8
SHA256 f94ad09c20f9500676b5e018617eea04ae6854c0858ccdffb7c7e750809b89ab
SHA512 6659bf6ebe85d7533a3b5971164992a4a7c9d57a91d229ca9a0d3919186f8dfe32a2302bec16841fde9599dc02146b43c7c1fd19ae70f049ca928f0cdc831953

C:\Users\Admin\AppData\Local\Temp\CkwY.exe

MD5 36828b36aac89394307860f43c757b22
SHA1 a35edfea55c828116ed992449747f0541243aed6
SHA256 a6a3cd29b2a7193daf12e61d42a26dab3d5a08a1a6d3f283a1ce9378466e2326
SHA512 4180e129eba114bb80b402cab56ef2421ceb38d86f64883df9aa1efe5eba69f16c3558a10f427b4ce6aff8a05e5e27d2245a25363ea8907be0c338e0663a469a

C:\Users\Admin\AppData\Local\Temp\eMgc.exe

MD5 6c99aa432b91fbae9e142bc4ab5c4c30
SHA1 c908aba88e0640e3dd1056e0c6f2ab4e8b2664b9
SHA256 1d47d5a1d6d7b27303fd20e7d01589c58981a4a32501d9293f3ead05ceb69554
SHA512 b9da9ce3483b4273ece84b737eefe7071b0bb134fe233539bdffef95876c5181edbf161c05e4812ecf521a72979cce382183aa26d6c1254b1341bf194b385151

C:\Users\Admin\AppData\Local\Temp\aswA.exe

MD5 4682c09e988ea5bfadea64113964815a
SHA1 211c66235ad745e8e48ce626275f1a001bda05fc
SHA256 bff37dafb621382431422da8aee9975a1190a127dc90d3eb4dce5cadb6ed7bbd
SHA512 022bedf85b56af05f5a6a581e5ed616971140a68c2bf1f4ff0026066f06eff5a6bd20675153b271aa8996f6f8d8ede40231e7b3213cd5c7e2ae9744358713c48

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 2da577d2013ba3dec1e94e139e09c0cb
SHA1 9947cdd191c3dce7cda079bb440c4e0ba156898a
SHA256 30366fb1a7ee7bce69a445c3cd8bceb5c963e114ca89de63f95c85754cc92e75
SHA512 228e84f59a237864495bb8535116ecb3ad5408ab3264b9126ce40d8ab466b23cf04da5d9e725e2f2a92c556c095d4c079de8e389ec917e009600fd711b703e48

C:\Users\Admin\AppData\Local\Temp\ooMG.exe

MD5 a307fc30a7dd55c8e4aaca172adedc4f
SHA1 57671f33755c9e28074ef29f491dff7453147e77
SHA256 9d0ed86ff98b5923219b00077b0447a8cbf74630ce7f33c726dd13adfdddb8f5
SHA512 11aeb6877cccee92bcd7702f6fb3aefba6fe0763fd90a049d723f9386ad9ecd78978f356043d19ddb1d97f0edbf652b98e46eb26d6d60ae5625d03a1ac325d0f

C:\Users\Admin\AppData\Local\Temp\Owoq.exe

MD5 a1061fd7d9305600d0d4f0e485fb14e5
SHA1 8085bdd69c7fdb6900b6da552c4bd64262400c05
SHA256 d6db3c9f7735e2c15c1bfc54827205040516d509a763d11034c9fecb6967ce32
SHA512 124249ac3e5aaee0d57ca10926b372cffed5db336d1cbcc8670377b536da2b6848e092e3f2bf0e0de91938e3539dd2a5b4983ce64804f2e1424f15ec3c9a1a57

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 e2e43dfe585651d34667c1736c43b0b8
SHA1 b61044e26db1a9075d911fc78d6858f4b0e3bfab
SHA256 dc3c8c72d695b5ecdf3deb19dea3d5bace912a2ca02f5246e5b4ffca5949c6da
SHA512 ecd1fdb0f53e1571d84a2417a9f961b7af63eedafad3d065f2f017c6e324d011e2d1b2e534324992648ff090aba35842b33a6b1fb80748fe7d06f2068ea87add

C:\Users\Admin\AppData\Local\Temp\YsUW.exe

MD5 235a3f41af697f113c76f62ba1f3eefb
SHA1 226451ca00fdf58db4cb4ccc8ff9a3bb121ecfd2
SHA256 2f150a34b3492f96215a8c81d4e91e8ed61c3988848bc73e1948e31ec0b289c2
SHA512 c11d8b975bb1f98e471cadf9a686126775bb047b5877fb3ed73d785bd21ec50f562ed4c392f52b9a6b5fc06e5d6691a810dbc9ac5d55943cc348310e2f80689d

C:\Users\Admin\AppData\Local\Temp\Wcca.exe

MD5 e654e5db7851378dec746a40a566efcf
SHA1 bf11482200da818db6f7f0b537abc7a7cc0d314d
SHA256 79b52b67679647e577e1970c465a8d15ca92e54d7cf7b15a3b9ef4e99ebe1dba
SHA512 df22bde42b64f11602074dfd4f22d2c6e7c8a33e0ed541ce7a0b18b229294e7e63053daac900e8e64a528b97823825a50b827c7076bc84ec310d944e0e941d3a

C:\Users\Admin\AppData\Local\Temp\yEkS.exe

MD5 3bbc3e230918e561adb42b528dac9a6d
SHA1 11c825b7f486ab4f8f74c9c1e9b48b54f2dd3fcb
SHA256 1289580b784897fc434e85ba3c160c604531a67f0d43df35b4610f842df9cfd5
SHA512 83bc5dfa8350817b65c3b62edd9b3b6c27c46f0358f8a0957b4c6962534cc73839d42ccd247ead75a309491b0ad3d473fec3c41696621879306765f7fbe4771d

C:\Users\Admin\AppData\Local\Temp\yMsi.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\yYgo.exe

MD5 d8862ccb80b6d3153c5015a11a62f832
SHA1 e5e623154a15b16b425c63a5ede059cca6eee7b4
SHA256 c5de9c210979ee7ebb2932a8d105fe0446222a7a7a486b1056fd16e5f21f6881
SHA512 bf09a05d16ee88a458d7dcc1c5a4faf88b08bf36ba8bd4784d7c7ad9a9e76c8522a3c024741413f397c4cd7c7b9fe8e3cdb80cd7aa5fed141e9783bf52e0f524

C:\Users\Admin\AppData\Local\Temp\ewUG.exe

MD5 a6b04870a56d1989f7d93ea3f76efc63
SHA1 0c50ee2dc8e9a9a0e2e91c329b4a69ffc084313d
SHA256 37ee6dde712abdcf4825fd11a0d841777b57be684b2befb6b57b46128bcfaa70
SHA512 31040260d2df9ec8698a7ca87d465224d375c65e539dfb7447b6dcb8842cdedda30c64f38ed3379e9f14822435d2b8d01fab3c771ff18456c2572f4d11d30a33

C:\Users\Admin\AppData\Local\Temp\skUA.exe

MD5 127dd53fabc633304ce9f7c5a94d17bc
SHA1 0bcc25a45db5d0815dd8779661b84748e1fa2b44
SHA256 ce9fe7062e41fb697f90d0d3cb5a24fe35c7b65dbf4c25327e96b24e2bc4d809
SHA512 b430f97d12ae6ada70e3fe659d22d72ca58f8cd25d87364a6db49ccf9a8e8f5a531f597e18a37a3833ee18a36e578748a1e5f6d5adc67e30cb36597a827cdbf2

C:\Users\Admin\AppData\Local\Temp\yoMe.exe

MD5 cfe6d29fbba6355be89eed31e86e9f9d
SHA1 830054209dac8bd03e29d22e19eafcc14172f571
SHA256 f9af7798a47be8978cee5aef3786ce6456c246008a3813b8a582cc9b869f7b37
SHA512 883a75fe5961c4570efd37665395c3e3cb4031934a307555246858ce27f124ec0632c569365ac4d49056b8b9513193f17857879bcb76c617d716af8ed02e1e2b

C:\Users\Admin\AppData\Local\Temp\GIMU.exe

MD5 375db3faff9e8917bfd34d5f28b14a10
SHA1 92cb4463292ef5c72af50dac458074e86d259c17
SHA256 84b2fa3aae0d6440d85871c2d292922177ae79e500ab7c7c3e4b939bd238b4c5
SHA512 28c210018cd45daf996604ec6641df2a4a09de7562a4f48c43476b87242048650b54c5443a8bb75a9f119002c217f72276102dd3361b04ce989f9e15e692755b

C:\Users\Admin\AppData\Local\Temp\gEEY.exe

MD5 c6bf7feff813fe1cba56ea67af9d4cdc
SHA1 605d75669e73328c5582abbbe5e3393fbf00ad8d
SHA256 d572fe81b1a03f2ef5b659ecfe5c87d89d59f0c32b5ab31c018c594699b5a1c8
SHA512 09c79261257b9f17fc8bbf93035b18c31e487b0155da8d2bbb3f17ab0d0b70687457fecbf7a40a81bc99f1a360239f9d7cd1a0f191486905d9ddfb204a9d13c8

C:\Users\Admin\AppData\Local\Temp\EMQa.exe

MD5 4bc18ee1deee6818e381920cb761aa39
SHA1 6efcd502c7728af105124fdb122884703377dc97
SHA256 80e87164c4bd73b85e65bd90c571db46d1d343894dd3e73d9f647861c92ed46b
SHA512 35931560b2b2c5ef6aa4b87342775f66963317567c67b5bc5f49e0b24e4fd0ec9b7aa7128c23f0438b8ad48359a552ccd276ce23b9541f50cbfa9f42e898b65a

C:\Users\Admin\AppData\Local\Temp\acMa.exe

MD5 eed9a325477dcb1c0b3daede316ac722
SHA1 4eaef0e1eedd912d61bcc7c4be0cbfc88414c042
SHA256 309acadee92bebacaa6ad0ab8def7886e9e750bde22add2af64afcce7133f301
SHA512 e7a684264908bcd5539b5e80f35d2cef34dded2434b67a7ea1801cb471fb44b9016d9395392c8cce47e2e56783c66427b38b926088bfeded73fa372880bc3370

C:\Users\Admin\AppData\Local\Temp\KIAa.exe

MD5 606d068c647b7666f339735c36ac3647
SHA1 368df43416401ff44e74fe2996f0eb07adec37e8
SHA256 2592201b8f07e50287ae42443db3d5ac72f00a600ce85382d31ee414b28c4414
SHA512 bc5b81ea83d083ed93025e43e4807d3c7fbeb425f231cb5aeececc451ea7399574657b1a75bd9217d6bc79f1ceb1f9df4472fe05d3a69a0ffd97a347adba7bd1

C:\Users\Admin\AppData\Local\Temp\WkkC.exe

MD5 58e2d1904e042640a388fa6cfaf77d3f
SHA1 2227999a9ea3f9fc1f865ad4f91ce8385efbc2ae
SHA256 5c2dd11c82736e546db45cc4bac60725f9eee30df7a01269083368e07cb93c6e
SHA512 d3e183e8be9b0766ed2064661c14271071e421feaa48d8b308fcccde07432743498b082d1d5978d17bfa1556a030f1ec244317f7209210d26786b47e79d6e90d

C:\Users\Admin\AppData\Local\Temp\EcUA.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\owEK.exe

MD5 b10bed91acc476ef1069cb4ec6504047
SHA1 b4f4a94015760912b3df44058e647726333b522b
SHA256 f03dd1c928f5a01d2ee3eb25afbd8cf508d33ca0ad793cc407608504edb76d9c
SHA512 72d9f0a5c8944728d44f3cbcb0410167d12087fd627addd4ab9739e63597e4bc0775ed3fb8773d6d295ced7b8c7504fc7f0b25b77b3ae72365464c8db1d67ccf

C:\Users\Admin\Downloads\PopDebug.xls.exe

MD5 ac27c286b868797ce6d261f08a0259b4
SHA1 7c66ff2cf319c583106180140140583ab6a0a974
SHA256 a612ef0c30432c2e3494f4556b29d91a2370190029a53653a9bfcac27063569c
SHA512 3e9c25162eb691a43d3bc8af2e5ec988da9b7a40e2bb2af4ab98da474bd9310c4a4c4ac5cc2792ea4b7271dbc480478b0ac148fce9f2ff5d5c90401902d16702

C:\Users\Admin\AppData\Local\Temp\sIoC.exe

MD5 4538865471f2b8dff6b6a7832d398e4a
SHA1 8b1a2d7604b869deba79bb766151a0662f2a0289
SHA256 e5ac205a5566f0e44c86fc47b3ab918c3d6b5ea5901a25ea7b2e8bb3a000d279
SHA512 17b966ae16103397de9ad43b2d43fee103f25c73afdfc0cd5a01e0b0ded77a89aad64841c528a858bada8755edb6a869ab1cb7e5717ca083f87b4e61b980c710

C:\Users\Admin\Downloads\ResumeOpen.zip.exe

MD5 dfa11426e39c4024b953cb63ec4f54dc
SHA1 05cbee9121bd01a81685666e33853018d901c0bb
SHA256 0f6f9c5e3444184b29a12fa80cdd7aa0640754d7e0d9e418744239db40f50ccc
SHA512 06d8cd63f7a5686d3627e49d3cee4193fb03f0fe7baadc382b79b3b97f8d8bbb2ec42a7f0c41a564b9715acfe00ad293ca181c702d35d0135af607ac70bc0c4a

C:\Users\Admin\AppData\Local\Temp\YoIG.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\MogE.exe

MD5 a6a88df556c633523f102ca58467f4e7
SHA1 5d9689350a214ed2776ee47161865298187c7d03
SHA256 20cd6a46a8c789f0644b8ba36dd7a74025c06c5a7e9ce4e1985b35983f0b51d3
SHA512 77cb778dfd2d7cb083538daa2d937211d4af9f5252af5fc69640fbbc99f8379d4cfbfdb7a5a8e23d3fa94a347d2b04fec0ac2e83ecdbc8904b629a41d5fac482

C:\Users\Admin\AppData\Local\Temp\ukEE.exe

MD5 57ba0673fddd97c7f6b2f5c342d5da4f
SHA1 2228dce4de7ec7c26f840c6ffbec8236e25a3505
SHA256 7d77099c17cf8c86a38d99b490cdf7b89901c46d3fe2e653f51063d136195bef
SHA512 794a91882c257652b20084330b5723618308e53775338d7e983783f41559c71e6e96b9d90b54ee1b4285a968f95f4a9b50c2470b1e7b3de69a39ad7905ce8abc

C:\Users\Admin\AppData\Local\Temp\WIYs.exe

MD5 b8dcc868794319ce52546f23d67f7d7a
SHA1 c17f63365d00042ad958d2d4ab726d65d8c6f717
SHA256 93d8598b544079697397c6d14bb5ad8a3e7c67701976a8e86ed081da90b7fcbd
SHA512 8160230e0c2eb066d06cf9a162401b2085e56856713c79767e8fe210f085bfc60b0d4513c05c5cf4be88a10683fee1702501f6f21d72690dd0a623fc27164010

C:\Users\Admin\AppData\Local\Temp\kUUQ.exe

MD5 35c6f513dfe4f400e9194e84d4cd44b7
SHA1 0bb81d406bf692c5ece180b6e388277e8e5b9ce2
SHA256 a2c6e34b64274abe281f78c68047e732b318914f050a1e1b7fa7f5edb2a83320
SHA512 ba347b238f607d26af4b26ef05f19592390423578387e2f2f39615588aa2533cadb4d79660c7fd022741b7ee8d43ebab287418ddfec6f3aef52ffa802ea0b2cb

C:\Users\Admin\AppData\Local\Temp\Gswm.exe

MD5 3d031d5e58e7461693279cfaa7757f23
SHA1 0e4c5b04e917cb6ee0ecb88fb79d86a6cab12069
SHA256 e4c0b27e58de7ff7bc21643be050db423bb03b4dd5cb3b517340cdfcdd4bbb7b
SHA512 e3190fc1f67cb9621d64f4fec2cb56fc55c2a40de9a201e823090a6e6745bc1dbafc6e70a4bc3e4196f6ba2a995b422fe7906e50596bcc0a02eadffa4a57eacf

C:\Users\Admin\AppData\Local\Temp\Ukwa.exe

MD5 ededcae04a740c9419daf462e63a6d11
SHA1 0e176f3fe84b7963927ff676923c61d9c04d7931
SHA256 e485a6ee7f9b622cca457ce2f47b99fedc9e1086a1af2059db3ea38f295f3eb3
SHA512 ed6ac7209b78dc2f5df5d9a4ff987c046e871c0caf52abb986324cdc1a3aad38668898f74ffae163368cb17401240e0eacabc83f15f6bc7a8e95f6ada53e1dd6

C:\Users\Admin\AppData\Local\Temp\EEIk.exe

MD5 bae89992a63f7ce8e051f3a56e124335
SHA1 b9778412971c350cdaf43c83bdd663fab2fc22b8
SHA256 6de092a1e2af614f7ce346c0ae5b3d699d60b7251efa7578b2f125453464aff2
SHA512 30c3789f9f49890c07ce91ae41c3be02597ca26a224c0d13db2a767e19e99201920722014516aa2b06e2bf9e88942c8b92e7839355617f2982dae540bab78806

C:\Users\Admin\AppData\Local\Temp\IYgk.exe

MD5 f26c1ef9f21a8c76e6c86013b787eed9
SHA1 8eaebc93465f8425347b92f392b02875dfbcf222
SHA256 4ad1173019b5154797f45fd6f8c06464189b3436cdbfe82cead09a234305e709
SHA512 e66d3f391c7d471b11f8af25d123100c15d15cd86919ebc442a603e024dee2439ca00df517f2c9e16486fb1cfa15ae014e6a9e449c872da0b667d3faf9ac281a

C:\Users\Admin\AppData\Local\Temp\IQgc.exe

MD5 839c1fe9f3148275c91e4159658bf396
SHA1 75696af6dda61abd4494b4b805c683cac111b96d
SHA256 0b2ed0d912ed38dc3589d8b3a48710fd5d7e42af5ed5766b99959008c3e5e639
SHA512 79d7fa1e4ab0c91d64ab91499bb1e704a2d064abf8132573261c4b062e2b88287d1bbcada230a60e234658d2b7cd9f5033ee128ce26cd55b8bd982acca04ff70

C:\Users\Admin\AppData\Local\Temp\KkUw.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\qMsY.exe

MD5 094b38bdf87a6845642d27dd7b48f0b4
SHA1 984c8cae0d9c5e22a155614ac06d3703f4e52b89
SHA256 b948fdd44979b81f9159fc98338487ae8b381683f7ff6483828f93132155d00d
SHA512 0f18f10ef17276e9af29091de2538079393433b4195e64865a825cbef938b5a9a46f89855ff2cc4a69de5a8fe0097edd9f18d1a78d888c375a479d14f6b26e67

C:\Users\Admin\AppData\Local\Temp\kgUe.exe

MD5 e1356b01ec85650bf3b4f92af63537f0
SHA1 4c679cffaec95bb2cfae7c0b22d7c59f0ddd8140
SHA256 4832a56eeae353126ba12d8590386b7e51ba8cd53f912d0b4078649bd9924d9f
SHA512 ad1a19b3250b5544d5a595b72047ba51cc71f140129eec771f1988b11088950aa595bd23f38f58040ed36e5ab3369ad92ab036bb293208465b2b5d05d57932a8

C:\Users\Admin\AppData\Local\Temp\sQkK.exe

MD5 e091f49315356f54e7d8b3304b9a415d
SHA1 ba5a5932df0837009bd818fd6ea52abcf4fea0d1
SHA256 72e0d68990617cc9949594f7b2d96ea1b2a2d05cf9f32a4a166d9a02bd30e79f
SHA512 e553e2fa6326c62e05b5d0db95f91ac911d76d01b18335248f438ddb31299fcbe0e9d03040db51e6bc059a56862edcf848e6bffc3e71abef1a6908eefe3d8ed8

C:\Users\Admin\AppData\Local\Temp\iMIg.exe

MD5 5a969738f2357f981a4af26157f2d96f
SHA1 f153f98baacb444a29ba3cbca3c7f85569a6e406
SHA256 25de1e1f7381bfa1b790653158feb7ca98df6a36b411bc39f05b4a8032756b70
SHA512 5fab9767135cf903e57062bda06985edd70b623dedd7b51d6660dcb995d0ed0bec36ff905c4e7702cb5d9fd723243a9f63469adfe922e0136462549cb375129f

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 4b510ec482a82303ac47fa2c334235c0
SHA1 14810ebc9278806df042f511c1bb33d50ad2924e
SHA256 443da4d0e9c41f5f74ec581412ca1f61bead7197122612e4f0cceb985b5f574f
SHA512 bed8eefb4657dc7c0bfc2e57799a0c4fc556980f4dc2b77bb1d5a94a664746a22e7462793dec1f2ab2dbb5c23b1368f75862cb67900438b138b75445f7bbb6a9

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 49edb3678d663356000e27705c65fcbb
SHA1 79a41f7729afb1671fabba942a1ab334024b7315
SHA256 01ff6fa4e239ff59c92ec3e04d4c325e8b160315718d7c0a50a567fd5b70de4b
SHA512 4f89eaf0d1f306ad68c918919fba46991e76b2b540f873da53c19f00f15747e2e0cdee7dc470d8ba6c04b3774f11e0258925f51ef13e2e1eca08192e18788cad

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 4270f0505bc8acd0b83e77ad8edd05ef
SHA1 31bdfb917977374117b2ba35d43c0577829e4485
SHA256 e41e4f97175686013d0a8e2ecc22cbb37383090b0dbf1e0a18e2e4871b89b195
SHA512 5c8c11ebd8a79774c68e4dafc009aadd078489ae8bd482ade4c46f3975514567dadb4f820ab9907d159f6310280cbf6529e0df1c7db5942366175f9e8dd5be39

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 6ab5c688bec519dd8805b037011039c0
SHA1 d4bcb7b0d47e5b164adf30b7b4cf5745bf1907d1
SHA256 d85e391d12c5caf677f14ac68638a7db15164ea297483fc15afffa9b14e186d7
SHA512 80021014980b1790950df296742f8914746e606f047fe3cb40ee080a01c2ed1719d8d61da07ebfff8929e6ffb5c6616335bc142875fd1f3dd31f36429c8834e4

C:\Users\Admin\AppData\Local\Temp\KEEy.exe

MD5 3f10e35c7fb24d06a41909d8437a3afe
SHA1 97ad8c39cfd763474d38d8b38e6c07a55731aa5b
SHA256 d38532beb097a67697189f6c341bc2f6fe46f9d91ee8313c0c12bf8b6d257fba
SHA512 9a64ff63621e394b8febd79ff6183b496a38c0f4119ef932914e92d0aef91010314bab5f421b8fdab10a71242750a8d5ad9fae134b153933368fa7261429eacc

C:\Users\Admin\AppData\Local\Temp\kUMA.exe

MD5 77723ca732aa0a23f6198535644f017c
SHA1 0af37c11cb6860720ca3f8910530c08601801a49
SHA256 0ad37c6a3089034670d3ab7092eec3f240b2371d0174e2190cca4c05ae4465c7
SHA512 80a2b898b8f9fc7de354d64f42dfc6e6636e2306956932b0736568f00d8bfa62ff1d125bfd6198ffae470e180780a2b620c65c479b7b46fb6cceda3d3c79e106

C:\Users\Admin\AppData\Local\Temp\isQw.exe

MD5 e52cb446ba042c2b394525ef6f8d668c
SHA1 35099b2d4a7e0eb6088accd1238e5d73521f0118
SHA256 a7d458433a13662979cbf396534159f19e3d88537ff50db87f091dd0ad600357
SHA512 3701989d2fdb4007c5049f73ea0529c6e3ce543b9b139644eee86615022445cb08d19cb7e15d124e2693e0b06ad84f4f175f59e3d7d12e7227972e9a42251fae

C:\Users\Admin\AppData\Local\Temp\UAso.exe

MD5 6f14bd36a80f8a5243ad42c56afa3cd6
SHA1 4cedacce6597ca62da4429c798008e6210e37c90
SHA256 dc7ebe6798cd2569aa9cec95256a207eecf674629a984b2fbcd2f7742de8ab27
SHA512 fe9ab41a12d6b35d3c7e8260014e931417af67345c996b9a07c2cc4c558bd8cb059a68147f70a1db5cc1458f64e34ad61616dca53a7b5e46c548efb80476591f

C:\Users\Admin\AppData\Local\Temp\ioMq.exe

MD5 70cc80718c32f251613c120da34fb2ee
SHA1 07f519f3c953a6cb268ea6a6c25b27474f66fa0b
SHA256 e938783bcc8180312fa50368c56ef5ff73658f25aaaba28f898fe3c7688fa847
SHA512 af7d9c20df5f5ec0131198b9e9305436445e5e795af6326872b9722268da732618b25888bffc92ad16df7117c6fb2b7b14c79ed1485f67463b29487a891e5a5c

C:\Users\Admin\AppData\Local\Temp\gMIC.exe

MD5 6b8657d893a48dbdd5c98fc14341d148
SHA1 166117e45a32804458357ed42536c7a79c81db30
SHA256 2ebed77b1ced800da340c6336fc05ca2bb28a847ac0043c0919bfbf9e8ea3eb1
SHA512 508d100e004370c8211e62c8390581ad9b363e56dddddabe27c6bd4411d20382d62e1e5b4d6b57147527863c255ee9e6a1d29160e559212d4a92f7ec09ebd38a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 d68144bdba42ad81504baf5aa337be7d
SHA1 6e1a4cf31da27a6e74890bf62546a9507cf20d25
SHA256 317d44ebb359c65873e8cffa8320fca28b8eb85d7d7042db3972772a76da1f0b
SHA512 94295c7e61bd6ec4cca7d16773149a2d8dfc37be76c44737cc650e52ebb5c733ed55957c61f932b10865a60c6de12ef8b1cde14f5a946917c0deab909246496c

C:\Users\Admin\AppData\Local\Temp\AYIk.exe

MD5 755274f65bef2dbb2a2708eed3db65a8
SHA1 a4527e9b956ee6337157d43c3ff0ab5630611b2f
SHA256 1ef85272a5e8f00a7157c845a578c1fe541f3ba646ce3ada2d8e7835ac486079
SHA512 a8fec41a54fb687945cc7fe4c43ab065480401473a1e6f752682d27a026d633697e77ccf9eb36b6e033164159058c075d74391cb122b2be3c610a08c2620a28d

C:\Users\Admin\AppData\Local\Temp\UoMA.exe

MD5 f214d082a2b9b49ae85d623b8e18558b
SHA1 bf9c8dd65d6875de98e8b3b0f73c8391f0d45933
SHA256 0c3f3bab99f61e5e89a846e99b4e29b59fc83df87ba4f71996dc0a7e5ad85356
SHA512 0a39680a11975ab5fe58c14849284455e8d93d7dcd3758ca798609843aabfb90fe139c19c430cf5ae2453d9839325740b0e89e890ad38fbca2743b0a26f716bc

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 6c83da6353c9ae481865259299f9c1d0
SHA1 b08d814b9d800c8261f5d34afa5870b857b61cf1
SHA256 0e03c374c04b69e10550c6c10726dd8432a2b9653be989871ebbd01ad5dc90b9
SHA512 caa9bd4a6ab81e8961fcf3f101f45ab98e1428aab2dae436db72006f32db10e8b43cf75814f3534f194ecbc3bbbd244584335831421eedeee8cd980069a2161a

C:\Users\Admin\AppData\Local\Temp\QwsK.exe

MD5 398991c2bf1434c2aea7a302e853e75a
SHA1 a7806da04b325c8f2b3c29cbd00589675d4d81b2
SHA256 5ce3baae323865551eef13702a3fdade97a396314465bf24b5bfd2986d500f27
SHA512 3dd465ed2b76f43d0f44d69ea448c61c2bdd685a5b84b70a60b9590c5939b9a8e685a47befcfc8dba5e40741006b907e76fabdaa640e8984ec1217150711bcb5

C:\Users\Admin\AppData\Local\Temp\SwsI.exe

MD5 24002862736ebe3398e1795badef7dc8
SHA1 7cbf1e5bcda268f28a5a20448d91f5e1204332f7
SHA256 08cfa06416ea86644bd4d5ad103c4aff6b6aa91f06e581035f6a1503fa8fb42b
SHA512 fbbe943b4b675defff8b2f2278b55db9a2f5530c65cd946359875d9261cd688aa9e41514a7b70aee6aa5681750eeacf002285f1f2fbd656fb16376c76051aaeb

C:\Users\Admin\AppData\Local\Temp\uIwW.exe

MD5 e74c30b1dda85ceb0221541df60560ed
SHA1 3e548f8b5a1f06376a647fea14fff674975480d7
SHA256 1e38438a326f59457fd4d40d097c78d8eb944bb85135534c94e6da8cb9c82911
SHA512 893cd977589c0211fae9a7dc59a652529db5173299e89a06a203e9f6ce3e60feb9faf2290536f671c313d31d40a5f78027d8444c43db2416861c7d580248ffcd

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 6d867e03bc8a9a1367644b6d2b744f63
SHA1 37c50391b3e2b4b570ef6f3be1958e64958156da
SHA256 c46e6e321eb31f5b224cc36ba23d29cb815e0daf63e8161fb6fbdbdf7fe2b231
SHA512 06ec718ef5fc603ab2354e00b716d775b25c673a55c7058e5cdb2f7c49a590fa2b3e6b7f0711d670993405fb806a7e8544a29ed21ea2e659a44b841e5d286a3e

C:\Users\Admin\AppData\Local\Temp\Ccoc.exe

MD5 d23c031b0058fe7b4936f603b68c738d
SHA1 d4c0c408aed2ac560077b64933544f099dff329d
SHA256 6934b535e7226aa3a2e1caa25b595ffe776e55028fde53e596c0ba91af26ea7b
SHA512 e37691d5012c2e6b1ff280ac5d7ba3bed9a22a8fe75765bf598d2d69a859e4e2bb6617de0070dbb0d312aa11f7918b67bc7ec7d1c0a02b003c099b12a36aa81f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 f83437cca14bd84a3df5509471dc3abe
SHA1 e9f7f14ab2f7a7d59d39ff82ce2da7154f7a474f
SHA256 6860245e35e1c333c544af46a6a270ad79d5af9512289f84cba131309280323f
SHA512 0f9885b5e7e6c8d10ba70fbd8eb2d1bd2a7d4b88270c64f4598c5ffb62b8230ca0b32765cb5358ea7cd1b86222be56c245d2e79fece70abd432d7c90dc8705de

C:\Users\Admin\AppData\Local\Temp\QAso.exe

MD5 c331d74f7f785fef842aed363a9893c5
SHA1 8a898a0a8376c95f2ee7456987158f51677ae58c
SHA256 7b42a17df4c851db89e5fc31361434420a9a3031554e8cb458e2b8b1c243a093
SHA512 1d1418c3156c20b7e597f7fbbf2fdedc3bae382485cd36b9564704ac39cb0b97b6be3aa19f04d3e2f05160733e7cc7fb23a55d760ee2f0204c06542a311e4518

C:\Users\Admin\AppData\Local\Temp\SMAU.exe

MD5 d41fedfdc98b43785821f6d84451e435
SHA1 ea19318aab873c2ff92fa224182859f70c4a78e1
SHA256 72e66acce1512f6d40c490856d3fdcf8dd1fbad2bcb5cc14463dcf972d4d8457
SHA512 a1fd78eb0b04c6a92a0c8ef920b89e62deeeaf9d90f512c7fcd37f59e5f9ad270395309bc5532709a838d9cb31f6f7424d08b412039c3cbea791a888626cbead

C:\Users\Admin\AppData\Local\Temp\MQki.exe

MD5 1dfe0501f1c4dea1773e90f2a3865b96
SHA1 54592d5064dc9a3fe21eac9373f72e7791b38552
SHA256 32eb295a345e905a56095cd1baa97d3f852f846c57d62a12e4a304542a46111a
SHA512 ca543026ce8370ad77441bc19cc047d0181c5bbf0eea0a5f4a302733079603e37d591023a15c50cf285c0fc62b6d241db77a3895e704418900ab9281e59d4e34

C:\Users\Admin\AppData\Local\Temp\MMMg.exe

MD5 a0bc5aef9ea74abe0d45d8fa2c8eaaab
SHA1 640877ec7574709055f8101e45ff1f046358c5ca
SHA256 5cb3705404c6fb7329dc9e7cd7d6543b8caff7a5719f6b0d5a227fd7788e9cd7
SHA512 e94dfb8a50f4922b5cf27dd49b56c9d0976d3ef3ecc598340489d7165023e8702ce7a418013b59ba33e09e06ec8da4557db72cb27bbc580582ce153295ad612d

C:\Users\Admin\AppData\Local\Temp\oEUw.exe

MD5 281ca4f8c8fa81e65ce1045732f0c235
SHA1 d09a80714da9461728c916a56a94b2806c59b772
SHA256 862fdbec9d0765f5074dc5bb83b2d7acf5ea152443b739e23d686db3b04b7458
SHA512 a57bec7784728d39ee1898efd128d4f36c0c820e06ff9263db1e424c2c2bfdace9493485252dce102f0cf6b296cc498fec3faf3b89104f7eb1da3666ac101be5

C:\Users\Admin\AppData\Local\Temp\OwwQ.exe

MD5 676ce0525770aefa858ba13786477437
SHA1 8cef5d395154f3598b1cc272e34673f3c970b035
SHA256 d3daea484b6abfde5d60caad5fdf5eab22043a296693f9e995529cdfd1e85c16
SHA512 a9e152b1b12a51c595fb67cd02332e95d5c529a18565ebe73bc28855b830f28b006eacf91fde73c531807d665d4f3f7d4e82220fa7a9b24f8e21f8ca1e4932fe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 8395d0067807512fa4803de305cc73d6
SHA1 6ad1b8e49af69871b594510cd8f73fa2a436284c
SHA256 8dfa8564b4b6f2c8c1ac7ce01cc67a3dfc381bafb65e5a1a2a0011f982b18b0e
SHA512 34763fb0e4bb1559edcc68d4de110c6d98db29a3050db5d8e854887b11b5d605e16a4c5636243ca4398d5a2758c75d9bfbfbb6d611db7d1e97c14fed51557edb

C:\Users\Admin\AppData\Local\Temp\gIUs.exe

MD5 8eccb7ae0c19e0e9a6a936cb7b0fca11
SHA1 484a692e24eff85f48742657411f505c32db8576
SHA256 9425141ca2701c82c91844688b3e72ae3375c09dd98add94bc6a4f42b2faa0b3
SHA512 f2ca694edc3600f5cf51d176463d41082f094804046b73a6c41f98c94e99e9d9b83bee117058db895c8f7f3e73c0e3005a3df41cc7b01e5c6140b7ba42206ffd

C:\Users\Admin\AppData\Local\Temp\kcAE.exe

MD5 bf95cf77ef07743810e8492cc9adbd88
SHA1 ec5ba7a87162ed15793fd1d920dfe74b6c78cd10
SHA256 011e6b89fc1a29718abd9233419992d19c1b3c5cb2df4ae061437b16e5d5a652
SHA512 067bb55b3fb896eefe912f1d4870371217eb8a8c4d28c465f501f7e210a684a3d6dd37d5a150f117cf3155c52836dbc9435073d11b5259c45cfa633d0bd2a63b

C:\Users\Admin\AppData\Local\Temp\oUsE.exe

MD5 b636aff5e11afd68cb6d9b4c62be3d8f
SHA1 c13003bc6942667d71b6be4e248e51c90408700d
SHA256 76ec3fd280ea6ae126df8c5c314aaea0ab0089c8126376ab8153fd13e9f9fe9b
SHA512 7f44a37bdc0da9d2f76c91e60b38b8cc2394026444d23c358e633d8beca5c3ef0c9e3d0e5c2a4bb24b10874111bccd12530276647374904dc0abaa92ae97e296

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 e827e07ad89a567e600d44b65d48c89d
SHA1 41613bbf2252c2be2f1399c2b16f2698f05efeda
SHA256 5c3b3afcdd33fc68599e84dd346faef55b340eccbe1f0d1588613be744ae82bf
SHA512 8703d61c1470bdedaf52b8870def5689dbdf3fee23400104fb6a71eba7a067327ad4d8604ff6a11319ebf2cf53985bd24697b80020e948d4401d548465375f84

C:\Users\Admin\AppData\Local\Temp\IkwQ.exe

MD5 d3440df590c531bc790e633efc9642d1
SHA1 69e379849ebc075ce9cc16f4c512381a4e99a71f
SHA256 279583e6f72172eedb5c2432033634cfa683d39576ab0ee4e4cc2c4ab2d00eec
SHA512 756131bdd2f9131fa217800c6ea4e6db5dcf83efa23fddb3ef5954c926e0dc7d7cee43ea0051d5fe71518bec5c391f1fdcc5f268d72fda713b49b9d75eabc7fc

C:\Users\Admin\AppData\Local\Temp\wIAo.exe

MD5 65ffcde71dd6c9dbaf1163f9d5fdc500
SHA1 55f31fc1421a9a58a0104f3ac8cd383f48a39fb0
SHA256 8e6b25a4335e3b4054160e4b44bfd42dd8c42128911ae86adf4acae66199fde8
SHA512 e5e94340892d00df15b1ab2d1b36026ea9d978d10fb248d6b23bd8e7232462c6c4e95d1c234d1436690373613cfc6fd12da72c49a2fcc245c1936efd712b4a3c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 86aca8c2c50580512107706fc5a26efe
SHA1 69f105c8ad5d192ce32e87aa7313982a5152b879
SHA256 6c58b8cacd18786395c3ca654b0286f766e101cba0b80e7364631bfb38c9fe03
SHA512 d3469c60f7e2dbedc06b96b06fba018d3b8141f1765680895f9b5bc5aa171806168572ed8461079b09e45a250d5079bbf3e5b7ea977bbed9e75a3e14b8ba2bd2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 65f0b5e334918ea6a3e0f14def36339c
SHA1 714fb8fb92e3f07a218465b1533a60cb4d0edb32
SHA256 f25cf68ffe2370b7727aee3f0747a73b50343b2168f63f47c9d01ead9c239e78
SHA512 d77ae32f723736e144680c4c89e9f2cdf8d9234712925e00a057a1c97a7ae792c252e7cd6443edec885d769341c4600ae7e81e9434b32e6ba23c6e5b590565b4

C:\Users\Admin\AppData\Local\Temp\YUkU.exe

MD5 625c2abad664f663809494f693fb9102
SHA1 146107f46c8d5c0ab1a0eb9b0e6611aac7185141
SHA256 9af48ff2e9b67c78fb2b008bdde07f8f2dbed4e4e40ad453f2daeb434081a741
SHA512 2a132a82753e7e047a3c687dff20a419e17d250dfddfeba797ee5cc6545b335ec9c38067ddb58debf15c7a7afe7b225ea28d3693e001d2ce36b5ebe7ab75ee7d

C:\Users\Admin\AppData\Local\Temp\YQcC.exe

MD5 5bca0f6ffcb09553f3d5bf1b49fa6bcc
SHA1 bc0cf16b4f181e46a1c2e3860b027fd33e5d81ea
SHA256 450ea49d0bcc150cf0ba429baf6dcd2cad9ef5c52dc042a00a68c64114db8a6a
SHA512 dcd7d638966656058760a3feeb741f7896db5b68da3b2cdf2024b0524388ca1aa342cde7d631f405b163a65ec991fc505e098f564748e53a2ee803f655376d36

C:\Users\Admin\AppData\Local\Temp\yEUC.exe

MD5 bd380decd51c75f482f143deacdb9ba7
SHA1 00bc2a155869b040f20d3bbc48e6e5e365f86350
SHA256 db7b8f13e73e64722b292e656aa4bb4a89c4f4d357b330f31621e88ef10c7e8a
SHA512 bc389a1af4a1fdbfe877307356897aaf5da82cf333791908ed29580666df18b5a33274132ac4b3a815754a518f829f44ff0dc5dde5405252bcc6d2af68d72cc5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 20a8655d380d2ae967a76740b25163c1
SHA1 66368909554273983cec54f69d7ad17cca6be39a
SHA256 566b4aac7bfbf4fc5b238b9b8ab31074fbae76676ebf962c53263d199836d1ed
SHA512 343af8365dc5bb1e379b233684141f0626d02064d81794fdb913d90d83df9164d468400638273e243ce7004baf385fc097dedf19a91852727ec450015fec8ac1

C:\Users\Admin\AppData\Local\Temp\oUwI.exe

MD5 bbe3dc6e87b366a6178c2313378eec27
SHA1 d7d92aa2b9aec398f45429969ce37fccd4bb948a
SHA256 80c5340110d3c6c51fae2c56bccdb82ffa07073d7a3e4a0f3629076ccea09577
SHA512 519532db0b94143e6a50332629ba0cc00d40ba731491442c0d61c6bc7e00b65c7604a1b3f1ec5afe4a72d72955ac099c5913443a8b78b8883eea9e6dcb1f42e8

C:\Users\Admin\AppData\Local\Temp\SgAI.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe

MD5 f7a6d64252cb03a74022f118ae36dcb2
SHA1 93dd15e3ad13af5b308e4d846e6f81ea2fcbee4e
SHA256 9f9e63cdfcc0413765a311d479c8fbe8876df3c697c1e24db2ac90741f91ac9c
SHA512 cc9e447d47d62dc6b0f924676bc352731dfca1d32d46405247f8d1e60b89fd9279e52910d123df8bd2f01e6b0c0e4f616944f98c5d31fb8f64c8498139129c50

C:\Users\Admin\AppData\Local\Temp\OUcO.exe

MD5 1fd60774e4f4b741e710d15f67a0b6ec
SHA1 ce2a1f8222cffef374012871d2c617966a9be199
SHA256 a5a372ab48aee34a6d5246bed3504e04861ce7813e99fea520367a76ff2ec1a6
SHA512 117f17bcb37293b529f3c6203df38be259d95322fc61d6c72a5c631a982afeaadf90bc28856112f4a8c09369c275cf393d7591d21bdc92f6d72ef4b859096681

C:\Users\Admin\AppData\Local\Temp\OYka.exe

MD5 beced10fb0edf458f2fa02f668190a55
SHA1 a11c8be3bcf8f6a6f46f62feab01e36e060aa15d
SHA256 47f44db395cbe0a4dc485d0aad03c0a6e3d081832350142fba42125ec354faf2
SHA512 de9fbaba484eb5b17e0404d92f4ae44844836720b7bd8caddef0e6fd750f34e3317a12f145215431f735168d1aae299bd54029c9c54c41c055c01d0774a6b308

C:\Users\Admin\AppData\Local\Temp\SsAk.exe

MD5 3b45c75b1c32a8e3f23810e9878d3022
SHA1 56048d4b744998c236fc951a0130d71c73e01107
SHA256 d503da3c346258bbf7d80556a0e2d32fa8d29ac1b5ca1a5cbf7320972b123b56
SHA512 8c441379b98fcb8553647f90d577d3f9e9cc54893ea8de8aca90979fea93eac6424151ca36ac850f51fc3a4c0ce381b03924ee604dd70c75db8e5ee723f66dce

C:\Users\Admin\AppData\Local\Temp\mwIq.exe

MD5 7e4fd3b5a62c1694e8bb38d04f764597
SHA1 2351f58898f86e3450211b1e5d30b373691cd199
SHA256 6d79882cb38d95645a018f1b8f723ee608b96e241baf444ba573ba9192ac0772
SHA512 8e1f900f51038f4b03c7885ca0fe279c14d6acbebcfcf88bbe8317371fdf614bd004d534d4ac988e2d67c31574df3a4f71b72c387ff6038c632ab5350d8c644d

C:\Users\Admin\AppData\Local\Temp\wwAo.exe

MD5 293b77890eec67bd5506ef4647ba3cc0
SHA1 e089349e2180babb51ff0c2e062c7ffa5717bf1c
SHA256 f91481bb39236193238b938d482cfb135f0bb413cbdf40d00bbd576e1042edeb
SHA512 f2ad006e2297ab0c1ae7717ebae956f60501b549cd77ef166b2f801f222450a8ebd7191d121ec2126618ee5de0e4d8cf4f182bbf947a6615fdefa2b73abe4899

C:\Users\Admin\AppData\Local\Temp\KMcw.exe

MD5 94613a36a01026589e8c65b032ed46df
SHA1 3b6acd30e2f795faaa9bd2cd6dbf584397e110ff
SHA256 cdcda80fb62eec85513fc7e55112ee61d700196f1183bd5cd94c5072539fa1eb
SHA512 89ff9d6d14d0ba1b4bdd05540154e825ab30e31ec01c559907a255ac780772e79019fbd2a8e265f6744a174cdc3de3249d983b816caeb763be38462408a059df

C:\Users\Admin\AppData\Local\Temp\QksU.exe

MD5 b0ec93f217ac6957d89181d80739f3b7
SHA1 66153d6e650910d8e922d0f7c1cb444e06d47d25
SHA256 e50daff5ef7ed513423c77b6c5dbb9d972a350419f5c53b2a5bc7d5e1c022830
SHA512 1934861b18d35efa6a934efd54e3539acfc39e26e9e2973b84bd9f12c98eada7ac81a8ab40e401c54a67a23caa05c6e84eed0ca70fd8ed789de911b88d848da4

C:\Users\Admin\AppData\Local\Temp\gMUq.exe

MD5 6f500b94407b3bfb11497f17ca566fd0
SHA1 0127dbb9dbf8e791c973e4f4491e48ac4a465412
SHA256 c3f41e16367a0253cb92d880957f330609e9d6e84c3137181c440da4fd85f967
SHA512 95ddfed1fc37f73cc7692cde4bdf2cd1332c04efe484fe73a26c729fc63ecb2e612d7bcf7964050720f169af29a7a4ae91d50271048355365eda23f465a08783

C:\Users\Admin\AppData\Local\Temp\qYgw.exe

MD5 d8709f5e56d600f9bf23a278a13f8d1e
SHA1 82ac26607113e9ff4ac071db1c9761e4402236ab
SHA256 cc7e6081ca9adc0eafc87817779924ff2937425c0dc426662a124be2e24490a0
SHA512 22ebc7075cbf3670e08867e3bd28317544d6dc4adb728ce1c7b0b35c99b1298b8e26258ce0ed261953b2eefb960d767468c7b540731958e612806cb77acf0ccb

memory/2080-2299-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2880-2300-0x0000000000400000-0x000000000041D000-memory.dmp
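The Files listing above is raw data, but it carries VirLock's infection signature: an original file (guest.bmp, PopDebug.xls, Maid with the Flaxen Hair.mp3, the Device Stage PNGs) is kept under its own name with ".exe" appended, next to four-letter droppers and .ico files in the user's Temp directory. With HideFileExt forced to 1 by reg.exe, as the signature tables in this report record, Explorer shows guest.bmp.exe as guest.bmp, so the doubled extension is the thing to hunt for. The following is an added example, not part of the report or of the sandbox's own tooling: it parses the listing's flattened layout (path, blank line, hash lines) into IOC records, classifies each path, and emits a hash blocklist. The sample block is a constructed excerpt of entries copied from this listing (SHA512 lines omitted); the category names and the four-letter-name heuristic are this example's own assumptions, not anything the sandbox reports.

```python
"""Parse a sandbox "Files" listing (path, blank line, MD5/SHA1/SHA256/SHA512
lines, plus memory/<pid>-... dump entries) into IOC records and flag the
VirLock rename pattern: an original file name with ".exe" appended."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
# memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
MEMDUMP_RE = re.compile(
    r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Assumed heuristic: four-letter dropper/icon names such as YsUW.exe, yMsi.ico
TEMP_DROPPER_RE = re.compile(r"^[A-Za-z]{4}\.(exe|ico)$")

# Constructed excerpt of entries copied from the report's Files listing
# (SHA512 lines left out for brevity; the parser accepts them too).
SAMPLE_FILES_BLOCK = r"""
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 e2e43dfe585651d34667c1736c43b0b8
SHA1 b61044e26db1a9075d911fc78d6858f4b0e3bfab
SHA256 dc3c8c72d695b5ecdf3deb19dea3d5bace912a2ca02f5246e5b4ffca5949c6da

C:\Users\Admin\AppData\Local\Temp\YsUW.exe

MD5 235a3f41af697f113c76f62ba1f3eefb
SHA1 226451ca00fdf58db4cb4ccc8ff9a3bb121ecfd2
SHA256 2f150a34b3492f96215a8c81d4e91e8ed61c3988848bc73e1948e31ec0b289c2

C:\Users\Admin\AppData\Local\Temp\yMsi.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe

MD5 f7a6d64252cb03a74022f118ae36dcb2
SHA1 93dd15e3ad13af5b308e4d846e6f81ea2fcbee4e
SHA256 9f9e63cdfcc0413765a311d479c8fbe8876df3c697c1e24db2ac90741f91ac9c

memory/2080-2299-0x0000000000400000-0x000000000041D000-memory.dmp
"""


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def name(self) -> str:
        return PureWindowsPath(self.path).name

    @property
    def category(self) -> str:
        """Assumed category names: 'appended_exe' is the VirLock rename
        (guest.bmp.exe), 'temp_dropper' is a four-letter name under Temp."""
        suffixes = [s.lower() for s in PureWindowsPath(self.path).suffixes]
        if len(suffixes) >= 2 and suffixes[-1] == ".exe":
            return "appended_exe"
        if TEMP_DROPPER_RE.match(self.name) and "\\temp\\" in self.path.lower():
            return "temp_dropper"
        return "other"


def parse_files_block(text: str):
    """Return (files, memory_dumps). A path line opens a record; hash lines
    attach to the most recent record until the next path or dump line."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                current.hashes[m.group(1)] = m.group(2)
            continue
        m = MEMDUMP_RE.match(line)
        if m:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            dumps.append({"pid": int(m.group(1)), "start": start, "size": end - start})
            current = None
            continue
        current = DroppedFile(path=line)
        files.append(current)
    return files, dumps


def blocklist(files, algo="SHA256"):
    """Deduplicated, sorted hashes for an EDR blocklist or a retro-hunt."""
    return sorted({f.hashes[algo] for f in files if algo in f.hashes})


def summarize(files):
    """Count records per category; a non-zero 'appended_exe' count on a host
    listing is the VirLock infection signature."""
    counts = {}
    for f in files:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    files, dumps = parse_files_block(SAMPLE_FILES_BLOCK)
    for f in files:
        print(f"{f.category:13} {f.name}  sha256={f.hashes.get('SHA256')}")
    print(summarize(files), dumps)
```

Feed the whole listing from this report through `parse_files_block` and the `appended_exe` records give the original user files that were wrapped (their pre-infection names are the path with the trailing `.exe` removed), while `blocklist(files)` gives the hashes to push to endpoint controls; the dump entries (pid 2080 and 2880 here, a 0x1D000-byte region at the 0x400000 image base) are what to pull from a live host for unpacked-code comparison.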

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 02:44

Reported

2024-10-18 02:47

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (80) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\ProgramData\LGMsMEQg\jSkYYgsU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\vyUswEMY\lqcwAwQc.exe N/A
N/A N/A C:\ProgramData\LGMsMEQg\jSkYYgsU.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jSkYYgsU.exe = "C:\\ProgramData\\LGMsMEQg\\jSkYYgsU.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jSkYYgsU.exe = "C:\\ProgramData\\LGMsMEQg\\jSkYYgsU.exe" C:\ProgramData\LGMsMEQg\jSkYYgsU.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lqcwAwQc.exe = "C:\\Users\\Admin\\vyUswEMY\\lqcwAwQc.exe" C:\Users\Admin\vyUswEMY\lqcwAwQc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lqcwAwQc.exe = "C:\\Users\\Admin\\vyUswEMY\\lqcwAwQc.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\LGMsMEQg\jSkYYgsU.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\LGMsMEQg\jSkYYgsU.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe N/A
(this row appears 52 times in the sandbox output, one row per event, all attributed to the same process)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\LGMsMEQg\jSkYYgsU.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\LGMsMEQg\jSkYYgsU.exe N/A
(this row appears 64 times in the sandbox output, one row per event, all attributed to the same process)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1952 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Users\Admin\vyUswEMY\lqcwAwQc.exe
PID 1952 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Users\Admin\vyUswEMY\lqcwAwQc.exe
PID 1952 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Users\Admin\vyUswEMY\lqcwAwQc.exe
PID 1952 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\ProgramData\LGMsMEQg\jSkYYgsU.exe
PID 1952 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\ProgramData\LGMsMEQg\jSkYYgsU.exe
PID 1952 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\ProgramData\LGMsMEQg\jSkYYgsU.exe
PID 1952 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1952 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1952 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3740 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
PID 3740 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
PID 3740 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
PID 1952 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1952 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1952 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1952 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1952 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1952 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1952 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1952 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1952 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1952 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1952 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1952 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 592 wrote to memory of 624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 592 wrote to memory of 624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 592 wrote to memory of 624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2616 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
PID 2616 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
PID 2616 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
PID 2852 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2852 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2852 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2852 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2852 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2852 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2852 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2852 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2852 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2852 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5048 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5048 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1304 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1304 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1304 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
PID 1604 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
PID 1604 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
PID 1304 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
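
The WriteProcessMemory rows are the only place this report records which process created which. The sandbox logs one row per write, and a CreateProcess call writes into the freshly created child several times, which is why every parent/child pair above appears three times in a row. The Python below is an added example, not part of the sandbox output, that collapses those repeats and rebuilds the process tree from the rows. Its input is a constructed subset of the rows above, copied verbatim (the first edge is kept as its original triplet so the de-duplication is exercised); the `_virlock.exe` suffix used to count sample instances is taken from the sample's file name, and the function names are assumptions of this example.

```python
import re
import ntpath

# Constructed sample: a subset of the "Suspicious use of WriteProcessMemory"
# rows from this report, copied verbatim. The first edge keeps its three
# identical rows, as the sandbox logged them.
WPM_ROWS = r"""
PID 1952 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Users\Admin\vyUswEMY\lqcwAwQc.exe
PID 1952 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Users\Admin\vyUswEMY\lqcwAwQc.exe
PID 1952 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Users\Admin\vyUswEMY\lqcwAwQc.exe
PID 1952 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\ProgramData\LGMsMEQg\jSkYYgsU.exe
PID 1952 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3740 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
PID 1952 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1952 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1952 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1952 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 592 wrote to memory of 624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2616 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
PID 2852 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_edges(text):
    """Map (parent_pid, child_pid, parent_image, child_image) -> row count.
    Repeated rows for the same pair are collapsed to one edge but counted,
    so the usual three writes per CreateProcess stay visible."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            key = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
            edges[key] = edges.get(key, 0) + 1
    return edges


def build_tree(edges):
    """Children per PID (in first-seen order), image path per PID, and roots
    (PIDs that write to others but were never written to themselves)."""
    children, images = {}, {}
    for ppid, cpid, pimg, cimg in edges:
        children.setdefault(ppid, []).append(cpid)
        images.setdefault(ppid, pimg)
        images.setdefault(cpid, cimg)
    spawned = {c for kids in children.values() for c in kids}
    roots = [p for p in children if p not in spawned]
    return children, images, roots


def render(children, images, pid, depth=0, out=None):
    """Indented text tree, one process per line, depth-first."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid}  {ntpath.basename(images[pid])}")
    for cpid in children.get(pid, []):
        render(children, images, cpid, depth + 1, out)
    return out


def instances_of(images, image_suffix):
    """Sorted PIDs whose image path ends with image_suffix (here: the sample)."""
    suffix = image_suffix.lower()
    return sorted(pid for pid, img in images.items() if img.lower().endswith(suffix))


def deepest_self_chain(children, images, pid, image_suffix):
    """Number of sample instances on the longest root-to-leaf path, i.e. how many
    generations deep the cmd.exe -> sample re-launch loop ran."""
    here = 1 if images[pid].lower().endswith(image_suffix.lower()) else 0
    kids = children.get(pid, [])
    deeper = max((deepest_self_chain(children, images, k, image_suffix) for k in kids), default=0)
    return here + deeper


if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    children, images, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(children, images, root)))
        print("sample instances:", instances_of(images, "_virlock.exe"))
        print("re-launch generations:", deepest_self_chain(children, images, root, "_virlock.exe"))
```

On the subset above the tree has a single root (PID 1952), and every sample instance below it is reached through a cmd.exe hop, which is the re-launch loop the Processes list shows as `cmd.exe /c "...virlock"`.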

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe"

C:\Users\Admin\vyUswEMY\lqcwAwQc.exe

"C:\Users\Admin\vyUswEMY\lqcwAwQc.exe"

C:\ProgramData\LGMsMEQg\jSkYYgsU.exe

"C:\ProgramData\LGMsMEQg\jSkYYgsU.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meskMYcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYEgQcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIoMkcEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgcgkIgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIYgUAQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMoUoAYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKAIYssQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAckoYoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYAcgAco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMkEwIks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yaoEYkYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgEsIwAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xUQQssUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOMEkQQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQYcwwAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAMoUkMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMAAgEMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcoIcwwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAYwsMcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMkgEwkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSkYkoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dygYQsAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKQcwoIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYgcwAQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EMQkEUsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouEYAkEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oesQYsEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DGcoQckY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noQUIwYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HukkwEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saMUcAgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksIQMUcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asUEIggg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAogMkkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQssIEAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmAskkYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsgQIogQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiYwskIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmcMIcME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iuYAUAwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmgEEcso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiAsQgYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOAAkUkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmcEsEEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkYAwUUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMssYQYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWsEgoUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUokgYMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqocosEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWwkIIIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOEQYUIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LSooYoUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OokgkwEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGcIMsgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIcQkAUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMcwcgIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwAsEEEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VaooMkos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMUIwcAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XyYgQUkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USQEwcsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sckIYEEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EucsUIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAIcQUAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGwIocks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkkQkYAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heEEAkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwUQkIQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sgkscEkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUsMoQEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yuAUUgwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWUEMsUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIsQEggs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGsgkMMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goAoEgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quEwQggI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCIMQgMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCkogQwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSgssoIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSUAsUIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyEoMEYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOsEgMMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYMYssck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeMYMokQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiMEkckk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NigcUgII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmAkMgIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSkAoIgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IaAEwgQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMwQcwMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmMEUoYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqEQwwgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuUUUUAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vskQkswc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUEIggYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwkQEwkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yssocMUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuEAoksg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIEYokQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIEAEEEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv jckMLkVNskGIC+vvUHMGcQ.0.2

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.78:80 google.com tcp
GB 172.217.169.78:80 google.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/1952-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\vyUswEMY\lqcwAwQc.exe

MD5 39362545d87204f1958b9cb98fbdb299
SHA1 8ddf3e9c3d4012935d7ebe5a9abfa081e48ed6b2
SHA256 7d8f57ed8f44cb1c1dc2a3d90a2b4eae61e61630e18f6f1b1b0ea3257579fbf1
SHA512 c4e413238c8e6b8c3753eb912028829b649a8361aa639c444da3f55f7bb01399e28aa66baed470830f8f9f9cf76fc1e256740fd084bf9c4d0c2ed7fb518075cd

memory/4332-5-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\LGMsMEQg\jSkYYgsU.exe

MD5 37a1e9aa6f10b9e8f32c139ddd9a9482
SHA1 f722c6c911552f58d5952c063c11362aaae9af6e
SHA256 3b6600b38ffeff4860ff5aa85ef6df5c0eb5c58176ac0855ef5a217526c6adf2
SHA512 51163415fb1323b150bf3c9ff9691b52222f18d3c9228bc3d85cb3268eb7efbe513201322c320840a7253a032e06622797dd074852cd8ef4ff2bb7089107667f

memory/3548-14-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1952-19-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\meskMYcU.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock

MD5 35cbde129d22ad6080dc8fed0fd3e185
SHA1 e29871c61fe34d7159cf12daa543e1679f3ef63a
SHA256 eaed558d6439df7f6172277ad993c778b631aa73ffce8cd9619b525ff92a2265
SHA512 009e3a9714454ae0b0ea87d391dd42583a390ce74d249a0421318dfa8af27e98d4cfc625f1923304a177a6824210c687f522082783c9920beeba3ab078ae2f60

memory/2852-29-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5


memory/3916-398-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2536-406-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3396-407-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3396-415-0x0000000000400000-0x000000000042B000-memory.dmp

memory/732-423-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5076-431-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3892-439-0x0000000000400000-0x000000000042B000-memory.dmp

memory/220-447-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4036-455-0x0000000000400000-0x000000000042B000-memory.dmp

memory/724-463-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3916-464-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3916-472-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2108-480-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2708-488-0x0000000000400000-0x000000000042B000-memory.dmp

memory/732-496-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4740-506-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3288-520-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WwgK.exe

MD5 c91e7d7ac8aced8be372fed318131bc1
SHA1 acdcaf767194c16cb044cb21624fc751501d93de
SHA256 f1269fa133216b9ebba694b3bc38914c6bc52425729a4b91402cbda17e6e7079
SHA512 84abf91068ee3f678b89fe9f5844b514fe7af0e274eac379ff9c09b2d0f6291ac461921d890bac49bf5953d6aae093ea496576c2d2ff7e521a3b6dda38712bd4

memory/4740-528-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sQAE.exe

MD5 33c240afe29d3db86591df16c09634da
SHA1 408fabbfab23bf5532992bcfd5c919e75af85a79
SHA256 60869e2e4bab6931a3062adbe4ada0c2460dcfb2aa5aadb16c77805559091d42
SHA512 23e89748900066446f8174b17402c7739422a8e41b6f20c932bfb6b80c7ee74433034af487c3c3508b1a3ef5f2297ce514990738229b0836da931100a1a150b5

C:\Users\Admin\AppData\Local\Temp\EscG.exe

MD5 eccdadf03f893f36c19d02c942875801
SHA1 dfb8518319645dca77cc498925e504e2529cc9c7
SHA256 3113eada32c252b8a9de8731dba6ad13caa81a6048bfdbd3952b68d5a4c0d54c
SHA512 340876e4a2371b70802582c9adf4c4549eac4d3595c5559e631130d05ebb85334da614ea4b02f54607da8f4159e7ca427f40511e5660cb24f04891b93ac3b999

C:\Users\Admin\AppData\Local\Temp\oQAw.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\GMAy.exe

MD5 8112f8d43662de235a0a16ecf7aee6b8
SHA1 577a7cbf71303becf66cc15169014e42274250d3
SHA256 a1b578b792ad9c34011e72303ab486597b601338ed34f71abcdb6c8d4b416dc8
SHA512 ac06c6328c077ed4f414635ba009b97d92d8f589a72062b1145dbab2c9a4dfcfb00fc33135c7065824e742cd53939364d6bc13a073ef84bd10316ff410899cfc

C:\Users\Admin\AppData\Local\Temp\okgS.exe

MD5 14691028182a48dc534d5a54204f5fd5
SHA1 b2d1589e42560e82f9468df056e81588c9f3a161
SHA256 4acf4dd7193e839e838abd788a9d4dc6a4557df04d1f0de5c08b8103922bec58
SHA512 fb539fd48e52695f1826895e29d28225f3672a019072f9869110d5c6b4e106eddb0930e1ce3b50a63cdc0dc111402df5c93b485b5d2c1b3735b2a591a148b24b

memory/4120-592-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gwIo.exe

MD5 ed40f174fcf65684538f7200362f7405
SHA1 e4cbd6c30dbb25fc8e3176a814b40d7cd4b79925
SHA256 539852dab8b1bc87fa520118d401bce111fcb3c640f9312be58002e939fbd974
SHA512 d0fec99c22c6acf9fac0d6c031c9a1ee853b574f629566ef9f4f20dfb55f8fff5e3f27ba111f74f8c4ae20183f8151f0c71b1309c1996b165fff9f281cadead2

C:\Users\Admin\AppData\Local\Temp\ScsC.exe

MD5 de05c108b6e4eb58e9f41f1331ca8d5f
SHA1 bc4cb476657674b8f148f813a6888267a116be3d
SHA256 449bb85ba38cf52361f2d758205d9895f6076f54b17f5ec6a7ec347c48cbd8dd
SHA512 d1e91bd55f5e846ac4ac068448fc5d52e3e7c97c9504cb63aab17160d6df7a4ebe6bb2d277e103e84f6902c977a0ac8ecb755c9ab111fd9a59c97bab1ff5a306

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 486f4eb713e75b559d5c0d01cde71095
SHA1 42ad460c69a962ec5cc81a6022b0d026f74682a7
SHA256 31874b6e040348cca55e1e4707f54ff8946eb0fa37fdc8ae70b36ebbb620db44
SHA512 81c3f041318dfc52193b4e5c57fe8a87e2893f0853846dfb1335af99c83818a514bd231bac16d36a5c0b66701c5b801361374071a1875343aceb33b1bdbbfcc5

C:\Users\Admin\AppData\Local\Temp\kIQK.exe

MD5 f41f37226d311a97889e1665fc69c8bd
SHA1 dd1b3c7a68e5c053bcdba9ebaf3ab44c1aaf5738
SHA256 1c1bc37a0a3bd6836b41abc315058d26d926eb92f6d871c49e4d12dca26ef982
SHA512 e5bd546759271f3f00449dd90ee3f28a30dc86c996311e95d5058c812d6538e39058a97db2d35ce930f2f8f74122ba378ab8fc6c35abb774973da7458bf3ebb1

memory/4036-656-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YoQY.exe

MD5 bb66ca7ea5d2c8096e3aded5ef456ae4
SHA1 6bdccdf6b420ec84d6558cb74cf3b74cf8a118b8
SHA256 a3ce6b3f70302976cfa7de0d419777745fbfac052436237310baa14bfc1351fa
SHA512 70ff2c12232dd5d6a2891ec1971bb0f96424a39cd594482e9def4cdd279c270e54dc089aba8755afe9f94da8be13334602fa543f1bfdc2d65aa9788db70e1a46

C:\Users\Admin\AppData\Local\Temp\yQce.exe

MD5 5cb084208800d82ccd4a7b8737d47ddc
SHA1 58ca2a8add1fafa18f4590717992fa84b54dff33
SHA256 a4a39c2ebe36c4a7948ff7b5f346b42b002321eeacaa6445cc114e3905e60254
SHA512 13611bf03584d8a5c26860c4f9481b23f93d1479353bf3612e414d2f72fbeed5697893c3775ed20f78644dc85d5fb20cdbb67065ee1c3c53468ad33642dee993

C:\Users\Admin\AppData\Local\Temp\ucEq.exe

MD5 7659141d398de2d0a87e111862a7a219
SHA1 353236bc085de64c675f992cdf80b349b2f4bdce
SHA256 f6a0f4894cb9ee3a2e155ef80262724e3d5dd308ef313dd62f794a59bbe8a335
SHA512 9f8b972e3a56924064cc366922444acc5521b1bf3d7c7e6d5a1105db7a39af0682145046a64350c71d4148821080758e509596583603c5b8a497d08195727324

C:\ProgramData\Microsoft\User Account Pictures\user-48.png.exe

MD5 517bbc9399c7fdceed9fff5494bc6216
SHA1 7fd3884710ef64d5ac2f18c984cfaa92ed978d0f
SHA256 cb3ee8940c3b0cc5ee2581babc28d84d8b1b6c678b869d3ed30d76606906210d
SHA512 765c9020ea7d89201a76b4a09f5fa183dc4874a500b4f297e9ca9a67604ca9d09544a8183db477095e23d566353f8b7e21a4eedad9d8783081b11134418ab667

C:\Users\Admin\AppData\Local\Temp\Gkke.exe

MD5 1d3ff35ef5a0c3d13e2f44fdeb15b115
SHA1 dd0f8c8bd42b66f38ce94d6e5aa4a01f442763e8
SHA256 f800072ce2b0c882b55ca2baed84e2bcfc575fe875b3ac251f3b97e983eca4e5
SHA512 5a0414b940d3da8b93337c82dd6ce6bcf219c8f084b396b3019287a1013ecb9b3099128b92c0a3f9ae404cc082f8316d67f11c95436d7db4b3136347c525b84d

memory/1092-734-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\igIA.exe

MD5 b453e7293de8eca12a4a55098caf20eb
SHA1 6be22e2f82e21aab16a7d6c933e340f1e7d1072b
SHA256 99fa05717bf897960e7f7f02cdfa410cb20bb9e6d91b8ff2cf1a98d6329331db
SHA512 8d005e4562907a3ac03107c26b0abd651fe2613067605a7c8527c1f4ee8d86fd1fe411abeb8ee690f3e287f8fbe959882d87a4038e000101fc18db7075814e2f

C:\Users\Admin\AppData\Local\Temp\eows.exe

MD5 d6404d6eafefd93481ae88079289fb59
SHA1 257837520489321b46fba7f0c79e373dbeff3fbc
SHA256 da3d8801fcef3f3bcfdbc2ebbfdc21d535f199c2997e5472952fbb4d4e2a9ad6
SHA512 f7b95f527e4f7b4ff3d24c0903b084c827a9025d0ad7d9672aa4e6805317fccb394b9c4086f14537fae6e594ab6053ef29b3c8a6710a13ea5015ffc61b57e0f4

C:\Users\Admin\AppData\Local\Temp\QUUK.exe

MD5 722de7de15434f67e39bf9f06045a0cd
SHA1 c076c5f8d5eafa392bd01ff69656cb35903f52d3
SHA256 dda1612fe011851f94e02d98ec24ed072093f968b1e795884d62284e3ff2a266
SHA512 0bffdb9b1fd49790a229c97bd91cf65b261eb5aaefda50116dedc0b02c2516b352008c5ae4888a12fa339e5faa83b264d6be79d8ac9cf48c4570b68f08d9068f

C:\Users\Admin\AppData\Local\Temp\kwEo.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\EYUe.exe

MD5 f66fa1b9788e816b464e40b28f1b5cae
SHA1 3422b76b965aa5fc9a385d5ac14f801d3def2d02
SHA256 c74def5d60ac762dce5e255b3ccfe2c98c4c021513920501bf2804335c85355c
SHA512 e895628941a58e9692bc2c23eb839799180923b32b3e2509f8eb60391d3c1a7d659b30ab6de84c4030b25e0f39120baa61e0c8ee1366becb222ca4d6ce4af5a7

memory/540-799-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4940-798-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CwgG.exe

MD5 64afed44646673f27ff1a0e819192ea9
SHA1 99a60bb48fff673168f7596ef710e6a8f1625ce4
SHA256 0fd9dfb20b10ed1d62e220a254844525e320623531d770e64f100a275f6ba744
SHA512 8fca3f85a4e296e5733d04cb5a6fc8fdb9787bdac986cafc9b39c8a85a4569761b407aa29c2a584d58027196ee796dbc0ee2700c2748226ea07d48d4b3ecc3df

C:\Users\Admin\AppData\Local\Temp\iYUY.exe

MD5 aedd6bdd7640abc656aa23e99a5e922d
SHA1 e595253907e0da3fee89edb2e550c295a064980a
SHA256 0acebea672503a039fe826009a46be0a7ffc0e1e267c933b96b32394001149af
SHA512 880f5158ee7c86a4c07d9554c481e485a3be242914fff32e7ce729e3649bb84383c504640de97f4eade3dfeb1555329ea149ff8dd96e484aefc29d416619b85c

C:\Users\Admin\AppData\Local\Temp\KYkI.exe

MD5 f8b3142fd013b9391071fe6ebf9f03e4
SHA1 f1a43686194cd16766d23e43b42e8afdf21552a5
SHA256 6a6d14a056ec087b2a5cef6469b360fdc48f0389c6a2074a3233a6fbe2f494d6
SHA512 ad005d8b30f304c59ae48b60b471bcc3837d3824e259b9dc83aafc696cc218f3bd49516aa498501413334c115742aa6985271364b1dc8f747fcb475c9902f03c

C:\Users\Admin\AppData\Local\Temp\yMUA.exe

MD5 919299a34cbf5310a1b3bdf5d4b1502b
SHA1 b8bbe5c16e10d97c771138ecbb75db23f2c17841
SHA256 85e1a23b69853a53e6859f54fae81d510bed1430c8e99dc99b27c7c81459764a
SHA512 0c6198787d08bec2202fe76ee8dee3ebfb99e86f74119e542527f9fb3ddfd57673b7fb08a706649de51bc9a4e5995559717513bf92988f49655edcfc760a24fc

memory/3780-860-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4940-864-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OQIW.exe

MD5 c4098625b12525c832ddf73a847d3595
SHA1 f069fe1f12db41c44cfbfff8f5d29d6471281b5d
SHA256 745751a1bc1f8265716c0bba54bd9a2ce002c131d99c87b7fe852eee26030cd7
SHA512 4c19ed227cde404288c700f88c528775e1d159d7a304a077f41872480aed1961112e055a9cf71e761019a41b75ce7df28524949ed63262f511e399cd20bdaaf4

C:\Users\Admin\AppData\Local\Temp\uUAo.exe

MD5 23bcfd93eac22561ab4c1795ab94731d
SHA1 96963793bccd16b0e19e52860e66dfd3f6f8bdfc
SHA256 4c51e591f866a444d63bbaf708b4b8743359d443c220c12b42cbfe081ebab581
SHA512 c8c9c3dc50a95045304fc86161badac19f37c5262316e5ee35fb09f6d658aeea381a86f5cb40b179c01a85cca5d6dcbece140bf4982ebb3783430883d6d3535d

C:\Users\Admin\AppData\Local\Temp\QMYA.exe

MD5 f59df0de63cf99e9f62f0f3b3cda1448
SHA1 d84c3bd1049d74f7442f6de861802a00c56378f1
SHA256 ba56245bee8cfedf750009b454c13255d67b985f5866821871f055b1a66c3c95
SHA512 96cb38bb50f451424d2384b60e162353eeb0dc642301fc36655a82e6e3c4defeb5246faef8a9aa7bf606804c2e18cec50e423fb34ef3ab89ac09d58635f6949e

C:\Users\Admin\AppData\Local\Temp\Okoo.exe

MD5 97e6d81169dae21011704e5ee13c4eff
SHA1 11e862d8399e8d99bf1cf33e8f15b256569eb773
SHA256 a3d4f022f079d68040e969325b5d07f5f2f75276dcce77c161516f31907481f8
SHA512 900a8867bafe42be50dc3850afae32a344b2f561949ed79bef89100425327e2b1e128fca4c893ab4f00d446cbbe22d295e6c5c54f513fd2317216ebae1a16505

C:\Users\Admin\AppData\Local\Temp\OMEK.exe

MD5 12eda1629f8854ddc80a9421d0e6fc96
SHA1 7095e0f8aae4381fce23232a9aa490364f859552
SHA256 e5d45d451814bba5a5cefacc751a9865383198a77768be29c9b7cd39c130b39b
SHA512 38c57afc09f93266eb420df0600f7ddc4675e14df5ce87f96846bcc950a75a24ff124545b1aab48fa889b07060548d938e4547fb95a634bb0f1c6a030a2bdeca

memory/3780-942-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KwYe.exe

MD5 6aa95129a06cc140b9632541776d2602
SHA1 6b33f93d7e28ebb985580f9481c3dee3a2ba44c8
SHA256 152968c1f443a2ed1a70c57ad2d463a9bbdbe539f687b171a0c1e0d3e35f6ede
SHA512 09f6df4be19134a12b07ebb0179385d1854ca3b0b0b4be9c3c2cbd1cb508e6fe950847df1a627e31d03b6be8fe3ec6c616c5ec5049b5cd0b83d8aaf7e13894b3

C:\Users\Admin\AppData\Local\Temp\iwkk.exe

MD5 6f893fd189ea82fc7076b65c2e7b1d2f
SHA1 1ad070e76fee80b017e16144749d20c3fce08314
SHA256 506c93ab9d9e72076161e0a1b4bf8e250545d5f75eaabf169ca07186bfb998fe
SHA512 1aa65e618ca2c70ee0f34e22257c758c1df4a6c39ec0ecf17e9f173b7d325974b69a5fb7ddb8c9f6495dc4a013b07c3a61b11483ce17525351e946cf64334f93

C:\Users\Admin\AppData\Local\Temp\Ycsc.exe

MD5 4e33fc6f3b19ae6261d883a244f7864c
SHA1 3606640c129e7b663e01c1f5e55c85278ba5835f
SHA256 0b680f9cc38b949e993101587710e06837cebe8b0bd8a1dbdc9b2336613ccba6
SHA512 2e2d639ec169b0c8d507e0a219d05b1ffd1d6a9220fbebb0331c4584cb340bfab49447a94c04ed3a1a2d14821b0eafcbeb0e4b8108007809cadf3d3f158b5089

C:\Users\Admin\AppData\Local\Temp\WUoO.exe

MD5 84e96cfdc433e40487dbfc0f82fbe104
SHA1 65ef79dcf05d740aa17f3150b47579a132768b26
SHA256 4b47c7fa840e81c939441552231065e11ce2d862d6b5def7bff9defc5291a31a
SHA512 0a223904a29eb3a0448e4696f1da6acd0044a9f75c177c423b7969e643a9b1c89aac291af334aa98c9329642b0e7b62aa5959d99edee49b18448d35844e24235

memory/3436-1006-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GAIa.exe

MD5 43f750579ea52a4e8a6eea122bda3d3a
SHA1 6f4e7910d8edd558a9f53747cf6ab26bcd3e3736
SHA256 61f40320e61328808f288a3867934f34a9741889fb3a1c8e3cb40ec7d37366f2
SHA512 c4a944262e1bbb3362767fa3c04fce8a1d7f5a6550666ee3d79c925513621b9a3c2c29a0953a60602ff958badde60f17062ef013b636d5fe6c1bda36680f396b

C:\Users\Admin\AppData\Local\Temp\wQQu.exe

MD5 540ad8a169c3b0133f48daa52e8b6394
SHA1 95299a5eaa75c5fb28653009b0bd8ff57d6c3c2f
SHA256 2d827123cd59c6b2d1a216f8c4499dbc2d8aa0ab1dfbd5db8025bfebc43a9059
SHA512 cdf87947bb25162fbce1f53d8aa01e43f786089b58d0684f6c4348331b16b75c5bb9348747ff9d97b054e21dd867456b364812a06a8390ca7d27327ed63dc984

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

MD5 2d7fed41e1e879b09792c9daefd96223
SHA1 a0b3dac6a8d9ab9aa41b734dc57c3d3ed7ff871d
SHA256 3148f4e0a3998eda5b11e4022b7f3bb8664bf653631c633b17d3d9fa1727b624
SHA512 3eec6313f885e4f3fb0381ef52e9b991732973c251338d685e674ede4776afecfd64ca9989d19c92c6a1081a1779cfe08a4c4c17c9b22bd3b8d8c3a91a51abc1

C:\Users\Admin\AppData\Local\Temp\GUQM.exe

MD5 d7cbf11f2ce0bffcc9d67279d2298a1c
SHA1 ff8bf0e484461e33f49f1712ec2457d0e31e0eee
SHA256 2b2f90e3aca6853a774e2a090be5e146a0a8b46f8882bc1efb97c22f60e041d3
SHA512 cfddd0ac6b803110f3dd2a41fd856efe408ce77ca70b8eaee6a2c6b26427ec06f4fceb49a59d6461b4dc824bb871d589515661dd4edf48afbd318d22bac9a096

memory/2320-1070-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aAUC.exe

MD5 2d57b63990e3f6efa0844b0e5c8ab2e5
SHA1 75db1cbfe32e9825da88d375736e2dd57299eebf
SHA256 b84923e3a1bd8ed77bb38525f7fe71b6e28ca0a8bfdcfebe17c2a0e7b6633b11
SHA512 3420441a6c036ed7b2fd01431b5b5f7333848e6d8f1aa5c2471d70cdc81826d715c2ae8c4bed440704648325a10986cc771e5023bcd7662523550c5d17ba95ac

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

MD5 5e1be7ad6435e59f80a22c0a72915ae7
SHA1 92c0eb5ced2770f1cee509bc68efbd63bed68ccd
SHA256 378f26473be15dfdfdea5629acab589b47feab126d94301e01955ebc15558137
SHA512 4978bb956e8b2e28763308b29babbf5f6511f869fd97514311bac3a5ed6cd51fc777e197f00b55bedee357291491c518b74da5b875aa34b8836e0e252db92f50

C:\Users\Admin\AppData\Local\Temp\mssU.exe

MD5 22095c2a199d80b20ba2edbd15187387
SHA1 7307a818d17e715c00affd94ce7851183c566c3e
SHA256 b9728319a493f55aedf6c068bd5051aa8d1969cc8c745592f3551de9dd73b683
SHA512 821f539b1e29c0471ceb8711c36fe840277278772e0a6fa0befee91955fcef6be0ff6a38808fe2303435493e047acbeb1e4a5bd1d5f9a57d59676310babdfa36

C:\Users\Admin\AppData\Local\Temp\AEwK.exe

MD5 797d9d8d40a984abb971e0b5995527e0
SHA1 cdf055713d0d2ddf913493d0e6b6e9cc8745e2bf
SHA256 b6a96f3740056cdd284f562446ee05fc3334b5cdec42c9e1fcc9d85d8cf77d68
SHA512 8700e475fbb0c290a5cda08b3292d79f5d5f065b45f7d6699349421aa5ef280a5df9ceb580bee56f73bd0292260472ed0cd217f131427434c7684a8b8d1af732

memory/1744-1134-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MAcE.exe

MD5 09e0c72e0936743358c8884b5cfc9de8
SHA1 6442e1476dc7d24302970ae09b29bffb6cd69483
SHA256 b0ac35aa3d78a02560f11a9ee596638eaa06a4178365330b53b2b13d851d37e6
SHA512 d08d03582c2ecaac68e5ee9e91bd6f0047d2698c11beccf4ac6e427817105b62d8c45d3e839de58b1eafb2afa1b4477acd0acf5cedac29a5e6b06c1fb151df1a

C:\Users\Admin\AppData\Local\Temp\qgkI.exe

MD5 a6fdf0458d48bae84a952aed845c197f
SHA1 cd2784061bdaf66a2a25bfa7fd1ccdcde15873f5
SHA256 de51d4da058793df9205bf2057d5304b163a07258a3f14a654675cc3abd06d2b
SHA512 d4708db96856f908327ec84e70fec489f74e5c55268a079566fec06fe8e67d9d7df02691acd99fdf0c15b6d4124d782418baa55aebf1f2d27c7847c892714c18

memory/2432-1170-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CMUI.exe

MD5 053d7189954e63bc1225b4603c409c55
SHA1 1ba6bd23bd2b67f540ae5029076452e357f7a2c2
SHA256 b9c29483505598033b06e95b12b899469137f8599dc2fb824d920d5fba48b62d
SHA512 7fbe03725846786efa243a70c84ed288bd2b564622fae685b973989b62684743d88c93e2030b2deffea4f4227bc78e3279741d773572dce6e9dce1d6754e245f

C:\Users\Admin\AppData\Local\Temp\OsUq.exe

MD5 707b8ff4af9b43f0a2ce2bb2cb559114
SHA1 7580b0eb063bad3f7eb5840f266d60a84fcec1f8
SHA256 97bdbdeb25a77a190fc6503e18ebdfd5fa67b205425b927bf4df4e5acaee5d33
SHA512 528b402dd06faef0884860c68ef661f7da627a790b06720092a4162dfb2f686ee5c70ec4fc071e538b704b330cd63c9518afaa6cc325e971b03d6e3d00c95d55

C:\Users\Admin\AppData\Local\Temp\WkIC.exe

MD5 ee18e18de3cbd6608e7daac7cfef38b4
SHA1 499d1e58a43ee07b40a4b6824c694e66f6ea6ee5
SHA256 b4f740e5b554a9c6ecddaee70b362858a8c784d5adbcd224b63892f01b6b8933
SHA512 4663bf361e4e56e50e3e2412f25ede65cfb55c2aa62d8254b25cfcc60bdb4ee33b1b3721b37d95cf4d381eb9429aacbf35860dfff46d44817c55de0aa4e5d98c

C:\Users\Admin\AppData\Local\Temp\cEkU.exe

MD5 88ad26e78085c5bfd4b32ee3836ae83e
SHA1 15f3ca57ceea0f520fe653def290cfc745d89ff1
SHA256 e9e70a475c11feee715c426133c9ac79b21521eaf1869e5dd7f6f7850ea1de04
SHA512 31b20039db4182e59d4ae8a94533045ff6b16a26a41e9dbc1577d4773f5f2ed8b373468372384c8b13dc750cd72edd306b90cc306050acc64df601691a7ed65e

memory/2616-1247-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eoEI.exe

MD5 ee38c1325312ca67740ae1a2f5033454
SHA1 d6fb06d79e56ac8e0eaf4f91cbe6e1a3f956e883
SHA256 847813b4b5d6756aa369f969c425bff73f4102e3c5e6dbb89b10acf212e7b9c9
SHA512 0521ca068bc1ec947ae4917dc5cbdb50c7a36f8e1a80ed3892ab6eaa5a27206e14d37bc1ab9008e8e9a11d98496a39ce51f170817081119dc94c41f17b477b5b

C:\Users\Admin\AppData\Local\Temp\OYwA.exe

MD5 8141b39fe8a2c3bbe2daf03287c216e9
SHA1 27f2681b0a69e50b78acab4918ae1799ad890b4e
SHA256 5662ed5b9344327d9628f290e5a053225b4981703007b9cd1334f237b4fb72bf
SHA512 ae2a84d769795b9707a6941fc16ff2eeb5cfb14a39737868fe0970602c7aa85da6b416ea3e870aa1da8dd00bf980d33a3d3cdd1fcef4a43cd0b55848ecf353d5

C:\Users\Admin\AppData\Local\Temp\yckS.exe

MD5 6e3e94f7c1c289ab09d5e033c63db2e4
SHA1 2513d6aec0d10010b79a9a8271ab2e2000e3eea8
SHA256 0f5338583c5a429f8dbfe8fb2550374d1c7864f2e0035c750419c360efe6bd1d
SHA512 57a4c001f044e010f2d4b76820214f6d429fcd98670861ea1b4e48de384b9e3819ee200c32ff97bc47c5f825c2e1c101c2f9cb9300220f6598b1bd5102c80757

C:\Users\Admin\AppData\Local\Temp\EkUa.exe

MD5 2dad0f27bef908d6aa3d0109ac90594f
SHA1 a778e41d4c33c117bdb8306a6b2d9d364237dcba
SHA256 7cc96da2a320a34c0f39cac7265ff78a12765064ef158614096fec22fc8c9d58
SHA512 148e112ecc87b137d61c2bf1bc856856ce72a8005a2726a31f2e5ca4238d92dfdcacba67c89e015ecf5ddfce08022a06926d51bc3fd511168712d395425633b2

C:\Users\Admin\AppData\Local\Temp\MwEi.exe

MD5 364c2dc3f76cd5c72533cad8628bb357
SHA1 ffa7e6891cc3312856af23cbff6b874682282935
SHA256 53450be4e4f76e82c203363f035e7b1c0ee3b000860003bc079184867a3a0fc8
SHA512 b392fb1ff1ef3f5cbb71ffca3fbad3e17896d1a2c0e4e75ff767f53e4b982f44d08e8d501c0bdfa690a4f657dd1b50e45e699090691408d2b889978ed0ecb09c

memory/3676-1311-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iooY.exe

MD5 e2bf5d891b5f78c0411a7e6617d61e5d
SHA1 b1c09ab6f04fe988124402959eb92fd1688fca08
SHA256 d6946ec8a4eb08bc428d54f6665c4ad3631eab0a2c5f2a1d3797e844c5c62a2e
SHA512 ae8c00f7ae073a8a8eecf004b9475234734218a3af3d66f4e7ae35f0f38dcba458070a78098366bb0072e7ddc6b018925e862aa74336e2ab38fd2b5e32b45355

C:\Users\Admin\AppData\Local\Temp\EEEG.exe

MD5 b5bce3924b5734cfed49cf5be4552cf2
SHA1 52355dfe9e7cb926ab3be16fd3502d72ac1bf7fb
SHA256 2cdc914045d69898697328b0635c6f4f465bb9bd34f409042933711a22d4f992
SHA512 a088adde92ffa4c333dc1c71e2b54d799618efd3136579de864b574402964e62284163c13fa118a8d9f218d3d70af2525e3252bc781242935757cea32c826fa1

C:\Users\Admin\AppData\Local\Temp\EwEm.exe

MD5 2b61c04050dc229ab1e919d16b301bf3
SHA1 8ac3e09d459ce79833ae43a4be64443db9935174
SHA256 fb81d5643b4da839d61537c31abae81a6a7b53ae620855dc2851389da41c2f21
SHA512 8c0f5d819f64e56716cdabcbc759df1d3ff759d2a645fd60045b3dde52621591c6b4cc38c411a4df19f644215937dcd624ef84a2c6867934c41ecfbba6ce9f8b

memory/1148-1362-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3148-1361-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sAku.exe

MD5 796249780fa9c07509acbb9b850751aa
SHA1 784d53cbd01333476f1760d2c50394c6bcc41e0f
SHA256 9f0e1e6d9e120b5b3dd312309380279cca9a66626860c54c3d9f3f40495242f2
SHA512 84958b9c8e5bf0b2b81a81ea29765ae8fa5b90a408f1cec4db1449d76d8c57e65f9ba15823286a24c8943f7f59111cbdb57d31f06ac241e0993561a159ec89b1

C:\Users\Admin\AppData\Local\Temp\uUAU.exe

MD5 fdd272402012c195be8f524d3d400e66
SHA1 b97058068bb037ff00b85a08ea693842e049454c
SHA256 584b0a73df2e6815db163a96cea95e281894cff0b0188172303c9edd13fed9a3
SHA512 a58a94417fc39ee59cc199bf33e86695967b8b2f9105ee0cc1dde8ac9fbebc6922e351e36de369702fecdbc8322002ecd77742b24c7ec4307807f45106d2396d

C:\Users\Admin\AppData\Local\Temp\KAYy.exe

MD5 846b839048b9c9cd0a2dae82ffb53645
SHA1 19c86c6efacc4e194ee19858b1d418ab0b48b7b0
SHA256 78022a0c1861dbd5c9c3e5febe6605fbf11ce8336756098f05213de30a6a374b
SHA512 510b28e452358302f964b6add2c2ab271f95a711df510249c550f0258acd1411cff7f6ea29398d36c510f7e0b1f55b2da8ceb46e6516488ab824c6ea096298ae

C:\Users\Admin\AppData\Local\Temp\Owwk.exe

MD5 4014f587e400bb2e282e64b9988fa515
SHA1 f8c9ea8ae02c42e909b7615faaa99fcbfaf0879a
SHA256 17fc8f621ed24fe58ee410385a447ac3fafa0502ab346beb457ccd3374d49c39
SHA512 0507bb5a6b44d31c9d7af9e92ecb9d50215e3615e95e354941fc57bcd6e5149b4c91d27423305f34d07ec0da1b5604dd0e510e93d523090ccac54998cfed5237

memory/4072-1422-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yIAw.exe

MD5 917b05e4099048109213a092181fd327
SHA1 8e22ef54230ef4eb41906e38c40942744d3ddb9e
SHA256 ea05d994cb6eced0a606a043fbcc10180e7b83cf0514d81a573680919a656714
SHA512 2aae4da2473f379b6fb7a67758aec6295ab1401277a71401bb7350a136d6f14b4fe03d800e8a3f5c8e5fbf96873e8dc3281e77e99dd2900cf6bb2f21627d2049

memory/3148-1440-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UMkg.exe

MD5 ea8481268e43656bc085933529509742
SHA1 61d3e751131a85fe0bcc0be1a0dc95dbfef8da59
SHA256 7874add4a7ba61b72e501728bf87e753339343e42f91028990df07b217aff86d
SHA512 2b6ca5c512a5b0c684801da47cfdc623a26d6665db7e5f307662f0b63bed93c116094cb11263e8edfce0c645fd7770dbb74e8457c00b7f0ff4ef08f57b946b21

C:\Users\Admin\AppData\Local\Temp\MwMU.exe

MD5 b36906613131cd4cc688ab4354a293fe
SHA1 471ad54b985123911e0371e2c1327afc82a5af83
SHA256 5668ce21b019a8a2ef9c115cf208cb204c8f0041ac299233d94dd3c6798d61c3
SHA512 230205c9c9afa5b5bd5de2a8bdc169330dca0e445c39969957c9711a0ae9cf36f075116a73c51c07bdf487b110bdcc7c3bb0e840d036f94fd5b83ea9adc6f637

C:\Users\Admin\AppData\Local\Temp\gQYK.exe

MD5 a062f921c68f28abbee5361cf6ae394b
SHA1 6ad9b0f6e59da045e54d31d53f6cf97855bdbac7
SHA256 f46c88e6ad853145f425528f1bb3175d3ff73f0bf4c4f17009604a9c71dcaa55
SHA512 26c61a61e6972d61b41887060564fecc89735236b32d650d5f6b230e2aaebbf62bd6c328789cae360b8d6206683519d7da275755b42fbaaad17d449ae2311b40

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png.exe

MD5 367efdcba35471e4bb61160a46a2e5f7
SHA1 918c4d38fccce90952834b029a96098b521d8775
SHA256 e76ee6f2e6410c2aa33469860c5ae59281a4f655a31ca0b7910576717b383033
SHA512 bd2f89106d7b4e8b9214cafb9eba42d77319cd7b2eef95f02ffd909e637cdc9148720090edfa1291d6bc9c38e10388a929b902a9eb4a0238ed40fbc3bf061d74

C:\Users\Admin\AppData\Local\Temp\kEAG.exe

MD5 a471822bba3ec0dd6f6dbff3ad3a29c3
SHA1 0e240d9700e792cc2074e4be86a9dc78ff31e4da
SHA256 dad1ff573ec45cb7dbe795cea8f19fe244c249af9b42cb4c0f10c4a24000e673
SHA512 f30201a0d957f545a28a14864c2855e8550686f2cf83fc3d8329ec65b1d76cc628cc83cd804fd317054da74abad9f2af6e699d758170dc4cd8dd22d6db5fc3b7

memory/4072-1519-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WEkQ.exe

MD5 201e095458dc0205f171a3736625ac7d
SHA1 082da7766c4890c50206740b8fd06d3ebce3fc7c
SHA256 cc42c82ab46837dea418f6077a7cf94f086481dbbe9aa7621287b47e888dd45b
SHA512 77c936052b80fcf518fad3860e2511ead29730fb9c493af1a242dc5f08ab797ed9e5b3f7ad3a93bf8e9f4c5c6cd7fba66cc5953a9284307e1d0a42f525efdd54

C:\Users\Admin\AppData\Local\Temp\GkIu.exe

MD5 2d5b74d790c290757bdae96ccaa354cb
SHA1 ceaf64a885fb0db95c6bc556518d447b540668b6
SHA256 563b02d5949889f612079364962c1bc91ada59b27e4d39db0d27a6df6358a2b3
SHA512 086a373aff3de4280ef9f011fe68236234147dc7fc6844a1026950ad42e976a70c48da7d0577ef57ea983eacc15f654f25c8e3f2ae7fa7645165442dac13d8ee

C:\Users\Admin\AppData\Local\Temp\iwkG.exe

MD5 9c8083cd114fcd8bbce2308042152939
SHA1 a1355986b064d3d15dec0b563215d7dea1e0dcbd
SHA256 a81947de1fa670d979d3014a88f359a63b7ffe3593d636bacce6013ca1a748cf
SHA512 489cdb48b5118652f2a2a9a03a73f10cbb25f4c5a5f03631f0444b9cf3b1d7f8a4f5408ae353fb270dc86bad2d04a649d28547df84f24bc0efa40f71596138bf

C:\Users\Admin\AppData\Local\Temp\IgsA.exe

MD5 78302900801a22b9a19db8b6503fee8f
SHA1 3bfb75155e5e327a0adf634801cb2c83967fb49d
SHA256 5e70d58e0b76b41c1dc7395976f7b31a44176b59296ebeeb2bc84a7057cf2907
SHA512 d9eea97dc9fb448b856f9d0aec5f32f90c2816862e92c9aad92e02588df867bead9b841476085d04703c8b5b5dfd7364986ed688758697dd8af513eb657c33ca

memory/1340-1582-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Oswc.exe

MD5 510cd49333885af7aa43e5309bcf0947
SHA1 aa82f975753bfdca046e2259530900376a0880bd
SHA256 80ac250f72c7ab51d3a8885649da24d274fad63e1a571a48b817568b80dae842
SHA512 588562b1fd21b8b90e3cbbe96412c8a265ac9ba17d3a32931d8a58713ac2c57a0eec609fe3795a344ee9ddcb51b10060eb2c34c41590ca226a3be83e5ad84c17

C:\Users\Admin\AppData\Local\Temp\aAME.exe

MD5 c8259ffae073ddd37a95c290e8642ac5
SHA1 1bb205282bdbde06f8058120e4ec54e6cad940a7
SHA256 b75c54e4f41d92ae67954adeeb01686c5dc83163a4192509703987f740a1ac53
SHA512 23ec76d681a5007038bddbf753530f9e40f269f41dd8b10cad04822d5c37bdad559618ddc32e25eaa68dfacf9cff0a8d0d808b097ce2fbb94614da0fb81c8046

C:\Users\Admin\AppData\Local\Temp\iMAs.exe

MD5 4fb0c7c5f1a3f58ab2e452f9c90a3372
SHA1 6e4c5a91a52333b24be191bda94fde355cea9eb9
SHA256 06d1c49ec522159741b2c9452b0e5c87bb96b7b2620190bf383f797bf85354c9
SHA512 a7bce55d4b82ed669876edab450b334f2b725fecc36f43897a61d09c250786b3dc9d30c7e64d8a9b48aca7aa24744efc2bcf9e0db8c36c3f042979a4e7e8ca10

memory/2988-1632-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gQwM.exe

MD5 554390de74fd7cd4b205eb1154f2a663
SHA1 990d1343d9943fe1e2708b29972b8065054ebe6f
SHA256 0db0cee417a2bc964f8c3d26051013b3d333d82412ab179a8bb0cf5225ceaa40
SHA512 c17be35333285f455c3630708c584567a458ee644a65bdfe3583c10fe4ee3df82f67eac2cd82217d18f4a6bfea71f0f34d90f58a59984e8317339108810e3477

C:\Users\Admin\AppData\Local\Temp\cQIK.exe

MD5 5e78afcdb2e9f88b452772f19a23ecb0
SHA1 feefb85689ed35803757b14f2bcc3d8b4784cead
SHA256 6b41c0c61bfa1547960e4b52b5ce6bd0183d4860427252a42aeedba80cf0af41
SHA512 4178de219df8fc0e69f287e1ae781d8522cbaffd33126e7041f0d53209e8f6a140f742f1405dc259fd3dfe44188c1f20418aeff3000cf2537bc241ec0ef80257

C:\Users\Admin\AppData\Local\Temp\skoc.exe

MD5 838fe3bc8c96e9285f14f4aeb7aa7f4b
SHA1 c2f3394738e1dbdee15bc7bbcce8e1ee69874a23
SHA256 27071a2a65028dfe13c9503ac05d61e57422ed77305cfbec33003c05079f7c87
SHA512 487a2af1c7db0eceedc92bea60fa599566a52853c29faf1293a33d43989818b98d732efe391a13d9339778758c4e8888d27b365ad35e855d4da4bccf1a380325
