Malware Analysis Report

2025-01-22 08:14

Sample ID 241026-e3bq2axlgr
Target 2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock
SHA256 ee88a2e13047ff2d4546c4f160be8784b5c8cf8d86c2e026b3adf102a8515f3a
Tags
discovery evasion persistence spyware stealer trojan ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

ee88a2e13047ff2d4546c4f160be8784b5c8cf8d86c2e026b3adf102a8515f3a

Threat Level: Known bad

The file 2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (78) files with added filename extension

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-26 04:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 04:27

Reported

2024-10-26 04:30

Platform

win7-20240903-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(identical entry recorded 64 times)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(identical entry recorded 64 times)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation C:\Users\Admin\WOsEgwog\tSooIYUQ.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\WOsEgwog\tSooIYUQ.exe N/A
N/A N/A C:\ProgramData\kGYoYwAI\sckQMYAE.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\tSooIYUQ.exe = "C:\\Users\\Admin\\WOsEgwog\\tSooIYUQ.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sckQMYAE.exe = "C:\\ProgramData\\kGYoYwAI\\sckQMYAE.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\tSooIYUQ.exe = "C:\\Users\\Admin\\WOsEgwog\\tSooIYUQ.exe" C:\Users\Admin\WOsEgwog\tSooIYUQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sckQMYAE.exe = "C:\\ProgramData\\kGYoYwAI\\sckQMYAE.exe" C:\ProgramData\kGYoYwAI\sckQMYAE.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A (25 times)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (25 times)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A (7 times)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A (7 times)
(64 entries in total, grouped by process)

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\WOsEgwog\tSooIYUQ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\WOsEgwog\tSooIYUQ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1320 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Users\Admin\WOsEgwog\tSooIYUQ.exe
PID 1320 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\ProgramData\kGYoYwAI\sckQMYAE.exe
PID 1320 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
PID 1320 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1320 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1320 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1320 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 812 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
PID 812 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 812 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 812 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 812 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1368 wrote to memory of 2044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe"

C:\Users\Admin\WOsEgwog\tSooIYUQ.exe

"C:\Users\Admin\WOsEgwog\tSooIYUQ.exe"

C:\ProgramData\kGYoYwAI\sckQMYAE.exe

"C:\ProgramData\kGYoYwAI\sckQMYAE.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oIMsEIMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GmMkMIUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qOAcYkYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VwMUkoAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bcgYAIoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zAowIoUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fsoIYcgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\syMoYQMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oCIgAEYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iCQYMogk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KsUQooIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RuUoogUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ReEsMEQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ViskAwcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JYMYwsgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\biwsQowU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mCgYggEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gmQcQkYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uwIwsAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cMssgEUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pSwsoIIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FSIUgsEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-912021698-101120731-400844059-10249895371938923566-1290468888-2009597066-1727165539"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PMQgUUow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FWsoQAYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "165747323883438965-1745742564-1114079120-1570434623-1759277375592595340-114785418"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PEMAYcso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "4946003111178081459-207598328913513933001056907751-84034297166480486-97257721"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KUUIYUEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iCAYoQQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-822587085-863808802284765191-288808023-138438869-201960145112374771431347069955"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kWUUYQIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SuwoooMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1961677141-17519066526861168251260654656-1788580898382013708-1965291907695083787"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tgkUAcIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JOUwcYsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pIUIMsos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RAMYwcwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wSUYwAMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "9674024971669416855-1128906377-14945932-8596104231657525251-1845605465-1942741545"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-729827085662475462-2587865709955948356407804971148550316-709109949-31102628"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AWQsoQoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "20436378661785921005-1961284611-1281605380-1458371789-1657921797-5924678022036847196"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AcoYIQgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-259247267-2093432640-756040551841763047999429603361111350-18792854401724080326"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-721534022-490859214290859282-10233437352044613260-640024317-582221446-2029552150"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kYUgcQYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xusgwYwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-870491925-858569800425434015-137667458793528221-1781320714-1205938371-569627882"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tysAYgkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-4501479191463150387-8798947761524456327919457481855437100713995731475891970"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TIgkgIQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FiwoQQII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-829389064-1815690160-110630351017890117671026546804-152784895220812780951219582823"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CGgcIwoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1553957588-2062515555-1933731909567033621097189052-172871231321082629241140455768"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-289850760154417474016540626299575643616828647122070678719499448892-591037976"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SKQMsMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1348227592403257455-1446956770-454518565715311231-17116943501510184930-874982806"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KEgAgUkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-348537896-1958292513-1613798587-20567707811116854593-1653354617-8064518621583552060"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iKIYsEEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bcMsAosg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jsMcAkkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\locUsMkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2649382978519918752059394542-1629716330-25897188514194884211194144610-518954603"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "14698786201665916278-13870064531718605839-1907329337-801920268-1335067459-475980754"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iWMEEQEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1769014925364985277-737714993-227218167-806184840-1405855995-803599510-1086151899"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wGMYYAAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ScoYgwIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "732926932-1963697797708842202-155258687168679249120486479291317763351072065963"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-7875947365940937820739541531977718849-5425358802072710788-36835251985032034"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dGEQEYcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XUEsQgQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XuAMkUAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "9209054038995487201763290246161834967913474594083592852681646856587-78267869"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zsIYIkEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "250838665-722008718-1448514941139713308014215635721868376869-6739116251174020142"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1565189393810636836468998182-5276109171189548333856882505-246341386996955635"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uOgUokwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "108314413110563518321728240336-70557725819278382871284155198-863396110-967253788"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1753714764335041096867734652455485676-676244754-121388909012371912831721490407"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UUQkoYcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jSsgMUoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NMUwAgcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JSQscYcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1595777223143473358420300804-10334875831343467371589756149830288942-556760352"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "9473811491278887892-912526124-14708049362134578308-1329340124-1626475675656611183"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1270760871552253522199118663-7280971701973437935-859280205-2144937194-87418928"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hsMcIYUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1057063943-2010403721-1192143112531656351911115725-1408163916-934672438-554935520"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GuIcUYUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SKgEIccA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UAQwQEgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-133220465-15026774121250308326-1068676533-636865232-20793621607193044842037936746"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fewoQwso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
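
The `reg add` lines in the process list above are the concrete form of the "Modifies visibility of file extensions in Explorer" and "UAC bypass" signatures. As an added example, not part of this sandbox report, the Python below decodes command lines of that shape, flags the three registry writes this sample makes plus the cscript/cmd launches of files from %TEMP%, and leaves unrelated `reg add` calls alone. Two facts worth keeping in mind when reading the list: HideFileExt=1 and Hidden=2 are the Windows defaults, so the sample is forcing them back on with /f rather than changing anything unusual, and the HKLM EnableLUA=0 write only succeeds with administrative rights and only takes effect after a reboot. The sample command lines are copied from the list above; the two control lines (the Contoso key and HideFileExt=0) are constructed, and the ATT&CK technique IDs in the rule table are my mapping, not the report's.

```python
"""Added example, not part of the sandbox report: triage the command lines
from the process list by (1) decoding `reg add` writes and matching them
against the Explorer/UAC tampering this sample performs, and (2) spotting
script hosts (cscript/wscript/cmd) launching files out of %TEMP%."""
import re
from dataclasses import dataclass

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS",
         "HKCR": "HKEY_CLASSES_ROOT", "HKCC": "HKEY_CURRENT_CONFIG"}

_ADVANCED = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
_SYSTEM_POLICY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"

# (normalised key, value name, data) -> why it matters.  ATT&CK IDs are my mapping.
# HideFileExt=1 and Hidden=2 are the Windows defaults; the sample re-asserts them with /f.
SUSPICIOUS_WRITES = {
    (_ADVANCED, "hidefileext", "1"): "hides file extensions in Explorer (T1564.001)",
    (_ADVANCED, "hidden", "2"): "hides hidden files and folders in Explorer (T1564.001)",
    (_SYSTEM_POLICY, "enablelua", "0"):
        "disables UAC; needs admin to write HKLM, effective after reboot (T1548.002)",
}


@dataclass(frozen=True)
class RegWrite:
    key: str      # hive expanded and lower-cased, e.g. hkey_current_user\software\...
    name: str     # value name (/v), lower-cased
    vtype: str    # value type (/t), e.g. REG_DWORD
    data: str     # value data (/d) exactly as written on the command line
    force: bool   # /f present: overwrite without prompting


REG_ADD = re.compile(r'^\s*(?:\S*\\)?reg(?:\.exe)?\s+add\s+"?(?P<key>[^\s"]+)"?(?P<rest>.*)$', re.I)
TEMP_SCRIPT = re.compile(
    r'^\s*(?:\S*\\)?(?P<host>cscript|wscript|cmd)(?:\.exe)?\b.*?'
    r'(?P<target>[A-Za-z]:\\Users\\[^\\\s"]+\\AppData\\Local\\Temp[\\/][^\s"]+)', re.I)


def parse_reg_add(cmdline: str):
    """Return a RegWrite for a `reg add` command line, or None for anything else."""
    m = REG_ADD.match(cmdline)
    if not m:
        return None
    hive, _, path = m.group("key").partition("\\")
    key = (HIVES.get(hive.upper(), hive.upper()) + "\\" + path).lower()
    tokens, opts, force, i = m.group("rest").split(), {}, False, 0
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok == "/f":
            force, i = True, i + 1
        elif tok in ("/v", "/t", "/d") and i + 1 < len(tokens):
            opts[tok], i = tokens[i + 1], i + 2
        else:
            i += 1                      # /ve, /s, /reg:32 and the like are ignored here
    return RegWrite(key, opts.get("/v", "").lower(), opts.get("/t", "").upper(),
                    opts.get("/d", ""), force)


def classify_reg_write(w: RegWrite):
    """Why this write is suspicious, or None if it is not one of the known writes."""
    return SUSPICIOUS_WRITES.get((w.key, w.name, w.data))


def triage(cmdlines):
    """Return (command line, finding) pairs for every line worth an analyst's look."""
    findings = []
    for line in cmdlines:
        w = parse_reg_add(line)
        if w is not None:
            why = classify_reg_write(w)
            if why:
                findings.append((line, f"registry tampering: {w.name}={w.data} {why}"))
            continue
        s = TEMP_SCRIPT.search(line)
        if s:
            findings.append((line, f"{s.group('host').lower()} ran {s.group('target')} from %TEMP%"))
    return findings


# First five lines copied from the process list above; last two are constructed controls.
SAMPLE_CMDLINES = [
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    r"cscript C:\Users\Admin\AppData\Local\Temp/file.vbs",
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\TIgkgIQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""',
    r"reg add HKCU\Software\Contoso\App /v Installed /t REG_DWORD /d 1 /f",             # constructed, benign
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 0 /f",  # constructed, shows extensions
]

if __name__ == "__main__":
    for line, finding in triage(SAMPLE_CMDLINES):
        print(f"{finding}\n    {line}")
```

The rule table is keyed on the exact data written, so the constructed HideFileExt=0 control (which makes extensions visible again) is deliberately not flagged; extend SUSPICIOUS_WRITES with whatever other writes your own telemetry shows before pointing this at real process-creation logs.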

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 172.217.16.238:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/1320-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Users\Admin\WOsEgwog\tSooIYUQ.exe

MD5 f93a4739a84ad1fc7f153f0e461982f9
SHA1 0af86a3d201e640cc4469396c888323e2eae772d
SHA256 ef7efd3dcdf756397becd6c9f333865f9b4246e45f9f0a5e833aac9f2f71d629
SHA512 019892a6fdcfda6b9a0ec7f7f37f03655ad058c6e4de0515b2e9e0db115f8982ffc1a4fa51c4b19dfd2edbe047a1cfc67e0b2afe8d5ac7cf7198db9acfec1d25

memory/1320-5-0x0000000000390000-0x00000000003AD000-memory.dmp

\ProgramData\kGYoYwAI\sckQMYAE.exe

MD5 705635c4b1ebe32583e587bf395f0d47
SHA1 3b4536f54e9815276097bef441830532cc4c4ba3
SHA256 5a01dd482d3dae2e5c310f7b0dd772572104d4cfbd364baa64fffb9ba92f4cf4
SHA512 5c68db1a4ea971cf983ec21b1d9389b701c13c7b5c1fe9e61c0d503da0a28a231066ae16fca27db02b26d2667b1383b81d704c86eef66843bb2a6cf14edf43ac

memory/1320-19-0x0000000000390000-0x00000000003AD000-memory.dmp

memory/1848-28-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EEAsYwoU.bat

MD5 2a45035c25f49c7a2c2333e248ee8628
SHA1 a8e8d4558e43a2397f9246208733f524e467e061
SHA256 fdb0abff60e55187db83009b98f03b6e13c6556ee1246700d1d900dfd15bab72
SHA512 1bfa4e90a6a627d8d6606a7d35b821e13fd4fe20a3f9b7b39d22edc92e7dbfd4a2e56e9b2bb504a86cce99dd99f468c3ee213f791d80beb00632aa4304c73209

memory/2132-31-0x0000000000270000-0x000000000028F000-memory.dmp

memory/812-33-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2132-32-0x0000000000270000-0x000000000028F000-memory.dmp

memory/1320-41-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oIMsEIMQ.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\kMQUQgMI.bat

MD5 ced29d13a4ab0bbcdad3c908e61abcb9
SHA1 7522349e800cd36fc77bbd03541aaceabc1f078e
SHA256 e839d5c9247fddaf871984054e965cdd09da35ca034bb8bf7aeda062e5721a80
SHA512 123f714944af82230d1a266bc89b3ac9d1eb97537da10243efdfbe427f1c39033080a5eeb1d86c2b1683d4230f4af3b543379dd843f42cef382706031228f8b6

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

MD5 913064adaaa4c4fa2a9d011b66b33183
SHA1 99ea751ac2597a080706c690612aeeee43161fc1
SHA256 afb4ce8882ef7ae80976eba7d87f6e07fcddc8e9e84747e8d747d1e996dea8eb
SHA512 162bf69b1ad5122c6154c111816e4b87a8222e6994a72743ed5382d571d293e1467a2ed2fc6cc27789b644943cf617a56da530b6a6142680c5b2497579a632b5

memory/2716-56-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2612-55-0x0000000000120000-0x000000000013F000-memory.dmp

memory/2612-54-0x0000000000120000-0x000000000013F000-memory.dmp

memory/812-65-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SaQQwMcs.bat

MD5 8cc8776ba35cb81aa76623b72357e7d3
SHA1 4d9f44a354a2bcfde4e6e7efc23be6fda9354871
SHA256 27aa52db48a9ddaf557f1816d8b14885e89bbc655cd19a98adb2e225d3a67ca0
SHA512 d6c3295a4c97e29af30f891d07e063eec922c177b99bc0a769e7e31be27ba373595ab1377f4b65e2ad78f327b71c2d0cb05b82c9209083c62126816e36881e9b

memory/2908-79-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2784-78-0x0000000000170000-0x000000000018F000-memory.dmp

memory/2716-88-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jaIUgksA.bat

MD5 19c7c07bf10a76c08b80bcf337a56b80
SHA1 2559e2f3ba4e1b0b3c125912c1cc928d0ecd42e9
SHA256 70d619e417c63c28e7eff89f7477f927567dfd11f0a6a64b8dd0320bff637927
SHA512 1a3b005a495904543191c764d98d6a8f31ca81d0b8048a32bfc54765bff0b2fbe1188aea43716b7f1fdfce37b268cd6f80a3316a07210828ebd20f52ada51208

memory/1816-103-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1912-102-0x0000000000140000-0x000000000015F000-memory.dmp

memory/1912-101-0x0000000000140000-0x000000000015F000-memory.dmp

memory/2908-112-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zeIEEEoI.bat

MD5 dbe8f305cd05dbae5de53058c3f59781
SHA1 b4e3ddb6593a6ef54e6f95711824566d60d090af
SHA256 1f3480c3f831151870a4963e6636047f07bb740dc236059b105b42a33b2ed59e
SHA512 8991df1e600590e474d36b16e08d8340bd44fe2a33f57d37b60beac61843dbf1395f0f149be5f76f6e077ac56630b600f2571fcfe47f933a8a1354a7fb7df0cd

memory/888-126-0x0000000000400000-0x000000000041F000-memory.dmp

memory/888-125-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1380-127-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1816-136-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HOYwUwIs.bat

MD5 7c0d78be0860065c5b7b99fd36af6714
SHA1 f98be6df3ee8d8bad14cc0faa10a71d62292a6db
SHA256 0393a3fcf770a5dd1b58da44e3196ba22a55c200688db996c6c11bc594cdb30a
SHA512 bd7b8435b88cf832999af6162f5177c8a355bbd712dc3e0168f7caf8443eebdd34081a68a52254ef25d87236de9016c8dc49823a4c2dd4647de523a5cbf8f6a1

memory/2324-149-0x00000000000F0000-0x000000000010F000-memory.dmp

memory/544-150-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1380-159-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XWAIwokw.bat

MD5 d1a3c54b5bc4d0a96f9bdbb0d343577f
SHA1 1fa6f7fab56c4645b8287fa12791ce3a6ae624f1
SHA256 c4cb38685aabdf26f96eba144a61ffb7ff09abace4c4995780bc46b8f2e8621d
SHA512 bbbefb1cfd9dd900c42db8c1801350e43167e9855db06c667ea57ae7d9d0254f9b364aaaf7831572927aa7af4c2c61e2952be030403a0f78b25a23108174d623

memory/2696-173-0x00000000000F0000-0x000000000010F000-memory.dmp

memory/2696-172-0x00000000000F0000-0x000000000010F000-memory.dmp

memory/2804-174-0x0000000000400000-0x000000000041F000-memory.dmp

memory/544-183-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GWIwQMwM.bat

MD5 eb7962467f7e5da30810be4a0021cc4d
SHA1 699bff77074f47aa8a5dd55941799bdcc4a43eb0
SHA256 0b929865dc98903a6922b328fb5d0baf1946c20dc2e1ee47a8cc04dd102d064e
SHA512 15fda2deac01c87a2faeab5906b60a8548ce3b942c01f16e0d5eb4d54e7abb7da408761d942ec1bec9eb5d26c633eee619a2665e975ca822724d9b2d43805fb8

memory/2104-196-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2104-197-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1492-198-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2804-207-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aQsEkEQY.bat

MD5 b2aaba395255a7fee54cad3c1a5c02bf
SHA1 db62eb59bf9da36d26f06d981e8f7eb094cc1960
SHA256 366465dee9ab59295f131385c0d99d6820f762b318f432103fc5e244d3e4c12b
SHA512 bd706be9c2e44f0a0ceb1ed3043e86cf53429b2cbf162329c94879bc02fcfe5e5a540edd75b12bfc52fb99301e065f671ee330574e68720054e0a56032f194f0

memory/1492-231-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2040-223-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2008-222-0x0000000000160000-0x000000000017F000-memory.dmp

memory/2008-221-0x0000000000160000-0x000000000017F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iYswAkgg.bat

MD5 bb6807fe14ffb4c8831fa4f8b0e5f68d
SHA1 2f7016559be3e1737c71d0e761843b602f3f87bd
SHA256 db6d6b38617167769c094896e2557e36b3aa4282a44c44184264e45998d33789
SHA512 371ef685297c9efc96a29e6800f791132e973324e96ceaa82c367b3e7f3ddf22d7a0251c16ce4cf01eba92e3546e4008b95ba469d260868d758d10d64761986f

memory/956-245-0x0000000000400000-0x000000000041F000-memory.dmp

memory/956-244-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2040-254-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wMsUAAso.bat

MD5 7af796bddc941230797871a066c1b3e7
SHA1 2e8bbfff76b6dc3e76a0c22d442af786e9922f69
SHA256 f040622c797ed48920df73e191ee352dbcc94d8f3ee2f535e5cd499dd640430b
SHA512 6cdb618b4a82cddb55eb97c6f3e91b2b8809b110babf734bfed1b382081a14905037065cdac952210b15a064116b34c943aebe6b8dbb53193428bb44bb7b64eb

memory/3040-269-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2308-268-0x0000000000280000-0x000000000029F000-memory.dmp

memory/2308-267-0x0000000000280000-0x000000000029F000-memory.dmp

memory/2948-278-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KqwogkIA.bat

MD5 40bf8701c98048976f4574d9dc70c56c
SHA1 acdf164a039cd73b1774e59013828022cc72e04e
SHA256 9a5f85d05b2cfa30cdc7fba88c807c09e51713c519af15a9be143bcad8575ceb
SHA512 c10d9b8077d1c799b992061cbd910899ad1f9d32132a5db78b5e932f49e4fdccc1ef1d326d72acf56fbbd325bef12bd42bb9999a3e09014377978832b5e69ab5

memory/2832-291-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3040-300-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ngksgoEg.bat

MD5 5844f26ac83094f25cf9114fe6592977
SHA1 89b56a5801104f1fc6bc995bf4c5782c04596024
SHA256 69d2df4e079c45b56a59770785e403cb88ba97b6b812b771fe9ec4ff7e5a89b9
SHA512 a816299884623cd7c20048c260238c42453582bf2a00fb315a0153207d59cd5bad6aa265ab3c4267d448f6229a34016ac61ec60c4bd68dd3fcd5782ede398070

memory/1764-313-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2432-314-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2832-323-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vwYgsYUo.bat

MD5 7e279da0d17aac6f2c67e0940bc3f1c0
SHA1 113bb00f410e557cc1b65967ff17f6da71766303
SHA256 5ac038da928724cdcfdf318a140ee07b47b54cc510aac34f00bc13890692a79b
SHA512 ab1bd8703c6f1b81a55129aa0de13ac41704e9b497e45d7b79ee8943581be9255f062cdd9f67a9826fce95bffbffd0cde4f3578d22519ace5ad8f98b02042b07

memory/2756-337-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2124-336-0x0000000000170000-0x000000000018F000-memory.dmp

memory/2432-346-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DqcUUkcE.bat

MD5 1aef1e54dc869a470dd78dc92f156d3c
SHA1 667726e3d3621286c26c3b1dc178a8106687b488
SHA256 4d0a2f2e3e55c05c3a5fe9bf7a2983f312ca12ed0a4bd7a804e93b7a8bbf0f73
SHA512 59cb27f746aabb6a67fc756e3a77ce7f2592352b4c0e89c1f864500d9932aa53cb63ce2627e404be1de976632518fc33b5e986f7be83f030a7c44b22055dc546

memory/964-361-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1832-360-0x0000000000260000-0x000000000027F000-memory.dmp

memory/1832-359-0x0000000000260000-0x000000000027F000-memory.dmp

memory/2756-370-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zowIcskA.bat

MD5 4c3211290b796fc8381a06d6ee08101a
SHA1 e4954e9ca85ac074a284a1d7203830cc334f7b49
SHA256 f6dd160bd34186d81ba49be0e5ed29e0c26ad2d76d97c845cb7c20ce3ce956c6
SHA512 a85b10969bbe5bbb4b89e222c410b57ab8bf6f24d8ba890eee6ce5e66460c08a207099152da1e98c3d8726c932dad6757f413b87cc93a4a16ea4371683e4c36f

memory/1968-384-0x0000000000400000-0x000000000041F000-memory.dmp

memory/808-383-0x00000000001A0000-0x00000000001BF000-memory.dmp

memory/964-393-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MsgscIcw.bat

MD5 a0390e0947e428a5a990167d5cc01fde
SHA1 1d83ce4eb5667f79b45748d5994662763ac0ff2e
SHA256 f374dea5e1c92c60559f20d43a8f00e39d8cffe6eb8a87869e9928085bab47d7
SHA512 1671a8ffca85c92f829173aaa5dffaab6a4bfb3271feec79a554a72cb5d6bab455230b43848f73d62da401ca9ef3e34b3c2bb7d49d147cf2cb09d307eef7dd7d

memory/1812-407-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2140-406-0x0000000000160000-0x000000000017F000-memory.dmp

memory/1968-416-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oSssoAgM.bat

MD5 0d910675edd809e040b69ba4275d9844
SHA1 cad08ea8abff249d5e39346bb5862da731c2c4c3
SHA256 0bc7c31ca2dc9e63582f3dcc83bfc479263173c80deece4ea34dc868d6f8d327
SHA512 d59decb81a61b357639affa9ca749042202739ed142617404b7a3f4363c5ee9950c2723cf83a33917f16d019950472ec26dc2441282ffe309126aa0b4f07c974

memory/2836-431-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2384-430-0x0000000000130000-0x000000000014F000-memory.dmp

memory/2384-429-0x0000000000130000-0x000000000014F000-memory.dmp

memory/1812-440-0x0000000000400000-0x000000000041F000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

C:\Users\Admin\AppData\Local\Temp\WIUYsgcw.bat

MD5 3bdefe68ff2a5db5d10d18e195887b8c
SHA1 5e223aa3e8a9287418cb635c91b7e1d943218860
SHA256 063219ccdfaf7d8ecd51693a75cafc9d07b2be29fc552150ab1ab941eadc85ad
SHA512 8256a381995959a78b3bdfeb2a9d9e48b48d3446b5f3b6671fc7b1209fb703ce636adb2a0e7d5599f055c52f54a6e83614a6d43b8720b7607354cd31a60d4b3d

memory/2708-456-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1064-455-0x0000000000170000-0x000000000018F000-memory.dmp

memory/1064-454-0x0000000000170000-0x000000000018F000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

memory/2836-480-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mAQw.exe

MD5 6610eafd4c08167842a2416153fbdd9f
SHA1 9c0f31b52ff32deb300d1f83ed87c0b2f5164d16
SHA256 d830972cec6c01b040479b0a80e9d66516c613070f84089977b8bdd9e3e55916
SHA512 c4e56eb60e5bf159e1848bf9bf26002f95973956ab34736ba1946d1f4b25226040c5af47ff66d344104c2d734373f84cb3190180ab7f6ffd23b88b2acb5aab03

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\Users\Admin\AppData\Local\Temp\KUwwMAYs.bat

MD5 2e59e4f799b0c9f59f26bf2dabe2060f
SHA1 e20a1dbe0525b822c3b1ede62c5db3d630688caf
SHA256 c5613e82abbd314b600134e58b7038dc0982a1285009c392516c404d5f399231
SHA512 98da2b682d899c751544d14d331f80b386f8b87152bf3820a41c478262e234d1edd83cf057b8c6feed1b6ce1bcb62f8663c2dee7c32589cf215c920f10fd916e

memory/1036-492-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2908-491-0x00000000001B0000-0x00000000001CF000-memory.dmp

memory/2708-501-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WggO.exe

MD5 a39a76d21e37a1079bf1933921b30ff5
SHA1 8d76f761deb258ad8f44449cca3c00091ddc7f9f
SHA256 a5c7e955d8038f1a87bc074f1d21e86e001e8ecebb4be1d2db76d06b57646a65
SHA512 521b6c09481c95e147aad523e8f63234361ca21216d60da8438db17222ccfd311e0026fe66de9278cc120416e2f34bcc6c61b39068354da7fc34af3d3a5f575c

C:\Users\Admin\AppData\Local\Temp\mUQi.exe

MD5 f781e70da8dac0af887acd66dcff2fac
SHA1 fedb965bf6d182e8b0652fd75b5b708730646d49
SHA256 0937c8fcff30eb11cdcff206c5fba8c7e3a4f51f241da95768c102eb1ae3b125
SHA512 7d8e502ac3f1f90a04d55e7ccdb22ef77bf5f26f44a1ec4e865e0f04a13faf506691dcbd2e31bb2208fdabd543c076de68edf9cccbb5dbe89ff1a01762aa1235

C:\Users\Admin\AppData\Local\Temp\CWwYIEww.bat

MD5 c8b1f1df88cdbc9494c2bd8ed35e743e
SHA1 c5010dcfa13831e97e15c54f32a05c0cfcfd9e2e
SHA256 ded5ad1f1bcf4b0edd0d7409be7d97c1cfaff4df726905b036c2db0dc59b53bb
SHA512 a732854218f0e41614fdbe7daa88d500b97e42d96a07bca17cd6f41b42cd0da5360839ae18583439e8a211a30814f79f8e7bacb33338327fc97d4e95ee75e547

C:\Users\Admin\AppData\Local\Temp\uEMi.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\CQoe.exe

MD5 32994f2eb7a8f1a4ad522cc18e0aa2e3
SHA1 ff0273baf60424358e3ebbb7adac8bce51396b2d
SHA256 8131c0bc2a317f7561f87e64d952601bf0338d939e92fbceb9fb29112be1d002
SHA512 0b15d8f8fa9c26fb31629ec1d9af8634627e3cb1ba14002355b8c21bc9466a3462ab6e009b818ebb54a851fdaf04782ac8d8f47ae7f235514f285af1dc7bf180

memory/2924-550-0x0000000000120000-0x000000000013F000-memory.dmp

memory/1672-551-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1036-560-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yIww.exe

MD5 98b129587fcbbdf7c264255fb30b83d2
SHA1 ce3eab7a85ddb8983b0b18d04d46a5c370f5843a
SHA256 5d3f1626fd0a74df74191b20d2ee7e9c45c0c63d658df03778420ca6835dd1d6
SHA512 94cad6cd63b6d6b85e6cf5841c4177eb8422eabab05e3dd637906fd61ca2e16b6aa426a5226338f3384e8735e7196fcc09f546d5adb1dff0c5fc5694df63f842

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 7f187881635ec9e75904bc58dce2bc43
SHA1 6a56a841247f9208b315656b7f8b06bb62c0c765
SHA256 cbf80f0f114464420763e6b67c9b49127553d65315d9659daab7d4e3269af070
SHA512 06a54eafe6f9cd1cd1b73281dfd20c32810bb63bc25e729cf4895565fbccc3cbd9aea9a72e35604230ce2b9ac7d7150ba11fb8a107f60cab3e82cf8ac43daa1d

C:\Users\Admin\AppData\Local\Temp\JKswYIgU.bat

MD5 b0c8e3b807a19c65f758459b1e7b808a
SHA1 2756a31eb9068b81a2f1e2d9f4840ba19fe7c849
SHA256 bafd6d264163950f0dc6376706e1dbb9c98b65ddeddd69976ed89af5a304b6f0
SHA512 8180b20a07036f7d764eac01b420da6d0efe6f6b9002aeff9f0aacf4cd6d0baf39a504d923d9684023f955bd9c8932ed663d33de78baf945008a5a400e557d6e

C:\Users\Admin\AppData\Local\Temp\CUEy.exe

MD5 bcd116fe50b675f9bf350402d26a27a1
SHA1 e9eded3742f0243e8e254e82ea2c6c00f6e41263
SHA256 8913b42617076a07095e1e60d486d387b629f85057d48ef2d31a378f1ff5d248
SHA512 6fc7ae4bbbb46aa809dc50cfe3888620a15edbcc45ba4b9ca00292c1b75f49ca63d7f85b4aaf92bcfb4b7f3382cd6f85abc65a88c296a4905d94e1a6f7899f60

memory/2668-618-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ecce.exe

MD5 831296ff2dbec3793b9608e83d8e266a
SHA1 1ba3fa102b7a09e78c417fe7dd285bf5a1eba555
SHA256 177595428d03592663c089e2aacd406970991815be455794fba16a31d8c60c9f
SHA512 4d768fa2c219c0285a2f961852559d68cf9a0ddf6c340baf11d8ba8ee2a2f7b48da011684dd65598b2c5864c5aa1295f0cea76f2ab3012fa9c8df9f66c128a56

memory/1672-644-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GMAC.exe

MD5 234dbd94e112cab93507d32267bb462c
SHA1 e0afc67a4835712adc188c626e0677cdf91ebbb2
SHA256 ba9744c88a598f7fe24fb0816bca59ae376033263d40ca005f026264f20de50e
SHA512 ca37a7d1be075f236d9aa4a53d26cd6ef7745f2adececf4b7a3728fe1a23bea95e0ed1bddef2dd87a367c85c927945de3b36954be1755e19da39599eb8080b5c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 cd8c2cde12c7ce273754d5fec7f27b02
SHA1 d3d1adc254798da081352b5293f232e1cbad767a
SHA256 c75f07a641166aa1666832c5cce410c87693977cd7ce3e65099428f5104c24b4
SHA512 f388d70b65c0b34a2455d2d26e9497d6fa5fe39447981c5103e23d90e3a5cf2a33c1858d84fdafe3c0cecf9a9fb1d78ffc3cb5a990b8143917118778b6e3139b

C:\Users\Admin\AppData\Local\Temp\IwAu.exe

MD5 6f04491aa26995555d0b82222ed7ee6b
SHA1 0d8427d42784dfceebf14cd46ea913b50d2dd40e
SHA256 6e8c0f16989e31abceb87bcf01dedc894a59de86115a3602d552b2b9a1640225
SHA512 7abcbb914553eaa1d96b458075bfb96de98c4d0dc1961febad7d7c2023134c547b94979f899c5514a23ff7dcbfe663f9f51d54db3e832d1999c30f94c0890c8c

C:\Users\Admin\AppData\Local\Temp\zKkwUcQg.bat

MD5 f43d7ae073dbf0698bf65b439829e794
SHA1 8479244a117091015de8b0c096bf8a27d1708f1e
SHA256 eb3e117ba8aee1178c4ae77db6552d24b99299c1fcde6c196092476315f1c2d4
SHA512 eff81ea48822caa2698ce295e368a1ae1194602e41f2c6e945288c1c9b182e6e230a56b289100c44610cb16068a1f600074998562eafe6c1360a7c0af4f4c3fc

memory/2888-695-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2532-694-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2532-693-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EIEQ.exe

MD5 8c76990d74ee1125904dc9d226e759a5
SHA1 0ab36cfe463f91b2b843316cd60005746558484e
SHA256 69f0ba6d7f68703ba3df8ac44f0fa832ea9484b9d571b6eefc6271c166a2ea1e
SHA512 5c11d756c137f1ab98ed0fc236ddf56b1203c8bd9d9c495bcb2008c8f03a441405009c066721011eda066c95f5ef761a737fab49f8973e14641daec565f61899

C:\Users\Admin\AppData\Local\Temp\MsUO.exe

MD5 a4d7b7c3c273ef7e25a4e5fd093b5615
SHA1 24fce0f8245ff7d5a024b2a115f245973264e2b2
SHA256 efc0e0c899b37580ff5ee146019c85e6eef2deac2613f88e24adc10258b2f084
SHA512 cfbf4c0520915506eaa20e3c7771513cd7ea70e221f3fe261883b2b19cf8844a42feeb9055078116e49993dda59ab004cf97bb85554941a2f4a8ccd84d06c35c

memory/2668-717-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KgEA.exe

MD5 5880fc6cba0aa8176260ae54637babfb
SHA1 5a2397169756b8edcd6838f4f2e6a2531df4028e
SHA256 f66371a562511c0228cbf977d6c0cff13f6e4eb200cd647ea4e027ed5af4ce5b
SHA512 331695aac926b94cea063c591ed69e96ad6f9357038ae7ceedbde5088743b232fb10e6cb810ab41404f450df1a58802bf8caf1c7c542021663b772d0e18a862b

C:\Users\Admin\AppData\Local\Temp\SoMk.exe

MD5 11dea9d18f53ec21e82dd893bb688f10
SHA1 4d652b0cd03d77f46930f62b18ff8bfb94b8e796
SHA256 0b701d160b35dcb5c4efda1c02d56d2944eae4e89549f0367279f169c78d3908
SHA512 023b62dcb6787eea035a76bec99afe6dbe73605b2dec320bac433bd0a09b57b8af3cbae340e16495b34d8869e915d2efeb4fea7a4db1c552ea96ca46362d5caa

C:\Users\Admin\AppData\Local\Temp\wwEU.exe

MD5 b28cb1d6546bb49d3699199562df6556
SHA1 5c81a37e5581c892ca8dc4275794ea3df451cb10
SHA256 f6d1cfdd6e0799b58700a19e9dd9c546389da369c742424fd0da8359dd2a48d7
SHA512 262e29c1ed5b2579fc24acb6c209c32169146046665d082512ce3a9d9a3ddf0fb51a07d8879fa887fdafb126a30fe7c02ebfdf204504eb437b2b0cd22c3b82ad

C:\Users\Admin\AppData\Local\Temp\nwAIIcwg.bat

MD5 a0eabad81709189b6051be3baa90e321
SHA1 d47f655cc549503a404218258266a11c36154a31
SHA256 6c64d0f5b5aca3e1f456fcc6f78bef470704313dde39a2cbf0894b366f5e701d
SHA512 dc2c31a633a056dc34fc79c2c9f1c4bf864476f985a00e545d290571c766abd9d289ba695a61a4c6123a8b02767dfa6afca5de89497006e9232a6475fe64a180

C:\Users\Admin\AppData\Local\Temp\GAce.exe

MD5 41856e47cf2880979451b627e5942830
SHA1 c0eb2a0e6faa0d21c1bf833a0cfef9aed2741c21
SHA256 4efa0621ae9dd7f5290bfda87f587597631e78b11c04176bf8b3bb88b8a7c6b8
SHA512 19fd14f316c3d3d5d1fe89f86a809d5239a3ce9300f6cd98059a731f10ab9cece6e9316b83dad03b8ee923a5b2df7b0b4f51e4642b48774d56bc9323899f430d

memory/2168-792-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2168-791-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2888-814-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aMoQ.exe

MD5 a15440256de0b1d2561207d1fecb23b7
SHA1 ed350d87db2e6391f6e55a3761c898890ad08d7e
SHA256 286c70b0b3b27becc5f3b285deffc0224b59da5ce006c748c6ddde017612212e
SHA512 51052ddbca956917d9a860897c9234dae604da3487715515fd29ebcff5b4ab44da79034e1382ecab1e5dc6c69c859e77e0885b198d3ad07511d10fd2af818516

C:\Users\Admin\AppData\Local\Temp\AYgy.exe

MD5 ca3a8ce663fded2b08005962ec24623e
SHA1 15b710a7658d27715e396c2745ddcc9b0cc3d69b
SHA256 c569ab0d918401dd7a4b5e7370066fcd7ceacfab2bcc73bb4b1f031adcc6dd14
SHA512 49c2e9559abc8dfc9c7146d8e3b7b86aca9a31c1fff946669d1c76a104c807e810f64c5cf665e2ff27d8cccee95448ddece4ce17c9fe006b5aa7c60d3178e549

C:\Users\Admin\AppData\Local\Temp\UUYA.exe

MD5 43761ba0094081f0681739681235be06
SHA1 bb6b9878af9c9397af782cbc4b48bfd08c649424
SHA256 0ef7657eb6d6c7ece4136f840b7976e8f6626ef3d899d560fe3249e5dcfe0d0f
SHA512 ae8ea4796ffd373561ad883df8d2a5c5ae5a80b3f38fb12f59a6575f7b25573b38c4c75cad0f9dccf2d1e8be37f20511f5d947da978eedacd0e5c683b8fb1d50

C:\Users\Admin\AppData\Local\Temp\pyYUEswE.bat

MD5 13c121c5e13a0a4bdb423e2f6b7c01c4
SHA1 cee2c188f1f02a8b1c46c4ffba15e78c951dcf09
SHA256 03c7d349f9a1372c9b2841c219f5c12f8e209f8de28731f508d96bb9db22960f
SHA512 cc23d5f5d0a7dcf7c010f9e3a82abee2ee01f5461c45fb6cbe267598d652b9eabb0613856cb9249884fdcc36600acf615297b210891b8198e3f459d9360b9584

memory/812-850-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WwMS.exe

MD5 47d54252772a676bce6f7fce3d1d5385
SHA1 1c205b7b5c52eb0ad5e041be4460394ea5778a90
SHA256 67795d3f78ba28210e4737b2077d9f371ef352793cb1449d206db3cdaa302420
SHA512 f8120adf33c4745f56c7f85fc81bcce5c498d3b0879f1b5ade2c1e8db4ad0ca33c8deedfb91305c80342b9000a130c36349692b35adcdcfe985a09f06a53d613

C:\Users\Admin\AppData\Local\Temp\agUM.exe

MD5 a71a817bb5f351a88d11ac390fe9e4a4
SHA1 5f1e71a72b2a54e8c8140be543d9880ff5eaf90e
SHA256 81b554f78f7684f9ba2eaccf02d59dbb49714571aef68ef45db025be7bfa4efb
SHA512 6c5ec40f450cfa97ae754bab483e8b3ba9589c982d6b2753463091bb3868600aba5ddf8146ed0b5cccfdb0e787735f073fdc2b813808c1934c1af78c2849ad58

memory/1928-872-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wIEU.exe

MD5 bacbbb193de8bc394f670529e0d71a54
SHA1 e764d3900a83cf683dd35d1f4e032f240a9ed203
SHA256 46b978674acb39ad050b45f74e167048c73dcb6ab9b0b20ea876412cf9686b51
SHA512 c40b97f9c50a9d02a74c33826660ae866537e1476395ce121c96957a7cd35e5be64a6ddcef8d1dbcd92480811874211e3af7387d34354e693f6c67cf192f2c56

C:\Users\Admin\AppData\Local\Temp\Aoca.exe

MD5 07b3c223f8da0d462e8b7f353cf131e1
SHA1 f7028471508e0f4bee0d99cdd8497d0c5265ee36
SHA256 9610dbcc656511392242f53085ff563be8f41f16b990b177e9f1020304494207
SHA512 0ec5ec4a0d9cc601d2ad154a1664b635bb2ac174b0c5ff3402ba5163a951f047143b3bb4c2365b68e5ca3013908ab0d4c2064495ff70e093484ee373132f9e86

C:\Users\Admin\AppData\Local\Temp\iYoA.exe

MD5 a17226637afecbba7fe85f2614c17868
SHA1 9fe3e8657bd5ea1d9cdccdbcf21470499dea0169
SHA256 a71351e34c78bbb5a743d3cad9e5d4c78c9245408375e97ca29d7dcfd9e7e6ab
SHA512 4bd9c87a3ab93cfef5a0c17a3d1273cb59acd4b61ab44ee0c1238b179d919121887d25b87c7ff5237be241dce85ec818148f0a73699a794e4b818de9aeddf57e

C:\Users\Admin\AppData\Local\Temp\PcQgsQMQ.bat

MD5 079116b56f0194a9f7731c305aad6dc9
SHA1 9d5cfbc0c7819f078736b6dd518d2958e353d7bb
SHA256 d2590331ef62e479b347e52e236a62095bec6c0e6217c6469b27f94a4ba20e39
SHA512 86ea97bd5bf0d9653d5650bb15416ea05a575ecc6829830e151a6c2505cc66deec26361c39020364d6d20c9bdee1bb3e6367a5b31e0413337d0788d68b93b5ef

C:\Users\Admin\AppData\Local\Temp\QUkc.exe

MD5 4d36dcc10bab3b22dd4187aa0a331cd0
SHA1 c985c65c7151569b38dc8298db6d435cf2e727a5
SHA256 377a2bee43e6224200d96b8873b88ed07481ba83a31e58e7764024588d09268a
SHA512 38b248c418680e2d9ee44b6c4b2d4d179be681fcfe9a1739bbf91be5a117a116d2ef134e32d54d2458f8306b7d4c0c3d9a615d79d80a0916d9fbf8d537e92a8c

memory/2836-948-0x0000000000120000-0x000000000013F000-memory.dmp

memory/1632-949-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2836-947-0x0000000000120000-0x000000000013F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IMQq.exe

MD5 edd5b4df14d999f10f0d3b5dd56cccdb
SHA1 0da771e692e372469feb32b74aa3ed44ec42cd2f
SHA256 c59872a5726618ad8d9d76a78957067eac609eb5b6a8407ac5395425ea86c11a
SHA512 e2e66aaf6b7c5c99b290e3aebf0cc026a2c071d9ef3a25d18818977d1cc955788838fddc6753f168ec30f650f7cf908b424f20e7caa042976fdb5d9c33d91576

memory/2764-971-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QEoi.exe

MD5 b664de64970ef1c2f24f090405f18906
SHA1 085fef78b5cabeb1596dfa67b6947dceb785fc30
SHA256 55c32dd8e5c88bddf3475508a73a6612313440d08075ceb8a023479c27a825bd
SHA512 bfa2d43bddccfd6ab1efa831391ed532dfac248b61d8b40133d49643a991a6d17942b7ecbffe0f67769ef1183296fceae22e2d7e486867a98dda910ca9adbae7

C:\Users\Admin\AppData\Local\Temp\SEks.exe

MD5 6577661d6d8704433c63bd22144697c1
SHA1 00afdeea152eb42bf0e3c290fcd1ec722ae4d34e
SHA256 277b899b29bb27ae5ac6449ba6b9dc0f9e913e53fadeb906098d23b4a73d8a1c
SHA512 7e2bb29d9f6899a27a48a41266600aae541438a862fb53bfef4242963afa189d7598ca136c75bcb61237c68d50932fd8465ff3e0e27baa87ce4cc83bc57bee6d

C:\Users\Admin\AppData\Local\Temp\GwkYkEkY.bat

MD5 a328a126126e5a9c1deaef73816f630e
SHA1 ab4aa1a017dca65ad7f6f414c50051f75cc0a7e2
SHA256 cb203a427fe3f7fb682e97c3f47ec44145b783d7a1566ef044fa40580b1e10b8
SHA512 c25be2e0a4f91bbdb573b31178532c038f784490a9867482454dedc9243796b00b6ffef7af0ac3578a0b41a04066587ebe6ed5fe8f144c79b5264392f5bfe5d2

C:\Users\Admin\AppData\Local\Temp\YAEs.exe

MD5 5d37621b6fae7cd18ca8e5ab1f016ccb
SHA1 cd330d38573a57b87eaa39b924fd0cea760c3185
SHA256 a0bbf7c3022e69f1983becf043ffad2b3c2ef95cdb67d39e5d02bc666d0ba565
SHA512 d5d325ca16388b2202cdb72e8f4d23c3032bc8518192cf5d5d7ddef6b3e7a057904ba85646bf0a67663ce6021ec1290a1fb183e569e1c356346651c31233f7ca

memory/2440-1034-0x00000000001B0000-0x00000000001CF000-memory.dmp

memory/1632-1043-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\moog.exe

MD5 c1b3287087780c3df621947183b555bc
SHA1 bb599ddb2a6d1c6287299716f343fb3b74951cc9
SHA256 fe3d01e61fc09c510ae7271ca84c531905986c843e17287a8c92d7d765ceaa4c
SHA512 2ed7c05527f5e120db249238c2a06681c2f8282db419bc3b0ea449e3c3bb52b9f02afb0539f9eeec381fdd95fa3a32f37e77f09527b8a51c50a83ec6d1727d0a

memory/348-1035-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2440-1033-0x00000000001B0000-0x00000000001CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Swsu.exe

MD5 fb22108f9decae55f52e8a4278a868a5
SHA1 ff0be6a85ac1f1f86996030c35f44ae04d09f0f9
SHA256 15285517a2bf127470d3404391007a0a794941534521bf7fb670b584692372e9
SHA512 21fc8756a603f94b1cfbde71f895d72ece36e728c23228cb2955c6f91d36f7cee60f1460acefe079537917569cf917b1b6e25ab73a4ccc0cb359ef9404bcc9d7

C:\Users\Admin\AppData\Local\Temp\YIsQ.exe

MD5 2869bf5db334422568cccf863fada5ae
SHA1 32814b66003b5b2472c5300c4eafc3ddc81fa1bf
SHA256 fe310e3724d2e6813c2d8c665ce4b178e05a2aa136f1a52c173531ab9b999574
SHA512 d6e476bf5d224d16c9cca2e4e7143c0f781b4db712a6fea522cc96adbb249b4b6ffa4545f2cec8f8591cbd9d070c857e6009332879ccfa9ffd643710c9c15115

C:\Users\Admin\AppData\Local\Temp\iMko.exe

MD5 833a39709dfb3c0e3e4e62615c10e789
SHA1 05d77ea8385e716dffab817a7e5ff5df3f36077b
SHA256 e2cc6cecf042e962fe84275dc28d9209b2fef48c87f54e598ecd32a7346dcc7b
SHA512 d482c2d96108ad0f44c8634d717123b87ac904d71c37f2938bb2f7af525e547c889dda66ea27823959dfe35b91c329a10f4e99f517bb7c56af8843987e9d4343

C:\Users\Admin\AppData\Local\Temp\AeccsskI.bat

MD5 b1db900adae95c627f2462f041dff7b8
SHA1 cfbe1f81ca04810731ea3eee79ba1b8c6e740797
SHA256 8b56ccc8d8a5cd4fe366cd62e44d4ba5133bf6c134caf4f0a29152e2c03dc314
SHA512 f04d679e26d2d8a2feb9f34a852ca8c039d458aff6fb975bb5cfc971eb899786eadccd3adfdd98b466ea2b30bf97ebbfd05d5d31c05481aaf43fa05dc3cec6b0

C:\Users\Admin\AppData\Local\Temp\wUwM.exe

MD5 d1397bfd0b0dcb65fa40c622fe2476be
SHA1 58af00f31dae9c1a5b67f03f4286a75f820e9717
SHA256 cd783b74b34687dd650797c41483429e698920fcc25970192354460c6f43e873
SHA512 24adf5671b4baa608946f1d52519de79f1b248b6ec05508425c027c441ea03a36d07e032444f9fafe003d74085dc81c6c95cef51d251d6be883d5bb9711d6e22

C:\Users\Admin\AppData\Local\Temp\kMMO.exe

MD5 ab765d97a0e6e594ee7f97c67ed90762
SHA1 08514bcb593fc4994235abecfcea9f4c09fb5426
SHA256 12ad56ce3a2fd4cde9498f175041bb3139cccded028697ab1fb5e1d922bbdf0a
SHA512 db41dce6a5c9898bbee9833db6a770c81a9db54fe905d6a52173162474b4cbb729ca7bce87157926abf9cc885efa610e03f626680b89e6a61049a16146eeb259

C:\Users\Admin\AppData\Local\Temp\qIsu.exe

MD5 5854bf945d4a41cc1f6675b529e8b43d
SHA1 0e38c41ca82970bf66bad03b92dfe7da9d8d4399
SHA256 ce84dbb3b2f976fd0d747f70c9553ef4b7927642b5774568a757c2f2cd196126
SHA512 a3c02ed0fc7f3921fa9e32e6db34ea4257a14a009797427b0d4da1410510c548bf56306ee128bd5d0943d8bff08b98aad93d9c2035b09dbb01cb2034b744c99d

C:\Users\Admin\AppData\Local\Temp\GIMe.exe

MD5 46b85ada663dbac36ad96b925aad8b8c
SHA1 fa43e8e1640fe34ea8e3116eb856541120da0c33
SHA256 d8c0f0d4e5f75454c05715c315506e2e0e3dd5c76e0c39e1581ba987e3ef3ffe
SHA512 348d9b8412c028eacf86f1c6bd2618b2183d68de54812c5e0eeaf923b07e0a2deaab4febd07fe9a9fbc324735d204d8494575b3421006e35f1e92eef6f141e97

C:\Users\Admin\AppData\Local\Temp\wIcW.exe

MD5 9fffe38054d7e7f31a2d9698e2c6b6d8
SHA1 7e89362b4dabb988067f47a945d62395bee33d4a
SHA256 f7c788c71271addb5464e9b8d4013ecf9145b9dbc3fe6511d13050fcd9a8ed2d
SHA512 0f6b532cfedc2247223ced33042770aea6d169313f82804b550e6fd6515c3afe796a0c0c6e94d04210b01902bb03c3f600647dbaf66b7992723a5f023928d838

C:\Users\Admin\AppData\Local\Temp\eYsIYsQY.bat

MD5 0036c418e8f182f5c208c5f13818e8c7
SHA1 cca642d9f89a9a7fa9f2049ea5182e7a431752df
SHA256 1deb09e739a634c8243740c8e15964196035047e7c78a1dc796ae8fe7dfb9d6c
SHA512 aacec95c4147551123aeea407c7f94daf4382cfca83be503c21fa43a0f6d49557a04a7c1f40156ba9991265af03cfd26e3deed91c6ea768b0b5b3c3ffc56c32e

C:\Users\Admin\AppData\Local\Temp\wIEK.exe

MD5 d27cd9012750653933b5c8f142fd6c6c
SHA1 58be416e6d6e4205bdab80062197084fb7204d40
SHA256 5f01540c9cd67c20c232c6e70dd96377492af871657f1374e32653f50ff5e531
SHA512 773b4758eea2ddcd99caaa2f71cc127c283dedf2a52b5a059471c9aedc721251086c9b0e9598f457c79fa94473ee219e4e9c60ab524a8aad4b5b3b5f2f91eb9a

C:\Users\Admin\AppData\Local\Temp\OsUq.exe

MD5 829f9985abfed9891f1b9818f4a888bd
SHA1 bf7e8a6e1fa102aaef53f29cfbae140797bb48f5
SHA256 7ee52290981390cca0bf7d641c78434a678474189a57e311bf458efbf94c3e67
SHA512 2ebecbe8df6060d6c25fddea516c607450c1a3d809eb2548efb41e885d8565392783169131e2042a13ac55d503c6e84c7b7fb472ad5dfa4fb654aeec53c2b7a1

C:\Users\Admin\AppData\Local\Temp\sEgM.exe

MD5 ba3c5c1764cd174170b53b5ad00d96c7
SHA1 366c157db2863ea2a30574e3c4ef0d18840b05cf
SHA256 871874bdb92f6a0bd48546345d588495edf5dcc93e4aca54ef4d610c599628c3
SHA512 8a7178a2bedd6911eaff6368d0725e46630608837d78a64043a658202ee25e7a367f5f482e8bb6c6dfb70f46d078de7a09d0643b9bec8d48ef807bb6984f244c

C:\Users\Admin\AppData\Local\Temp\WgAG.exe

MD5 7f2f6934a149ce54a9ceb9c8d7242698
SHA1 27fb86795c6542fff00e2af74254e41c2503fa22
SHA256 c1323160d27d053b1a7ac22e17b933e3bdddc79b044f52713a4cfdcf09c3b59d
SHA512 bae8bf8fdf908fb698f398cae565fd85c5123c38d07b485a925d40c3b2abcf9f029fe73bee852e838deebae1ba6a01670ba74b0599bb7f09300c181d65dde7d3

C:\Users\Admin\AppData\Local\Temp\sQgY.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\mUQY.exe

MD5 9eca71498d7ba6b129840c269e431f61
SHA1 fa12cf07165a7b9a8f7b8e4cfb299f050e9fea38
SHA256 b624d1d40bedeef03397ff81a0afac4c55751bbe87151e97fa612c6441aae690
SHA512 af2cbfe0d46dc7ca48aa1d4bd9dc66ecd24a66126d677f282597687b45a78014b715e64161f1d38182b3f1a84003d3a199436c06727751d8549a044aa1f88e63

C:\Users\Admin\AppData\Local\Temp\GIEoYoMw.bat

MD5 6abe7fe89ffa9f5ae7155dcdf6ab3926
SHA1 a58313f45a2ddbdc6761e179a3daf0170d119cee
SHA256 38d365c3ffeba072a225a403a8524d1f3bf810b98099e8e8bc5df44046d3c992
SHA512 93195f96427f19e82f66ce72aa9bc70e03d1ff8ee3e59b8cb77a51fbca89a91d435fc900891fad08f1dc77a2614d727bfe522727d31c01c1e7c5d677fd89d0ea

C:\Users\Admin\AppData\Local\Temp\uoEW.exe

MD5 6661f739fc7d8c3bd59f96e0ea998adc
SHA1 e1e68442dbcf1c5799f801e9518694bf29b6acf1
SHA256 5d7ce5a10cd8c4c2b8f87aa89cd78fe7c30f2140b5f56f64409accd7d8ff06bb
SHA512 afd4a272cc1cca3d8feaa03bfc01623c11da3b9fd9f0ca47e6457f359efed60daa85fe35477f325292efda7d21506ecd8afc1bcedd7db6762cc33adbb0fb3e17

C:\Users\Admin\AppData\Local\Temp\eEgw.exe

MD5 48ce405a66dff56e1c5c58cb14351597
SHA1 63027d4a2b0faca278473769c4997f8c0d5613ee
SHA256 c7eb0bfc2b4a4b1a2d1a26cb576601f3ec65e8c6833bde03e133d2d780f6291d
SHA512 027b15f41257b08146b2a89d0e0478b197da3bad48df95b517b8ef7549cf59f5cafe2fc83d9723fcb6c87f5a153996eed99a1f72f12480bb850f0590ab6a15e4

C:\Users\Admin\AppData\Local\Temp\soQQ.exe

MD5 f993a4255ff800183ea854538bc42e89
SHA1 09ebe38de706889655aff2d2ffded9854b21c1f2
SHA256 9723545046a71c177dd444255839f35fb594d5b294176fe54a726834d61ce687
SHA512 2c69f4e2bf864a2ab308fe5eb8474caa7840cc54324a524827ca7beb505d10e253fabcbc1e20f2e06e9cfea7e6a7c5f22c9d61b92eb172f3eb1701f067ec438e

C:\Users\Admin\AppData\Local\Temp\qgAU.exe

MD5 96793b64cdd748bada5dad11ca6eaaf7
SHA1 33550d6f8c282986bdcbc5a1ac7862b6cd9f4719
SHA256 b0f885710803f464c7c7672b6f422b6fbb770edecfa8284ecce3ef5d46f4dff6
SHA512 371db507718cf204111ba0638b167f39ad4d2aaa1ead80fe3b886cb475c48fd010dd006827e1582c68af432f7ba0b337b752b05c9cf4389a085c1e645a8c7cf5

C:\Users\Admin\AppData\Local\Temp\GMMS.exe

MD5 426c7c2362b84050bf42396ab1ec5d4c
SHA1 2188d1051f92b48df1271ef18734cfa65aff73fb
SHA256 d791976c48d1e521675a41299dd2ffcf93f66ee4351f636db273a27cdb0501d1
SHA512 78cc0724adfa44ef4a7a95bc7a414c565df7e0be1918487f12eef4298eeaf5da99a1a9391788fcf5edc0fe1a309b723c165245063381e7fa080f9eca09b999c2

C:\Users\Admin\AppData\Local\Temp\iwoA.exe

MD5 f6423616b627a090b6e469b349fc8e83
SHA1 205d1994b7dbaa074415372c25eebbbf1abec891
SHA256 26c4efe67867b6e58cad5a32b510c659c55ed904cee743388a58ce499e225f36
SHA512 7838f9d76853f89aa5a52470bb53e5ee26fe08d9b0ce9286bbb97b09c1a26f69bcd62960a73a2c549046a173bf6f034de3ec6e03bf898565903164ccacc58878

C:\Users\Admin\AppData\Local\Temp\kEso.exe

MD5 827e7b95d3485fce43520a0d1d53eb8e
SHA1 d15194cff061d56007f14011de0d4e1c785e4e6d
SHA256 bdfedbefad49b2643737972ab8f14af4ca2d247ef2a22250e5eccfa5bc54fc5b
SHA512 36aab7f2c42a1775e205d45d07593717dfc4c0619abf9eddc0c31fa90a893c08df2dad15238e6f5c11fff444a54e368a9a83f75eedff0d415d4f2bcf44f2cd46

C:\Users\Admin\AppData\Local\Temp\rkYAIkwI.bat

MD5 b8a7cee1ca6e796557ec094e1d558e61
SHA1 0997ed96380dacb5e9451e8d7630110e4186f8a5
SHA256 13dc9296d981bf37c78b816dfecf8595503c2d0aedc1244bc9ea5bd433cd47eb
SHA512 0002b1a9657f7aa75c10be0e9ddc92b13289f0502fd77b7b9f3f5ab471280cfc53ca54d32f170a35f2cb66bbfb575cc22442817ebb94da45215f401be927c7bf

C:\Users\Admin\AppData\Local\Temp\qgMO.exe

MD5 871e93813773b66f7bf02b54195dd641
SHA1 00abacd5bce48da7b564aad695ca7b20f68462ff
SHA256 6b20a217b01a5dca2b3f91e6374680871615862aab2faed3c4735426ca27c27c
SHA512 20c0db6d03e2a06ca1f4244e5f4f99a90383dc8e441f772b54353a253a3857ea5cc28b2eb49ee0d66a1d3b0275c09ed3a41dfd4dccb8d3ca1ae354dbbc89c838

C:\Users\Admin\AppData\Local\Temp\GYMO.exe

MD5 7de981011b46d3424f5d8eef9c01087b
SHA1 bb19d5c3f3f0a513bbebe265246a6fd89c6ca9b5
SHA256 306c273bbc4a3834f83dab46f084840d18051f15fa5cac99fb4d4185d4ceec61
SHA512 420c8fdbe6547cff641c297cae352adc2c80f5af6094dd90b47c37795d53ab5a9a45af392c61d42f8dc943bdcd54c90069e731ad600a1e2aac3739540d886d4c

C:\Users\Admin\AppData\Local\Temp\KkkS.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\Desktop\DenyTest.mp3.exe

MD5 4d5316add2385fbe20c7339f6c5969d3
SHA1 d52b79b4cc2b987fb572b2966b70e506bee12287
SHA256 0a24194aeeb8d6cd4dcb19b18ffe4000701e2ffbb121e28106b9945faea51c15
SHA512 4f88265abf2542d42d5fa2f278d2931558520841c89329f3ce29041564ab190ca362ea994d1c6576fa90103ee2d06c10fb518c008f759d103ef7e7f47420badd

C:\Users\Admin\AppData\Local\Temp\Ggwe.exe

MD5 871807d400d8a2578d3fb4e6a3d41dbe
SHA1 83dea357449a08ba7e7276ee2be5bba7da018562
SHA256 3ef39140409a3f01ea8eeef20392a7597d95e4d47698a1b401cf07f36baf0361
SHA512 13681f7b0332d91cbeffa7a041f38e9326b4a15bf59b39db613e76f7f0ca90ff8fc6ac50ba4ad9af7aa127a3962e44237183ce30b2c5ad2d3463077d8e9c4f85

C:\Users\Admin\AppData\Local\Temp\DkowswYQ.bat

MD5 b5f01a94b17b387f6c76ad6412dbd6da
SHA1 58de058444e39e5232562b940aa2ef2161acff2c
SHA256 b6601ea91d0f33be9ae5f87a24e9d1d925dbf751bd607a13d8011badf48a7b14
SHA512 f46d4e8bedc25ace141c2f47e58a7fda3010f7158287ec6a095262af74a3fb8d82c12dd38e29557e5d5955cfb201c6f95618856344a32892fc6f3915edc79d58

C:\Users\Admin\AppData\Local\Temp\ycwk.exe

MD5 2cbee181f8a0e796fe8b4ec48b216171
SHA1 b2dbf1a1c0b6aeed730713995b79a721afe02248
SHA256 fb5c6a58a6bf6e8506acfa52a6fc0b8c8c91b90cdea41c2e49f1368ba0e62eb6
SHA512 a4b12e0e259cd5f8ecd0dbfb7dd7abce8204c47948c0bc87979d8438b5041416b8bed156d3be63acb955d90fa1bf3245a8b25171d2af4deeddf9358699be5ffb

C:\Users\Admin\AppData\Local\Temp\Goww.exe

MD5 a29169b20f4b5fa645986c3a05ff63e0
SHA1 8b00c986e68e46232aec0a07466952e060f7eb59
SHA256 abfe2bc4ecb6b22b988b6a0755dafbf2972f938108792330bf19477dce01e0d9
SHA512 c562fd029764b3372f9c8d2ff7bcbfb06b8f241c2ca2a9fd3991a4d2866e2cb36ddf8e9a5582ea0827732a6f91546b8fb7247457ef718d980159cbaecfc54336

C:\Users\Admin\AppData\Local\Temp\YMAC.ico

MD5 e1ef4ce9101a2d621605c1804fa500f0
SHA1 0cef22e54d5a2a576dd684c456ede63193dcb1dc
SHA256 8014d06d5ea4e50a99133005861cc3f30560cba30059cdd564013941560d3fc0
SHA512 f7d40862fd6bf9ee96564cf71e952e03ef1a22f47576d62791a56bdbfbff21a21914bfa2d2cae3ca02e96cd67bf05cade3a9c67139d8ceed5788253b40a10b32

C:\Users\Admin\AppData\Local\Temp\eYUs.exe

MD5 1b29f02c2bd9ab7d6f337fe23daa708a
SHA1 90a4b12c6d284b81eaff5b5367932f44502086fe
SHA256 6cb5bc53ef270d502884e0b6fbf7fe7be10352b05301df111a76996ca061d6d2
SHA512 4649ebeb7ec58aadd40ee588223452bc3cf547cef8f7853d391d846a8f909f8ddb2e258e9f2f64fc482fe65249a53bbc35de33db684c1094a6dee662d4295c1c

C:\Users\Admin\AppData\Local\Temp\kIEq.exe

MD5 e9900860d35cf3846b517b61e2b45144
SHA1 8057ef1d4a45808e34df99f1d2af3d9be2563395
SHA256 1562b7a54224c87aea3d488cf000aa600e36e81ba2009ff785b225cf55806210
SHA512 4fad83e08cb0e82223911bd90bc9760f2900f5603a732c250d39d6b9f94d1cfc3ae1fa7af5bc40bc7a42b268de1b5f61439ea2c413760048fdce95375475597a

C:\Users\Admin\AppData\Local\Temp\iYMU.exe

MD5 f8155a99a03714e863ff73258a99a22a
SHA1 7e0b3ce47e86580fe815b16ac8ffd884c5242f28
SHA256 708eb6bbf2c8fafd65156a6e5aed3694887e9b3a512f9d53e1862ffd34de41ec
SHA512 c1f244e49fb0de49e0ec83b5f7b36a9757479ac0c1a6b3e44a2c2c31d92c8ae887e74bc2a38155b1de4316cf6ab7c97c7dfeb31f7c21686ad9cc8702587c2ca4

C:\Users\Admin\AppData\Local\Temp\YggQ.exe

MD5 136ca974b8f509269da99232921ecdcf
SHA1 55fd5459a9e63f3bfb2f8077b1c01d408a3e1a77
SHA256 68f6f61340e90e0a7be1618241476927dc03af26cac776f8dcf5b9dda41c7cc0
SHA512 4b68bde5a4bf81e9a2b1f259268115695b5005b2283f481aeb0df6c126fcfd6714a2529e60d77f8588b94e0dbc95490af43246c5eed07cd024ae601089ebbaa8

C:\Users\Admin\AppData\Local\Temp\ckYM.exe

MD5 681a156087d32d85d025b7e113f50580
SHA1 4a3cd8583af0a86dea3c4594a5f85db79f0d2c74
SHA256 7c72462c9802b75326f7a0d7d3dbf424884d21ac868d898fc693c05b51a37a36
SHA512 0a056523838f12903150d86a6dc9f7da942b86b2b4cb7a1e409e3033b15d0a3d891abf05f8a9aa9df46a5800b4b36afc51b7b72ee02745a0e48d6b1172be5522

C:\Users\Admin\AppData\Local\Temp\mIUU.exe

MD5 3ef0e0dcc165576d79f35221b0baa83e
SHA1 ab90eb791a2a2ce87c9ca506ce8545eb90f2353d
SHA256 fd3ff110cc950115bb4992a770c780c34b26a07282afe3e9956b6d3c07afa2dc
SHA512 48186ecedd1026d5ff22fc4695ff081af38138b5bb9f5b462127b00004a31318f4172b1297c379d125505396a3993393ba0634d30be93f2a668b88449b42b3d1

C:\Users\Admin\AppData\Local\Temp\ZykUMUoM.bat

MD5 c9fe28d50aa15ad0bb1bdd4d7f4bc5c6
SHA1 86997f4763794fdc0bdf62914b2e4ae461c61b9d
SHA256 8767b53892cb63640675055472d9921c2ba0a55a7ac34355f94ac23a625778cf
SHA512 c2ab2ae93664dd929cafe7941e3c3eeeb154ad83bbf812ecc70a2ff971f94b12886e97ef24bda5d7a1fbd8cd35a52d86279da10437e8a49b6003213a3ec09095

C:\Users\Admin\AppData\Local\Temp\KQEU.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\cwQu.exe

MD5 68dce0394b7e3125a42ec5304acb44fc
SHA1 7810130aee18ac49a38875062ae4924f31d0c85d
SHA256 cc87b828d9935d809ae79ca4e20d9eca36ae962f30551550cdc95e99573467a9
SHA512 ce65a23e23c679b44c975d80b6efccf3e2dfde111ff510fa85d528e1baf242ca32f0c58f4780044996a22c5625c0cd6c2d6bd6eaaf1b4163b225a160634d69a3

C:\Users\Admin\AppData\Local\Temp\cUsg.exe

MD5 4574bd87a943ae84dbe0e3fd7c418eb1
SHA1 836b51f5c079e76cf3cd7943c67048d380883354
SHA256 042564ba4921219a895e20d7854c6030a82a1ca1e320b27768a739e64bb1156e
SHA512 b117449756179bd5b44ef91d7cf4df1d7caba3a62ef75c9313cf223cc20ca15d364c396a915683d53866044b85c47d58e855fc805c5e83d45242ec33ebe6e66b

C:\Users\Admin\AppData\Local\Temp\kEkS.exe

MD5 1ecc442199d77ddbcac7d7956859ea81
SHA1 0a2d0fe36a368f228ad2cd9c8c0b771d2d8e1f07
SHA256 34353d5166b76e7a12bf3c6436cc0e78e14c3a0035b565238d454f8b887ec386
SHA512 0b54c09e7e2cf86ca2c46f0d392310d2ed90236e6d3b1771b1f8b7b6a8f11cf66968b737cbc00e1dfced96d14a205f5255756b0fe578559185ebc55a0059fa40

C:\Users\Admin\AppData\Local\Temp\mkIW.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\eskc.exe

MD5 76bf6ec79f22d116a1eecef17b9c0072
SHA1 5be06969c1d88ad81bebce287e71c3bac5891dcb
SHA256 430f03fa916fd4b3e2fc89dd6c4ef2f9b94c23457269f9cb43069f5f91848cf7
SHA512 09abed0b02a92bca70d12647107263a0767d62c3c5e1cf6d8e7e64419c94b90e50d71201e2163298d38d9d4231c8472e288be2bab260d5df338019e530ac0782

C:\Users\Admin\AppData\Local\Temp\yUwI.exe

MD5 5ec2e18c4778375e634212fedfb5e137
SHA1 709107abd589bca5d17df69fef71f8b4a505c59f
SHA256 155b8f8f5012acc2826a8d2fce9d3951748ed79e344ec6e87fc8ead1180f99f9
SHA512 b40885c873d5f973c076de25018e7efd498b053df1d3bc3a80fda7ab2f97b7b6a89c7a85e1d787d0d3823301fae4ad5d20c28f6b3ccf36b298cd2e6806a4b5cf

C:\Users\Admin\AppData\Local\Temp\kYgG.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\cMYa.exe

MD5 8872d74be003a5d25e92c17da68ff506
SHA1 8dc77bfc3756e28c9a2e0c02c9df5a2d15968b81
SHA256 437969cab31da9137d97707e366ee5eb9526c6ef35abfc2fbfa29d133a106c8e
SHA512 148572733bb21eed70745deb6ac74900981d4e81dfc74eef5704e0fbb814c0041050447ea6df738c888e623f432f7fc405b6a0d04490ab608d86d1cd07c6f34d

C:\Users\Admin\AppData\Local\Temp\EaYMggEg.bat

MD5 d4781644727e86fa78202629202ce14b
SHA1 e4d15a34bfc433b1f1e24fb90926007eeec22d47
SHA256 de6dccce841bf4d2f8057c5987863c6775cdf5905623d13d2b76b1618ebb0f34
SHA512 989c0ba3938f62b047c5b6c32ade16b46c7f176f1dce36cacb2f14f9beea8d92bb6c154d8efbf4e37c1ba25fed7649489d5f174f35e6e82b54eafea2596ebf49

C:\Users\Admin\AppData\Local\Temp\mIoM.exe

MD5 b2e29b7a2870050cca14ee36bb65756c
SHA1 40144cf5d180bbceca324038f653a492eefc0c88
SHA256 ae2f6112083fab29a07f0e77fb5f478655962166c386cbd2fc0905b347345e1c
SHA512 3fcea853eb52f3b05e00415c461d6f2c16a9a8a5fce22901999b796384a429d9721cb9bb723476851dcdd931a1bca6fc75a44438a17f587ff88bae3c70139d3b

C:\Users\Admin\AppData\Local\Temp\Qssc.exe

MD5 9141b123018a0444d284b793972a3a09
SHA1 e7c19b4c6727e5699dafe985b426ec0c62cce6d7
SHA256 d45e3f1e43ed3d9c57e81ff2ca7a612eb816babd436cbad14b3df76d23d77f49
SHA512 aca951d7e479ccb424eb7f008335f27f394d638ad3592b23e5464ad3ce5e2c9ddd0bd671e088d811b48a203509da624b2c60961aa968e78eb3b9514a57831d95

C:\Users\Admin\AppData\Local\Temp\GAAo.exe

MD5 138e45819e3fe8532a76a6ab7ea895ee
SHA1 65cfd9a029bf63108fc5417e7ba92e97aae9ccae
SHA256 7ab6d7d4bccc4a6b775ac4a2cca7b4b02ee4a52daedc6da47596b31bfca0263e
SHA512 775119f24c24a1a3277d025fcd7deebddc4cd41fe049c3d83124d6ba94669501fff909de6ce2d11a0a1c6dc2967e0f13e967ddf4b85204f02a92fa6badb8975f

C:\Users\Admin\AppData\Local\Temp\SMYW.exe

MD5 f778f395e1950e943aeefef44e63ad5c
SHA1 d6b6383752e1123e56f5c99653c00ef00c6e9db2
SHA256 7191cd51eaa314fddb75e0c22d610242e45e9c438b8a78e89d8885a6d72831c5
SHA512 debeffd271137a14647330923f194364e71998a9761193b9a15cf6139317916fbf28ebff3622cecec6132d77958275dfc081f6dd254a52f90cdf751e2dfe51d2

C:\Users\Admin\AppData\Local\Temp\ciUMQQwo.bat

MD5 f032eb48760caf8c3df1c18f47083065
SHA1 406cc6aa4a6513553384abbbe3d5aa21d7e8e71f
SHA256 5ce471eb519b64a6a8f0f5ab826411331fa09c019dcb341262c30886562def11
SHA512 3e7efe89c58ae0223bd27b198ae549b2963ecd7db98ab3dda10249a1b0caf9ff2e58cb1528830d2cddb2237426f17bfde69203ad8485572128616ed71d7945d6

C:\Users\Admin\AppData\Local\Temp\wQci.exe

MD5 3b52b456fc955061b0d0aa691fe64884
SHA1 32549ecb0ae28b88a7cb2dae59651455130f3714
SHA256 2c4353a412383c6a5b1f663cfeef4aee9453e84e20699afefd4a1237eb691f30
SHA512 2be13943065d4c5f73355684fe321b1034558f9f98296b71a85cadf56a10de4af228f64d28a6e44643fb5df5c29f3a6889c6f89c0a4607141351264256bd8f98

C:\Users\Admin\AppData\Local\Temp\ikww.exe

MD5 facdea00635f4cd9dca2902b7b4c6615
SHA1 b7c717e65a9f80b20264494a273aa32961fd55c7
SHA256 284e4933b65d2c7e4a55488a7aac7127e1e8b398552235c8597200df7fb43b98
SHA512 dc52eccaac00d8388ff437c2d8e1ed18dbed913fad8dddb5ac05b9718397a897cfc168cb72af063c0c1eec6822aa7ceeffe3c074d26dac1e6e5dbaaeb93551a0

C:\Users\Admin\AppData\Local\Temp\WokO.exe

MD5 a2b661b07dc6c9bc7176f68753b0e368
SHA1 cfbc8b0fa0caa12e076907d9bf7daf2dab36bec0
SHA256 325f0295b7817e47a3f9a27a7cf2e9b40997704565867e996e5a0f0727a10bc6
SHA512 fba5bad15b7e65e928a1ab1712c41e10c4c605723ca6d3be9511ab9dd659a9932e28208a7a8f1ba73f04738af0f032f04a1fa06af280f93ddcc083671f531261

C:\Users\Admin\AppData\Local\Temp\oQAEAEYs.bat

MD5 08c6a79bcd07af751f9ddcedc1789f69
SHA1 7375803409dda54a026ac696d83b65b1781a7432
SHA256 08c1584b0267382a28bffb6f61666957947c576bcb4741d85d6dfcfb1bf7e6a6
SHA512 d8af4e840542be67aa08071dc690706883459868f6aa4d98fe7a0a8f1f016857fe75c9fbdbc8eb4c9dc8c06701fce7ce8d9a680a643dbebb9124a610c8816bf5

C:\Users\Admin\AppData\Local\Temp\ywMA.exe

MD5 6a140a96c578557fb510000506e1e918
SHA1 bffb2431e4852cf0e925bcf7495ecc5744910f81
SHA256 3209029f478e4e5494e231d77b08adb62b471b890629271e479b52a283e944a5
SHA512 1b998e22bf6e3e5fb80b07490392819a3fa51a4a58e33707424d3e51ec249fcaad262d3f19bf8d5c418344c2e03b3cda8ba8a118d880187b72931a709b122e61

C:\Users\Admin\AppData\Local\Temp\QogU.exe

MD5 5d5603afe0efb7e811401b6f8ccabe7b
SHA1 c3539efecb00582ea6c7e49bdbcfe4961649da3e
SHA256 32b84002fbefcc6e5b635a9c9af3c8de3e9dbf8218123b75cffcee5d834c0937
SHA512 2e93cfe6b8c7e47a42c9e18580ad3dc3988c68be3c4d3b0165a2765a68dca044eb19389d785b0e64a73053a1cf1df6e0ed39e168b8bc1ff562c6d3ecc2c6b550

C:\Users\Admin\AppData\Local\Temp\IgwS.exe

MD5 1dc8fa25a134efcce4d26a7c61b3587e
SHA1 fb67775be2a2aec51f6cb5a85d7697cc4dedf0f8
SHA256 04e29b8ec91b1f62030e599d97a55e50a2bb309e971c6fd8111d6951074f04c3
SHA512 af96f0485d6eb12ab0ddd1f6a3067c9236f57861d506b896279e49e8419cd77e51db994ee24889c95eca5d1dc90dc1c67f4ae4d0d658a95162bc8ed7e5c05ed6

C:\Users\Admin\AppData\Local\Temp\sgwQsYUM.bat

MD5 4a3facd1ff03184b6f64cfed95445deb
SHA1 888f143c8c4903aaadc96550727ca3f6b461636a
SHA256 24e9a9230328e9da231bbf1c4cd30b394f16887979289562e05849b34f8fd6b1
SHA512 4c4f818b6b70eeeac4b45e34346de0ac32aeaba5d2e806630ea22b4267a0b6c9045f36ea8ba3d1f9fe04f21c995744940dbb05310a2a8790a39c7ed1860141f0

C:\Users\Admin\AppData\Local\Temp\QcQG.exe

MD5 0d4918d529212a5ecb0d3efcaf88c46e
SHA1 8411c9963659d02a3e08d71ee8ae5b76caec40c9
SHA256 a84c18e394b4961b622d58a21591c6cddf24a6e321cae892114684849011fb96
SHA512 4fe701d4d6b29b1c8efa0a6f0f0d252ad069ffe8323f70c6955b970c42d26b61e1b93d6555fc63f4cff60f98a1665542bbabde7a9ff39563fb973ede0c5cf8f3

C:\Users\Admin\AppData\Local\Temp\GUAU.exe

MD5 de663fa250d6a54a2c1deb968751a2dc
SHA1 732d8cc890c5ef836225fa7b3b0e5f2741d65a26
SHA256 9b33ecab228b34dedc517bce0a344386571067355a328d7e536070a893827262
SHA512 110b9c396b7cef67bc05139d305cf91e8cc87fb9aa754e4ec706aa34133273c0aee2a3c6a5075d0a40eaafb2a50692934dbdca0d949f38e9fe5f6c6ad3c432eb

C:\Users\Admin\AppData\Local\Temp\cUka.exe

MD5 5a11ce2876a29fc4819f76473df946e2
SHA1 1f5c72aa90a00ac298e651e06f7d0256e39c5461
SHA256 d507109dcce895c334d9aee0fbd666b03e208dcb8d7944c22d4a64b7d61e78de
SHA512 89ccc0fc7dfd484ee861c604102f2a7cbf707382b9140909f64670fa6833a797f11d5f8ca8f5fd6c85762e344e2716f58450440591adb1967677e32f5051ee8a

C:\Users\Admin\AppData\Local\Temp\dakkcIIM.bat

MD5 8a624af5326559fb908d7028d8f80a1c
SHA1 010f560ec6fb97d9e2337967f285ab9b42098d45
SHA256 00f795f33da4dfd3cae8ee5b022c7d666af08b6be3d3bc5d7dcd1333b584ca6a
SHA512 c5834be06ba36e354a03d91f24483376d3ec3bef207ad7a4470f4c6967f9c551defb19a08e3098ef438e94c2410f6bb98683f1f5e414b70fc8e29a2560b90dbc

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 a1c34452590ed7b8b82ab0c60072470c
SHA1 716c694c97943048bdc3d0575fc0e19dd88f8eda
SHA256 8f5522f70a6beae1e1f2503ac6f9ef9efe7d583b0c8b6ed8005d7eca45c0a0e9
SHA512 7c994c1c6cccaa792fb09fbf530fbb71d380bd5fd731126fd9a1e04c5c4b8a3dd6b8f5706b7e042ed919569544e8a45fa678c0cfc0e57a161bcf7b6f33b71b0b

C:\Users\Admin\AppData\Local\Temp\sokI.exe

MD5 c6c0fc241fd71edd2789f10113474b85
SHA1 850270a989af3339ffa680e07a77eaf5de0899de
SHA256 b0c2c7371c30aa476efb4c9257f6e55cb83ec41842b17d966d925b184870ea45
SHA512 8e10313d6f13dcaeedcfd0f7ca2f9c4eb77c23ecacf09443a33a009bb89e63cadf84a039dc66cabccea6a742a6043885e8e9c327fcd707fc5ca4bc9e759886f6

C:\Users\Admin\AppData\Local\Temp\wQAa.exe

MD5 37a01931c669c19121225b9dee359a4a
SHA1 d0e9520dea4810fb608b179a1c1dddbb6103b878
SHA256 6bc32417ca817eae4c94070ca1d6d26cd4bc120716100b67cb195b044ce762ff
SHA512 d06e3febf737ba8859bd6226fdf32945695656ab82584c1dc0f8bbe017d7f7cf40f9532804f90e97c4ece52e5c48010a5c9ad6e4bf85373fcc2c1b255d423d29

C:\Users\Admin\AppData\Local\Temp\BcEUwgEI.bat

MD5 cc8746b8d445bbfc254a94bc2cb39fd1
SHA1 a74c83dd9e5bbfb11335b3b834f3d88d96f92f9c
SHA256 fae43602d27e10b079e40043c035734d12bd0c57208a501063edb0a253a89e0c
SHA512 9c7970b05fd52a5251580de09ea8cd24b6b9066f37d1cc9f725a5d7879183f8c076a5b7e83f307a28a5c22504871ca35ee4de526737fbf3fb457c2e1393db2e7

C:\Users\Admin\AppData\Local\Temp\qwgM.exe

MD5 2784c6d5f4b25342ad3e760d7f4470b9
SHA1 c92293475458830fa256ffcaa9ed4f719bcedb94
SHA256 1a3678723b67fa81bbcab41d73c9fa0d59c43a99addc0d500daac62999b3d53d
SHA512 e177d010a50548a680e3a82e6f55098c562a6699d1c733a8122e48b3727e28ac4d9231896a6ed97b66cb53a7819e8930a21ddcf463345a7a708bbe903bf70f3b

C:\Users\Admin\AppData\Local\Temp\wYUI.exe

MD5 d09c1810e2a91e3d2e5b4b4497981356
SHA1 3a6372cacff94c8f288070cc40056cee5c22846c
SHA256 c84859d2afdb8e68f6efcc001273c240cb9a2b2b7bf53edf195969223611b9ab
SHA512 b34b000a0cff909e903ddb9a2029648be83a5b759885a0ec5ae1253acd63d74b13c20f0b4c1868b073759643d6de9816b4893c736f8c1773a9c50ba11fc730b5

C:\Users\Admin\AppData\Local\Temp\YsII.exe

MD5 09a8d8509946c3838928dbc71caaa0c7
SHA1 908e748c9bdb95886be71b88c738930e7cc1bb6f
SHA256 d5873ae8713524127adbbab0b0d851075e2684bc8fb799e89b6c7cef0745e6ba
SHA512 dd7987a4ed9a5d3a77726fb30e4e161a44c22761cecc1436d93a8e162484a7b773a5e70daea0cebf38cae218223b774625b1e57b3dfa786cc04f5cf3f9e4159a

C:\Users\Admin\AppData\Local\Temp\MkkG.exe

MD5 b969624ba8164ad514344f9468649162
SHA1 56fee8ef2902e3a07b6aa523fb0346edc520e82c
SHA256 4dad2adff71afad6e82714120ef50fa046dffaf2387da7801b4976ae0b18185b
SHA512 2c82418e968f2156cabe26bf98e058cd6eeabc7288ca2d9f58b095cda458b64e4131164a9c779b5cecb319fbcc65e8c858fee120f1644e6e82a1fb2f966cabaa

C:\Users\Admin\AppData\Local\Temp\rAoUYMwY.bat

MD5 2c12dd63b6b36bcbd152ee205b3c698a
SHA1 e843a618ea7b703b55b04f1202582d06423381a7
SHA256 15a1cf893ca032da1e9f43a329558764f959e74ba2b08ed8c6d3381a9fa23fe3
SHA512 0a948b8e1c9dc993b9ce8f6b8838bc476a1fa4fc3e2430c1758d7c213fa1bb046068e4b70ab2c074750655fa1d6dc762262e1845c3965d0f79e57b857442bdf9

C:\Users\Admin\AppData\Local\Temp\eoAs.exe

MD5 9a5b1f693713f4dc87a02c1321b7dc12
SHA1 56065a99ff84d992409814c8457bdbddd3451539
SHA256 7db270ae7565fb7182ccc82b7304d88ec466428a1ccb384b8a6e58be9b25b540
SHA512 2eb1587773f9ccc83fcfdb12e481073c6dd66800200720757924f6717aecd852ae9d2490ed04416ec201e1fd1fdad294fab026d7fdd14cc6c98a00a17494326b

C:\Users\Admin\AppData\Local\Temp\IkAA.exe

MD5 e39ca2e460fde8f50132ae518f3e12cf
SHA1 37b4bc9452c134977df6849a02e13c4900e46eef
SHA256 1066db3eda18a946f5af9d8dc735c4262605c570b60e1e69f93e0d7bdd6bb4da
SHA512 3b76270ce032b172965a37dfbb430ae11c3df7ada64cc566355a21e91810cc6a494163aa91965eefe95424f877730f967d42fa34ed4341b30198d226dbb2c848

C:\Users\Admin\AppData\Local\Temp\Iwsi.exe

MD5 5f114309ebd6e90c9f2966966515a9ad
SHA1 bd2b34ae5d7d8cf9c2665e701128d6ecd89560f9
SHA256 f2dd09d7ef0053b6ebc4fe4883baa1e37bf11e1336aed2ca507e89135e00ffe8
SHA512 3f68f6e1d489bbd695bab8f49368f4ae596f5246c21c71e63403e07feb5d3fcdfc20a81ec2beb291490063872bb24e57d9f1c5142168617dc8be12ee3da7b767

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 bb4ba9915777fe8fa7f60158ea73794f
SHA1 7488a9e23849be2454f3620b0cec01082ee33e1a
SHA256 e60a22ccaa84d03c85eeaf65dd60a681c3a43c58912a8de600a82093d70dd6d2
SHA512 640e88149f94dd8bad22c0d207c4852aa6bf1979bb63c8f8dad4c038d0f0b5fed95d5e27fbc09ccf714499e4e06f99f6b66818eff75d8b3e16af7c8653a06fe8

C:\Users\Admin\AppData\Local\Temp\JMsoIAAo.bat

MD5 5c1c452630b9d4b82aae6256f882f361
SHA1 72b432fec6728a75e6fd855d2ec62ed28e305317
SHA256 8d0fcee451c7a1cce042b83bb9d82cd8ed6daaff1c3abe39ce77ef94c60d2eb5
SHA512 658fd1e7de709f76a2aa39c394a56861ade529d6d272c955c6d913d0133c5f85fc8a1279b898495b33e61d7690fef8eb4844361ae83008d75f89484d2692e446

C:\Users\Admin\AppData\Local\Temp\acsw.exe

MD5 6048fe4d77953f3783c18076ed1f3c8f
SHA1 769ae564c766439db109bf95bb794906201da7be
SHA256 149c2bac81c6adef9a7c07dd33c1fd8454e124de60f8e4e302ce2e769fa0f985
SHA512 a8b48be1336775825b0692fb17d9820d03a54dfe87964de616893ebd665c884c7c8ff229b9c3b834fc84396fe01454a1e6b8a3045a87081edd699c20af30794b

C:\Users\Admin\AppData\Local\Temp\cMQa.exe

MD5 7a693fdddb82c8afac24e1b03da934de
SHA1 e4cb2f2af2f97df3cb19ea4f153ce86d1ad4eda0
SHA256 190517ace35d6a323fc39f0abe5063c95285af90ba3c88243bafe37211578a7e
SHA512 c11955e3b0e217d9a5158d4e2c57904ea2286aaf831584cf7723f8b896730da0c11d99d93a43ee1351c3745be0b94f094736bf08ec669aa17652e426bbdb30d4

C:\Users\Admin\AppData\Local\Temp\kCEwAkUM.bat

MD5 3d819af6faac4341104c6eef0b0f22b3
SHA1 daa39c8f1d8988f8f30a7a860e65e38f0b5694fa
SHA256 be03d34230b8b2c5557cbd42f60c9e21b4b45cc32fef74f954c9e7749af2948b
SHA512 5327407d3f6ceb7e1b4b4f7dee4283ca9d3b37503c0566540a699105205534f428a5218faadf7d9954550fe3f22347f554996c1022e50ca584d45b8c4d26ed09

C:\Users\Admin\AppData\Local\Temp\EgcQ.exe

MD5 dce5606565b8e44abbfa30a714f7bcef
SHA1 d204a3ec8c71ac53d051b685772eb9dcd50d6867
SHA256 1c4cd539f56cdd80b7c0b69ba83d10b75283b816264314b34a99a84737a96ab9
SHA512 caa5e80cb771d33f9614eaebb4fb83433c234671a703d9440799f97008c4904524001cc45f36694c42e633fdc19c2a65830f19bd20a8a94196c19d237b8d34f2

C:\Users\Admin\AppData\Local\Temp\eEEW.exe

MD5 4d9a20eead23f105ab384f565748c86b
SHA1 d0ff991c8cf53b117600d88b6985f7acbcc0f3a2
SHA256 8f87319bb13e19115a8818a4ac0e02f945c4e65e57f65aabbec5060148bffbac
SHA512 a8dd77f7f884eb6e437c43e8d4dcecdfe3fc13e9c75a69d3b14bdba201b79e42f88d7495360aa6b827fc499bcbd85e46397f65404fc71b800efd912a73c78c62

C:\Users\Admin\AppData\Local\Temp\WqEcsAQc.bat

MD5 3c3d270df0aea1a8c20bbe159290c901
SHA1 1dbe86403d6d0239602522a1c07eebbfe3db18ce
SHA256 2b46acad31fd77ca0e5f8e1b71231b7ec0ee9073cc76856c62956aa3d807fb9f
SHA512 97ea93a7df7939b9101eb028ce90b4d11e7412ba0b8f43507a88a62f460a9e5a20ad0dc7b4ce9b69732b328d843fcb356d467d413c62833174e5426d4ec9eeb1

C:\Users\Admin\AppData\Local\Temp\QIoC.exe

MD5 9afd764ef748a28a1fd8d35219b4def8
SHA1 2136dddf8371c0f17174b361d6bffa5c08597dde
SHA256 ba6db4c78b9a67215d2d940439f9814871a944e95e6c2ff6072fab7924211846
SHA512 9b0a3d33302de91aa9dc984e9b43319deb5e21797df9c533022a8086f4b69f8062751f0bcd6e94f75086d2060687abfc4aa42efabccd4c1329913c9ec076d1ea

C:\Users\Admin\AppData\Local\Temp\aEUi.exe

MD5 83c86efd1094a169f5aa1c380d2caaf2
SHA1 e08eb238186d8057ad2d5fc880f72ff12e5d80ff
SHA256 82daaa6259fb6e7c521897ee3b8c265041f9895120601c1bfe9c5021abcc9858
SHA512 b68da7872a89fdb5fa9a2ec5ed3d830140f342bf69eea3c9a54b344490b626cdef1586340833d044832734f3004ded88ea0fc948a2dfe13d4a88ab74c850ff23

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 ab52561fbf314caf9a66141c4efe63df
SHA1 ee143867a90239f28a983523563ffe4d275e7491
SHA256 574946e24c69c2f81afdc3216fee08aa61aabd0073d097463670765700d420bd
SHA512 641799e0a101b5ee23715393f5c53cf782c15b2f07006a6222499638394ca335a266e793bffcdfb054cf5b241d25032b63b11ce04a4bcdb5d1cb0aa2cd383891

C:\Users\Admin\AppData\Local\Temp\ESAkIwIE.bat

MD5 cc474850113621e053279bd7f91c212d
SHA1 6606a9c2b5bc7a1aeb7ee748ccd73dc9225fcdda
SHA256 533da67d9f32ceef95e51c50b7539d90f7f4d28e17f6f33aba918bea1156b4dd
SHA512 52d4250082fa1c619697425b87f9e38b3d839c4726a752b1bb4f4efbd34a8758371d26b74488c82e7d5eb72217f40c9446c678cf9887657f6920291706dc7081

C:\Users\Admin\AppData\Local\Temp\wggq.exe

MD5 cfdf5e6c3b8de3b9057ba09bb61d1350
SHA1 3f25b820926577c441ff79b89d631fdc8c2278a8
SHA256 1b234e2151ed1f4ffaad8c2ee6a40d22b2d58d168ce4b9d32b8e5f7d16fc1659
SHA512 0b19d3c44c6e0883465f8885f110dcc1e14366b4c0eec7e39ed58da77e194d824deea70a78a3f3d1794f1a7e6647a6f3dfd458454f42387c88b95a58b6cdc804

C:\Users\Admin\AppData\Local\Temp\MYAG.exe

MD5 ad77dc1d30e9671fe3875e581a809244
SHA1 df0ffa3f3c226cdb622aa912c11cb165c1716b03
SHA256 b6b638375e75a3a78757b150dda4e4bb14102c35bc64a36997e9e11eaadf872f
SHA512 874bb16f147c0d5f72500b779341d848fd953a400b5e6c54f2ba07edb1a04f07589426adf2268e459feb3cb7f928933601cf689f3572c462a06f19d610614838

C:\Users\Admin\AppData\Local\Temp\uQgE.exe

MD5 7f271a14e13a4c170e70a498c8e0deb8
SHA1 2f7cb47722821c8ad8fe8fd5b12504d6b4c26a3a
SHA256 a1cdb71cff70dfe76014d2f58db121557c1c6ca139f673999ab4bc192a22aac3
SHA512 c748fb594e70cd28931caf3968a759a211bed94084aa672b4e03e505d46f0fae0e09ea36b9c68874f8556d8c13e37d080389ad34b2cc6dbae0dbffeac336a1e4

C:\Users\Admin\AppData\Local\Temp\KIAa.exe

MD5 6b83db81585f51ea45328b0c7f5ba48e
SHA1 5fd8cd9c05934de13796dd1fe510ecd76be4f671
SHA256 46e0325bf8b381291c99a610d8f6c25a07055a0b1ee0ea5b1360a27cf60116a4
SHA512 bdcaa7f6e49362f3cfcf1ff46e3ed11a36c7690435c3a03ad495732d16a9d8569cc8c234c0f704dbbf7ce2a4405b0438d0fc174e1cee240b9d3ce5fbb71baf11

C:\Users\Admin\AppData\Local\Temp\wGQEgwgc.bat

MD5 ab51c3a3afc2fe6f0797e85689f303ab
SHA1 0040b05c42b12c0f605a8d410451b60c8d0b1bad
SHA256 7f67cac3266d5f5af6cccfb42f85835c7419aa35fbf6a6ed748f5af4c23d76b6
SHA512 63ec99b0a1c898ac6813001de00bde81c0d37d0d167a5ba78c4ab0e09f2a0fc64b30203093c8ed697b29307170349889bb865d3a93f8d34afd2e6603c26a2f39

C:\Users\Admin\AppData\Local\Temp\cwQs.exe

MD5 3f20862f0c2c867d70ed9caae45064c1
SHA1 5917ae6657d0877726dd63c81b2607c0614ec9ab
SHA256 c7fb7e192792a1307303329441e66b83c507e4693b1ff5bb4c731a7911705b67
SHA512 e76fb5d91311fbbe90674ac3f842f10bc755e63f4a3d8cf55582da4684c2ce54988a722535e5b806a0fe16ffb5d7a59745e1e1cda5dac27ab7a8fb58c8eb7097

C:\Users\Admin\AppData\Local\Temp\oYwu.exe

MD5 69086bd03b75081e58476ae8b4cec995
SHA1 532fde7e79a49aa5d88a4e8a0848eec1e1ae60d6
SHA256 c5735685eb370b1ecd3e1f4833f3cc1ff7b01de7c2db3e0a7cb27edf7909da50
SHA512 10e3fc5daf62424c2366967cd2fbdf8a7052b7133caa8ff7174707c7ea5b9b916250b111829a7735385055710f5fe2aebc988e5219e7143e65d8170eea07095a

C:\Users\Admin\AppData\Local\Temp\Qska.exe

MD5 6773f8c0641b3f5b78eccfe157cff814
SHA1 1e72a74ba981d47441d4e9140c0c9e5d1439066b
SHA256 cfe7a19f5312256bafc6114f34bc5eb67876da9495e98b6396424633f6dc2098
SHA512 ab26e471ba8039c4513bed54eef93b6f5b7b2cebad786f02e2beb6a226353a0380969c1252a6969a2a3394112ae3e68f593b01a7b80f86f046335c3cf5de5727

C:\Users\Admin\AppData\Local\Temp\SQYK.exe

MD5 c108cd55b3965d72cc79b6af57e12e07
SHA1 67df3f300ad974c4cab271c5f7d90b6d7d774902
SHA256 849e2e8f68a9f113d56de845ffdb3d81b6ff1e42e1f12d06e0de3f2f5ad7091b
SHA512 d1a5c07cb1b929a8f2926b11dbb66b3155d0c5492c0c4a22ac869d7383385ffc3dc1e7939826c8a26fe99eb40d48e12dc268220efcdd16993413c55668af3a73

C:\Users\Admin\AppData\Local\Temp\IggC.exe

MD5 923d749afd7af9200d7412433bc0bb01
SHA1 09aca53809b39aa8b60ee2c1e3afe59f725b4fea
SHA256 9cd723818ead9058eceff1f91c11ffb9de788d9ea961f3ebc01594cb605fae47
SHA512 7fe7a7606cbf2073133c4793117acf8a4c117e3d99c373c1b9db6355dc45706e82480fb7bca8c5e623a1b94680be1281968c84668cb15a7efb42fa2faff63de7

C:\Users\Admin\AppData\Local\Temp\hckQkUkg.bat

MD5 85ce137315a4c471fae4e0ae7dbdeb05
SHA1 ad8961e4a3e96cfb643d3934e3eb1b027728104d
SHA256 85f58496df70736fa003cbc5e5374784204bb468c9f755d237277df24d32437e
SHA512 419eddbeb3e903d3445cb2332b725c4c337e0d50ce53c98cc4773cd936e8c744654377adceb7999f7a731295b08b2d6f116159807ff2eb2eed34ae41a5b28aba

C:\Users\Admin\AppData\Local\Temp\MgsE.exe

MD5 6c126359e6b785fb1f3461176aeb8305
SHA1 4417b41b13679574473e7c1b148fb486cfd86dfb
SHA256 b1102f905bb7a5254716d423c4c8f8db498e8248cd7cb6c49b5f41a4bef71384
SHA512 b8424487ba3b983f0d3ff0101a3702aee58e4f0d0c06f1ddf3991dbe977c05cda60d3ce27d5dc904b0d3c1427c04ebee5ada93e998402e7690d785be0d832b37

C:\Users\Admin\AppData\Local\Temp\gMYe.exe

MD5 688860e23638b9fe81efc8001d8a91e3
SHA1 9b7a6b34f1e714b865f0831751a48e08c4f4bd1e
SHA256 ce8eeec653f1a17d559d50b8b783af3a682efe4de2d2ce8f5f6882927e879fef
SHA512 801b31346ac64037a54e8be6392e25dd9e0b98c1b74d14dba39971565282856382bd1d111d86aa20896e6f35d0eb27d1157c6186820ccb236026c142494de085

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 d737b34dae685053d4b55d7cc9b70515
SHA1 b4fb35b30794df7f963111d200308dbb3a5a870f
SHA256 efb9c40931fce06920c460a13a4ecd12c273bd398365e6619bda3dacc960e981
SHA512 29d261ca9c726339221c1076669960b175e5178b1eed81f946001b6b79b648c0cd09d446114a3cc5ab508a71d2078435e8a2f74b3a16b76daf29a97f4bd40a80

C:\Users\Admin\AppData\Local\Temp\hogIkQEg.bat

MD5 e3b555d3f04eb141211b2ec23105c1d3
SHA1 367f9e2fe3baf3d38e2029046f084a33896a1f74
SHA256 9018cd9d27e8a826a2812359fd400d179199e648c51030a1cd5acfd523bcf38c
SHA512 6677320c171e72a7aabc85994a0301d7e5334ed895fd08d871f584b485f8b9310d0545c4ec427847f854357c4160d3eece34208cae3896d4f9a5b3306f93eb1e

C:\Users\Admin\AppData\Local\Temp\ecQw.exe

MD5 7e511763d379447a319784b742b319a7
SHA1 32005d4ac91912c08d1d79ee1458d965e4b4c9f6
SHA256 406dd099fe1a8df2317454ed4f050ac583b2430d9f738ad17ce26c98cecf8262
SHA512 b912e6215fafb4ba52fed9688fd741f98c0932dbf973266490a3fe9c7168f4093fe8155b8ab65347b9e54700a74c4b9b156a1d4e2a0c7296e417378189bf7d3e

C:\Users\Admin\AppData\Local\Temp\HEsAEMcc.bat

MD5 0fd7123ad8440d5f0237dd878c177dd2
SHA1 21f51dd7d940e9eed4d8259d54c0d4228ddc7fcb
SHA256 9fd8f83b62bc35e672b382bc7dd86671727cde7d61d788aa6c257bd0d020260e
SHA512 ee110a2ae119b751e310144bf3a9dc56dc516cb095ba7ccc26284414a3db1e663ddf1db75190849fa6a112d06bcb2e3f4c5f74c42bfc0b96b14ff8dc6c0a5776

C:\Users\Admin\AppData\Local\Temp\oYEc.exe

MD5 90888ba3a30014b590cb4569ebdfd566
SHA1 0385cb564a40fa413d8a55e82ed85762337f8c65
SHA256 fd42188e555e46487abd22657424110537e1cf73bb88f339a4401cea348a81f6
SHA512 68c6fbbe7ce5468042ffb79691eb5329bd60edb41831edee9aaaaf4c17043f9fce47ce829b0ab1608258872140296fa87486c923d38aee4dfedbde90b6e1faa7

C:\Users\Admin\AppData\Local\Temp\scYI.exe

MD5 e0ca01d22dd29935f205acd68c1ed7cd
SHA1 9819dadb061f4b2297d52e1224688c95e236a303
SHA256 2f7a32c55aa9c318e4e24e9f4a87073a9767cfecee8b142a7b87a79a9350b95a
SHA512 da9f503b49bd256fecb4f9f9e0b2177598689629758e64fe55e273a12068352f559f8ac99ca7b2729f168439cd7498700a5889b37d2d8eb483f55b62b992783b

C:\Users\Admin\AppData\Local\Temp\OEwk.exe

MD5 ded5a9bf3a1d54c0c463791392f286c1
SHA1 cecc2f9cf9966b1a6589b06aa2250206b6074797
SHA256 a6d26ede9e63183e289a26d62777af4fa3282e7cde39ca7455de6ce6da91a786
SHA512 b2ce1fe1cb7edaebc41cbedc5dc2dbb65ee7ee7b2af46fb7ab89764c5a3e211e25441bd82e88734bfc81c67b9b03475b4e138090c84c57f3a21640018131ff9a

C:\Users\Admin\AppData\Local\Temp\sIEo.exe

MD5 7216c8ecc025724dbfb373b256908ece
SHA1 0aecd2a0f3770cf1db44dd24953f77a2b277c508
SHA256 f3a733a808e5c53568fe938fd4112a9eec7da86eeeb9aeef6ca0f1870bbb0572
SHA512 9805dac20aa67d1345bbc71df7d30328f7c9decd0fc051ef0c7401e40a87ca173542653a6fe893c9b6b5d3fb79f8092698ab556c64c7730d45ee8aacec46207a

C:\Users\Admin\AppData\Local\Temp\mYgc.exe

MD5 3b2f30745392470108ac466346521da4
SHA1 1e5379b5567b556dd68d7ad4fd756bcc303a49ed
SHA256 f99822e7cca3aa4348288a20be7c9ccd7cb3522e687e1227dbd07f2b4c8b3db9
SHA512 1ab27587ec03a952023aa0fff3fd7bdf2f7d51e8280b39b0d550f076a2a72b07769bd84cc381232632d0848dfb4b11907ff479d75a6589e9df4bd7597aeb3cb9

C:\Users\Admin\AppData\Local\Temp\usMc.exe

MD5 060579231616cadf163b130ac776e662
SHA1 678fe4bc2a67c83caf0fa5267191ab88482695cc
SHA256 ef34d605fd6d218850c689191badbec0155d173039d9597c7aab2ddf2505bbb6
SHA512 1bbba9bf83ca6bd627dfed0057f50ff678bae08136039e1cb9d28cc7c3cdc2d807c34cfabcdd371164da0173910a9377cb5805548e68a457712649d124b58f61

C:\Users\Admin\AppData\Local\Temp\CgIe.exe

MD5 48e11dea618010f0f0d5e2179bac06d9
SHA1 b43bad2b921d3922b6bef1210a12c6030c3dd63d
SHA256 899a6b206a5efc80bd02588d82852c400f869cdb26f7c670e7c8f1c29f71ba0e
SHA512 4c57e121ce009c34a8854ca1430f46658031e2cc71bbdd2785abd4394a63c82fde6f0582b55284408ed65be4b3b2681945a1988e315fb3fc758008dcbc64987c

C:\Users\Admin\AppData\Local\Temp\sMoC.exe

MD5 b2888d3d73d2949a50ebf151479c3566
SHA1 2d68e2ef07077dd8bc9ea12adf4aa718d3f52bae
SHA256 824ce9e15bf5bacb46a10045f10af7b9d8645222804a06a7e4723955ed2774b0
SHA512 ec32435c8e46f9f4e372785c02472a19c1b515016f79aeed7b345a1cf060755473217954dfd788d26f407f6741703191d4230b603533f99f1c9d10c9702002e2

C:\Users\Admin\AppData\Local\Temp\SAkW.exe

MD5 973998932599da098c3c46974d1f75e4
SHA1 d26cacea56e89a7f7f766f18815b7358dca99ad4
SHA256 653c3a3fd591711f3209abeac3f55f79f3c0bef77c69684bf8f530c9a372ff3c
SHA512 5b0d810563fdba94981934ddad262bb7501306ca1a3ce9bf30935931963e2a623c23a9dfad70f452beda872652d48091dfa3907e957e604f03012668cbe2a01e

C:\Users\Admin\AppData\Local\Temp\GAQa.exe

C:\Users\Admin\AppData\Local\Temp\cysgQosM.bat

C:\Users\Admin\AppData\Local\Temp\QEoQgIQU.bat

C:\Users\Admin\AppData\Local\Temp\iOgEkskI.bat

C:\Users\Admin\AppData\Local\Temp\pqIYsoEU.bat

C:\Users\Admin\AppData\Local\Temp\RiIowUkw.bat

C:\Users\Admin\AppData\Local\Temp\HKQsMEos.bat

C:\Users\Admin\AppData\Local\Temp\FQksEYso.bat

C:\Users\Admin\AppData\Local\Temp\UYcoMwMc.bat

C:\Users\Admin\AppData\Local\Temp\EiQcYcgQ.bat

C:\Users\Admin\AppData\Local\Temp\eqYIMwEY.bat

C:\Users\Admin\AppData\Local\Temp\ZwwsQswk.bat

C:\Users\Admin\AppData\Local\Temp\JukAYkIk.bat

C:\Users\Admin\AppData\Local\Temp\JqUQwwYo.bat

C:\Users\Admin\AppData\Local\Temp\iqkYkcQk.bat

C:\Users\Admin\AppData\Local\Temp\yegIAQUQ.bat

C:\Users\Admin\AppData\Local\Temp\CokwYIEA.bat

C:\Users\Admin\AppData\Local\Temp\qQcwooEY.bat

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 04:27

Reported

2024-10-26 04:30

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (78) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\ProgramData\raEAooQk\vGoMEoYU.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vGoMEoYU.exe = "C:\\ProgramData\\raEAooQk\\vGoMEoYU.exe" C:\ProgramData\raEAooQk\vGoMEoYU.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yeMQUQEU.exe = "C:\\Users\\Admin\\xWEAUYcM\\yeMQUQEU.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vGoMEoYU.exe = "C:\\ProgramData\\raEAooQk\\vGoMEoYU.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yeMQUQEU.exe = "C:\\Users\\Admin\\xWEAUYcM\\yeMQUQEU.exe" C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A
N/A N/A C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe
PID 2412 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe
PID 2412 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe
PID 2412 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\ProgramData\raEAooQk\vGoMEoYU.exe
PID 2412 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\ProgramData\raEAooQk\vGoMEoYU.exe
PID 2412 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\ProgramData\raEAooQk\vGoMEoYU.exe
PID 2412 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5052 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
PID 5052 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
PID 5052 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
PID 2412 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 3816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2976 wrote to memory of 3816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2976 wrote to memory of 3816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2584 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4668 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
PID 4668 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
PID 4668 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
PID 2584 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1448 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1448 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3936 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3936 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3936 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1028 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
PID 1028 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
PID 1028 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
PID 3936 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3936 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3936 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3936 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3936 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3936 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3936 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3936 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3936 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3936 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe"

C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe

"C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe"

C:\ProgramData\raEAooQk\vGoMEoYU.exe

"C:\ProgramData\raEAooQk\vGoMEoYU.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQUUYkcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcQwEAEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IogIgEwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWcEoksI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JiQAYMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWAMwQMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYMMcUsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwUgYwQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zyYwYssI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GckksUgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aosEgQwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oIkYwwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqMocYow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwAwowMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biYsMskU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYsokEwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUYIUwUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CcwwEwUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUYkMEIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYQUIMME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYIgcIcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKMEskYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOksckoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OyYkckYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWccYowo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIUEUwYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIkoAIQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEcEEMYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEAkoQUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkkwsgcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOcwwAQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EowsIAAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgAskUsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCkUAoos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmMAwAYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEgoEYUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKIkIYIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAUsAsgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGMYUYIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mGEIkksg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CokwQogo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSEkEkUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XaQQYgsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FygUscEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MyAcsYQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEYIIEkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikogscwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWAcwQAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmEoEcYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYEcIEIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqMUgMgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocIUUQMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCEQUYsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53           28.118.140.52.in-addr.arpa    udp
BO       200.87.164.69:9999                                 tcp
US       8.8.8.8:53           google.com                    udp
GB       172.217.16.238:80    google.com                    tcp
BO       200.87.164.69:9999                                 tcp
GB       172.217.16.238:80    google.com                    tcp
US       8.8.8.8:53           238.16.217.172.in-addr.arpa   udp
US       8.8.8.8:53           79.190.18.2.in-addr.arpa      udp
US       8.8.8.8:53           g.bing.com                    udp
US       150.171.27.10:443    g.bing.com                    tcp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53           10.27.171.150.in-addr.arpa    udp
US       8.8.8.8:53           0.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53           57.169.31.20.in-addr.arpa     udp
US       8.8.8.8:53           58.55.71.13.in-addr.arpa      udp
BO       200.119.204.12:9999                                tcp
BO       200.119.204.12:9999                                tcp
US       8.8.8.8:53           50.23.12.20.in-addr.arpa      udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa  udp
BO       190.186.45.170:9999                                tcp
BO       190.186.45.170:9999                                tcp
US       8.8.8.8:53           26.35.223.20.in-addr.arpa     udp
US       8.8.8.8:53           240.221.184.93.in-addr.arpa   udp
US       8.8.8.8:53           21.236.111.52.in-addr.arpa    udp
US       8.8.8.8:53           tse1.mm.bing.net              udp
US       150.171.28.10:443    tse1.mm.bing.net              tcp
US       150.171.28.10:443    tse1.mm.bing.net              tcp
US       150.171.28.10:443    tse1.mm.bing.net              tcp
US       150.171.28.10:443    tse1.mm.bing.net              tcp
US       150.171.28.10:443    tse1.mm.bing.net              tcp
US       8.8.8.8:53                                         udp

Files

memory/2412-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\xWEAUYcM\yeMQUQEU.exe

MD5 6efde196948ab0ca7ba52923049d8f9c
SHA1 c9ea17b24f18c6155c7e58a5c6fe13eab635fbc4
SHA256 2b13ec8e364872a4d2600eff8dc7e26a5b42f250ba1b528933388c5372bf856f
SHA512 1490f4296d9060a460be72e2a04d1b89df486589f877ea6666542baadb061bfed3558026e58d6a7ecdd9c3095bab938850848d06f9d3773855ae3840757d1764

memory/1488-7-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\raEAooQk\vGoMEoYU.exe

MD5 3e35d849f65667a971af5ca3d7cfdea3
SHA1 5046d5863bbb2821918c499c29837c762767c4ca
SHA256 a24417a31b911e2f00e0b033ecc4f64e330aff7dab19028778ba3efba13ab3c9
SHA512 48a49fef1b5665ee5b063cc5b1a972f2a06a63ec6c90aa3f98d2c8190213623c17f26f96358d543f9957e344b5b5c25d6f56f8e01cd974f9ccae24cf09902a5b

memory/1696-14-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2584-19-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2412-20-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YQUUYkcM.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock

MD5 913064adaaa4c4fa2a9d011b66b33183
SHA1 99ea751ac2597a080706c690612aeeee43161fc1
SHA256 afb4ce8882ef7ae80976eba7d87f6e07fcddc8e9e84747e8d747d1e996dea8eb
SHA512 162bf69b1ad5122c6154c111816e4b87a8222e6994a72743ed5382d571d293e1467a2ed2fc6cc27789b644943cf617a56da530b6a6142680c5b2497579a632b5

memory/2584-31-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3936-42-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2036-50-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1564-54-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4368-62-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2036-66-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4368-77-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3740-88-0x0000000000400000-0x000000000041F000-memory.dmp

memory/948-99-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3648-110-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4980-121-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1936-132-0x0000000000400000-0x000000000041F000-memory.dmp

memory/432-143-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3448-154-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4912-165-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4368-166-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4368-177-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2868-188-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4576-199-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4668-210-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4540-221-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3460-232-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3740-243-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1776-251-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4320-256-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1976-260-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4320-268-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1604-276-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2924-277-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2924-285-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2520-287-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2520-294-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2584-302-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3988-310-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1700-318-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2352-326-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5116-327-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5116-335-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1896-336-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1896-344-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3936-345-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3936-353-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3564-361-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3616-362-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1604-367-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3616-371-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1604-379-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3956-384-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3192-388-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4884-393-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3956-397-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4884-405-0x0000000000400000-0x000000000041F000-memory.dmp

memory/960-413-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1208-421-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1980-429-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4268-437-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5076-438-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5076-446-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2024-454-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4468-462-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1616-470-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2588-478-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1208-486-0x0000000000400000-0x000000000041F000-memory.dmp

memory/208-494-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1448-499-0x0000000000400000-0x000000000041F000-memory.dmp

memory/216-508-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Qoos.exe

MD5 8a6c74d3cc41405364b460eebdaeebd9
SHA1 13e03e6f2fd4b1d9510c946e8ac65e643e755b26
SHA256 80dcd4e1140581baf6685b9f1d353807da8b3cc40bbb782f9aa32f4146505b6a
SHA512 fae1bcda120740f79f21a8bbc8c1eedd3f28e8727ce6b6f00c11e2f4eb7e0bf222e82442d5381bccd7316ad9a69c971583d9aee229ee42ade73875cbdb324ff7

C:\Users\Admin\AppData\Local\Temp\AAgg.exe

MD5 40f7bd49542f992436af46b96b9a82fd
SHA1 26a618a2d21e0a0bd2ec7dd55ab950f68b4820be
SHA256 16eff7b7daca16f6e065d31b00ef1db0577e046c222b02bd3e6c9edef55500da
SHA512 7d8f47fa4b5ce938d6e8a32762b584908f0c8fd021e8756d8f860d15f67348e98665f9c02704f0e81fe24fcde775cd730948722c177397312c8ce1bff30900bf

memory/1448-540-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ekga.exe

MD5 d42dea3b35cf5133a2628a767b0d2cf9
SHA1 3dc50a404b5a76507fa4f0c72d9fbba77f8089cd
SHA256 2dab09a54e9a75f7be13f13e393ff32c14e4452784111053a8e1937014731f09
SHA512 da6c15ebe52f18ca18456ea36ca97fe627b1301c6fc365da37c4c9f66d7cc4dcac90e33fbd12b13a8ffd847d8face128404ee5d4c6f2cd7b0fc942ca4e333acc

C:\Users\Admin\AppData\Local\Temp\AYoG.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 845426f1445fbd24a59e8497221171b0
SHA1 e3d0c1abad00cef0a32e06f3c2f31f8ff0257c82
SHA256 71e7b251630f70c9ddd79826277cbea89f3f487e6103a14c14e287dbc6236d83
SHA512 b703c46fc3ad2c04528896e626a720a1358988d46e55fd11ea730bd322e9ad8d230375e948ff15df67963360230a76f44de39d5cd2ef2136426696640448071e

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 21628006fe43dccc7672152620b3a611
SHA1 59bfea3efa681b5f61b20c59063682657c5fa589
SHA256 9e45802ae7cdd216f5b34e14e48490e62f6d09a4c5c516bba5930989371221ff
SHA512 e1c4099fb5619cfcb0269d1eed460afa7238923405f15701ec2a557b2af78cd62916cba7bb469b45c8fa41b3f01853e087af4198c0c92a892f770a4898e7f3dd

C:\Users\Admin\AppData\Local\Temp\sokA.exe

MD5 3647aa173b90783987281e5ff6d34514
SHA1 5bcea2f810316e51c90133e1b03944ab55eda509
SHA256 43846581fd1534b7da425884c918fb1ba56679a24c4c6c0537e7c841c850f27a
SHA512 4198a56602550ab0a9e2f6f9b4a739900295a48cdc1a430b8021e40d13fc26e470d9190f92c07203e13fe3aa21e0f9e728d79fab75b4f23cfdfb796c368c3754

C:\Users\Admin\AppData\Local\Temp\EMIu.exe

MD5 0cb2ad0e0d4634da4fc0d0939cded9ae
SHA1 7a32b6d8db2703b7ccde00421a231f90f78ebc0e
SHA256 18d634ca4b30f467a939b4dca1b685381819ee70e6789ea7937f9ca589e2d7e5
SHA512 3c628bdd4191bbaf1e59a7a67725790d0a0223ae8eab8c953a99937a6caf2466a4b016cdcb8a3dd6e57d3ad269933b0e26a464cd46d24cc77d5d75ee05a84e29

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 57474f79243fddfe8967c19ff973f72b
SHA1 0824d54e6cdd3cb2762b251420fa8600f860b59f
SHA256 12819be787e24b68c7fc8e3ef99c3ae9d7c38ac0be183fec87f0eaf5fe7f51a4
SHA512 6cfe727348029bf79d1a7ff7ceaa7db2e33884c12122ad04f4797629602b80e9dd6ff96f211068c72f094b503330fc0380e5b331cb990fd2e0d2a6f7a9c88996

C:\Users\Admin\AppData\Local\Temp\cwIq.exe

MD5 a7471a838ffb3e4013fea6aa90bd4858
SHA1 0c0a6df17a0853f9626666c18c410fe8f90aecaf
SHA256 821fd1ac29bcc27d4e904f644ac45fc7b1d393e40e8e05a29256f9825b6f5cb3
SHA512 2af3d2bafa93324431f5cccc93ef1c787f3c66c4bc49916a4109fdcfed245bd30528d6156903aa479c3c3efc9033e91b0cc52834e660e66d108fde1772a5160e

C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

MD5 96731bd2dde016b24f5dcd46c5845a8a
SHA1 dc190224625faf59daa12c41898ca928fd39b378
SHA256 9de58e0d2632a3e03ffad27b82de93a4eb4169bfe6cbea60f67bb0eed5e7ca6c
SHA512 89fe5c65cd307055a9ce42fb9d3930db941b176d3044703534d585aa5a966bc6acb68c2946f4fc91e088900f1d9930d83d232f96dae48a5097d8d8b7f962ba7c

C:\Users\Admin\AppData\Local\Temp\sIge.exe

MD5 5d4382d4ef34f6ff67ec9f8358dd9b3a
SHA1 31c1836afc15755bf0e10ad82ebab77fd9e58831
SHA256 bb08c017252cb48b8fc183de69295ec8a61a77945409a497ee64fc7216678768
SHA512 dd8436188cc01ec914284a251d24891278215e61de0ac31174b32050828b744f22b6f27b6db6cdde0e7e22f9c7b677f872862927a5a848fc54b150405e1563fc

C:\Users\Admin\AppData\Local\Temp\kook.exe

MD5 55d5ebbebe1ac82a69073a9fb0947aca
SHA1 b4436bf71db410187c7b2e5679bcc235870cfc7b
SHA256 23ad8cb966dff29348d3e60523f30e35093ce6521ff0ed11fd106c43f02fd4ee
SHA512 c4b63adc93c7bcbd17c790105c2f6763eceb25bcf263871a5cf73f2076666b73b4ce9028dd4f5044ed5e987f293a1c2a5f9f85433b8dea096cf07475a92d4fe3

C:\Users\Admin\AppData\Local\Temp\YoQm.exe

MD5 2aac206d33da56f728b9ea0f0a383798
SHA1 b97920962e7ee576f19c308151a2436424355788
SHA256 b3414e782910d03c5a87de4a2e525bffb47216995b57f148c1bf0cf2c4651cc4
SHA512 18a62946d8eae807788fb547084fe9a5ca226d0922b76b8abfcf9a9a44fb441af09461891c4934428a64fa5deeea8a95ebf1e5760236ba141cdf6ab9e39abfce

C:\Users\Admin\AppData\Local\Temp\uYAu.exe

MD5 589f21bea3d1f9e2cc46f87d0dd4918a
SHA1 f40e17811701e4a40e937c43b086a53e168343ee
SHA256 40cdb24a2318adb280793fa8f6c58b46b73ddfa081a8e40c280cbf3c3311450d
SHA512 c97ea744517d5da6f738b5b836a7246b80d2cb26d4e1db0bea1972ce170bbfb06ec051db6aaa622e1c43fa50f6a1f76c57947000bf734034d303872b788989bb

C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

MD5 fb51f9bf7a1e168d4ab385005759dc8a
SHA1 dce08dbf306ee970cb911e986ba8c374a8f90c29
SHA256 d852fc965f9a8364e717cfcbe0dd1f785a918d8fbab2f1b46f49d0cc81af222e
SHA512 0a0999e3d79d4e6066d41da40f069adba498344623a9af109bedbc9778b00eacede1e098dfedd50d982d298828eb075170b4e5b6c64cfe212cedafe8b2f50e47

C:\Users\Admin\AppData\Local\Temp\SIky.exe

MD5 35a6241224c6827bc3fe55b126aed2ba
SHA1 c7d0a8abfaf086f1f954a11c74abba7493411577
SHA256 bf83d644f7e4c6a347e98c20d5f6bcbb08e6d948e03b639be27da2153866a832
SHA512 255afb713cd5c1ab57a4dfcd7790ed1b7b18b0fb348b66da7bb6a0382753eefedcbab98b975aa96396495177dfa39322ffd3f3d2bc94c6de39aba4d9c6338314

C:\Users\Admin\AppData\Local\Temp\acUw.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 f589af2030ba3639dee60ae2ead8bf0b
SHA1 886a7481ec429658553ea6c3a413dec29397fd34
SHA256 6f57c83c24cdcb1fbccc8a6a20695ade9bf734092ee42459eb5495ab0c6d8bfd
SHA512 b6715206277667446a5d57def23d6a6bbb0c4a39f2bb1a4455b5bf7b5bb7f9f01fb6b7b094176a95fc2f2510b9b29260220e92a8ea8bfdcf682d8195221bbd90

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 eb4d011d2e77467023b0daab4c3c4002
SHA1 ab0612ca515439b5fe4b10d8b69d8ee474b8e13d
SHA256 29d2b621d2b9438c61df5a004b543628d57379e9d101fa15bbe5a422aac05009
SHA512 7a61d82eaa88490d42dba68fe62ebf8bee0145564d240c3c23b055a08ae347d9956329e402690171a51c4fccec36c680b988ef7c63e8a449edba7bef70b9df97

C:\Users\Admin\AppData\Local\Temp\IUgm.exe

MD5 b04f78c248a51086c10f69ea969b250e
SHA1 e683b5778a13afd665921081a896ce1e6763dbe4
SHA256 0166a5869ad4fd10e696fcd5936a75d2d1c78ea50f85e0953f3e0479312c09ea
SHA512 9863deade00e2263c4e4b356b37d17a744693291c0837c6de9f720418b6552b66dc05268e3993b7c3e8a1f1593afbd31c249ca850cd4d73779c7c4982942ded8

C:\Users\Admin\AppData\Local\Temp\ckkS.exe

MD5 c60cf5c0d65adab32b96a4e391cee308
SHA1 bb7b9e6a0bf77ea1105594ad888d56f449d817b8
SHA256 0f91b65ce6461ddef15bbed3bbafe887fc626003e7eb8796ab8e94d7112dda5d
SHA512 08149deff83223d00bdcd892a938766c63cc6c26fbe85272e4abbf74359993ca4aa00aa0fd8bd8d721071bb7da6e3a24394aea3ec623de7731b83b661f7fb939

C:\Users\Admin\AppData\Local\Temp\GIYe.exe

MD5 b4e810a549781d3e1dea18c18b5da7c5
SHA1 fad6a648340a0b842a4d69489ffbd29056c124e0
SHA256 7fca94760382bc3108d0f4eee2b1929b0cc63a50a9d299cbe5d95242f1e51fe3
SHA512 5f9a607f919fa0ad84610dff920aa0dcc7ce94b0d5fb4c3befdac3a6c92834928e71f6a7de8d6ccae22e55d2dcb856eb0a3e08fe966fc124ddda74a8ab24c811

C:\Users\Admin\AppData\Local\Temp\uUAE.exe

MD5 08e96292de073892cc1bb7c50567b585
SHA1 2715fe0c693af6b9023cf4df6f30e28d6f10a878
SHA256 91724e06069d0154370079c883e215110b2b2ec286b582b2191632dc3c03cd6b
SHA512 896a43f94e8096ed4f60d5a9ad4bffdfbff5ec53e55f38882d84663687207d03416f09db278ee231ce9406ba3aeafdcf8f12721e22ac0ecf0c12377ffbf2857d

C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\windowsdesktop-runtime-7.0.16-win-x64.exe

MD5 3959ddce5da2b812032a69f56a2fca3a
SHA1 024cb54b3df795aa0a6fc9b8a1b414495544b739
SHA256 8ab5934c6324675b232dac064eaa32d4903698654439cbf11118612499f8423c
SHA512 0f625856b95295d0c08c562580fb6c23526e2539833cf8ff3df286ed456b827f1dc52ec6f6cd4ac46d29b6319050f8eb682c06c8ad5f676ea4e30fa42bd92a4c

C:\Users\Admin\AppData\Local\Temp\usQU.exe

MD5 abf46cd4045213f9674e5ac58f8f8a75
SHA1 0fc75f0fb808e2fbe58d973871e5080348e9b3d1
SHA256 61a45f591fa7fa4cd70090144b745c044572f4501e7229947faea37e8c8ba20c
SHA512 a7f8e6bb7c5cfab4310c940383012064ab191b8d67d8d92c0b4c9189d94ba040b6c81db5307da1c92f769823a9ca77ca54f048071272c0ce2a40f84caa1513af

C:\Users\Admin\AppData\Local\Temp\UQga.exe

MD5 1daa33d1635ec47261df87ef721d92fd
SHA1 e9e22da39c14033f6d0598842f7dcd66cc3e3565
SHA256 6ca2672a78ff3716a088d8c1425b540339189a54a3d67d28c9da266761ca4848
SHA512 97f60de6ba0229863a1f50028e8426b79449ea0e0044afb860a55834f96182a7f88507b0f474c864249c529ec745641a5fac840abd6bece7e92302a544f2b20a

C:\Users\Admin\AppData\Local\Temp\iswg.exe

MD5 a5a4761e537a792f644b0d3b8a9d67c7
SHA1 8b60bedab95e6ba7b199d42828ae7d9a1c1b7eb8
SHA256 90d4cfa23fbc31e630a9da3b6e7227686c190ff1e04508d91ffaa0e747b2bf6c
SHA512 9dcd1227a435fb8dd723cddc927322c7281ba183b1c71be9971a74adf4d8b6c98913412a5c1dc0b6a950141974f66c89c7ae3caf4b6a49e940caf9853888e3ad

C:\Users\Admin\AppData\Local\Temp\mEga.exe

MD5 3f27733ce114af441d5df0a0f77ee346
SHA1 29f135f52db9b2023b2b8533b14a17e07f1c21d0
SHA256 35e5f7b11c696a3d4697c07fb3088f425f1f25c2a2049fc09eb0995659390ed1
SHA512 fd481db0e43669298606e9caad4c0e87460fc80a6a312c6958f1319e49736ce493f64cecf6441ec87844335b58820e52926438d0feb3ab33746076bbc202117a

C:\Users\Admin\AppData\Local\Temp\kUwe.exe

MD5 60e9d7026f0d2618a6362d3593a9a4bf
SHA1 ae9ebd56f87cea213ed99e8d908ac2b821f6267c
SHA256 7f72a67c6e496a8cadc6247bc09bad2b49a7f2b20b3ff8c493da52a07143c739
SHA512 f860b5b974ff8f0ed16f0b0e8f1ddb4b59baa1c465d924e4358f4b36d86e6ad548a7febe73300f7f12d4598afa2bcfa71ce945e7f9c70d376f0dcb58d02195e5

C:\Users\Admin\AppData\Local\Temp\uwIg.exe

MD5 80631a14e08ff91c21e507f4a426a56d
SHA1 2e052900e768fd7f67e58ad6d532658d82ba337c
SHA256 b3a4cfaff956028f97f79221c89be7671c0dbfc75ba33de06be01a10ffdd3b7a
SHA512 6bb2457d298dbbe59f1422945b570830dbfb33966c3af7dff97a2f04abf90027eb6d2418b3ddf300fbb95cec552bb752c0cd1a0854cdc0fd38d5d548bd84d9bc

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

MD5 141a3281ab4f3cf1eb32826233bcdc48
SHA1 651ac139f7d503bc42c06c65c23b19dd3b284b16
SHA256 76671724845da4aed3e72eaf35fad0ec955eeb84e06edd7326eee73411aa8ae7
SHA512 fe0ef1c2f1a03dd04ca9fcf6cd4d52ebcbccde47629b8d430a32541293f0228186bdc05c379a4702d1b2eb122b984abb66d5753ec492fbbf8722d18cc21c2e7b

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

MD5 19279e016bf67db021fc60fd900559ba
SHA1 84ecbcc69ebaefccb6393e8880e14ca0dbcdb979
SHA256 9f01f3b2b1b9badc26da152c35f2fc1e81fabaed767847996e5dffdc8a18e45d
SHA512 25274eb6e6798663cb4ffa9dddce2f3b52144331f9d8301abb795a37fe348ae24f6cf672f888a4c716a64ab1ca192e62be40fc0fe29ce1b9ee1c67f231e992e7

C:\Users\Admin\AppData\Local\Temp\CYAk.exe

MD5 906280976f790ddeab30b0debdd1f9d1
SHA1 bc04edc48b1bb193abe42aa7f1dc09b15826a3c6
SHA256 0b3e491b87a2dc7d5aabc18f37b034113fad1fc1b1614225f6bbc550e70c9f33
SHA512 e24474b418acb347eaf639662392cee2ef7a3fad98ce6068848516f3c0f19b5852a9624541fcd6b766de99c2733be57fecacd8d40064f482009fc0f2ce4ec7e1

C:\Users\Admin\AppData\Local\Temp\MIgS.exe

MD5 d1e9ecbb73d3ca4ea892881b72f5fd3f
SHA1 98edbc79a3517a31724b18560f13538d295b25f0
SHA256 182cbe7b341d75c8ac42ba19208674452717ea7ee9a40c91be30e38023428199
SHA512 b3df336f8341c93507264a427be99589d4e7a2fde3dd9c7201b3abae11cbd4bf884ff6061a59b9d6705809ea31a66005ed06db373c5c02900ad3ed8726803464

C:\Users\Admin\AppData\Local\Temp\YYgG.exe

MD5 5117fd6b4a2314384cb73b702bf0231b
SHA1 7f4889768a7ee258bc7ffabbdce3cf2e6dae3534
SHA256 860b24507b943eff97a458e560731f293e67a65881c48c49567e8654f17e4aeb
SHA512 c7017edc727aca466c46fcd8e566aedf62cc8e1cab4a1107b9d471ff32d1d2f4aebf2bfa1203fe1cfb6bdbc58f74f8e3ce436883ab3e7167789f6fa30434761e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

MD5 341022085d3ef26c568a06af6b9c606f
SHA1 7a9be91513f925b761100fb3886cd9cd2c5970c9
SHA256 9166b800263854fe16b4195600677df17cf2758b8332778f01bfaa52aaf62ab3
SHA512 e31ee4439699582dfa4e8d977a90a638205c1b9181c0d920cd794ef77527645a3f36f5051fa5fa6bce471332a25a1e0dbf8c02343ce546a6bdb0b90a700f8f59

C:\Users\Admin\AppData\Local\Temp\kQEm.exe

MD5 77cc80798f75705b6c8888df9891a9f6
SHA1 ee1000f42c8004e2a56126f650a0e1fa32b571e7
SHA256 a1715d1b6db13e051dee3d75c0c89fdb3049957d5ca1676deb77fd880ff01d0b
SHA512 8f2913c09c196036a40f42a0cf21fa26eb2ec753c118638f63be62d10a6a03b3b4d4d634bb24c42ae35bbfc52da106c934d8416a8322769790c7edfb3e8f9906

C:\Users\Admin\AppData\Local\Temp\yosm.exe

MD5 9a868115bd79058b1076291f776c56cd
SHA1 61d509f4836ff406c7e9a8a1a22181d740c82638
SHA256 7cded918f7aaae4648d3e88035cce47d24181073f47460edfff20f88e0b77499
SHA512 dee6e370bf3be4626b45232d80e877b5f33d618784b70af3d4af3c5263ecdb85fc8551703258961a8c5816cfd3f6829445061808180fa3bd66f78d8f5144aae3

C:\Users\Admin\AppData\Local\Temp\swwC.exe

MD5 7048bc8c4e4ec5a8ecca933cd7bee4f5
SHA1 c0881648c98b26a6b583964f57fe749e5eb1fa28
SHA256 508f80299e6f381dd7cdca2c9d064903af025274821ac898f2b5a32b0f23ff6d
SHA512 a145d163f0c3a574b40549258c7ff9edaa27473eedbf4737ff2835ed9e54a9717b1671da2b1ce5f41c63b859e9643894ffa0e94793fafd3f180895b4d93c5585

C:\Users\Admin\AppData\Local\Temp\yYYc.exe

MD5 77d5aa334465ca542c36b0b2cd383fd6
SHA1 79d458a9e3ace1bc0be7909d7ef0cbe135b41682
SHA256 12aff3906902cbcb80c7343c61741f22f69259508d13606821283f6fd55e10b6
SHA512 44b4aa8e5514a011a8b308cc0574ca620a75cdb4d589ccb68625fc8e29cea1808aaeeacde3fb132eb468fcd9780de2273c7f008d4f20ea853372de9cfd204bc3

C:\Users\Admin\AppData\Local\Temp\ycsE.exe

MD5 9ced54c6a339261b1d1ef0443e7e0c14
SHA1 92a325bf9e2b636fbb75faa8e009b036df75d837
SHA256 756705faa7dd36171dca5f6756a03b9a566c51576df15744885753851aed3647
SHA512 0038f4d448bc504bfb6341c7be39bd84da093a1705a7d306196e14afaf726aab22b9243c850b322deb39554edb0348e9b218cbfe46cb7137b66b5a4a649e0f39

C:\Users\Admin\AppData\Local\Temp\EMoq.exe

MD5 d4cc1f33b94d849acc0beec2177ab946
SHA1 7b5925261f0c1689abce40309201f425af8d67c0
SHA256 6130d5fbba24eb3ccd3f8394299032b73fe80b986005ec466e12ae983e6b172e
SHA512 06c926aad99adfe8bb648f96bf32bc898ef864cc0c267fbe7581ea971e05c41134c63c560121d48a84bf08be36344607bd514a70f3bd45f315dfce4996a02c73

C:\Users\Admin\AppData\Local\Temp\qUcw.exe

MD5 729e7479f3f6fbee7a41bd65eb1f3093
SHA1 ec84c5a9231bf33742077c22820856ac8c5c67c4
SHA256 351aaadc5bcb0ca28511d2792d62a146de44b71974225130fc7a17b3b97d5f9a
SHA512 268196951eee9e2af12b5cd91ac1a66990a902f1697e5240bd5e3fe2b6cc47737567b6590a4ef0b8a5dac30ed323754480f0bcff8f2baa8d6d59fd726fcd780f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

MD5 d006163000660fb5fb80fbd57e335420
SHA1 9eee44ec7b125c99347cf8540f9b3609e8826f07
SHA256 31fdc66de34eea6b31ba15ab06aa33b578b70f9396a0ae93607d262948020159
SHA512 f638e998559b67b0c5fbac4c7ff5b0585075f5b5bc0a5d299060e14dc06077ce1731b06e3b580e2945dc00437b22b95633d6e7f1db95eddc596f2cdd15e756fb

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

MD5 2c617cd9b9282043ac17a13668532174
SHA1 a3808a2fc19d0f755ae80d60d02558d0091e1ad2
SHA256 466761d1581624dc1ac32f1f009ff713980cfa5c6f34010156f53f474686192b
SHA512 5de4a2d9ace268a0ca0ce486af5aba05af6b9041d9478a8ac3f8dd0e91b2cdd60e3600cff9e900d5173dc538c4ed380092827cb17fef58a23215959b969c71d2

C:\Users\Admin\AppData\Local\Temp\sowK.exe

MD5 c4ba3d661000572cf36474269186673f
SHA1 4ece01d98bfe84bc6300eb6cdf505b383d8d68a5
SHA256 3bcb8db99a75e601a7c676b7fbe25327ad1b84dfb18534806e7f5b7c82ba9b54
SHA512 0660c549df5d1a5e54d6fd854d82c2dcb4e5d55d5989fbe90ed4e890bd22f3da98f1f20b59f0db09969dec6d4ddb4421ec697df951701aa0bed17d3ff3423589

C:\Users\Admin\AppData\Local\Temp\OYUA.exe

MD5 e5fd9991139e70d0cf7fadd2cc3d04e5
SHA1 aabc931a6f98b33617ac017f80dcd2ed03660d90
SHA256 074a88342f820b93ebc77493b9b56fdce6c9d865eb56a0eeecfc1035d84892cc
SHA512 87052f2c947f839e1c93ef5814a08a602aba660dadb8d99522f6050d8b3edd69ef47c795ed8a624e7f208c0f55cf9df90f95ae0d31d184bce22fc4c8f52f1fbe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png.exe

MD5 93b6149ceb81bf57ca58a2460ea9267d
SHA1 ec320c73b00e067b9a9d8609265c7686edca2d19
SHA256 b7917f7b2bda8e63e73bfa1fc38c6f9dfe48c070628e162af622065c6961737c
SHA512 fee063f4c6ea9eabb61b9bda422e1c79edb7f88dc2860905bb726f59198d83c94902f8eb111f9700bf4c45625b4e784f2728eba80f6ac08dc5d2582d8364a258

C:\Users\Admin\AppData\Local\Temp\sgce.exe

MD5 f524c1919f181df479382434c44e23aa
SHA1 ec7c42fbb0d7e627a6a211dc84fa1f2e1649c755
SHA256 f1d8065dcb3f6d615b9cbdf27c1cd7f9748cdffe2e2c68513772d1de113b647e
SHA512 8a7212c7c56169c7f4f04c63a26d17e92383824c001e07fa30ecf1c2001c56e1dd1d4d4399616f28badf3db1f3d2f30de3858fbd99a4ecb81d29176952aefbaa

C:\Users\Admin\AppData\Local\Temp\sAgK.exe

MD5 fdfe72d895c0badc026e89eadca710ab
SHA1 e6e50a86db5b3332f469a5f55dedb05be0c07bb2
SHA256 76e228229d62276bde806268e99d1a8e73817385dba5c8d48bdc8c28cb366123
SHA512 55ceda124771d9d7a5fac11b9eddd2ef8937e41874e8eaf56bfd835ee045de42677e661174d4756c709ab478900183321acdafb4f64e70fab51fda5d54e6a165

C:\Users\Admin\AppData\Local\Temp\QYYO.exe

MD5 97a21a3b1754c56453c090988f92d582
SHA1 1775a48c1cc7d8060c1b1b12cd23702f41700658
SHA256 7bd586c4791ef4f294adcc550b256074eddf006339bae1a6f74a60b87d8ac333
SHA512 ed518242a11ad74231b8383bcbaee9ca492242252608f0805ccba0633ce0b853cc7ccbbc6153e1557bac330ad8e98ffb47db01c46f37b930c2ebc2be05feb970

C:\Users\Admin\AppData\Local\Temp\ygQq.exe

MD5 a50ea000543fd095fb973ed2136645bd
SHA1 65783a90288611cd1af9a1462744daea434f6e12
SHA256 43dfcf83ba0be9566e5040986fc900e91d650dc7b473b098b0b6043d3a3b52c9
SHA512 b566fa32d9b70398d38ee093ca05a914e4f77a11c2c7e1dc15cb460a21e9426884d40ad5704e5d6f11d741fde77111a2bbb26fb9ef7a9bf795a41eeb1a23cb73

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png.exe

MD5 9e39bb02dc627b0b61deb8ef4b3360b1
SHA1 d5e9e5a8d33b2a38d1490bf97ab99360e7fa11e6
SHA256 f728838372f9ed7377861f5f844d25d7eaa7d3762bc984b7e8f03465764c4d9e
SHA512 39dba2d6e67c45cd472a9a6fc8b9fc799bd68235d0a7b93c6a83281a3b47aabf95f9cf110b7542ce515b1bd97dbad38eb70c2be2a2e0f0c2cac54a974231ad5f

C:\Users\Admin\AppData\Local\Temp\wEcU.exe

MD5 0ad6d5fcfc6460914b4e3e1e4c2be92b
SHA1 8b212cf386882cfaf16f4cdca265b950e8231194
SHA256 f9fef028a8004ef6a8ee268d5f4c9c4b9d2dc294c86730a5e88f54d27523c864
SHA512 d45008cfb563423417bf6f3d0082456387de323788cce40aeb82e561b95d9e6a47768ed29e089792ab3d587cf4a2e3b718311b1b325d30619a24f88030bd39a5

C:\Users\Admin\AppData\Local\Temp\uoIQ.exe

MD5 b5aaad60dff54dfebff53b2e6fcf3622
SHA1 f563b0a3674bfa4ac8aa74255ac2038758f282f9
SHA256 9341d312f71e282b01217da8a9cd882e34cdfc3e0c8a8295dd70bcce616792cf
SHA512 311f69f26be984950e6efeb671e0f1dee169086172a79fcc3a2182d1c8c27e016c6280522d0822332cc86e0f2a13148aa1dae93846a70c193b4176776a48e98a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

MD5 0429a0275f222126fb96fca28c48536d
SHA1 19c22e5d47cbac0f3dbdf00e34251ece5ea746f4
SHA256 ad6734a2f54cf9bab5606a5f6d4922d20c7fdc68f9e92673a77bf43ca4468c64
SHA512 e98242998c5666ee6f7de8a2c0c48e959e4214c7314de671600630ec6326724517da5e0d0814cce6a9a4ed5ee81517ee164b6e33ea6a39e050ab0a0841dbde91

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png.exe

MD5 7aa943ad68bd822a8070bcc4ec002a8d
SHA1 09ff49be658b4ddaeacde3227378488a0b168724
SHA256 60ed48eca8b6536809142c18424510ca6dcdfb1fdbd4f5cf5acd86b91aaa60a7
SHA512 848fd06e5f12b6ca76631187e14fa7354a217926832561c995193f5daa3ab6381912e664ae6a50725852090d193e7205ed628674bef33e3fa46b4c2362bba343

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-125.png.exe

MD5 5edd2042c7722c1ba1f48d9a6b1eefdf
SHA1 c609bec26e8b55145e955bbb9591ba38afaea7eb
SHA256 782e4930ebe7fdaa552d9331c1690d252bdfef1aca8955672013b900bd35a56e
SHA512 9ceb3f3a35a30ee3510e21aa81a7edfcc2d12df1d6e39dbd10098ac289573e1e9bb2d6dda2bc114cd4fc27308e383234a5d12367e7d436b88dd230d45969e42e

C:\Users\Admin\AppData\Local\Temp\YsAA.exe

MD5 0eb1116a1c0730756a8e8f512f71f6de
SHA1 8df99d5025d8c49f980fef0535e02887d6262dc7
SHA256 f759290ad3f61dd9a7a22c12be290ed23fbe94a18d9c32bdc0129019fee79dc2
SHA512 39ef003ac547a84f2f9f5676c96a97157e77078826410820ed3fcc9365602c84ea9a0ba79b011c7efccbb872c14694a3049f0c3e7dbd4945531e51775e9fe09c

C:\Users\Admin\AppData\Local\Temp\cgMa.exe

MD5 7c58563d58472b03de3ac1fe7e9da982
SHA1 c141ac5c1e577fbffee2ec5a8038dd02b74422d3
SHA256 254bdf40e3f47a47e5cacba07d4ab13cbb75ff8fba31ff3ceac3f4494107687e
SHA512 35b3f885701fc78019365a8d5d7d714e0f7e0b167635d3da204d6b16e08202bf0967a00a148c796c2552e240854385f4cc54e7a92b9d185efabbcca4a7b856b4

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 3ecd2b7761c6c8d4f9aa39dd991ebbcc
SHA1 61af2bc8f4523d4d115f6f33510b31aaab1528b6
SHA256 c3227d81e5ba2b00bf85a9248f9a3aaee9fcacd604210bb4b80e2c72b0ae56ec
SHA512 a2151254c16fadbbae843b425a7d5212514c2b49fbcfe9e79252c705400354f88df7264f59ea28a5a9c6bd3214b1635590bdd3671ab81c4a97e7624c2447c038

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe

MD5 af7c0cfd2ead8315d933304095f779fc
SHA1 c7b6a185820f318f01bb4e2f319db3a09fbcc5ff
SHA256 d0ab0b8179b0529adb058fc601272d67712f5bf0c094b6ad8a172db668f04460
SHA512 39a5399fe7aab8eb5e6b4a13018c02f1932075770093a413aa8e704e9cee1a6ca866445b2003c0e0572894e54a944bc6aa33b09c75c2e1464ea148bb39b6b82d

C:\Users\Admin\AppData\Local\Temp\cQEe.exe

MD5 6ec0c192959fdc81afb6feae127364bb
SHA1 a905433726072f844a1478476a356abd5e8198cc
SHA256 af607fc67ebca17e47f0f127ed89c315204247fee593090d7c7de8c67dc5ca99
SHA512 d8b070c1a6d11dd3f3d0e321547f67fc4d90ba3f92f583ce6982d3dd2139e015fadd7d6d8789424ffec3bcce99ccb49bea1cd6e5177438b329ad433dda964cc6

C:\Users\Admin\AppData\Local\Temp\aYYC.exe

MD5 9026fa9c9ae1dbfe101da71c4aad6dda
SHA1 9de50eb8c8f272316b07134aa8fdbfc87e3113ec
SHA256 9cfea1741da1ed90dd06984adea4e9b41eb7d93b5ff304a1fae60b6d0cb259bd
SHA512 42e969fdfe04092286d299e0d9da38663510797ed2786cb87d546abfe6fc9ae2b8f5c67984f3136798159ae2e63556365ebecb53e46e8951759ebaf629bef6d7

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png.exe

MD5 bff0d7bd87cb2d13e91b70199767e1b0
SHA1 1ec7183a30375d6ad98b99c8b137dcec5696bd09
SHA256 5de4b8e1337d62c1d29a9b88069f7715a3d02b94071a902aaa67089c5d6eebed
SHA512 4f00b825c3b53656df76135057918190e25f38dc2b1312dfa76118f56fc157e2ef144602536882bb8247b1f8c8e38d4a01859c2a9357d4692b663d2011915455

C:\Users\Admin\AppData\Local\Temp\SYIM.exe

MD5 7065ebb0fa91fc8780458aaf74947ee4
SHA1 b79b16be52fea79bb779d3e2a748d26d94aa33f0
SHA256 c035f5d682037bc23970caa9bad1aa23ce73837f0982e7bee9a143672d136e56
SHA512 58544a8b9cebce21535b9c8973b1197cbb434e7cd529b5efc815cc830e8126dabee8d084882bb87d73b73ae3269c43402c4619d0c7e6fb2f23102a8cc61c2020

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png.exe

MD5 b838105c66359159c5263fa6dda00683
SHA1 7e9c6f0335abd30c0190d54747db224e6b80b400
SHA256 d4543765bfc63174f793551d3d4c8d725ec9014bfc3073db69c0b1c150c2e3c7
SHA512 2ba5616b4befc4d5ed8313c3f88786ada6ff1ee3f28b9f7da0a8854ef8af6e82daf0372f67e7ab9e837a3104355eb01b8217a3f61d88dd54fb57c07fe3e917c5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png.exe

MD5 ae78ad85cd590c1ca83266180514905d
SHA1 90456bac7b5927e4111f13207bcdc9d55d34c2c2
SHA256 b142b01f42359fe45eafd1ebd9eb1d23c8b85cf63e339ffae3a809b8f57b3783
SHA512 7e8dcf9369c537ce2c5b35aa54669b10a533c9fc91ae6f6d189a6d509802ca98a38f11cc5090c462da79cc70dd6a46e00c04f8ea348c839b927fdae3438ff068

C:\Users\Admin\AppData\Local\Temp\ogIo.exe

MD5 e987428b7b9cc6c3a552cdb3156e44eb
SHA1 5628348716fa1d756c8d81b3e6e6d604d96cbda3
SHA256 ce888d3ed42489efeaaaef6bd44d43700fa4bbfe0a9a54dca6a17d77b64f3eb4
SHA512 5cccff9b34ab6be40a2764cbe4691d573db34b81504fe1b7679e1c3dc9209ec98c09516a73640468b80bc3a1c2b4e63ed2b03b94ca51c0a0e6890c429688fd91

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png.exe

MD5 f327e407b8faa44e4ee927088558daa6
SHA1 952ba576c79eb3b09be09532f45429bc3a30d78c
SHA256 1150ee6d18bebd42d707ac6d34a26551f107e6f21151a647a0088057ed52ac2e
SHA512 4d563756491bbbc46f0210732d9713bbfbf241f49613f6747b62df488f414891424e192499c1b112733f6a2dc0754a45845e0b2905ba9a710bf74eef69f191bf

C:\Users\Admin\AppData\Local\Temp\EcEa.exe

MD5 fdfe6eff6a476f77a2c232f7aa03120e
SHA1 ce2d1542a322676ac271341d5414cd359c181fd1
SHA256 3cfb5588d1c265ee1409e29a7474b27a667aa96c884cad4d52aa0084b7eb9deb
SHA512 f1e336f699a38422c733b1b3369e4900232f4b5e0bb1ae2d2076d9db35642c6a584e46917e11274d98b8f43f6cfe0564aef59a5d63e32203ea506063026238d0

C:\Users\Admin\AppData\Local\Temp\CQwo.exe

MD5 7df14f85d27b9c1ed521cfb5042f4650
SHA1 292182e26b123bcf43d7ede6e285b4fb698bb427
SHA256 b6e7fb9e4feea9c19f4621e4f843b3d22c2dd18aef90964db1b01d75115fd220
SHA512 f7f041fffd26afe5a4edc107ed7a1e80de01df924c5e686fd83a18ffdb5b9e678da484de1a90cfbed7a0a3a7bcc3c15ecf704f6ebe8ecf6d67ba4e91af417399

C:\Users\Admin\AppData\Local\Temp\awQq.exe

MD5 b6af16590a0c727b96b1d89bc7b88ebd
SHA1 0d9465a8c1351369f5b8d9d7278620a0096a7975
SHA256 95b9f884782bac52efdbbb963171a7e57f74ffe9d5e829941399b622ec4d9319
SHA512 a17cf961cef6d08f3b36d18b5cdb000b52b8f1f6ee01a15d376713a2e3214e220ba84dd3a5bcef0a91923f442a174cf39f28faaa47f66c36f1a3abea7f5d9afa

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe

MD5 845cbf66e0dc3e1d57ba53a312e280b6
SHA1 d9a318b4871a6627b815f3100a4b193678f62de9
SHA256 46c14eac2419dc1fc50af6060e02c6feb56e94cd9501b36e6699c8c3cd0bf689
SHA512 0789800a827caa6798ec34392dc60c245723cbeabd89e6f708c1a1065defcd3c8197ac445c1a0304f38f935d7ae679aabb28bd548dd25b29b51831f2c7a8b1dd

C:\Users\Admin\AppData\Local\Temp\eAwO.exe

MD5 b5785d75d9f7654716b9a9f1f07f8ac6
SHA1 a71f9086b22c6990f0c9db5eab9538746a87ffd2
SHA256 972c8eff57cbd346ce808af46d41ed89a80f856172febd766cc166ee0f9e0e81
SHA512 c2c241271a28cea0cb025e5d1e6fd6954eb5d0b0908696008fff4cb9515fe7bcfb513c1a8293ccbb634ec38b2c0f37b3e3bbd3846aab04e34f423ea0020d969e

C:\Users\Admin\AppData\Local\Temp\GYQY.exe

MD5 b0e4a09eddd3e97e945c9739c763fa3d
SHA1 88310756ebf5bd7820b6701d17641c68efb0c6a1
SHA256 edba1500b08cf8010ce8d4851a19182a082146980c22788170ecdfe9ab1b51a3
SHA512 88919558cdf542feaf9cd491c1955f869d25e75274f2b680373a431ac44bdb7e0da523e058aa1a7870412e52c9d22edf0df8efd2896d1e5b10dc46c78a459eaf

C:\Users\Admin\AppData\Local\Temp\woUS.exe

MD5 d601b4990fc7aabc7de488533f1d973b
SHA1 72b9bf93449f0e3b5a020a58531c68702bb323b6
SHA256 92cc1dde0a889f6bd4627a976e47e86dfaf20bab4c772f0ff8b558c62d7a99e0
SHA512 03fb18032617737a85ff82e5f77aa3315e58b2d7b8c9914d79b06f94eb82add161e165aa8895151b86f856fe077199cdb437b4b7b5030cacbe90dba5bd9af3f7

C:\Users\Admin\AppData\Local\Temp\ksci.exe

MD5 c50c98583a70da50c340b060adadeb83
SHA1 595104e156f1dd40264b0c9900c99dad92d08917
SHA256 78ae286d8789fd648f3ae2b8adc53048b4604b1f05f10075d1289dcbc565c2e6
SHA512 3bf9708dd5ccf0e390eae07e38db04e6039061bb5be7e628db15ab671eb04b199d636125a5c8ce06333e2d4b3867b6c2e5149fb2f484852291b2abe5b314346d

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

MD5 0f355c9a2703d2ed8897ad2783e0529e
SHA1 c93c55ab2ab20ec496499d48b7006a90519be312
SHA256 f5ec878da1ea04da7b2fb5d6a5118ca93db8dbd917bab83ed6ba1d365ae87717
SHA512 749b771ec6e12dfcac84b75a9ff3aac62b2877d6f5e6636e25568cbd98279c62c01684cf2a33f1bcdaf40d0276dc4dbbe8fc070be172c3b7ab117f8791341142

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

MD5 88cc7c78c535ad3605914898d75917c9
SHA1 f34ce56a7cc6aada01316b8990bd00b24b130548
SHA256 52bc8d334fc5555f255e2731ccd3b79d714a861b5db7a1a24ea293601c3f0c61
SHA512 f70759fefd1a93118c1d91e424918d9f4df6f633f1634548e33a0280f8acb77187c048a1406b23f2408570e78d9a9b2f51385f122dd9a3a3f327619ae3a195bc

C:\Users\Admin\AppData\Local\Temp\IAUo.exe

MD5 50560dc04ad5f718c37df6a4ebf0dd17
SHA1 f2b78f4c6e14459ca520562a7cb261e4bcf87bc7
SHA256 ef4d196808088a402073299439b912a30f8ebeab558a4f3a11f99cb52f415bc9
SHA512 0873beeb68ffe51dce3f2080b469a5ddbdb8e998d41f01ef62f2ee9099e99c6a98bb545c35b95db9c3015f05982e84967a845e57fbe76b10ede9b9a3203e0e71

C:\Users\Admin\AppData\Local\Temp\gMwW.exe

MD5 def1f1813f74032a0bd72efeca3ec5cf
SHA1 cc4220e5ec603d9236b665401254af4e69816758
SHA256 34809e5e9de7e5a1c8f58df37bb45d9abf1097306c2ad35358362413d0ce2931
SHA512 171d28ab83be3a44988b3c152a8e5fc32c5732b3e2cec09573c95e677b88b516751c83b6ab8c6016b7c088dfe866c78fd8560d8f107905af5fe6e861618ca4aa

C:\Users\Admin\AppData\Local\Temp\SEcu.exe

MD5 200f85209c44a70463181f719192927d
SHA1 b23db1ddca56a2559a444b63cc26a5c850b87cb5
SHA256 21189d15f298148aa1c2c7ef1e5425785bf94ca1c8322647e0c1892b17b0b5a8
SHA512 afd9eb094f021899658e39bd64d0fc2bc41028af6cce2576ac8ac1dafe65ffdc37df8ef4a7b7cdb112f5d18bc1ea62989bb373137c0eeaa1403792c7937b1866

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png.exe

MD5 bbce166d8967600fe36d40f771642b70
SHA1 4f5ed4389d0c14f80cff49c5e8f85c200e14d32b
SHA256 1c2426a27f6ce0f1d454b0b35b8bff8002a597c2ebc05076a87b2227e6a14488
SHA512 58146d6fd432555b4907b570dc6d918471bdc0165e376f76a4d5defd7a73329329990521cdaacfe5712b4d54c4a6952b78884360a37d45dad8e700e7784bb1eb

C:\Users\Admin\AppData\Local\Temp\WAgI.exe

MD5 0f9b1ca50a5b0c0c829ffa324560ff84
SHA1 73dc0645abcad3be19a6fdfc17d643cf51b0cdc6
SHA256 47f717cffb1f244dcccc22405c4a291242af32719015fc8b42dd7affdaf2e4bf
SHA512 bef32e26999a6d2dd09edb3f9de0402ff723255d386b8cb32c84a7ca06377ba6c124c04af5337b268ee33a3e7a3ccbd2236e611b0dac7a0d60a3580f729ee7ec

C:\Users\Admin\AppData\Local\Temp\gUUm.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\QEok.exe

MD5 d05ae5f17c632749d720d227581b2a59
SHA1 8aef01b32afe8f173fc166bae818835828424ff4
SHA256 c7306237acdd2eb0cf6a3ad83a5710835353786585dae22de3face56a9c76ff2
SHA512 c721f4a1c240bb447e4d7b763d03a1514a8892474bc26c79e33182ec771b1e23bdd4ef0a1507856323672a2451f8fc17262019c58d243aa0f544b4bb81e6d705

C:\Users\Admin\AppData\Local\Temp\qssY.exe

MD5 130843fc063bfaaf8d423c078fe16c4f
SHA1 62385fc244e46adecda055de605ed4147fa9b27b
SHA256 b081a611db738be622163d692c1aad841952cf8ff5cbc84e3f579a0369bf1ead
SHA512 8576e70efe4d939541e1cb5fdaf7e1c913254f1d11d8fdcc78068e2dcc4b093afb7adc6c11f9137211ca4a865f67cce9d4bd36af548d000d0295598caef4bcf6

C:\Windows\SysWOW64\shell32.dll.exe

MD5 b9285417b4af86f43f968c9507d1143e
SHA1 79bae1089485fdaadb4147ab2062617cf734bb45
SHA256 2ce4fbf16c7138eb52e215837b7975983f1e0bdd79430ac6fca149bfb693f092
SHA512 8d7f7832c0ac295717cb6213a372aa2c75123856dac1c015637a6c06b7e24b38d40d12c072ca0ea2725146b7c77b1508583e44eef53b126f184d2167325ac25a

C:\Users\Admin\AppData\Local\Temp\gMIi.ico

MD5 d07076334c046eb9c4fdf5ec067b2f99
SHA1 5d411403fed6aec47f892c4eaa1bafcde56c4ea9
SHA256 a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86
SHA512 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

C:\Users\Admin\AppData\Local\Temp\qswo.exe

MD5 a58cf8dfa05c07cdb042b6d388b6d5df
SHA1 dfc132c44ce6b4a7aacf2ba4c177d4b8af198889
SHA256 ebf2d6f06e78c2cfc93a169d9c5f60e01a4bf52510fdb6f47ff935dc14945451
SHA512 9b3a87ed98ddd924d820c165daf8bb1d79c863acae96003a1c55477f83ee30fd776f130b6e832bdfaf9d4ab6441805bd8268fd2425b124ce7c861fd12719a2c6

C:\Users\Admin\Documents\SaveConfirm.pdf.exe

MD5 c1a5bdfc02ca041f7c03834ee7ecbdb0
SHA1 480581e6e4dd0dfa69f67ce84febbd5832da1eb5
SHA256 3c6f14ef7b95fc11bc08bd95530cc7c7f3afcef58337824b779da044fb275025
SHA512 efe4d8e3eba24a46f485d5ffbb5d972e03e69d737264b1515829259d0b112382788b6fe2dfa69bd45bc8cbe4f99736d6cab6451da0d87ad4c3e1249b7147eeea

C:\Users\Admin\Downloads\SubmitCheckpoint.exe

MD5 394de52ab8342da3644b91d63ebf4c3e
SHA1 4d0e0268b5a19c099da0c9563d4b930695f036db
SHA256 0634b18e092da78a7ec8142762af394429574e7e3e2f2b3e74526fd3534fd5c3
SHA512 31b7747fd307e970f637b18d317fee50c8c7ce91e54a76bb3de7cb701de7e3965c38d82f162786710a83d3161e93ed14e97df13c251f48852fcbc1c4a16e7199

C:\Users\Admin\AppData\Local\Temp\okgI.exe

MD5 ca77547da6e9fa10fa1fef4fcba90b3f
SHA1 0b093703fc90eb9451807a32942668adf47690d3
SHA256 d00d2aae0abeae882021dcb2065ad188f28ec1547b7a09b5985fadda1025a9b4
SHA512 aa9636bcdeb45e0cddc3c0adf1c4e03eeb2bdc992f17cd1211ffcb2a4161ea98e40a0f5418dab449aa308c2ca4be43f3e88417ecdf6748c413e51fb8bdcf11d5

C:\Users\Admin\AppData\Local\Temp\AUAU.exe

MD5 47cd1346b3c19ff19f3acd7ac13ba645
SHA1 fce5bff0230af0465e002fc74df4e8ef830925f4
SHA256 b534e3991267f96c902fc66ee7bb89d04814fd9b4e6a586b4e3a9b4c9105f5b6
SHA512 7bed126e2448f9ab6f511c5267821a81ac8e7703dd6566dc346f893c53a0ded82f2d26442770f11d37b3e2a75df0b2d1e10734754706d22d51ce5d6192985faa

C:\Users\Admin\AppData\Local\Temp\QcsO.exe

MD5 9fe235cbb2f0c06eacc2d265d796d68a
SHA1 51481ef8447a0e5592ea34d282e6e5cbef4cc2f8
SHA256 0bc53d1a68667b44b6a4cc92ca78ddde94fc4861a114a1386bbd56d37d6215e6
SHA512 729dc74c1c3f13eff54af861b8b21bc6f75391c4741ebfe08f8df8141e3e8c08cd5523022d0b9afd5612429cbc05564b1a94bacc6870cde2524eb6bf661b890f

C:\Users\Admin\AppData\Local\Temp\kUcK.exe

MD5 03a72f5aa909ee5cba957b321de099d0
SHA1 5116dff34ad8b395d1b399b6bd12049463b6c025
SHA256 74899a00b583018083ba37bb038e4e3e76f9c414f35de1b26a8b5fa8774055e3
SHA512 f11c4f5cfeea59cfcb59661b2541906e5af66633b241015216fe303a65a00426ffc3136e09854aab9bdda11283e2e5be01c5b9e1c3b939449bb6987d37def766

C:\Users\Admin\AppData\Local\Temp\mgUU.exe

MD5 7267e959759a8872df2e27b0ab7012bc
SHA1 13d8c62adb1cf655449787d458941baa98304552
SHA256 01fcf733a5f8e3a6974e47f31dad170ac0a6fce4128ace1b6447963914d85a93
SHA512 10b5a4dd2ae11527647e52f3607b05c48934737c0ea2fa92bc0413800a3325f1e5f4e7300dccf1949adf2e2c5eca8b18121246d3edb75ad42e457b6b224c04ea

C:\Users\Admin\AppData\Local\Temp\Ckwy.exe

MD5 9e79f7f8447f8b972189c22caf1ce7ce
SHA1 77acd9b5fb0800529a1f478e2131bc1683225ebb
SHA256 13594121c1eea0e72a504ba12d5477cfc01b1aebb9755a8bad2905085ac0cf3a
SHA512 147b182a7aac20a101a4f20e81bec0bc29c867378be41ba35a218d9375b2ae2b18d01f5be13aed2ad798f68aa4e57052a9c2d0e5467cef078a86c816e4cf2f4f

C:\Users\Admin\AppData\Local\Temp\cgwQ.exe

MD5 b89193cf030f88193380c047d8e6c8f4
SHA1 42bc6d3dd2e2781f54563b5f9b95965956093bf8
SHA256 bb959d728f634e5d44407c034b1e65b33646f7b67f2d62abe776b2315dbb53f1
SHA512 0a9d00f443916f149f48942c7cf86ec04294d547b182f270d46316a819cb9636c1220368d32483fb2bb150edcf50e651d9187f1a204c0933d975766faa9bb61a

C:\Users\Admin\AppData\Local\Temp\UEEa.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\Pictures\RevokeConnect.jpg.exe

MD5 fcaadfbe817e88d97bf6a6525a202b50
SHA1 f243aa3b6cf536cc07e4c0a9697c046a69d666ee
SHA256 738217f5140d8a242ad78aacec601a54a4b1c1c6a7a56cf72c590bc802ad58b8
SHA512 98b6566578aae4c798adcaed5c5abbcee0d45af0026761579e1c559b9c28da1bdbd288d66d7059312f639d18a58c4196ee91df2889b6b88f95ee4ba3dc3037ec

C:\Users\Admin\Pictures\SelectClear.bmp.exe

MD5 2f0e68d6e846bdff76017b5ad919e79a
SHA1 6615c1a72b3505580e6af030ae70718ea74c5991
SHA256 a0ec39315757ebb147861666480ab12665afa5e964d0b7542ca2392d985d9c58
SHA512 ef661ebbac609a9f8cd65ec097f261bde6c11a1eb2fa686d3a9ad240b0d7e4fecc88510c34ceb5c19bbd5e3f6076f939cb1c38006e0a0757df788efcff4efe7c

C:\Users\Admin\Pictures\UndoExpand.jpg.exe

MD5 12a51326fc431a0477f4cc2e109f3d08
SHA1 9808e5063daec1e61affe5554528253b36ae08a1
SHA256 157dd20dc3174a48f98124dfdb3259b32f9330f66afb6c67bc11003f404f4f92
SHA512 a7ec651737fad758caa86d3c0a0d45d10cd317389353d22ac3f911fc6c2d9309de818df9605bbaeb1081cded4c2b6e16fb822b3ce5da94b07b473816a9025f24

C:\Users\Admin\AppData\Local\Temp\cAYM.exe

MD5 ae407f6d457b22320aef87f8a8aad0ab
SHA1 61e23e68778aa268723f96ad5b5e84428722b925
SHA256 cf702d06481b77421adead265de0f08d5696da1a956c11bc9b9ed3fb7c741ed9
SHA512 4fd1fbc82731b29667d90ae40f5e61ed207cf910d0f67e4e82d404b649fa06129c4e26630a7729056300430341472dfd1ada4eebd1caf8c686d4a8fa57152b11

C:\Users\Admin\AppData\Local\Temp\KwAw.exe

MD5 6003f85bccec6ac2fdf7866bb0b736c1
SHA1 1744b7fd258cb0ea39f97f0533d963636de6c24b
SHA256 bbd9aec468b6e4fe0a027e4414a505611ab950b1d3a4ab64e2e33e6a257457e3
SHA512 d2c673841ba6b6854c66a6b81ec254362ff9c379a7166726c6c45db9eab397c6ea54c2aafd5e034625424a0e660b83874bfef6653140961eed27b203cae32000

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 fc560f22ef5da49e9d6f606254329f86
SHA1 852c6cd6a0889b2f2008d6975c42dcba1d451961
SHA256 4d03a334d31fec328e56593c94b87bea4079ab4c4536bbbbd5adc098ed5f4d46
SHA512 f4d25e5605237be2f43bde9fc41c5126111cfa6628edcd009b592e698ec86f354e9f27b32a04547d0f6bed956b28078fcd9c98e1d8dedae50db4918efbd790fd

C:\Users\Admin\AppData\Local\Temp\qoMW.exe

MD5 3c2c4d783eb36e2f944732e8159348ae
SHA1 f4894775e2f8b0284f8f38b8ffd95b8f7528bd43
SHA256 dc7e6366c0b6c8b9e25e36812792eec171e873b640978809ce3d610891f1f1dd
SHA512 829d86584692a2f0fd18b59ebdc033dec2a6c8c33e27fb301a57f96f75c8e93d7cfcb935bbfc472b9111dde04e5baca96add618a020e583b06cda62b245b8f1f

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 60d3b004dcac874df1f13996eb1e4a27
SHA1 ee650d95e8f8376eb7b898661d242fe7df2ab2cc
SHA256 d48c9c59f0b51fdb2c8c76c70f5b4489fc3a7f5096a0ace8115b72d49a270900
SHA512 463d6e50a824b80e54bb028cee457a5a602e9e1e00dc67f98103400e8f6a2b16050a2f27f6654eeaacece480d11c46b9e7e878b2d207852b9a8bf774f46cbe5b

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 060bc5704591638e455b41647295fd99
SHA1 fb27c0bcab850590bbeeb20831dacc0e99d9ce8e
SHA256 33d284d8c7c7b5bfbab29669ab7190719487b0eed471a4d37f993187068ff362
SHA512 9ce179a033f759a7fcccd40084ccfb3f61a26f217c580c9563fff35798fb64c052b33cb4f01644ec21f3680af459be58a986292a609afbf923539509f3a58aa8

memory/1488-2032-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1696-2033-0x0000000000400000-0x000000000041D000-memory.dmp