Malware Analysis Report

2024-12-07 09:59

Sample ID 241114-rtrr4stqgm
Target 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock
SHA256 0280fd3dee9b09cba29de1539dc6d16be55c15b49e7c3f672508f4b4ed8ff6e5
Tags
discovery evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0280fd3dee9b09cba29de1539dc6d16be55c15b49e7c3f672508f4b4ed8ff6e5

Threat Level: Known bad

The file 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (82) files with added filename extension

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Deletes itself

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 14:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 14:29

Reported

2024-11-14 14:31

Platform

win7-20240903-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation C:\ProgramData\LMkwQUgo\FacosYAw.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\cGAogQQA\wOscQIIA.exe N/A
N/A N/A C:\ProgramData\LMkwQUgo\FacosYAw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\wOscQIIA.exe = "C:\\Users\\Admin\\cGAogQQA\\wOscQIIA.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FacosYAw.exe = "C:\\ProgramData\\LMkwQUgo\\FacosYAw.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FacosYAw.exe = "C:\\ProgramData\\LMkwQUgo\\FacosYAw.exe" C:\ProgramData\LMkwQUgo\FacosYAw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\wOscQIIA.exe = "C:\\Users\\Admin\\cGAogQQA\\wOscQIIA.exe" C:\Users\Admin\cGAogQQA\wOscQIIA.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\ProgramData\LMkwQUgo\FacosYAw.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\LMkwQUgo\FacosYAw.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\LMkwQUgo\FacosYAw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2816 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Users\Admin\cGAogQQA\wOscQIIA.exe
PID 2816 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\ProgramData\LMkwQUgo\FacosYAw.exe
PID 2816 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2532 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
PID 2816 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2816 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2816 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2604 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
PID 1836 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"

C:\Users\Admin\cGAogQQA\wOscQIIA.exe

"C:\Users\Admin\cGAogQQA\wOscQIIA.exe"

C:\ProgramData\LMkwQUgo\FacosYAw.exe

"C:\ProgramData\LMkwQUgo\FacosYAw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\smcgEMos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OYoUsgAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JaQoYcMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tgQcIsgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NkwAkkoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\psUUkMkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QswUwwQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uaAkYIQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wKMwYckU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GcccsYQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\deAIUgUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zyYkcsUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tyokIIEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vGYEswso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cCcwIwkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\smQYAEgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eSIgwQsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HKgcIoQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zOEUkwkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "561917108-2096832744493217214-1024250436552974898-993512805646373543203045447"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "948742961-1568059132-438898342130954552-1643941197-1396835572-9466735061815067714"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dwYQAAgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rOgoswEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mswMcQwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MIggQAAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5508120691946044753-276461877131364988431829993-12260535622730508411380971199"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uyQwQQcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "728322574-37706389718602693514398618631064152577-8788777765622008716241976"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fGoYowoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vEEYwooY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pYsIkMEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eAAkUMMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "47105829759786875-51136067-1835827855-84342590130993899412007701091498080859"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qmcYcEgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-4588434051402394152-11322477611357818328101469898532042819-752650254659423546"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UiUEAkMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\omkMwUQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1945401875-1662167431712753509-1892434263290185360-1892590640-197620215784656457"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-212346094613184528361356340424394136694652982520-2005611025836915960-1412034002"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xsUIcwUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lKkEMAUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-439676969-1276073945294637661991753805-1597398329321623354128799232-823728735"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TcQgkIgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-28122251658711058997143304-6937522501962301032-1367878458-1118054029259774817"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1430299543-3799936721408981650-747309677517676561-147671654819669813781329831275"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JkggoksY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1619840055-2043850748-1558222546720553471523659776-1702167950198701404-1018297663"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sUcoMEws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1090591934-12643516417175756276780203206830279821824842111-1484683170-410503899"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-403085340-5981417271023975861-15716871708131309381326864188-771614066-1188171181"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oIwcIogI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aUwMoMAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mWEUEYgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1635230244-13650543031462688336-1839402961-6687759251672201353219449503296130676"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pyMEgQQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1263103069-127760479-9877757531153758160-24465958316534490831756672970278432443"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DUIEUsck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-487354076161837532515331823051708642456-1498543885414345742898784834-332828061"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cQAwkUII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EMkwwIgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UKosoEMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1118209165337129555-143004816938472288813647390581584308000-4926034941894405307"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-20133229498356756918913287161407753958536214023-1746051655-1881618855750006329"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aMIksoQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\USgUEwcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-6434291481061483456572614373-21330148272100989747127052627818962986811405857037"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tuckoQUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "351061186-134205631-10785919771936192575-1814916927-1450080820-1376403783333798402"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "215490740-1547578659-3806828072021859144-548404046460150963-21678665-1259903805"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmokUcMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "869777245-2131044923-18294601851982074610-1838738961-2947038851291523153-528111546"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1211057625-4455637481917370562-4745596941373356390365856813-1442350207441379474"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1917495739-28231836-748582919-32342747819989976901617615455-2145667531752656201"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HcsQsAUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FAwUcUoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-482535155-1714138197-1015380566472416398-392293290-20789828252698084162073112682"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2112359914-1127266063-565945075-897468787193456495429604095315989484041506012324"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qyAUwsow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-526880511538369754-4764805025907636961097085091-732744790-1053783101-1574226916"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SmogwsUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1187567914-49200173749552834573224575-1105463044-102356386918007426202100291010"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "967183856-828934936-255450569-367686812-159357036-1493219841-1299624556-1010740859"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-84563242910744303414722686653089599-1813152357-1953656219-5609070681665668144"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CKkooQMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "663609396-206385821-927700481-1711842135-13777538901959272735-20087711411703945333"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sIQIckcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5650977561420162464-187298742144883280225498604416826727581421849178-1218789801"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "46199396318869025651115270729156919810014583990571408170837991628675-523569011"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1152941741-13672903858059800001681596308-64923550572322877613092756911199651275"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fwAoUMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "78107292410572061711706027075117320150259947881290141476-113222404-17861874"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15036371614846923632099285032-1956654662-5613432991983955523465953072-1985221204"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rcoswIkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "613851185-13256622041242347059570984671-12046190772042737134-257317527-1207749722"

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 142.250.187.238:80 google.com tcp
GB 142.250.187.238:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

SHA1 8e731b087be33b8c396c6c6899182fe3f107adcc
SHA256 8af2b588aee26897cba26d731a652d1618f32b57c91b41f711435063591effcc
SHA512 b137aeb0f02c299e227ef22796d04e6462fe2be27d21e6c1976878eae921f41baba72e772506e2f2d00452b7a83dd8d5fe253c41900588a92954cf1257cd08ef

C:\Users\Admin\AppData\Local\Temp\aUQw.exe

MD5 c103293c99a0f637d1429314e07697a6
SHA1 15e9c43bf3aa87d1bdd743ba7970efe7ff3c9600
SHA256 99c8b3918bdedb8abe12b312b77cd468a7cdb34de86459ab415cfe189f74a962
SHA512 4989257a4fb410f8b8c55d084d36dd2469001b047cbdfded7157375666511217c9fe77db7f0487dd5ceb636ce7a5ba78ccaf2f64d698d2a654bb74d51cf12ce5

C:\Users\Admin\AppData\Local\Temp\kwIQ.exe

MD5 2293583f006ed3428eebf336b3a0c0b4
SHA1 91c72eeb9a11e101e9d0e3b9aef716c4e70e1135
SHA256 8af2159b3b79db60f94bdc93caab4da41022a700701d46de959aa0ebbfbbc621
SHA512 b1309b318954b673cea3155a228034ba3e3f3f7860eba8ce4624d95699c1563315ca1b2bd3abfec067f62d4373a8be87752b41f42e234dc690cbf3e0d144e63a

C:\Users\Admin\AppData\Local\Temp\ogEg.exe

MD5 18aa482f020d01c5fe0a534b332804ac
SHA1 7b365ab52bee180b828acd7b563c4aaf6214732a
SHA256 77d3c6ef34bc66e6270cd8cef6a5f9f27bf875ba4c49e991e752822abdaa7dc3
SHA512 7cc0e052c662d57c283569acffe60b21208c4f3ac2fbfc6e3bcf1042ce8d423898d744b3173d95362937467482f682c9baf9849cc5468f2668f5360f6e34e5cb

C:\Users\Admin\AppData\Local\Temp\IgIw.exe

MD5 dcea9e249e283081f45dc3de772a9306
SHA1 0c96ad0d72b15a7c976bc6f969bf2edac01de7c0
SHA256 ec8c92d7e44313684a261f2d7f6df71d91e26b3a2d7fc94ec425fd601ebdea91
SHA512 068b262d93976f08dd090d61950e814dc54b2eb2ce6170137b9c34fd397fc73d6d5a739d606198a59c7528ba8be1b074d9b9f60874fab6eaf4b7510d58e68f8a

C:\Users\Admin\AppData\Local\Temp\DiMIQcMs.bat

MD5 b5993201ab76e898e1cbd490769d8647
SHA1 4a94a46b1dd827a6f1828aa37f8b2decb7a8ea93
SHA256 10f35dc842d0f824b0a19342046f6c723639a8253d392b3e4a673646470ae43d
SHA512 b0ecc870640cd34ef61f85fe878c2c9b36b414c1fd0923099452511e5d52103056dd6cddcc0ca5abdbf43a11ec938b2b351350dfc99d16728084ae8efb6bb51c

memory/2976-659-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uYQo.exe

MD5 8e6fdccf86aa2b608943c21dba24d90b
SHA1 636c6f5487c21a35f3a4a568e5e284fd4d6cb6ba
SHA256 a6bc9247909910b0d82dd840cd9762cac0a3d48174f2248f00e054af1d9d9e4c
SHA512 dcfec06b0bca936d78f3b1e16ba0411e558d7be9500e581b869621e9b330decfe4ebbf0b2ac857ff2da8ddd12d4b6eb638f27708754fce5aa7ebc19b1598a9fb

memory/2800-681-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wUco.exe

MD5 bae4cd829f37dca76a4a05a3df9ac552
SHA1 863b26a05b446568616a259e288ff16efce7f700
SHA256 b0762fd69198b24441e67dcb512e73db581aabf04d1fc125398caebef593c89b
SHA512 555305f2921c96c8351e9f4be387209e33275e49ce21498f13a03d8db33a078cbf6dba17d3c34bedf784f9262b956d520f0de397062b5d51cc9f11e8364b7e50

C:\Users\Admin\AppData\Local\Temp\GEMS.exe

MD5 edf1f901fa09c472ad442dd678f6ce28
SHA1 8ddbac0cb7f394050bb10ab6ba2ea8e76d7ec9b6
SHA256 f1a256e2b4bcdffa7d0a608156f8d7bbfdf9956c4e92f4a0bd07b12f75154a55
SHA512 db68334d55f6e55167f04365b16f98314fce7fd123349abf329fc0fcafa9ec3e1effef09927133a8acac3533d4a13a646b6ee5e757b32025fda39319d5cbcf5f

C:\Users\Admin\AppData\Local\Temp\Akok.exe

MD5 176ad1a391794130250c866fe8ea2b13
SHA1 7c9e5d9466058e87bf85ec3b889a7e40d8e32d5e
SHA256 0821144b379997c3cfebf34677c1067eb12ff0012d3dcaa8f268a8425c15b64b
SHA512 b52240c6ee39a89fe1fe1dcd13656af60ff3e52742f656f5be568372842a1acf1e1f2b1b3eb28cc8524f74de2ee274383616f86d9cd1b65f0b7dc65be66cc6ec

C:\Users\Admin\AppData\Local\Temp\cosW.exe

MD5 c3c77a8509deeb9f4ee805f066a2ec40
SHA1 dd0708ce48f65708acc88dee430904b60ea7a231
SHA256 a292c32d5ac050cf10d9f5a4a3958ecae5b0b1acaba813e0d39aa2cc4d53cf0a
SHA512 9013fbdbaea1efe77b4cb1901dd13a256d6d3878db7eb2d972e305101d60f0f1a3e19946ec188e2b55ea6fc2e9da98c3c50306fa61991ee933ab2f750710443d

C:\Users\Admin\AppData\Local\Temp\aIIg.exe

MD5 f733c3d8ae2cb45ab128c9e60d3383ed
SHA1 c5cd8b4f0e4e6f7c4a9f3d14b7ce252ee7fccabb
SHA256 dc639d59d5e329bb7700af3c32e92ef227aaeedd13ceb63a195f444732d5a281
SHA512 408197204119a79ac46863fe5b2dc31b0c5a6453440ce5274c0fc66a928f760a6558b0cfa493fb528a0c091c6578d4279bcbdb760a61812ff98824cf5b6320df

C:\Users\Admin\AppData\Local\Temp\PGkUYUQM.bat

MD5 4d4aa5e786602a1fcaebc4d1212abec9
SHA1 d44753364c0ffdc7bc627f31529dbdf6136cf17b
SHA256 041c4367ab12c2e5e9e8e21ed58b4c869c4f4062392527a4a2d298a5845caea1
SHA512 4ccb9e95cc9ed84a407d1cc5ac06a8a2404dc643e6454b8c7b05c33da047a1ae00cbd3db89441b6d9c9229bbdea8dba5d398fc017fd2c78b1f71bd4196997911

C:\Users\Admin\AppData\Local\Temp\QcoI.exe

MD5 a3b0f4b2373a63d446315a416e1a1193
SHA1 0917e629e9c06a310bdb3cf53a096e076a35f5f5
SHA256 1c166fe7b26d52535d96fd31de5f2430bec22d11a159056b4b39ef619142dbf9
SHA512 12862f1709935d1d526cc17462d7eab47f70a8be7f6b0f36ad91c26420b63c5c4457344392f5c347b4319094bf707ec9bedb9046636dbf25750807efae509365

C:\Users\Admin\AppData\Local\Temp\cYgM.exe

MD5 647916f970f2985632be91e6b08176a4
SHA1 a67e1dca28b1aa6674ae6b595d6ea31a52b901d7
SHA256 1f51a926497f23b13343c1a4d2bd234b677978718efb365fc9d8610b7ec0b26f
SHA512 e74742f06679d11e5dc71ae3422be089d7ea6440a03adddec79cf49dc43d620da5b82c0ae9c8012acd604929f829797bcac39aa522085aae601f5904e4464ed5

C:\Users\Admin\AppData\Local\Temp\UwEg.exe

MD5 17a8d8a8eff762d67dfaca6c54527ee8
SHA1 f3a5e1cc08cfaa92cf23cac9dfc5c2e890060e75
SHA256 2a96918d1a632317dbaf5fe05372169c3d91326177941ac974285fb6b1544d21
SHA512 d329e76c288efdedd5e3f23191d51d83e679dc985d6df1c49d093da17e2c28b679c4bb9de6f4b493d87acdd3bd7a41129595a2fcc3f6bd31724a680fdcb8e6fc

memory/2976-803-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qQMq.exe

MD5 15519f668b2c57a2565c12784363a522
SHA1 f7edfe96271be8c55e8b68e5d6e7c43b43b99c41
SHA256 614fd6bb7d64b5e544cce3858deeec4dbf7fe0a19654536492f70465989b5a85
SHA512 72c169ccc565c9ec6a42c654359267b8bac99cb62061a167399c798fee0c6bec397164838bc34af918e4be4c460c33af4ab3a184877b3bcd578ff53c99c13e6c

C:\Users\Admin\AppData\Local\Temp\woIC.exe

MD5 0fabf04b55cb2c562c9cbc4f84b09c28
SHA1 016958c4f1c1933c8bceec637389b2c14ceadfab
SHA256 5e9ff686e6ffafd36d04828733ddea0306a75f8899755dac3fc97deb764e2e30
SHA512 e41b7b2beba5dc223ce467abaf9ea829332e39de19f3b7bf0862978597968801f74091499af4366048cdb1ec2adf15900ee9639495d17c086ae429361021834c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 5e1a27683d428bf9bbe8d26f4dc62808
SHA1 f1cc36c27a150adcdf680ae7fab0ee2959ccdf7f
SHA256 e85cbe25feb4ba3e4399ccf13c80af484855957ab4707d8fe19ac0ec7fa10c31
SHA512 e92b6e3c15175fe1779848c66a0547fd5eefbea31027d9a6d7abc27e28ad87979743bbfd6859117430e9e5bc598f1967c8d12aeede3ea589aea9395d5a90aa2a

C:\Users\Admin\AppData\Local\Temp\GUYccooU.bat

MD5 35a537ea1eacfa5a004fa568468af0b1
SHA1 cab0e4b1f4f5e28fe33f69fcd7e370dda88bf1bb
SHA256 6af0b3021291bb65ecd5b58b2a722667d11c9307af46e0b67171f19358087ffa
SHA512 74771270f015ba5bf899f46375b031679da24e798e093d62e4a36143ecd8827513360da9615d9d39eabbb49f436ce843450fab453611827c1060a91361201636

memory/1884-866-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/904-865-0x0000000000120000-0x00000000001C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GksY.exe

MD5 5403de3ab4f95eabaeeaf02ce2e9ae8a
SHA1 1bc2449f07eb271d494021aee0f4bdced6b55dcb
SHA256 4ae31dfd46f51fc5dde621954fa5dca503fb3416eec5cab4b668980754542a1e
SHA512 eefb601cf19ae3280d747a561972929021b4740389358faab42ba6a336101ba8a523d64e04e0ded70b1f0199bcd64c2430b88adef8d1a188286f94398ac87b8f

memory/2764-888-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GMwg.exe

MD5 2debe83fa6000de52f124e9502278378
SHA1 fc58d4016d1ac83819ae39324a862c5c89e095fa
SHA256 ff451ec044ad1b8fbd60c7480fa8028242249c57aea3e38683733855ac82bcf5
SHA512 dcdc3554611accd73b786f3cf5ee9a6073dc457bfb2efa204df6ac98a67c6af3ac344c5bd7dcbcbbb0412b0dba8b27cf2b39607de6fb21aef3d501d29d23a461

C:\Users\Admin\AppData\Local\Temp\wkcS.exe

MD5 cc20d327ad385acba7fb0e7cc2bb0088
SHA1 7bad8e5a7455bbeec0f847527927903b7d15ba66
SHA256 fcc3f4d99fb357f54abe5ca6b7ae847552bb254ceb92cc3d64216cdfdd13d770
SHA512 11ad61b19b704206c56b3c6e7d3fbbd6163c76dbedb636275ac0edad0d0a9c8b275995951b8ce2201fa8c0c7f2aa35c70b946d7cf5c76df6cc8d4989c5c6f323

C:\Users\Admin\AppData\Local\Temp\GMMa.exe

MD5 e5eef40b6b0fcdd932e6f4303bc4804c
SHA1 6ceb76c80f1c67f3584f42d5fadbce154bdd4524
SHA256 1165b2d1cd12dfa9848c2d62e9ac4f56d7bd3ae5916c8eddfdb35fbd0b95d109
SHA512 414178f670f7a67e74aff80fb350364ca4c60bf0945d660d235bfaade9de16e4c39620ecc880cef05193e5d2b4ea4d36510e94b64d9e701ce943c77e38080762

C:\Users\Admin\AppData\Local\Temp\IQEO.exe

MD5 2fa69358a7c2ba3ccf799cb536482e22
SHA1 72ee8123312bcc36c765819f0c1495c6979fd8e6
SHA256 d10316c7c76c30de67bbe67cd433408ba40470d0c241f1250b565ef9d5ea9c35
SHA512 c3946b2abbcd72a96aa1ba09d04ea3bbdb286ec27b91323278d3e2fc0e3e1463c08dcefac3693ab2d715d10c5bdd30f938e87daedc06e3945f53e1195458743f

C:\Users\Admin\AppData\Local\Temp\UkIi.exe

MD5 4cd4d1c26acfdffc941e262ba8132350
SHA1 bc27ae37084301606819c1b76f07db9e8f203a0a
SHA256 ef3a4d0fa0061b9043daf394ae6912c19261bc0fd5258187c08e64104feb140d
SHA512 dd85386507bd2ace8871e9e3972c3555c7c9906bc231a0915bf793ec0b059c4760f5fb0c45410908166b7f1d7d49f9e1bb8de52d2572fb9e10fb0c53e895609d

C:\Users\Admin\AppData\Local\Temp\cWswEwQE.bat

MD5 b1a07a7e1be45d15c47af171665e35cf
SHA1 9cf779333932722b9243535c442af6cb8a07234f
SHA256 0393bab8d26ddbe496d56fa3b557d52ceaf3d0ec4d0c9816cbddb5ab8055cf75
SHA512 6762ce80a559f65b1e3e7403b58b3137cf2cba0c11bc4e73041125125a01860bb3db49946cb2d605927b1b3281b285c0cbf872b1fd84eead4b206643dd5fd278

C:\Users\Admin\AppData\Local\Temp\kMYC.exe

MD5 ee5c11974c333dadd941aa5ae07562ef
SHA1 a642521ce288f806c0cabf9db83fb5f8488335e9
SHA256 49a2f0a718daa948829219c7cecc6df81e3e01ab3e7fa50dca6af3b051c83f40
SHA512 17f9dac4e7c83c0c5792a2a572070ad595f96aa6dd542e776770064cd2d164c9713ca724874b578ad127a7543bc3ab6ccb4a74bdc228691279a3d8ad29ceceff

memory/1884-983-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1704-984-0x0000000002310000-0x00000000023B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kUwk.exe

MD5 b54cf81abed5e86c8b518dfe4eff003f
SHA1 8e8a746b846b0fc8f668296fecc2827b6acbf5b4
SHA256 1dfaf1662382b8b03023ea0b6939572b82e11824a48e90f7c3aa5956b03390f0
SHA512 26864ee054d166580fa01a2f440101cc9125ed8cb308db709183802fc41b6d9c92e8e4858aa902010093ad3c9b6aa378f6407e33c456e351248495050572cb5c

memory/2388-986-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1704-985-0x0000000002310000-0x00000000023B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wMUW.exe

MD5 e18cd8aec40daf626a0b4e87430dbc77
SHA1 97d20acb4d62c7dfc6aff3d9409e9a0b92d0602a
SHA256 ad0138eff1492ec747878f7e8a9e8dfd170ccc0be366272c1f3922ffef421427
SHA512 41d976178484de0d7762d053db93a52420cf28c93aee185e7045cdf49cfc9c27e6d53630244d36b3199255b829b93b3d21e90e51036c9e8f99dd8dea435bb9a9

C:\Users\Admin\AppData\Local\Temp\kEgw.exe

MD5 be41635b82a1f645e7aaa332cfc134da
SHA1 bd33bc9c42b184cdae2b1e531685915dd01e869b
SHA256 7c53c768f11be63ffa6e7a599e0b79481f9a69cdb0cf02d5d42722d6e270ee82
SHA512 2e30300ebf820652cc7fd9cfd1dedb81edc779ab57689f17a32443743c690dbee801b9137abc6656842360b37f156fa762c152f803973b44f30bdbb8a285ea7c

C:\Users\Admin\AppData\Local\Temp\GsYi.exe

MD5 74738fbceed4aa628601d2bfb8a0d66b
SHA1 6cad6cfe67faaa57383c41f367e6409ca4c6956e
SHA256 8cae6e183062d2500f8b37cbd426791e9b8cc67e74ebc6cd39bf0b877d422c09
SHA512 c5a90afcf862152cc5a80b48d9a27c75ab7c159ecd163c4fecb8351a66c58ee3d4c3b9515ef76502a305575c7dc7b99c5dee592785eb12af27d9aa194040a111

C:\Users\Admin\AppData\Local\Temp\aUwS.exe

MD5 6477954424a63a4b1110182c05d59590
SHA1 dea4381040b43015bc4e51840406a1502b7fce75
SHA256 d9414cd6213d4acdb1d4f8c022342a610deb3d1b667da5a887f4f87a2ddc67f7
SHA512 4acb1965c1f484a7b753f17345c0985205ebab209eaac010c01b05c1ee032101c8ca218b4cc5eff1c73e5ef4d5f084d1aca87ba7ba7b2052ae71146a51d4b3a4

C:\Users\Admin\AppData\Local\Temp\MKcEogsc.bat

MD5 48c423c165e85d7aefcf7a1e7e9d7a23
SHA1 01cdadf09c562f856888280691e002dd3d9aa817
SHA256 d5afd8e7e2fd56a3089722258d4b372046e707b84da11ef0483d44753469019a
SHA512 b218ea78ec516219883274b92256d827c34b3924b7b74e1f4c335aa2bd969ae7a3bf93185f18548e95a37e24de90c5b1d38ed8fb6749b547fbbb191fefa53deb

C:\Users\Admin\AppData\Local\Temp\UcYq.exe

MD5 fb14a5ef4e4685a8aa06618b18612a9d
SHA1 4b874e1a78a4f801f28b7f2e4722798fff820a33
SHA256 8725b520f2cc12eb3bf7cb8be2ee6926752784ee37dcb8bbd5272146d91dcce5
SHA512 6637dfa60d380bf9a42cc6f5286a3d7b6c10aed063749a4dd5cf5d5a5ebbc20b19e84dfe0b0dee0a659ffb04373f20c4db42674daaa8bc5470d2b5b22f395bf3

memory/1404-1083-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AMoQ.exe

MD5 b231bd74fb735446d90a85edee2523eb
SHA1 2b168b5bc7bac0365021ffe8b46434121e6be530
SHA256 02679f8cbd8ba15c864dfbd94f24846b5104e7e417ac4ebeefea33d734140060
SHA512 33dc20fa4b32a46c156ac216d61fc35072c7205d46994b933109abf37d362882e1496681164189b8c96c0236279a9010cf732104272216a52d98d2987d1fcafe

C:\Users\Admin\AppData\Local\Temp\YksU.exe

MD5 f7a50ee475b0cef0828e1d297d791a98
SHA1 2f3bbcf14f4247e975159e6f393f906fe27f1f44
SHA256 11d0bd2e052b5bf82e60e425d9cb940a75bcc68558080a21f937d56e20dd5485
SHA512 bd117b1225ca185aeb43efcab60958f7eb3334ff41b11398ca377a45b989bc6b34110ecc73200fd65da9a44d9548aaf676426807efe9a3da346c7967a02179e2

memory/2388-1082-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oYoc.exe

MD5 1387a2d83c6acd0cb0a794d4b3900e40
SHA1 12c80055c2a6194597496075c0a5516f598c3cb7
SHA256 6c67ae520b64480a3966bf0da45830f40e147e05478c44d9429d7608b47a3ddf
SHA512 bee0dc1c43be499644591710372e0517741aeacef7c3ae5db7ad467c23fca967693ed7b527bf688278d99914316e7fc8f3bd824d17e430af203e504f465ea190

C:\Users\Admin\AppData\Local\Temp\MUcA.exe

MD5 f02843674264734e9b07767689108711
SHA1 80f1e3d4c6e84e6b8c4611625c60c44ba84fd4c1
SHA256 0e540eac0da3cf7a5e38bf460e04119edae457186efcd755d3913959219bd2e4
SHA512 ceeb8c580e08f3b01fba39ac49a3b7693a3958af2ecd9faa23225b747734275a31ca5e5ac5ab8832325c9218450ac02557e262773609fc620495e46ed8d4f802

C:\Users\Admin\AppData\Local\Temp\siYIsccU.bat

MD5 3693126d6bac7d449a812a02c9ea3055
SHA1 43382d00b903d829aa3824d8e108d09dc2254704
SHA256 7fa96498156da1cc7df26ee8d3047405c953e4d3ab227961a53dbd1ad26b5801
SHA512 2478bfda0f5b62dad4865aab07feccc7c8633500dc6498a94bb969aff1a155cf5b48d0b78f5e39f716829b089a9797975ecc96dab6bed8d8d4c58722c5970dfe

C:\Users\Admin\AppData\Local\Temp\GUsY.exe

MD5 36cecbb4dbb9349609380f345375e4f5
SHA1 26b566207246f9f2bc5eec56456c56e9bcdc8b51
SHA256 f94cc3f0371f387a47e31b83d289ad3fc6693dd2c37580477582371d9012a931
SHA512 b07abe18cca32be6a6439728d7de215dbdbaae0bc50749b58f76e737f051282ab1aeb01c59935d6219fb526696633f96b718efc1ca80ce4411c912ae9f0ee28f

C:\Users\Admin\AppData\Local\Temp\OAQw.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\YsEq.exe

MD5 6d7026c4a2d26335d455bc131e5a608e
SHA1 28bc32c8c12e13ccd8ae70e1137934cbe8285a8d
SHA256 3f1aa692b1df68f8f5953a1e9d13e32b480dbfc1c5f8216671286f245cd429de
SHA512 b24ba4aec54bad1fdf57b2c4e34409c22e3efd9d4aa7d30b0201e21ad46df3173601a6f396b4006b02cfa8a0e9042ddc4b616757c0070244db506c53209a6e8e

memory/1404-1193-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Kwcu.exe

MD5 7b789cfffb7f42a181a86824db7eecae
SHA1 fc78fe1b1cb9f4380a479516b7f694d73f1a3978
SHA256 cf9b3a63f5b8895658b456c8c5b1dc8a5de8bd9d5ca773d5e99bbf47c1c7d482
SHA512 cfe7a333bcf2df9ac41dd54792f821914b403f334cf7fb80190879cb3c95365188cfd696ee8f459f7055a57bfbb72cd96b1381f1abfb88dafbabae05f88e36e9

memory/236-1191-0x0000000000120000-0x00000000001C8000-memory.dmp

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 4215e496f81d0d7078cebc2644f0b2e4
SHA1 66573afdb6dce654af8fd48b8b58c53fbfdc9125
SHA256 3aab569366a4002036f0d466ddcaf2857200abd18fab65a0b21b1ff7d89c3326
SHA512 df53c9914a957377598be87857ea44fc87e13fcc4d36f654e4e3f5fd444e738e54f085d186a72f969a2a585c8b2e8602d64f4e4c68aac968419431ee6f6f0782

C:\Users\Admin\AppData\Local\Temp\QIoK.exe

MD5 60d42cafba7918859c780614a021b4dc
SHA1 3a49dddebe975c86d97fb8a596fe821508c79fbd
SHA256 3d96a99007f4c7b458052d4793035d0d1f616f1b088ef71aa2840e1bad3b6bae
SHA512 c6f8565d578ad0ce227947cec5597fa939cd6e7153fc596f5816962f7236c621e3de915ae1781ed01ac2b62707bbb2d909d80409ec1d027367dffff787d0b501

C:\Users\Admin\AppData\Local\Temp\CYcq.exe

MD5 55cee43ebac4ac4d8762a65e343d9726
SHA1 e545341fc588abacc2b17f7c2a321c8bd0f6ada0
SHA256 7ccd57dfbeab8112e0aae4875caed50d07969c32b317166c4069e4daeca0f25a
SHA512 1ff008cd646656e8c933826d400264079ea6e64cb0c62c9157c1a075d27b19f260c4be7d7fbfb4edb4a6286935fab58893d329ed45a20f004fdb7105c61bdf24

C:\Users\Admin\AppData\Local\Temp\mkIC.exe

MD5 7fff7b4d40be837ead5beec0aad48cae
SHA1 33a3d6832b943b1226199ee46ed97f824cfa080c
SHA256 1ce20a0222625fb13b83b7b3e001da8be02b655860e29489df73125762b90d78
SHA512 af596b459ab60a874d3274aeac7dd0a54cc3500fc76d170b6550d83e3f1b549cc810e3db4bc5cc6da12d7481739f095b366c78400a25d7e9c7d7948cd25da22e

C:\Users\Admin\AppData\Local\Temp\lmkAYUEw.bat

MD5 8d208e3823bc1fef01c983bab4a699e8
SHA1 641c16a9235b935545e4a295b9285d8d6388db3d
SHA256 09f38b9abbbbc7cb7c772e1311efa11bc9d824f616898f9a96fc5f8f456ddebf
SHA512 0567ea772e83abec9daad908b398093506fa57f91a2771719d3934459345a9edaa538a48639132ad6a47d7c65ab8946d4b2a193917a9ff919316ee19862f946a

C:\Users\Admin\AppData\Local\Temp\MQoy.exe

MD5 082b5b962ec51462fb2d46b3e40ca8e5
SHA1 b04757d0751d9578218073846b54b8c0b5a80161
SHA256 f3f9fa726617304ded8780d211091ef06fd438c8e9afedddf0d18d403e704cde
SHA512 9b322d4aea89ed90b1e6fce7ffc7208438059e7af181f0dde985b70f42551988d2243128ce0d53543c2f844f2d53141e6813fc00f128c70588048e58f07afc5d

memory/1632-1276-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1860-1277-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qUcg.exe

MD5 8f097768cbead77a2bae9957cb9cbfdc
SHA1 6e48583e4053b00f1ed41d653b67e9b2001d129c
SHA256 e033aaf0d6b1bc3cb21a5ec3b3976fc11ed06cf7214f9538edb0a59ad7f148e0
SHA512 8bdbdd973c708a950196d30b09f8bfa7387b75f4363e61e21f9ec3622f977634ae5574413d885237429478c806a04d1ebd5a317354846ee61a6f4aafc01ada5b

C:\Users\Admin\AppData\Local\Temp\UIAi.ico

MD5 97ff638c39767356fc81ae9ba75057e8
SHA1 92e201c9a4dc807643402f646cbb7e4433b7d713
SHA256 9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093
SHA512 167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

C:\Users\Admin\AppData\Local\Temp\YwIY.exe

MD5 76fb088c31fa1ee85f3a824f9b908663
SHA1 2beab722a3f4b19435c9b50ff4acefaf444e9d27
SHA256 b209c3f3a79793e69aeaff100683d1f470abb5f18cd2357ae9d2e81c517edb46
SHA512 ca464ed1233fc8b28ad10e1d8ac2878565b66a119005e2781d417823254182169ccab51bfa9890f5d0fe45c7230609f00198cffb6286df7faf108e3a64f1d321

C:\Users\Admin\AppData\Local\Temp\yUgG.exe

MD5 cc11f9c5a20122957966d03bb8f46b37
SHA1 6b9fc812eb12b332b75b0d0eb3e8d969e46ff364
SHA256 889e518062e90e0c17ee54bf0b16b971706f65fa5c6d9b2b9fd5d1b6632ae514
SHA512 5434742868e52d7ef3edcbc5b194738d459b4cecd4ae1fb9b4a4f7ab85b0a1ef15b493dd17673b09f3580940bb11af3d795f9d789f16ae4092d1b3f01fa324b4

C:\Users\Admin\AppData\Local\Temp\WIIq.exe

MD5 55ab619375577104554a7d50685e5d49
SHA1 46f6c1ebfc9918f1da45d089314bafa0486a5889
SHA256 fc7566faaabf33d36ffd56803ce9be488850422509f67b1f79e61a29ed1e246e
SHA512 f94df4bc8328be38aeb8aad94066392cb6f7ec03e3b2d87097a2f5fed777b6af644d03006ba253173bcfe64c6ea90b5f393e7901d8b79bfbba8fb1b8dadd66df

C:\Users\Admin\AppData\Local\Temp\WUIk.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\igUe.exe

MD5 98919ee30b68f27799135dd7345bffd4
SHA1 84cf9ab4a4d117a198c4089168aaf3e7b205a1aa
SHA256 95379e18f691ffdefe119014108c0738ce0e668b376e3aa58a41fa753eff4cc2
SHA512 d57aa9d13108816f1f2df0a6d8810ef1eac27a00a14b1f61d81bd93f89629ae46f641ccc954604fd43046f7369ce2918c046af2d72198adfa3574802aa52c064

C:\Users\Admin\AppData\Local\Temp\kIEc.exe

MD5 e49e09a0665bd7e539259994911b5c57
SHA1 b09ae7c6070f09b14a9fbf913c88fc532d28a1bf
SHA256 9a3a6fa7f4c369fa08ea6a117fafabfbec765b7a855dc9ba470575d373d47d88
SHA512 31307ee6dceda40c39bc2520058667ffa80af860a5abe7270deeae0ec75ae6d4b069ab903c8a94075ea5f11f707873f467fbd28740303c843441b90a9841d81e

C:\Users\Admin\AppData\Local\Temp\CMUK.exe

MD5 4438762851330f230ffcefa8cd53c6ac
SHA1 81dae3939f9904f0d2a4d9e3185e90c4c596e17d
SHA256 85b8b78c35df81ef491c128530b970e62436ed5f3da0787d5d9670660c5af90b
SHA512 bcb9735e83ba15de069093fbce3bc6919e587f9cf1a263fbc49949f396344cb7c123fb0ad956b8fa2a3d0718eb2eb6efcf8e140b758be7a01469a3c2b2e7e67b

C:\Users\Admin\AppData\Local\Temp\yokU.exe

MD5 1f2e465b11bc553d6e59b002e6b04a8f
SHA1 1d42ac8f57ac2a6d07e9417b117431553fff6346
SHA256 f5c03f62dc5c976af77a491fb3eed4c5273e6220908df65044e3929f78e839a7
SHA512 e8486da0a15d1305a3bd888f04acaf11c643a88640621dc36c2e8b90743d0f2c811d69a55d084be8cd3634c963a708b34b7e0506956e7d2984bbe2e10a9b900d

C:\Users\Admin\AppData\Local\Temp\XMoAUwQM.bat

MD5 89e17eb9762a73899b7451fa46b2c44d
SHA1 b2a15679837f47dea4a880b97b84cd0c8bc77ca5
SHA256 1638444964cc6671f4f3a14b91f4867b2a4815f3ba24390bd8fec8bb720d0879
SHA512 03c8a1afddd49ae3f833f284ac17c4b0711f72bc4c12cf872d8e0e59ae99d0563a562be1b6514d6437e8329bf9bd7d3b849a00c63ba6bbd6dcab6ce9ab31bd20

C:\Users\Admin\AppData\Local\Temp\Kosm.exe

MD5 222816a8d5f474dd3fe3c83358c79da7
SHA1 7d857a434ef089c0a34b06ada5a5c573b6a7fd25
SHA256 8f604cc2784a3551caec6bc0ac3607c0fe4cd30f8ddfd50da1cc1369dcb0d899
SHA512 85f04ba8ee36fb7e12d528f97860662c4491dac00cd049601490c5297cbf5b97e91f96f3b6635f5f2b37e28a6bb1e001387774a6113075dbaf887bd923984237

memory/1788-1407-0x0000000000470000-0x0000000000518000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\coEY.exe

MD5 b68739479d227c32e1965dcf213a4047
SHA1 55c20ddf19e7c87fff7388dfa8400d1eec036184
SHA256 2f25a63a2bcad58c422e022a48408e5e79e8b8ca8ea7eab31f986064b75630d4
SHA512 130b5bc4a626fcebfa3815d8df709006479ae6adc5d22a94d872aeb3e430b71a7c6bb37bb2ca38f7ea0fcc85c6b32205487a9010fffd2fd8a5934323ac26bcdc

memory/1860-1432-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MEEe.exe

MD5 a76f13ea4f1cc3079b8f92915f4d1680
SHA1 8a4fc069d552e5e8f7d35c148a65fa4fef8a0392
SHA256 a544a6fb33c8cd1ce67d1e24c51f6858c2358ccc1bed8f4a30de545a6cc0680e
SHA512 810a13ca9af8f8bdb4f96b2f902618e88ef23b000250c874f6ab8460f4c91473eabd1c328d474c8a8aa6669b75a1831bd2f7228ef31db0f28b23417fff2270c7

C:\Users\Admin\AppData\Local\Temp\qQQe.exe

MD5 6c79a542ed4f87479049bcd357280504
SHA1 04bc9c3d12ca1d04b6e535c131ee4d5f909af584
SHA256 eb6d363ede03732922cb751e51a9551cdccb18b69ac5a6ee3745559821245b97
SHA512 ab62aa6371acb5cd0c09b2cca7993b5a554ce75cbbe0254d0cfa65c624a4275c14469fde4a710dceadc69f2b7c92728423fa9d55bc09e6ef98d120500b27fef4

C:\Users\Admin\AppData\Local\Temp\yAki.exe

MD5 d84b4f3ba2f032dca910e7107b65952c
SHA1 902fc51e2b063fe3fab8f0e27e8d323cb434c6e2
SHA256 7241ad12f10b2dc6a49a097578ea9e1341909f0cf580911c0c548140d78347d0
SHA512 21b300368b1e38af57adc7dce2b64ae9217a98eb8cb12ac64241678a630309dbbf9db5c85e510e26de89616d5a2609c258be8eacb241335c5c910f37af0d97fc

C:\Users\Admin\AppData\Local\Temp\sEYgwAkw.bat

MD5 cb878505f018f5f15b3728103acaccf3
SHA1 7ef37f9a97fbd9a64e645695b2952694c7e565ee
SHA256 0a9108fb8642efc7ac969451851722229379f56243aa051521401dcacece9079
SHA512 897b45b511a734aaccddce6dfb6d42ecb2e700c79079945d11b2372c1adb1342eb8fa170a6e8e6d9b3a09c7b1a5c518eee2be1dd7012b8c597c6f3c6938fd15c

C:\Users\Admin\AppData\Local\Temp\KEIE.exe

MD5 ff9587456967aeed9586409de8b6c53f
SHA1 441b4450aa664f9e8e5d85e84987d944c7855780
SHA256 d5b63331d83aa82e1f0008740e6c0c5f3cdeed9ed57b09437c1f14829c218987
SHA512 4bb78fcac8d18f29edee0eff71231bb48a0d3cef63c12b77bce54d3600c248eb233589e15a612501fab9f416d53946a8b5bce6558eb654cc83b1ee05849f0d37

memory/2624-1504-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1984-1503-0x00000000002F0000-0x0000000000398000-memory.dmp

memory/2628-1516-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ikcO.exe

MD5 d7a73a5454e59f6c06da6b493b7da05f
SHA1 b3637fca0618ccc8755e5d952711fa3327f6f5b0
SHA256 679e3b8c81471f0887f5234db824a3d420ac1aa2c6225b19d66260da5dfc8611
SHA512 195af7825227facd02e476b1fe5af943796d7cefd0dafcb97dc046f9ff2a65301cf4e6f2aa1fadab01a8d38c6ff71b002d7db6c6a9ca0808468b0083ee768c67

C:\Users\Admin\AppData\Local\Temp\yAMm.exe

MD5 d739665b5f409c26b43e9f902db06d6d
SHA1 dcc344efd0806ff4872d9709e6876ac998fcf30d
SHA256 63ff80d3033652afd340a8b142132101c4b09cc897caad723c06774fcbe0077e
SHA512 a2979a24042ee8e6dec91a8ca3da8a965c09eba9d6e46b744bd645389585e63b765d3a809e5971d6964b15990f49ef24578c10e2e457c82f64797475ab934160

C:\Users\Admin\AppData\Local\Temp\oAQy.exe

MD5 4895604cb9580a65fd421df27bae6cba
SHA1 57f3808c1b0caa62b60fb6d1cab8be687f9bf67b
SHA256 2119813b920a97e6e35692ab35c306364af11aeb37066b04befb02da4d70926d
SHA512 0157fb2bbbff644d62ee3f7ff9f70b6fa7a793d608ff5365894fe10ec744a264b2c9325db33702c3583673fa48faf44e75529bc488ad601eda5facbf13794d14

C:\Users\Admin\AppData\Local\Temp\moQgoQUI.bat

MD5 1e8a2c6a883ef921828700ead35b31d8
SHA1 06778915256b597f8265773ba323113d19ad0323
SHA256 47d3c38d701d37fc4b0662ec32130c6476d07ef50e6f2cfd56d325154a64cc04
SHA512 9bd4bbafd233e8f2ba0b5a7a835af0fedc9e2fb85ef3161ada18c564a232acc5039ca31c30480bc287c73a0a9cec3cbe32648eb6fad04070e86edfe442e017d9

C:\Users\Admin\AppData\Local\Temp\UEsK.exe

MD5 7e2ebf64450906e36155896f50c90bd4
SHA1 689bef77c1c2d21f60826492003147c1ee21eb09
SHA256 cfd22f9bf9a7bb6982b54ddcb4596979eedf1b0d361b50de3a78d0e2a9fed89a
SHA512 75a02b68628b4a8cd0c1e87897f730d62d92aa40faab8203afd1442779bb540368e67b1cdad4d2c27ae8537a8c5dc8d2b201d5c68e4f7cf66289493f07fe5d56

memory/1412-1588-0x0000000000160000-0x0000000000208000-memory.dmp

memory/1412-1587-0x0000000000160000-0x0000000000208000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yMYO.exe

MD5 5ac54e66efcdbda0ee9c73b762cbab16
SHA1 be870b119bc9461f6a0f0c694a913de5eea08f87
SHA256 d8d674b7de5ff3f71b9f727071ffb41a4473a22620f810cab21720d0c05a9478
SHA512 e8122e6ee3ec0649f9fb7227c3fbea56f099f09f7123f2b316ba49d4f51b940e290ee6810cb38c80f9af574049728b1da76fdca9a3b9710805cd754b077f691c

memory/2624-1600-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ukks.exe

MD5 7abfe22d3ff73be0b7a2ffee4e636fe9
SHA1 3bc7bd9e24d78aefa0e8d3c181cd9fc4879d3405
SHA256 554e995a258e05339ec07c82e968a3067e5936abb73e4bcf0750d9505130b80a
SHA512 c08c59ae83f32728bbd98905ecc745c2c1d5d8dc5ec610077ca215572a8bbfefb5b8ad1cb86f535ea0f5214615b2b3ad18eca11176fe00c02ddb0da52d33fa16

C:\Users\Admin\AppData\Local\Temp\GIYYIEgI.bat

MD5 5b344bc80bde552fc4391edd2ccf47cb
SHA1 1dbeccf66f96a9d3ca4c6a3bbb385ecab0d3e044
SHA256 8cf903130b0c3d7c29f112f8255056d2037982ed0d664b96811d043a170e3f4c
SHA512 ab48dd4b4209cbfc804b98add60435a8859e500ac4965c5edc8526315720f1eb77287fbac2516c89a68d5a8a2ad7c50d558b6a9bb7c7a993070eaebbe998e3da

memory/2740-1643-0x00000000022A0000-0x0000000002348000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YwMi.exe

MD5 03ededfebc93edf11c195dad44e61269
SHA1 c72a315e18f39c0452b8991f7887d477fceb5c66
SHA256 152723e315416a58101871af6f6aab9b62cd19e57d48f8575c09d9bc0b92524c
SHA512 fb7bd530764079546d3b0f3fbe54783c6eb73113e6fdeddff8b86af3c1c980a81515600c1a8bafc55fbeaf5fa678ecb008b722d76b43e17bb2302faaf52223df

memory/1584-1656-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iAUu.exe

MD5 837a9cd7674b4ccd4d2000ecbbac21ee
SHA1 0c8fa7e33e5a2c86562b5b5dd6c990ad8966c997
SHA256 38a93311a2130eff48e2b532da0c9cb9a5b55cba7eab98b5e3cfce8b94373939
SHA512 66e564cdf47e0ab1213fed1f7a983df2ac1e1ef33d1b97d740fbc787b690d9986d7b5621150ade7bd9b2511610c283f4e3160179d48fa1bbaa7180d2ee4ead60

memory/836-1668-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gckc.exe

MD5 6f75d5bdc1db350bc36f34644b1505c4
SHA1 b28044511b1bd2af031a8db72dacc86a5e13b750
SHA256 6a84f72bcbe70a4eabbf73b1cb7a9ee50cab4d674cce425a23e652a914a492f6
SHA512 df12404a1db32f97eadafa0bb94272d36c5037e90c25b5b27eacf36cea1657af7ba6bb909e29616e3fc724aca2552c63cf9f1745883edd650025ee813d26ff15

C:\Users\Admin\AppData\Local\Temp\swIcIYAA.bat

MD5 c57e65ee2222a165a16569e35c1abd9a
SHA1 586bcb3455e3707e939b3fedbba1795af24715cf
SHA256 f53f13aaa4328c40b116cd2c5fc0abdf48f290c6c6a31b22f27aa81065ddc27c
SHA512 38bdc7571fb898d21b2da6c0ba0cb8f1a9c6dcff4173bb3853ce8347a38e131578f8f8b7d21df75897610da88a6a09db16e86b1d704e97b56c12061bf77e5ef9

C:\Users\Admin\AppData\Local\Temp\mAgo.exe

MD5 bf4372445ca75ba0534d0d0e3e34b36a
SHA1 a67ae74deadd5422956d28cdf56901fe173ac854
SHA256 ee8958566c697f634b4bbeea36c9e71623646d669c573b5ba6078662b7ef357a
SHA512 2118dadb8a26c412cfff1aca0daf206a49c2d6f50967f4a69f76678b8e736e4b8bf2d1dbaee223a6144c3ce6dc848fa112f7ea763598bfd24347981e3353e6e1

memory/2984-1723-0x0000000002370000-0x0000000002418000-memory.dmp

memory/664-1725-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2984-1724-0x0000000002370000-0x0000000002418000-memory.dmp

memory/1584-1737-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YkQU.exe

MD5 98d2f718d4f28a313f242f5af3c08722
SHA1 6be283fca7d093563d90a9a3fff74b964e37e7ca
SHA256 edd872a30c31224db1344e3ea69424f56050b7250ff21bac1befdd4ac11754fe
SHA512 cc2581232c7231e9cddaf234a225b8eedd7c205e06304aa13162fe247c76caffe99af9e4a085fbd33982064623fffcc4c6888a8c02ba21ea6bb26df052273257

C:\Users\Admin\AppData\Local\Temp\kcAY.exe

MD5 e5707e2c477dcd5e9a23ce6dfb5c8349
SHA1 4ebaaf466d38c43f09c86e8146c65d8c69d4089e
SHA256 7136f6d9fce5957c080491e08eacf3a7e0d57f3dae56e63f05bc05fa4a9fe3d6
SHA512 70d7ebf42bc439397daf2a6646e3d75c32c9925a5a36606b96094bd45f12d9f86d23831e59c5bc7e1f9718fad08f71e93b4b8842e5fc4523df8d60af503c3d1a

C:\Users\Admin\AppData\Local\Temp\dwEkwQsI.bat

MD5 ad626f4d28617b8af709cc729e627ed7
SHA1 98d84dabbea3f632602ef9c2968a3c18aad3ddf3
SHA256 ce13d6329bc0670d7e92c403dac937167e6ba1402005eeba915f57daa63cfc65
SHA512 7e14487bd0059fc7b4c93d61c2486ba39eef769ad182fce8cebf69d6f1972e566bef99b3c0f15650dbdc83bf1137e4fd9e11c4c3e60e6e71edfd648d259d9d82

memory/2540-1792-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mwQo.exe

MD5 41800aefff274ed9a546e229699ecdec
SHA1 c0c2a80bddcdfe099b4ea03ad383abb3ae1f7a60
SHA256 fefd07f22ebc998745911f125a4292aeab0983a902ca1b9f83185a5f3f14b5f0
SHA512 2b856e27b01531990e50f2e3aa04d9cdc75d2ebd0f2e287a87dee47a6c23e60ab9d2b1fff591319a76d40c59748d0f4d65cd98222589b7dae40c5e8c7bc4b63e

memory/664-1804-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aAEY.exe

MD5 468e27a28f37efed52b3b29bf50a5a25
SHA1 2c5627f8f77a72fe62685306145b24f23ee48e25
SHA256 8d7a6c98b1f25864b742d0eace1632e8abea53710511f7ae628f0a996a353d7e
SHA512 97dc8ba0b807258f39bd6adcb1194ed5852b01fb2ecfd993eaec1815b235d79a485dfec61e48b7ff6c906fae2d8d413c602aba9215df5a2125158a989345da3b

C:\Users\Admin\AppData\Local\Temp\OIAM.exe

MD5 b4e53e9373ece9ed74f868d6ad1a423b
SHA1 567f460f334e1dbc84e09781707ca9cf9d26573f
SHA256 6b2fdce5a8fceeb9ac7ee151027df14bcce847a94aeae83dcf7e400a720b1ece
SHA512 ee8a34253414ea82b07790e737562852305b97e9650d1afd2809e892731c6f4cf3552a081d37e19becfa44af226e50bf5d612addab89c11dbac8be251c2940de

C:\Users\Admin\AppData\Local\Temp\DaEsgcIM.bat

MD5 ab9f9abeedf61a3946d25a0cbb0e6281
SHA1 1d4fc42a1e449555ec3262380db4d99e1335a2a0
SHA256 8b78c1f5b86240dd8e258691c890bceea1a2e5382c3cf384a723e11bd0c17bf2
SHA512 30573deeee3b86782c80429da82ae4a801781fcb25d905599d013e481cd4b7409eb6fad63ed93450ab14ce8c3c1ce030e4ce8e7c486cb98620cbfbbc981d2c65

memory/1900-1846-0x0000000002350000-0x00000000023F8000-memory.dmp

memory/2700-1860-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oEkQ.exe

MD5 073056aeba914161502918c429dd95dc
SHA1 10fc78f7e69357e451a45050ab4f1cf06d041006
SHA256 fef5f61ab39330030e861b59e3fc821123f123c486305a40b70227e518812192
SHA512 1cf1bd8586324a5f27e95eeb02bb1cc46087e7c30fbd89905f3e1bc1fc83aff03d0087cfab24ef3774abfa5cfb5c8da8c1e0af8c6409daff760580a94dec8ce4

memory/2540-1872-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ocMY.exe

MD5 9d78e0f319c1e40d46532cc0b748e0f3
SHA1 4b752672fb938369b6bec3d9383e60d59f9a963b
SHA256 ff3f5d836011d9fb4d4703df7a48ba1eb30f678aa3519ae1e865d15cffee66c3
SHA512 d45b70dfed401bbcdc9f7c540cb2601d1857389e7f1ed47e83f6d8d18c7a39958068738c07b3e4c2cd50bd82edbcf8c05b84555d8c553dabd65a106998511636

C:\Users\Admin\AppData\Local\Temp\QcwG.exe

MD5 612533703519e3829fcda4af118f0216
SHA1 ec451d71510cb41128450e7e86008d54075614ce
SHA256 a7125aad09ea7b3bfe0db6c8e5f159e60c03a68e02e6c3c45f5ddf0a34e83b00
SHA512 ce32a7dc16abce47d6317041ceefb3d989bd84c303f50879c1fecb66adff57bab040a70c3baf05982152918ea0b60c82e1cc6c365c4ecb9d4c593d5020af967a

C:\Users\Admin\AppData\Local\Temp\JyAMooMY.bat

MD5 4c4231f527f11ddd977b5036b20ffcfa
SHA1 e91f08a58d66c18fd19c23329aa0b6d0d723d448
SHA256 54d18fad275c914d36771466d562c9cafaabbd16c631ebf9eb00f94bb08e825b
SHA512 d3f8afe4a308bff0b3fa1615f70adde68a96712181fab99b4b76e4fe9233b275e421b1444f888331eb58f1ea9f865165cf16d0020d0e6a8da92ea7324a4509d8

memory/2660-1915-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2588-1914-0x00000000005B0000-0x0000000000658000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qYso.exe

MD5 c1cd06f0664a5da3817558dde7ebdcf0
SHA1 2236cd0937034617c6c7be37b3f07dd8b667008a
SHA256 e324be6b3631a31c9718c096bb013b3fa73fad6cbdf55f686620a417535351f0
SHA512 f6c7d8a6f832854f828e572680aa1922610b0f0ae60891f78f2332c8bc7ca93b3b701b63a4787a35a3789abd52ca2af9bf2c5e673dcc7007eda6f7a7a706be69

C:\Users\Admin\AppData\Local\Temp\yoIi.exe

MD5 d1b1067d2ca5d7496203f5c3597f4f45
SHA1 8c552b2c84e9d1ffc9b60dae14706ba443d83851
SHA256 3e9bcbbdf7023d8757cff2dbc50395542a55b1906d0854bc920c9c76416a3770
SHA512 28ff5120bf3d4f72b908c37b1fb83f4463dd34ba17663b5d90252f9446ff9c7bcf798619321833a35d69b35286394d0ee5e208717ce8ce6770dfb346c0af80bb

C:\Users\Admin\AppData\Local\Temp\AgYC.exe

MD5 bfdf0007043fa80694a60e1c37f91885
SHA1 9fc63a6bf39417092036a90e2b35b69a52eea364
SHA256 9df208b3600f5cd9f5cbd0eea3ff027f95b8f1d51ba59a25d1832b427b999690
SHA512 b9848d6a569f3134a3373702ba05afc7d3b6ad9ec8c6692fdc59501482182542c9a66ddb01420d5dd1286e1d4634582a0aff754098fbe5c10ec825dbbb3486f4

C:\Users\Admin\AppData\Local\Temp\ewMk.exe

MD5 39b438c047616a937a2b05b149c5dbc3
SHA1 d5c5fdf5ae5ca6e02a5ff2f114afde982c6edd2d
SHA256 a9c562243df464be2512f3683415c82a9896fb8c10a5c0ded6ad6cf12a3a10b1
SHA512 6276044626d866c1860549bb1dce2063b7b770ce28520488a0a27c41bcfebf8a2fee3b66734879dea2b3182630152654e1918926158d153e4f15eb749947bb35

C:\Users\Admin\AppData\Local\Temp\vKQIwIQQ.bat

MD5 7d30d056211b87065b78a267c5ad75d2
SHA1 e3ed1cedc42bdabf1b81efb833c65ad8b5622f15
SHA256 482ec120e8bd60f376124e3c4344ab9c97517c6ef5dcf7e2dc2c9d1109fbd3c8
SHA512 4ec468330230361ef7f9a344f1c948c61877315a0ca164540d6d1018ad4cc4986c7150e524c19f5006a05d421e4a45e8a624a33936d063289883b9a19745f384

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 faa7c73e733f506c9a6a4a8a7ec5b646
SHA1 60e395d1f5b70aa5eaf55a5c7b12c36d70b2280b
SHA256 a2215cfcbf5a13ad0eff4f777667ad1d9c8baaa53a420e72fe34aa63a7294492
SHA512 7ac0443c3f1c77099e2081116f4e1d7a584838e7013cea18e78c8bd668677a4d1e686becd08f6020c3e5ab102fa098dc3b63281b039265c75d94f480c74c6da1

C:\Users\Admin\AppData\Local\Temp\Soge.exe

MD5 405611c2c4393e67dfa764eb012d3694
SHA1 30b9e5d14eca7de5c65acfbae7da61db921d0066
SHA256 3ff1f4280d82d9e96a91ba5872ad3a44f9f050fef66614f57b8cb774ad52c081
SHA512 0dd6166a7f9c88ab4f5251d5ddbcc82da19d65f775f7470f50eb71c3717a03595f3c0ea53b1665475ff1adeb05373fcdde32f0e55a7d677fee19f6ddad3027a3

C:\Users\Admin\AppData\Local\Temp\uQAU.exe

MD5 d5e4e5394862e6f2c857f57cf616b517
SHA1 c1c293928e9f6f794b72e24ca075a224f4e7a6fe
SHA256 c80a873742604df5e2e2cd40744a56bfbabfeb3102e9970d34e54343ec5c2cbb
SHA512 422fde59c4847379b8fe5cb7da2e96ec10cdf3b4903a53d0614584cfcd00ce52e431d49f19535584f31086cf704e880daea30f5ac3c126012236d73493a2c96c

C:\Users\Admin\AppData\Local\Temp\aIEE.exe

MD5 73673c0409ad1b40fb80db886faa3274
SHA1 89a03f66d0f15dc0115f04018b489a0708a5d8c1
SHA256 d5d1cc2393beaa86ef3ec0f15ea9a25f537a18de582db76d81b165d03cd4e60e
SHA512 2a48deb393f1539615be17f0815a3d3ec2d6f1b3915a86ce6b390700731a34d25403ebea2cfa90909b07901de3bbeee7de68f66ee0e58f9cefb4bd749d9ef276

C:\Users\Admin\AppData\Local\Temp\gQsw.exe

MD5 e3e184963e8f86b75314afa4c0b9c150
SHA1 867e1f8e8d9103621e0cd5287534c09fafe3192e
SHA256 e5192f1abcbe3e0e815dc7aabf1ca534ed946d52073b973998c41ed9574d9d6e
SHA512 a84891b97d609600de1da149df65049ab52e98ea87cbb9a47d47f7394fdbf9c74bcb7c0a05dc00aaf09455a3403ff5bd1939d3f4933007aafa85c7026dd8618b

C:\Users\Admin\AppData\Local\Temp\GcwwEQMc.bat

MD5 59ff784cb2d1e97f77c848714c4c6e41
SHA1 0501953f2e937cb5cf8896e067c172046c6e0e39
SHA256 29f0cfb3527d37880bbc4f4280a3977b15bf28e481a881b78430503cb5d046d5
SHA512 a76f05ee3b8d33214617a71a254f229204cd3b11818a41bf02e8c627ea1025a25c32a39ae9888c9bb6bddc985cd5357eddc33ac2fa23e89219db8aa8286055fd

C:\Users\Admin\AppData\Local\Temp\wgsc.exe

MD5 219a44d9222a4645ac88456988f2e5d8
SHA1 a27729ad69971826837de3edb4e7084aac84fbc8
SHA256 8d416231d991b0da6712625a51cae2fbf4c45ad9e8e775d4993b5176001efb9a
SHA512 3d76b7c67c6ce48917b83109c7f99629191d47765aa55c5cc99c3ea18c71b83d95347b14e3bbadf1b7aafaa64e23f4e5e64d865f2d21ada4dc3d20f46462553d

C:\Users\Admin\AppData\Local\Temp\Qkgs.exe

MD5 41c1f5cc239fe326bc40cf385f37f28d
SHA1 a04438dde3ee405b6d6d69541f77188ffadec4de
SHA256 6670b68ccf91f8e0485ed73d1fa66630bc756eba38704e2fef72419c9a9918a0
SHA512 65477fab5527dfd22399a6ddaa659cd89ac72bf42b99b0c22d61a59c1c640d76ac64c1f5c2f820dc8294e79b67df051d9ced6675bc66002ec70941f557c47e99

C:\Users\Admin\AppData\Local\Temp\WcAa.exe

MD5 20249c2429c5a17e8eca429780402c47
SHA1 f2d87747b37b37f7329ccedd8be49d5a5e3f141f
SHA256 74baa77540cce9dcc285d89c15e35bde0f64ba17ed636ab74a5d491364e0c9c3
SHA512 402f390f3c0f90127c67304553c06166a19eff38b8a1672182a68ffa849930801c80de813c6a7164cbed20a975a49f055e227ac3b6dd06227d148891a2b90011

C:\Users\Admin\AppData\Local\Temp\MIgm.exe

MD5 bc8669cfb07497a6bbe7e541b6bf321e
SHA1 f9fec901321382e7ec1782314747e9591e3c0d10
SHA256 09cc138f8978623cc8cba5e034366b7b4fc21573d47698fdf3beaa6bb4c95441
SHA512 0ea9e632d72a3cd72462ce3449c6049a016f57b533cc7ecf2b737d9b0454484264352c7fbf91cb68464abc8d0e9cf731c6ec85e334a26c3f5ac6fbed98270d16

C:\Users\Admin\AppData\Local\Temp\IKIMwIAM.bat

MD5 98722af74476c80856c995a96212534f
SHA1 47d1745a73a75aa90d65bf48ee857ed5735be21b
SHA256 c216e3edf210330f0498dc6b6dd2afa02134d8eee6847fd78726ce7b0d0f1cac
SHA512 aa3c93e53442c500218b00d9148472d30b537c45e7cef4123e56db7bba3a65da66a70a036e7b0d880648ffaafe5feecd1da6423e7f25e193f58614d4d6314586

C:\Users\Admin\AppData\Local\Temp\CYoA.exe

MD5 106c33b1943d9b0cf753d12e4e3cc13f
SHA1 951f364295f5de58c8c886a8d3e65177890aaa1b
SHA256 18fe23fd22d44800d191c33152142fe4bda0f6e591f3691f005fffe4a181868a
SHA512 10436a35b10e04434b7cdb4c61bbf45e02fedfd587053f9e852af38154b563ccbddcc2b6dbed822d484d4075b0c6fb3b2048a8793342e124fbe37de8e0886be0

C:\Users\Admin\AppData\Local\Temp\kMcy.exe

MD5 8b1c1b4dea75d6939635f31a827681a0
SHA1 0817286cb0aec607b9b6e53f5b8cf2dd1e82dfe9
SHA256 c2c24b611cba94c29912e1db1a9437faeada287d26f7805d0018bbb2f39490ab
SHA512 103cba09dc5bff093522901915a688d5a4b19b8d31d7b0448a1c7a793025a9d1f0c468e953e9364587251637650151ad8c5a5ccb41c8db375c5f9290fc7d59ab

C:\Users\Admin\AppData\Local\Temp\mkYu.exe

MD5 72e1f938c18d30e113ca559e1413dad8
SHA1 ea8f5a87ca7598ce246e4501104d05da2defc8ae
SHA256 f4254994cc20edf6f2f5e1569231c6c059af82fb0e25ccb09c20268dda9252ea
SHA512 94611a10002e00890fa7e4483f28512f820fb6048b8c5612decb932ab12b3d33e7fd1ea6a1e6b3e5319990f23b5fe4286527dd102b7223a458719302ac0e1ade

C:\Users\Admin\AppData\Local\Temp\YWMskEwI.bat

MD5 f7ba1bd58f075838ddfe4a9df5f81ce8
SHA1 623408b36020c7b349ee720a0b1e841c19ec0094
SHA256 51bcc56c5ece533b0cb79e59e287d06a223d108894e9625ef6f887970a771163
SHA512 ee05caa0a8b1f94396ebca59c92edde0bb50b0fb5b2a8624f62651b7804b180aafa1dfaca8fe3036444545a2606fa04a995924ff3b9b5ca8df469b3b2b3800e9

C:\Users\Admin\AppData\Local\Temp\UcAS.exe

MD5 e69d8c0314aafdf08034cc8552beaaa1
SHA1 7efbe85dcef533746b57472a6709c3d40f625359
SHA256 46ff4c301f76fcbff32d67db7550051e22f7dcc3384807eb2579b82c22684cef
SHA512 a68ce4e4c0b29fabd078ca279e63f792dc1b89e5a886dd7e62f9f650976ffaab8df1395a76e8f8ec29886b084f9a2d0c2a92d6536796cce57252092b1af73c30

C:\Users\Admin\AppData\Local\Temp\iUcIQUYs.bat

MD5 43b58d5776dc28ff760899ceaffe1977
SHA1 22725759c12efd67c54984fd4a49abad60e2d9e2
SHA256 02e15af5e1d7667de9a38081a807a12ea0ea78468cf48b517b6f1047ba723675
SHA512 5b4efadcf8e91c99fe3e615adf1acb6dff06038d368ed13606e86efeeee4c32f052636b1bf670791bb27225c38d7ea7cf0970c08d794fe85f921a8477f53fb27

C:\Users\Admin\AppData\Local\Temp\PKIUYsYs.bat

MD5 a00d8f6dcd9f41640a2646a4af11bae9
SHA1 7c7379afea7169c3784df8a85cb99be0fbcb3d64
SHA256 b3d413530b01b16b82f8711ff2536c40831d7f3e82c01a347bed284dbd4aab8e
SHA512 cc790d9410f29b59540c43cef855d2d6cfc8da8873a502edab8dc209da5e58a4287cc67b09f67bd4c99bf4f3b59c10546a9af6cfd37e7bd5f0b66cd408954787

C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe

MD5 ee5a000b675e3c53e9c60ab20ffd0b10
SHA1 0965d4c1a5bc2501cc79c33bc0b99744567d6086
SHA256 d347406950e42fbfbde82e6922be0032bafe852b3b09a016776bc3bfd2b1029d
SHA512 a8d1f04bb4cfe6a61f4204863e8086d3e478e5a4df0afd0979389d6eb37a78475633868ee5d9e80aed8eb6cccb05f7c0e891c980836d104b94e3cf590138159c

C:\Users\Admin\AppData\Local\Temp\WIAw.exe

MD5 b5ccb3171110ece9bcf540d87ee0f4ec
SHA1 b9a4bb2ca45fba73e4359c55bf70da801b25c60f
SHA256 5660b947d4e11a990d0d1453b35be071e112604b50334691dbf6f58a25ba21d3
SHA512 d611b1f025d241157bc7950318d2db3ab21d44b662f6e49c60c42aa5c694c55d2e369387b94e3ca8877aa4f29ca37aca1953f635299fc31d818c01d63ff21228

C:\Users\Admin\AppData\Local\Temp\CMgM.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\uQIQ.exe

MD5 80f10f6bbcbac1586e20868565e8c5ad
SHA1 bd847009a4f75cac0c7f897a79114fde91ca9cd4
SHA256 41262e91fab54d1a403d15e75f5d224e8736c9c5967e39be42cd2b7f5cea55cd
SHA512 6f51d41a922cb2ea915e476a75017532d26a3be2a35645ea5f0813c48226e3472692a4bd8d70b063943b7aa4d4f40b6fbc244c3cf937d5c2f7d2820b048100d5

C:\Users\Admin\AppData\Local\Temp\LWcQIwso.bat

MD5 f4e4fe5bd58ff273734228b76ee71cae
SHA1 b2504a0ae1b959d006405aee78f7df903b3730be
SHA256 2d14beb84a1146b9d08a7a122b91651446057e797a6436497ab21e986fa3fb05
SHA512 3be2d0913992c839391544cdd56c702f217dc513b26209f10d2ae5962ca6667061fd36cb69a45adefc5477d326b9ea6771d86e0273339b1a67bcddccc894908d

C:\Users\Admin\AppData\Local\Temp\mcUs.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\YoQk.exe

MD5 c40081aea6ac79b2692da3119a36d919
SHA1 17aeccc3e28246a516319f91e39132221a81165a
SHA256 0c2a249599b666f9f7515b04b06a76ddd4a3755c07f013e0f6aa23877786b99e
SHA512 e0575846b3cfed4669de05c74e480205a83c36967eee8d9c997dd1d3cb94de21e2d831975dc5fffb458c538ab8eead048a1322b21230a2fa476b62d79327b819

C:\Users\Admin\AppData\Local\Temp\GkcO.exe

MD5 1b118d33b91ca1485ccd470f39e5fa29
SHA1 7ca28bacd1b206e1d1e1f4d9f54ea87746cc4c39
SHA256 a50a0e8038dd5ec2c26e09e7a532cba6d63b4d1af27f2eb9b9843fcc11af76e4
SHA512 2225c4aefa68f67319fa5655ee07aa55016af1095724b1cef8f10bf944ca2ddde119cafcc703f150a70fc4edb559dcbfc844fbaf921f1ac3356b13b9e22e59ca

C:\Users\Admin\AppData\Local\Temp\kcwW.exe

MD5 f2c36458f25c7c67573b26171237550d
SHA1 428d80caf46a9a83e722c49d715daa6fac8ebd8d
SHA256 0a117ab593e041d9d71966238f5b7a4a38f9ddb6ede64d4947caf5d666e78062
SHA512 a9ae9991f3623d13c1272feef39d855449e32d36474ac27971316090d462a982d1ad77d79a07e23fd34d41f1bd8971a4b0ac9a14e4c14ad597aa11278e0ac079

C:\Users\Admin\AppData\Local\Temp\yoMQ.exe

MD5 bad7e15103fd1645e1c562220b101912
SHA1 fd700c6c116af76a4931eddba3f30b60d61d308a
SHA256 4be2c364bce174d50a1258ac02a45eba9c5f6e25fd4685640700b648b343c1f4
SHA512 7b7bae72bf199d1040153da10247f53a5f646f2fb881e4594f0243d0dd98c0d36a0caeb0eca589b49f0f982dcd474b9d9433110d5f318888ef57bb0c842ec7dd

C:\Users\Admin\AppData\Local\Temp\Csks.exe

MD5 9eb5bed7964ff549edaf8cbd73600a20
SHA1 e2b4bf315f6c9d9024ed5b3a5339ec96581ca450
SHA256 9a161fba8b1f5502c1c1757f8f429e2b8af29272303c0dab31f9d2cf6b678b81
SHA512 83dde93ac234a8d9f99dc862f2c9e5cb8408cfc07305701861ba682794e3553b2b2e8e0d0af9903e2fbb1620ef1b1510b9d5566c4f020041d25d83435fc72f36

C:\Users\Admin\AppData\Local\Temp\uYsk.exe

MD5 bd4e13179f9ca33da0e595b0929909a1
SHA1 386cb0b35e8b2a4eb3f3968d264def4ce8ed7f05
SHA256 50e9bb4c140cd91c35261606d590902b8f37bcc6490cea87a0b9cb2b1e81ce57
SHA512 6d2ed1e38623af7e3e7260022ff8a00e04fa27b7e0b548a52d564723b030da44c186be617febca863456abd9e9dc34e93ac834449ebba49695a83ae6baf4e70b

C:\Users\Admin\AppData\Local\Temp\CAYs.exe

MD5 94d1a28dad54f480f85bf36e445b116f
SHA1 8a82136ee010f32f3514d9b6275e2e5d0657f678
SHA256 cc1dc5fa0a30ee02f79961f7eed3ee23799edd15f895243302880ee69ced5faf
SHA512 d6289e212e5757244156b994aae7280010e5f4c7b36ffad5a02dec8da7853fb35263c4fbd6cff500a43fa020e1bade3305128bd427bb50959d7259fd43a10ced

C:\Users\Admin\AppData\Local\Temp\UoYQ.exe

MD5 3d66597df6216a6a81f3f4b3e7f688c4
SHA1 2ddb51eecf25632833550437f4b209d149fb0fa7
SHA256 4df5ac1d1e86744840254c13c235e097907bc7dced6c07a9dbe4c05073aace32
SHA512 cd1c71eaae2e53c588357083e50f90e408e40bce8bd57defcdfa5e80a07a57d9339d01a2cb29079b770a41cdc0736cc407714f850c150673c6fdb23c16b4c65f

C:\Users\Admin\AppData\Local\Temp\hckoUAks.bat

MD5 07b39008813b2c31e20d2c5ce6963f7a
SHA1 fed24a703dcc555603999e95ec728242f64dfd1c
SHA256 066fcc87838a37251790a962b4814ba1696956e212d3fd04cd6fae71c020b820
SHA512 570a36898532ba65fbd24f6e682ee6d687c384f72ad188b92dcb6fde5fd95f2ff2b3279ac394e99492ab76dbaa66f884d775028d499f20d895ece23a6fb64787

C:\Users\Admin\AppData\Local\Temp\AUsQYQIE.bat

MD5 c17eae50d353839ad7d7e6181a6afb34
SHA1 d5efa51e3673522a6f89a891809b6722b6649935
SHA256 128765cd1ca5ef652722d8a85e689bb99f94ed232913130cb913eaa702371149
SHA512 b4237ef9d434e863eb352e9cd9ff3a0c761d78f2af97265c242139aaf2f09c91bde46f7c1a14e8e5c7039015990263f1e796d07e2e6ceeda0fe12e53e6c43b91

C:\Users\Admin\AppData\Local\Temp\CaMocAgs.bat

MD5 42ea1eaf9f07755e59364e4d598ddf4a
SHA1 f59e608695ce12ad05dde856c0546e7f4f557127
SHA256 8e23f966aec8bc15e147b869f725b28461d5071fdd8297386a7ce1634416e4bc
SHA512 e10d44a4ee835987ca705258e9e6527eead204705acd6dcfa9c6beede842c38b8b644ca20ccaba6d66a342a925a3ef4617594ddd5d584576cb133f903c4bf7e2

C:\Users\Admin\AppData\Local\Temp\GOoQMkkk.bat

MD5 b6891b06c3c652690bc10e55f49b9728
SHA1 09c9be10b6a46d59497d3f3d5364e59280c0cc1a
SHA256 617d655d2b4b001bd7bb19750c291ebfcd86b7b7783c040b60249eb708f9adad
SHA512 a48096caf34032625c5a58910b5e262477f3051d808fd1a5cbb470ced06cfaba6a30fb42fd4ab6e52ac77f4967dd65d0edbf77ec470624cb86eaad07473e280e

C:\Users\Admin\AppData\Local\Temp\migswkQI.bat

MD5 14cace4dfd0079896ab89776c95a6ceb
SHA1 6b6f1d12acc2e20605dcffe95f369089855c4d13
SHA256 9f9ddc40ba8ced669fb29b65b74631db9e21525f57ea0fdde1eb24dbae303f88
SHA512 2b6c7c752bb5e3a15188419870da780d39b95e546f8c37706815c1febca7f4527a33eecfc0bfebc915793cd036fffa0b94f14597f5b67ab98d25c15c409d8bfe

C:\Users\Admin\AppData\Local\Temp\RMkYIUYQ.bat

MD5 7299818b037d147011548642733c3b2d
SHA1 cb6af6fd99f1ba62653c2138fe562eec63b6adb3
SHA256 4e7bf5571d03146977b55b5cd2a7334693cbb2e5339ab17a3286470aaf9a19ea
SHA512 393c88938796605d75af8cfe436dfd428ca7c68385cc82abe0de6fd10e40bb3d7cf246559426e2182e40a1c8fade497e952f3e54b215c62fc2dbff02fb56d76c

C:\Users\Admin\AppData\Local\Temp\xusccokY.bat

MD5 9fd2471a23c461a082cb1225f84fb319
SHA1 5351ae10e2b40cdaf5a483e70d7684bb72c76e8c
SHA256 2b4234c7e964eefba108daaa30e1ff9d63c0ff5934e212dd24cdd8a7312d1501
SHA512 0c281094b4f0522023ad88adf615178ed5acab151136d1ecfbbeb062c88eaeab62ea3ccc3f471f98d24168c7e2361f7b9094747fdf6e24088cdf63be65baf832

C:\Users\Admin\AppData\Local\Temp\BSgQgAok.bat

MD5 1de3d34fce1919938c742785d13feec4
SHA1 6f3c7eceff1a0d8105f05e4424c3079f340c4d9a
SHA256 4fa5b5c06aa7830fbdaa9b5dfeec26e026d21d61a047c6484657746d88f7202f
SHA512 15f54f86cc1f2a9a69de2ac3cce6d4048ddf3d2494cf14047c996fab946c4f5d613eed19561e57bb558bf59e71c4f54fdecd2b7867efcd678b236eb9977d7499

C:\Users\Admin\AppData\Local\Temp\foYYMYYg.bat

MD5 032f41a26effd0397c32f29b6bf5c510
SHA1 8e7938c9ed3f0f5c0067538b8427b20ed5103ccc
SHA256 d14d1a4de1aa1dcf0072017943fbb9add27c45a6691f9590adc917ff418c9619
SHA512 976bbabe6e28e368f1a22008009c96cec6c0c623dce030653a75699cb03592411440fb12dfad994e8414bc80230b8a17c8504b9e08043539bebb1bb97ee39bc0

C:\Users\Admin\AppData\Local\Temp\oQYcEIow.bat

MD5 27e155c0700ab6152ddb2632f590b447
SHA1 721c0f69765f8a8869d26ce2e7a0d19daa18b75f
SHA256 3762cb1cd1f8323cc36bf2c646c4c96f30e73b81820d42c068763c2c9ebbb351
SHA512 e5e62c93ddf98154ed448649765bbf8b3168e3d7aeacbbfa71e339928a0b54b6bb5ab187c03d8c6a20d7dc6134fedab2ebc908e067abf48ac2eb6507ed258c1a

C:\Users\Admin\AppData\Local\Temp\kkYMAwEg.bat

MD5 19fddb332f487f0d76d0295fe375f825
SHA1 21a98d944dc99f3cc319538be09315857883b420
SHA256 679a45d72fe17ef29de2e51c04be2e20de1cf8cd5fecb22100d30d0011e8cf4d
SHA512 fefaea355796749f043ad8d2e7d2d931463426f624f11ae463b49c0ac6805068f350c3c1cb6f2fe4f63ddeb734bde8c7d17c02b56cc9457ab6a10918c5158fff

C:\Users\Admin\AppData\Local\Temp\uYEocEQo.bat

MD5 41c0966c7c3b2fd64ea1fda0172e6566
SHA1 07882903ec2cdb221578012e040b726d0ffe293d
SHA256 41469075af9640b45b54aef5b791a9968fb7049ea579e67290584c19cfb4ecfb
SHA512 f7e81f139c5ef09888e5e8512a93c152fea0d9e2fc07c18ff3c3c05c82f6e4f3caa2e51cf9a7c09295708b183ec344778baa9d9a989628ee9ecafff2dee92bc9

C:\Users\Admin\AppData\Local\Temp\EuAsckoQ.bat

MD5 e0fdbd543e05e799a1b6b17279720c92
SHA1 47aee3715686638b83c78f73aa1ec7f914a94971
SHA256 e72494aa44f2bbd93ed0cf3793eba23147f9ad3ec22043e99b952d209f3f4be3
SHA512 76a2114835ba57b6cef4b2ce475baf42631619ef10d6df68a8c4e0a33f53870799ad245ef5f39aa893a4ab7adec94d7709d49e9e7806628cdcb121cd7c02cf4b

C:\Users\Admin\AppData\Local\Temp\RacQgwco.bat

MD5 b9be55056a8ceedf42a6815a1889fa7b
SHA1 7c9fe972dc48c91c30f10e85eaddd3e2385ee97f
SHA256 ffff5cfd3b8e4a7b16b375196886f05d56d09606a9cef4126e1df730b5612269
SHA512 6b1d94429a8885462af80504d576d43c5c8884f49d814744f7e7f543381185856066bd8be79e43444e460a88b6b45339686c8f97ccaac487a3de0832170b1ddd

C:\Users\Admin\AppData\Local\Temp\rMwsQgUE.bat

MD5 8c3ecbc7a24449654cbe9f7fe96d35b5
SHA1 a931d949bbe98bb43f9fbfdf38567a24904a9419
SHA256 82478e674c2e7fefd535fd32850c5cc9c41a254a4bbfe45ffcc9c4f1eafd77d2
SHA512 51ede6c4a4f6f8d9e56def8e0775c32eb032e3029928d2a058e74a4db128fce3c34dc6f238bb56c22877df88d187f6f46341ee1ffa3aa0a5712f0dc316a0a281
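
Two entries in the list above, usertile32.bmp.exe under C:\ProgramData and Kalimba.mp3.exe under C:\Users\Public\Music, are ordinary user files the sample has renamed with an added .exe (the "Renames multiple (82) files with added filename extension" signature in the summary). Combined with the HideFileExt change recorded in the behavioral2 signatures, Explorer shows them under their original names, so a user double-clicking "Kalimba.mp3" launches an executable. The Python below is an added example, not code from the report or from the sample: it walks a directory tree for <name>.<data extension>.exe files, checks whether each one is really a PE (MZ header, e_lfanew, PE signature), and reports what Explorer would display. The directory tree, file contents and the extension list are constructed for the example; the report itself only evidences .bmp and .mp3, and whether a given renamed file is a PE is something the example tests for rather than takes from the report.

```python
# Added example (not the sandbox's or the sample's code): find Virlock-style
# renamed files like the usertile32.bmp.exe and Kalimba.mp3.exe entries in the
# file list, and show what Explorer displays for them once HideFileExt = 1.
import os
import re
import tempfile

# Extensions a file infector of this kind wraps; the report only evidences
# .bmp and .mp3, the rest of this list is an assumption for the example.
DATA_EXTS = ("bmp", "jpg", "png", "gif", "mp3", "doc", "docx", "xls", "pdf", "txt", "zip")
_RENAMED = re.compile(r"\.(" + "|".join(DATA_EXTS) + r")\.exe$", re.IGNORECASE)


def is_pe(path):
    """True if the file starts with an MZ header whose e_lfanew points at a PE signature."""
    with open(path, "rb") as fh:
        data = fh.read()
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def display_name(name, hide_file_ext=True):
    """Explorer drops the final (known) extension when HideFileExt = 1,
    so 'Kalimba.mp3.exe' is shown as 'Kalimba.mp3'."""
    if hide_file_ext and "." in name:
        return name.rsplit(".", 1)[0]
    return name


def find_virlock_renames(root):
    """Walk root and report every <name>.<data ext>.exe file, with whether it really is a PE."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if _RENAMED.search(name):
                path = os.path.join(dirpath, name)
                hits.append({"path": path, "name": name, "is_pe": is_pe(path),
                             "shown_as": display_name(name)})
    return sorted(hits, key=lambda h: h["path"])


def _minimal_pe():
    """Just enough bytes to satisfy is_pe(): MZ header, e_lfanew = 0x40, PE signature at 0x40."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


def build_sample_tree():
    """Constructed tree: two paths mirroring the report plus two controls (a non-PE
    with a matching name, and an untouched document)."""
    root = tempfile.mkdtemp(prefix="virlock_demo_")
    files = {
        os.path.join("Users", "Public", "Music", "Sample Music", "Kalimba.mp3.exe"): _minimal_pe(),
        os.path.join("ProgramData", "Microsoft", "User Account Pictures",
                     "Default Pictures", "usertile32.bmp.exe"): _minimal_pe(),
        os.path.join("Users", "Admin", "Desktop", "notes.txt.exe"): b"not an executable",
        os.path.join("Users", "Admin", "Documents", "report.pdf"): b"%PDF-1.4 untouched",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in find_virlock_renames(build_sample_tree()):
        print(hit["shown_as"], "->", hit["name"], "PE" if hit["is_pe"] else "not a PE")
```

The name pattern alone is a weak signal (a user can legitimately name a file that way), which is why the example also checks the PE header; on a real host, run it over profile directories and C:\ProgramData, and compare hits against the 82 renames the summary reports.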

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 14:29

Reported

2024-11-14 14:32

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(identical entry repeated: 58 occurrences in total in this signature table)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (82) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\ProgramData\jokkEcko\ROEMUsck.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ROEMUsck.exe = "C:\\ProgramData\\jokkEcko\\ROEMUsck.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TyAggkgg.exe = "C:\\Users\\Admin\\WYUgMAkg\\TyAggkgg.exe" C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ROEMUsck.exe = "C:\\ProgramData\\jokkEcko\\ROEMUsck.exe" C:\ProgramData\jokkEcko\ROEMUsck.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lIowYkQg.exe = "C:\\Users\\Admin\\mqMgcAEg\\lIowYkQg.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YicMUgIM.exe = "C:\\ProgramData\\ViUYUEwU\\YicMUgIM.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TyAggkgg.exe = "C:\\Users\\Admin\\WYUgMAkg\\TyAggkgg.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A
N/A N/A C:\Users\Admin\WYUgMAkg\TyAggkgg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2740 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Users\Admin\WYUgMAkg\TyAggkgg.exe
PID 2740 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Users\Admin\WYUgMAkg\TyAggkgg.exe
PID 2740 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Users\Admin\WYUgMAkg\TyAggkgg.exe
PID 2740 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\ProgramData\jokkEcko\ROEMUsck.exe
PID 2740 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\ProgramData\jokkEcko\ROEMUsck.exe
PID 2740 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\ProgramData\jokkEcko\ROEMUsck.exe
PID 2740 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4844 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
PID 4844 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
PID 4844 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
PID 2332 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2332 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2332 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4740 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4740 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4740 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4740 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4740 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4740 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4740 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4740 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4740 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4740 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4740 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4740 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4740 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4740 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4740 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 932 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
PID 3520 wrote to memory of 932 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
PID 3520 wrote to memory of 932 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
PID 4940 wrote to memory of 5044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 4940 wrote to memory of 5044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 4940 wrote to memory of 5044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 932 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 932 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 932 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 4184 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
PID 4720 wrote to memory of 4184 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
PID 4720 wrote to memory of 4184 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
PID 932 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\System32\Conhost.exe
PID 932 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\System32\Conhost.exe
PID 932 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\System32\Conhost.exe
PID 932 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 932 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 932 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 932 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 932 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 932 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 932 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe C:\Windows\SysWOW64\cmd.exe
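
The rows above list one line per WriteProcessMemory call, so each writer/target pair appears three times, and the writer/target pairs line up with the parent/child launches listed under Processes below (the sample spawns cmd.exe, which relaunches the sample, which spawns cmd.exe again, and so on). The script below is an added example, not code from the sandbox or from the report's author: it collapses the repeated rows into a parent/child map, walks the chain from the root PID, and classifies the command lines from the Processes section (the reg add writes to HideFileExt, Hidden and EnableLUA, the extension-less relaunch through cmd /c, the dropped .bat and file.vbs launches). It assumes the row layout "PID <writer> wrote to memory of <target> N/A <writer image> <target image>", that no path contains a space, and the rule labels and function names are its own; the row subset and command lines are copied from this report.

```python
"""Added example (not sandbox or report-author code): rebuild the process chain
from "Suspicious use of WriteProcessMemory" rows and classify command lines.
Row format, no-spaces-in-paths, rule labels and names are assumptions."""
import ntpath
import re

# Constructed sample: the sample path plus a subset of the report's rows.
S = r"C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"
CMD, REG, CSC = (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\reg.exe",
                 r"C:\Windows\SysWOW64\cscript.exe")
WPM_TEXT = "\n".join([
    rf"PID 2740 wrote to memory of 3048 N/A {S} C:\Users\Admin\WYUgMAkg\TyAggkgg.exe",
    rf"PID 2740 wrote to memory of 3048 N/A {S} C:\Users\Admin\WYUgMAkg\TyAggkgg.exe",  # sandbox
    rf"PID 2740 wrote to memory of 3048 N/A {S} C:\Users\Admin\WYUgMAkg\TyAggkgg.exe",  # repeats
    rf"PID 2740 wrote to memory of 3524 N/A {S} C:\ProgramData\jokkEcko\ROEMUsck.exe",
    rf"PID 2740 wrote to memory of 4844 N/A {S} {CMD}",
    rf"PID 2740 wrote to memory of 4264 N/A {S} {REG}",
    rf"PID 2740 wrote to memory of 2332 N/A {S} {CMD}",
    rf"PID 4844 wrote to memory of 4740 N/A {CMD} {S}",
    rf"PID 2332 wrote to memory of 1472 N/A {CMD} {CSC}",
    rf"PID 4740 wrote to memory of 3520 N/A {S} {CMD}",
    rf"PID 3520 wrote to memory of 932 N/A {CMD} {S}",
    rf"PID 932 wrote to memory of 4720 N/A {S} {CMD}",
    rf"PID 4720 wrote to memory of 4184 N/A {CMD} {S}",
])
CMDLINES = [  # copied from the Processes section of this report
    rf'"{S}"',
    r'"C:\Users\Admin\WYUgMAkg\TyAggkgg.exe"',
    rf'C:\Windows\system32\cmd.exe /c "{S[:-4]}"',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f',
    rf'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYsoIYMo.bat" "{S}""',
    r'cscript C:\Users\Admin\AppData\Local\Temp/file.vbs',
    r'\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
]

WPM_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

def parse_wpm(text):
    """{target_pid: (writer_pid, writer_image, target_image)}; repeated rows collapse."""
    parents = {}
    for line in text.splitlines():
        if m := WPM_ROW.match(line.strip()):
            ppid, cpid, pimg, cimg = m.groups()
            parents.setdefault(int(cpid), (int(ppid), pimg, cimg))
    return parents

def chain(parents, pid):
    """PIDs from the root of the tree down to pid (cycle-safe for bad input)."""
    path, seen = [pid], {pid}
    while pid in parents and parents[pid][0] not in seen:
        pid = parents[pid][0]
        seen.add(pid)
        path.append(pid)
    return path[::-1]

def longest_chain(parents):
    return max((chain(parents, p) for p in parents), key=len, default=[])

def _opt(opts, flag):
    """Value after a reg.exe switch such as /v or /d, or None."""
    m = re.search(rf"(?<!\S)/{flag}\s+(\S+)", opts, re.I)
    return m.group(1) if m else None

def classify(cmdline):
    """Findings an analyst would pull from one command line ([] if nothing notable)."""
    c = cmdline.strip()
    exe = r'^"?(?:[a-z]:\\[^"\s]*\\)?'  # optional directory before the image name
    if m := re.match(exe + r'reg(?:\.exe)?"?\s+add\s+(\S+)\s+(.*)$', c, re.I):
        key, name, data = m[1].lower(), (_opt(m[2], "v") or "").lower(), _opt(m[2], "d")
        if key.endswith(r"explorer\advanced") and name == "hidefileext" and data == "1":
            return ["explorer: file extensions hidden (HideFileExt=1)"]
        if key.endswith(r"explorer\advanced") and name == "hidden" and data == "2":
            return ["explorer: hidden files not shown (Hidden=2)"]
        if key.startswith("hklm") and key.endswith(r"policies\system") and name == "enablelua" and data == "0":
            return ["uac: EnableLUA=0 written to HKLM (needs an elevated token; effective after reboot)"]
        return ["reg add: " + key]
    if re.match(exe + r'cscript(?:\.exe)?"?\s+', c, re.I) and c.lower().endswith(".vbs"):
        return ["cscript: runs dropped script " + c.split()[-1]]
    if m := re.match(exe + r'cmd(?:\.exe)?"?\s+/c\s+(.*)$', c, re.I):
        target = m[1].strip('"').split('"')[0]  # first path after /c; assumes no spaces
        ext = ntpath.splitext(target)[1].lower()
        if ext == ".bat":
            return ["cmd: launches dropped batch file " + ntpath.basename(target)]
        if ext == "":
            return ["cmd: relaunches sample by extension-less name (PATHEXT picks .exe)"]
    return []

def report(wpm_text, cmdlines):
    """Chain from the root plus every command line that produced a finding."""
    parents = parse_wpm(wpm_text)
    return {"longest_chain": longest_chain(parents),
            "findings": [(c, classify(c)) for c in cmdlines if classify(c)]}

if __name__ == "__main__":
    out = report(WPM_TEXT, CMDLINES)
    print(" -> ".join(map(str, out["longest_chain"])))
    for cmd, tags in out["findings"]:
        print(tags[0], "|", cmd)
```

Two checks follow from the output. First, every target PID in the rows is also a process the writer launched, so these WriteProcessMemory entries record a parent setting up a child it just created, not a write into a foreign, already-running process; confirm that before treating the signature as injection. Second, the "UAC bypass" signature fires on the reg add command line: the HKLM write only succeeds if the process already holds an administrative token (the sandbox user is Admin), and EnableLUA=0 takes effect after a restart, so on a standard-user host the same command line leaves UAC untouched.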

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"

C:\Users\Admin\WYUgMAkg\TyAggkgg.exe

"C:\Users\Admin\WYUgMAkg\TyAggkgg.exe"

C:\ProgramData\jokkEcko\ROEMUsck.exe

"C:\ProgramData\jokkEcko\ROEMUsck.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYsoIYMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEowMgok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCgAAsQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msgUgwEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eyksEkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgAEAgIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsIAogUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSkkoMcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vokIggsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USgogQgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyoEAoMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOIoYAgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAQIQEwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIsYgIII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HeIMoMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQYMMIMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkgUkMsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icAUEAMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyYwUkMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imgcAgQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGsEAEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcUQccwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGoQwwgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQMssQAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUMEQUYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CssAoUEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuIAYEoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esYAMAkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feEwIgUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqQQIgck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCEsIsEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMkwQkog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMUsswYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMAMcYsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\mqMgcAEg\lIowYkQg.exe

"C:\Users\Admin\mqMgcAEg\lIowYkQg.exe"

C:\ProgramData\ViUYUEwU\YicMUgIM.exe

"C:\ProgramData\ViUYUEwU\YicMUgIM.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1632 -ip 1632

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uuoIYMAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4084 -ip 4084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 224

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeQMcYAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQoEAYsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUAYMsMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koMogkUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiAMgsEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIoIgUcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMcwYIck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGcgAMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwEIEQQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAsggYgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCMgEkIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWgIggcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYQgEAAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmQcEwsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUkUUQYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYQwAYUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAgMIoQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWMoAkoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqIIkAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGsIIAsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SccYcwEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKwQQgIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIEggsks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.187.238:80 google.com tcp
GB 142.250.187.238:80 google.com tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp

Files

memory/2740-0-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3048-7-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\WYUgMAkg\TyAggkgg.exe

MD5 020b7e28aaa5603f884499647d89b275
SHA1 87d2df60ca64507ea212a1a0728722dbb4170538
SHA256 2241e36607243927742bffb7e6f75c9b48fbce0f637cc355989ec59c67e63779
SHA512 a4d9e7fffc8769c00da78b01a7b488b325d2d01e7b82868a5af5e4d17a479d36c0284615b52686569a9f2851266bbd19cb6f5715172b2633bef8f1de9248f922

C:\ProgramData\jokkEcko\ROEMUsck.exe

MD5 fc8e880fe808a7e54a8b768a0042de99
SHA1 8f39a38db9a7042ddbe982bb27d3b3cf1979928c
SHA256 f2802e56bc99d30c77d4d550c5c2863edcd8903ccdd6dacc64cbed92cd51c29d
SHA512 07aeb3296ea028aedbca9104e81d4d5cf46070cdaecdc16d714689e0d7b1b0bb48f38d8114841aae49cdde7b4dca2270899a5cf4e88ddbe4903afca021898fd2

memory/3524-14-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2740-19-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tYsoIYMo.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock

MD5 8969288f4245120e7c3870287cce0ff3
SHA1 1b4605b0e20ceccf91aa278d10e81fad64e24e27
SHA256 ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73
SHA512 9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

memory/4740-30-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/932-41-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4184-52-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1228-63-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2632-73-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1664-75-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1664-86-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2144-97-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4184-98-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4184-109-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4472-120-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4616-121-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4616-132-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2924-143-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2864-154-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2732-165-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4176-176-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4468-177-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4468-188-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4756-199-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/428-207-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2840-211-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/428-222-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3624-233-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/608-244-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3060-252-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3632-260-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4576-268-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4952-276-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/5028-284-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1392-292-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4428-300-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3632-301-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4428-309-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2984-317-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4516-325-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3036-326-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3036-334-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2380-342-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1364-350-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4084-352-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1632-353-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2308-354-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4392-362-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4084-367-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3580-371-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1664-379-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1164-387-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3380-392-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4264-396-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3380-404-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/912-405-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/912-413-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4836-421-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3664-429-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3580-434-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1404-438-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3580-446-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3520-454-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3096-462-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1284-463-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1284-471-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4872-479-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4120-487-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3632-495-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\koEO.exe

MD5 e744ccb5d89708955314a82115732ba9
SHA1 7d8cc0254b57f33f4542d056cbad6bd004ec42dc
SHA256 6433fecb0c91d17a5131b3b9e8020c59b018755acfab7db14ee423502d05a7bc
SHA512 167cc5e9d9020efe3d65e377ef3e22922b0fab216742d864cec34f49158516d6ebb2f37c6ebb41505435e62e2fb732ecfcf9d853595f807487da92f2253f0eb1

memory/1764-519-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4764-515-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KEoy.exe

MD5 c15f4fa742528df97bd4a76ee869500a
SHA1 b713e6b996cca6ed3430304006d167fabf57450c
SHA256 e6b84e3fe49d7877224c59f3355d95ef5a30efe6b9d7f4861b950522c38a7408
SHA512 25c9be5674c1ad9f411fd40509c29e36c5ab328c43f2c7a2b9191b6642f18397b802983ba3ee3d29d539b5ab166bb2bc07a07aff053e319c93dcf0a13d552ed0

memory/4764-541-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mMss.exe

MD5 56f0accce0a7479c302f995281ab58d9
SHA1 1276de3c3c31e0dacfb307f995141be32b6b3b1b
SHA256 a7609552276e02a76960e3791128a2dcffe87dfb66fc8cd2ea9c97f7d812b5b3
SHA512 f6444b3b01c0a8d6c2ba9e6419ecf75ca85e3d9ec5074b1ad5d86706552c43276a6d4e28b352e47ca84c59f7de1cefda617147c39b14e3d4895784495414d275

C:\Users\Admin\AppData\Local\Temp\qQIq.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\gMsq.exe

MD5 4d77c6f1b1f2e1c8998b016e5bfb2fb2
SHA1 b76d525968b5e5876ec1927235c1cddfc682da37
SHA256 76c9a141868454ac9dff74666654f110798bdd25dca48478d16d5bb454a9e838
SHA512 cafaf4cacc43c700fa3abcb5792b676370e5e31b18213b8a3d56440732bb7157227a5cfd0d99524a78a74f197591dc8e5c5841a629fd07719c7baa96de0347af

C:\Users\Admin\AppData\Local\Temp\CwAu.exe

MD5 0ee2546c554bb836c2c12a5316226592
SHA1 b2deae607103f95f54860ef4538b510347323ccd
SHA256 9c217eb7577ac38bae17febd9326da4c422143b037befa578b6e98fa6f26316f
SHA512 f30b110c95d6c81e10e901dcd7907633bd3d8d8aa7c39f7547ec9ac996841e8f18990eb5433ccc9685fb7bf25e098e33eba613cd23b076c554dcf731bf469e0d

C:\Users\Admin\AppData\Local\Temp\aUMe.exe

MD5 06039ea324913efb0f46876390f04554
SHA1 302ff8dd19a24a668bc1587e6ec1b62ce64f6c2e
SHA256 c375c75f5059a420781b5e2360adaed536ecbdf1414cc1c6f2bcb1c13805213b
SHA512 227c8ec1127a0cb13177ea71d727bd8d42a09efb41492ff05fca2816c68fb72e70212255b32ffaa6474483d9fa38f919fb4461511368be94babda762e0d2f37c

memory/716-606-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1560-602-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\agUc.exe

MD5 778e903ceb260f80cc13fc1e34daf76d
SHA1 371227e8aa3e67d65c29a94dfbffc8c54664cf15
SHA256 ab4ce68371674fff13a5fdd15509630cdc865ecacd653cc508e5f0523970c728
SHA512 51b9150de03f47dfcdee8e8e28f399f8c804da38409242c3202336382ca5579bf3884086dc1e82c15e776d06b40125d23c5afb54c8979e010bb664bcc3537bc5

C:\Users\Admin\AppData\Local\Temp\yAUi.exe

MD5 f6a7c68d50d529f07af8e5d04e36b943
SHA1 de1665ff8b5c8ccfffdd0e31987aaa4811d8fe26
SHA256 31e5f1d0e21deb41e9f558d8fb03d9df197452360f94ac3759fabd7b3c24c008
SHA512 ebd4d40edf183bb025e9f2990c6d5e76653cf684cc6130db5953a7dbeceab575b2f250f5b6942d5f861947f77f7324ef62b36bf33fc9a03f8ec1037f69bd9283

C:\Users\Admin\AppData\Local\Temp\ucIc.exe

MD5 fbeed85ba4d9fe3aecae688ff02a0367
SHA1 ca4562fa6eb974c0362a677f31768dbf41072572
SHA256 4b4f4ade103b2e89fd46e5953ba6ab2547720bdfb296a35dbd42328f5129cc8f
SHA512 b690145218cbb367ebcf16d174561ba1aaefa69d725d4d9f7fffdd7a4b2f46d20e31ce6c30ff9b081eafffcd66f8bdb126dc335ee93f730d2b33087f5134d7d8

memory/1560-656-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oUUo.exe

MD5 0d3ea61c4bda86a8490b85872d5bacdf
SHA1 13bcfdab05838f3a812206bc42faac577da0a580
SHA256 e3fc4765080d423d7e91261b467f6762360d174bfaa8c41a257cb2e366a701a1
SHA512 c78d3e8d6e726d14a904f53fdf36eddb64af7c966b2261ad3cfeaad35dba6a34fd17aca3b61364cd9b7ec03026e80dc9de7668a789041e4edc344f9f51633df8

memory/4432-672-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ucoQ.exe

MD5 91b08c31018a085fed4979adbd665ab9
SHA1 3f24e06308c28bc5ca1a91f5cf3fa587d35a0065
SHA256 c03110c91544855b6ac9994dd4d93690195d2d2c106c9935d586f4fc4a67f6ab
SHA512 e27e7bbb197ec9803960fa808ac03478a4388b53feefb515283b16b45061df06b5de24430e1233ab933a1cc6f4a63fedc686d139945959e90a1b517fd5d501ca

C:\Users\Admin\AppData\Local\Temp\KYUQ.exe

MD5 53c5a7b65d258337602503f072ca8801
SHA1 59ce7d428a5268e08220d5c9c07dbdaa9278d09e
SHA256 b8391890cc7c5911f82cd0f13322ecccc6a07e82174b8a6f08107a4e16197659
SHA512 31bc748b988f3c3e1b6d2ee81ca5a6efd3b4e08446b894af15e08161c3d87f6e20ddc54a987876dbd7789f5a6a311b3e9e73e90221083ab248ce396c73dac465

C:\Users\Admin\AppData\Local\Temp\kAga.exe

MD5 212d34abd6571f8456471b473b4f646e
SHA1 9520d4fefc6c6ff11b959b37ffe794df79901e8a
SHA256 d5f7a3ed313d91c48835af1e8f43155353320bf328a08a92d08d4a8822ab9bde
SHA512 e22f048fcbdf3fde5e5b91ca524509dca4346f67a37a0e105c1a25092ed6451660fe8024de3fc8982b6573cbb12e4b78392542fedb6cbc69c073cfc7cfa47f86

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 d7a494127605d6530e3596ff7c1eef6a
SHA1 1cca25f991951e51b111694ba91ce27f67a639b8
SHA256 66da558a52f06d1dceafd42931509335cfe3514e23129f7cb6ec38dcffc38214
SHA512 8b2ccff7fd56aa11369aceeec73cac6b51cbd350b7953e13cf7b6b1466189d016b5e284f8297fd6eb4313b1b37e98c090c9f4e17cd28132cc882035a30bc85ac

C:\Users\Admin\AppData\Local\Temp\SMsq.exe

MD5 077beafa9ebbf98ce73d4dee33b24688
SHA1 1acb95466030a7f91ccfddbd247a0f25c6dc09eb
SHA256 2731dc5820a7c9ad866bdb76511f8dfb48ac7884ae02a8bda0f0a918aea6d8be
SHA512 78c0e9f1fddaa5a5de3a2445d5de80651afaed704f6a7107b0d738a80e3cb6c3793663cb69a184b72faa0b0bd2400fe7dc4fdc6cf0a297311160659e54743249

memory/4432-750-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SooU.exe

MD5 5821ed939c8530f303550d2f19941529
SHA1 ca738951b17e087fe735095c0427baa4ad8b3c3c
SHA256 cb78bdacccc63b8fa3450203f629b2897a2a5f7671ebec5f2cf504b40b992897
SHA512 c620d28de38f5fadc5173753a3f9f2e1b0842e52ca42d1a1f111ff3cfed04373e45a1f0993063905692570ba378f7eb34f4aa873f5aa7ebeb2ddff8f90704b82

C:\Users\Admin\AppData\Local\Temp\cAEU.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\YQUq.exe

MD5 91a1aa1f477a33c85ef9f4884aa4d923
SHA1 1199e5747b289f92868f1fed9736953d78f8dbb0
SHA256 f928aac51c64e8ec4838414a8220250b1e51f50e57d67e9fa927e6999563fad0
SHA512 fdba352e5af041751ef830a5681a6e78f7f9f6be527cf6f4c9eef5320aff51672274e3bd82ace45f5b3a5b59c567aa57d6093145c0bc788e23ec9320a9973a19

C:\Users\Admin\AppData\Local\Temp\ogwW.exe

MD5 7ef6211ed02bf83c3252d500c6352a6d
SHA1 7a28f118f4360115b5b39e6100885b7f06d55618
SHA256 c39f5862370d8df57dcdaa2938c27c2440d319ddf03e2aa33ecd06b51f799c60
SHA512 cea823778247143a257f869d1fe8d6b828c3e9781758e6d3a30353694fb0fde1477bfc06f4fd8482f5391f9e39d8755fa6be769910a05bb311c5485c6a753415

C:\Users\Admin\AppData\Local\Temp\issw.exe

MD5 09719b7148bbcb095250afa3578e2880
SHA1 5c99f43f0a00ef72e85c657f96ab1c7124b7d61d
SHA256 702c611bdc1205dd4e93243acc041b3e05b22471e70971044d348029d9631b5c
SHA512 6a3a3746f1d8ff21787189d111827b78099187b370138e6707a8d31f365b292a268d298802388e4c2455f311606d4878d25f98dd7aaaebdf735184e60a00658d

memory/888-814-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QkMe.exe

MD5 29e36c191210b789752983e02b87e7fa
SHA1 43fbe2cfdac76cc247b55364870fbc4fc777cbb4
SHA256 d0dcb0e311cded4b6d335712fa6cb549e6cf2805cc37429f102d1c8a68007c18
SHA512 f7f934e3e646be1c29c6b8a8b0ec22d46e8ae80ccd642fbf3fe0b43e37f1742de8ae2f494d9d489ca7eeaec66c6ea552d196a105160fd708f208f21b64763066

C:\Users\Admin\AppData\Local\Temp\yYca.exe

MD5 c1c57003ac1e8b845c94443374dc16fe
SHA1 f10b00d339bdf49bd793a390c93de7c984b7d715
SHA256 8df88b617dfaba6033f1181cdf6fa63f2bd77072717d5fa6b8c23cc0c882ea60
SHA512 8535f7c7769ddf4cb81aef5981dbea3de0f90e5a263bb850f2a47c1fd2b358c706ac09d83ecc1c28a8a4f38d8a3b107b3e20cab5065fc136b54ea3c1551672cf

C:\Users\Admin\AppData\Local\Temp\qwss.exe

MD5 164aacef4a2d9be84b255deda7c15fb7
SHA1 a45f6aea1bf7797e7ba76a727700a166e68ceb58
SHA256 f7ef2400d182e1900905ecf94735e460a88dabc24227926576fbd877c68de59f
SHA512 e4a29d39e292ed247180f9357855624274f7d7c6a8e2a43e3b2b7df28c76b9c6139567e9f1956f1529e5f308cca0ea310ca5c304b2cf90a073cfdeb501d6fe9f

C:\Users\Admin\AppData\Local\Temp\OoUe.exe

MD5 f9de03fcfe7b188db692a27a8ce6d1cd
SHA1 c22e530e81fcd3c23933b892797b5bf548761126
SHA256 f7950eb8201f195b3709885ee346951634d454c3e0956540d1dc89bd618d922a
SHA512 d92145db10ee7c986fbe07e0a3a631c0d478330582b3b36760da52760c984ac985b6cad0ef6e86b7320b3fcecbb060f8f9e43b23c6e3b034e477684cad79005a

C:\Users\Admin\AppData\Local\Temp\oQsS.exe

MD5 369268d2c48a8b6633ba76ed8822dc42
SHA1 d16c2f366a32035f3fdb13be1149f70d8270bbe8
SHA256 63bc49afbbc6c76848cc09eeeb90ec6708e97b3e76f67bdb66f8474d5c92ddb1
SHA512 8f5c1688f77ebca3d693cfbfc821f7e75a6a8120372bac2a705833f7056361bbe8cb849ed1f99df1ef7b494b8ff64de0f1f6a7cf71ab9f515e3adc9eccff05a5

C:\Users\Admin\AppData\Local\Temp\QoIg.exe

MD5 8324a86ed4099c6ad8ea8af5210fdaac
SHA1 3a5c31534e4ec1b97d383bb17d2df11fbf82f57c
SHA256 5a9a0da6f5d1bf573adbf239893018b26dd4807fbfe0a4190e482c079e7fb581
SHA512 b616b1b896d10053d408b1b6dfa861184ef8f20a6f489d1adda7fa34520e33b351481f4b8102bb597786b843e93b0bd9a2ef593f50e5041c6f43674435a7eb51

C:\Users\Admin\AppData\Local\Temp\SIga.exe

MD5 40917b3fa82c8e9456f61f986c581726
SHA1 84baad9ad75588dfadf0203fa3b5bf44be6d4ac1
SHA256 ff581e16ba91dc990d058fc37285fc12b589ba1c8b5dddfefb6c9f909bb3e126
SHA512 d74c483cc77ff744b4c1844c5538fd00025b1dcdb8bdf4ca8704d9efd33785e6d86781e26e7f6919e4c8d13be7335500348163df92e763ac91d892d0a2a27012

C:\Users\Admin\AppData\Local\Temp\CEgy.exe

MD5 fa92c5b4b0634b75d45d792181fdeb3a
SHA1 db12922df83e9f95905cd925ce71500b90ce9915
SHA256 25319978a5c99f769dd02c4f0f98467a69c566c7c41405faafe3759be014d924
SHA512 8bb03acc78a39b8df142c83762e6e8c1b7e05e3d3b54abe18738555d109468735539612d1e1e9218d90f8882d50e13002dc47a7defbcedad41fa298fdcc19692

C:\Users\Admin\AppData\Local\Temp\GgsK.exe

MD5 b2808b343df6357368cb213082ba0232
SHA1 3d387176d481bebd3394c4cb40ce321655109ddd
SHA256 153a7a5d5735047a373c4a148ed4e9560eef592b4e37b4c42a63ad775e5fe21c
SHA512 d736087d7ec21d7240fca7e001be298fe418bee37b066a5f1922937fac23dc83d96e8ce2e500e48aca4c281b27cff4402ea99af8d76025d6a1c1e0519cdcf6e2

C:\Users\Admin\AppData\Local\Temp\aYQK.exe

MD5 59cbc7c4e4fc1b2d790d8357e3922e98
SHA1 7d0b3a713232b6eee30dcb05dfcf39d97885059c
SHA256 c22b8560dd0736f78253d610f23d5775752a70bd7522c6e8386c2faecb082c86
SHA512 4b89804db5d981acf3f0ce3af247f05eecf2ce324fe288496d4f38b67a5b2520fc6d3d0b2f9180819eaad9d4eab5169bee0add94f0e4dc65a35223c50e0c138f

C:\Users\Admin\AppData\Local\Temp\ccoo.exe

MD5 81910edbf5c6f98c54bc6a7613d12ac0
SHA1 bc27b5be9dc53f4b2cbb785119445cc3d4a18dd5
SHA256 7fa647215f126dcc4d0e70094e36146ad9a10525b1bbbd9857b75158e6dcced4
SHA512 620e31d72a714163171acbc2dc40a50b5d2a0264bf5bba09f6f3933391e31e4ef06c6fdfac1dbe58901da6c321300fcf3742b9d10dd477f96761382364976b1a

C:\Users\Admin\AppData\Local\Temp\CQMK.exe

MD5 e0b02b007d4b14200401a4a2667bbe0a
SHA1 4c501296ebd51d984f5ab81fe3c2f8cc004c1cc0
SHA256 441f1eb7465f965ed144cbd1962c6e1c87551cd70e8f85f090b2679f4f31fdf5
SHA512 2a06c4d7f18734720cdcf1b9758b5c56dfaf15826ddd80e10b33997096890d36010d0615550daf94e27e84715eea667e39caecbb358dd369aab8f8520eb80665

C:\Users\Admin\AppData\Local\Temp\UsUw.exe

MD5 e49146c112869250e2c7aee9e783fec3
SHA1 8cd428fc60cf168945f98aab3e38e8149c525f81
SHA256 7c30797e8905d7f84513454c1465bb04badf1661883e034a0cc48b89333138d1
SHA512 ebc9ebd398f7b44ba1d49cc1c11e61b8c5dcccef73b3f0b38099f7cf2bca6c1ea256d843e371322e7e0b1f377db6df5eb504a7e17b59a15f2ed86b6f3a754711

C:\Users\Admin\AppData\Local\Temp\eQwo.exe

MD5 0de42fda6d86dccf24b1fa080a5513cc
SHA1 472170c3e5d96565c307f844bbced8c1983abb73
SHA256 44feafdf55fd9d788619c129c0bc8bd81776b49bd71d042c5c39037b4bdc2c58
SHA512 277483bc2f6e8ce1d0d716af830d55675cf238240bdc0ee25aea2feb7405608df10cae771ac2b1cc865ec2057c61378a2f41b8904e1be5c23223c26b307da7f2

C:\Users\Admin\AppData\Local\Temp\Agcg.exe

MD5 640ac432b7948b500ac5bca5c119b163
SHA1 821189fa8804f2663f05132e34e5e7e8ba55b6d3
SHA256 90a3488a6c6d21118365d629815f7f9106d23adf0d91343e2898c4e9ce8811d1
SHA512 56afd4f3d8d5663c24c4451fb872bad6793682f2665891d821af7eb6508c1d85d78f385173ea619b8e44700729e2341e1440cd4d3d1ccd8fafd7786053f73f39

C:\Users\Admin\AppData\Local\Temp\eUUU.exe

MD5 807475649b79fc9da0a384b6b86646ca
SHA1 6b835c1b49c94380dd5fc3b4da03951415c1198e
SHA256 475366b3399b6b802e84ac17752cf064573540e1277caa97e815bf4add00d3dd
SHA512 315ef0b8cadd70aa95ac026177fd382afa0f73df10cd1e8d3f82cb05007288f59b1ff446790fc4ebcdf1d012c43b331077923dceede7b8b2488062d8a3fca77f

C:\Users\Admin\AppData\Local\Temp\KgoE.exe

MD5 8a6608007a81e3e47b065a3d21a73019
SHA1 46e04d52854566e2aee1c56fe4bbc31c5931e6b6
SHA256 532250337b5eb75423400a5e824758eee4d465d8495fbc89b79a68b91becb3ea
SHA512 723195998265700c6c8c25aa40d80cf38947cb18226372e48dbedcfe232edfc7db6b0c8231bd2bdcd1a03d52c9fc3d0606fd32fb7238c3e74b444ba860910629

C:\Users\Admin\AppData\Local\Temp\gwww.exe

MD5 5123ff7fc4efe563f7a156120513d414
SHA1 fd0139c8c8c8e3b99401f10bb19303274916f1da
SHA256 a0e352624f15a2a33f8a0b0e97941b9fa223ae6f4308933e85b15f5fa969a60a
SHA512 a309a11d067a3d22afcdce35a087cb6c6dc0997e6e75dd38b63ddf51bd4802d9d1eec7cd0b4e4345fc0135d9fa9a91b5f369527004cff354f95934154d5e4985

C:\Users\Admin\AppData\Local\Temp\eEQM.exe

MD5 1ff29ff3eb4ebc69ad7a705008f24fb1
SHA1 a88b87b47fe40e95bf5c2528b81b12505804f38e
SHA256 9d16f2b18305370eaf9726e1b1f4bc72fd19b2faa295df700e0e016459b12204
SHA512 b56887e53dad484438b479868da41e8049a8ddbfc64c6347c1d6b86b361de5362d5a5af938a82aedbae40368ef3d3e89c7255ec17766ff339cf7541b3928f937

C:\Users\Admin\AppData\Local\Temp\cgYQ.exe

MD5 3908ccdd798cfc3124da2a77e19f931a
SHA1 763c223fd7318380f43009f20a13686c209ddd1a
SHA256 f8c75cdc7501c7c9bfac3433aff183670f363a0703ce74ab861ef1faecce20d3
SHA512 54fb7066e1060d68a073a52139aa5d823aecd35f553dfa15fae0dfa5ef98bb6aa917cb50625ccee369c6e65c52ecd23a258adc8659fef3fe2d525f441f81f224

C:\Users\Admin\AppData\Local\Temp\wMQc.exe

MD5 6ee7683fb27160ec69eb2fe85db4f9c2
SHA1 d46172e943d60a402266e815b21788b871ac3005
SHA256 461992507c093b7f2f27f1fa836b8150a077c17c90de3abf59c17200050f887a
SHA512 1f6cf5822f85eea0e5d898950a4290e5801c57965bc197e29fe6cc1d49e59784b14f840ee1cdbd85b7303bc87a4e36589b686195cc595e16bbbd14bbfeef26b5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

MD5 affb493d4224be051ec87d5440764cf9
SHA1 298017e8aebbccd8b76bd01049450f06ebd02f04
SHA256 6031ecc413e06b110358b01a488b7142bcb5cfc5ca37fa45f7bb4ffae3f0d515
SHA512 739709fc4ffbb36adf48c67fe6533c984e6e8c0d88faf3fe44fd342c5ad443ed976bce0d3210b8eb7fef4f10e540363eb2c674aa64cfae621051807fc6d786b7

C:\Users\Admin\AppData\Local\Temp\gQcw.exe

MD5 0ebac7cd0af21f8677370b8433257811
SHA1 da65be7522f3f3da10ba39f5a53431a4d01f5511
SHA256 c2306680b7182e90b3579e85217696accc5d9f3a71f655dcf75abc9613dcb189
SHA512 8851939ce6ef753da89e446ef6f04dae6b731b583a903cbf9c3408ca81b628d8c38148cf1c55b1fa76fd90686d6d6fece683b45c20334c6ab73f90ba9545d879

C:\Users\Admin\AppData\Local\Temp\UMoy.exe

MD5 f60b8af931c693e50fb2a6bbf8ccb7e9
SHA1 4a5feaf1e3265a4ceae8f577d3254ac154fe9264
SHA256 c9b72ddb33fddd4636652b04fff923101d6e172f492c546b04f48a4f31f6f29b
SHA512 6076ef25c5525aff5c4201db661adc83c4a01a52b23bbacea67bdf62373232cb345b1ba8c35af78a52b543c24fd9a35933da9e7a00ec5a7a6918570187bcf16c

C:\Users\Admin\AppData\Local\Temp\oYEU.exe

MD5 40cbe00f542e7c00d0cd2a33bd61876b
SHA1 4c8e7e3d257708a70d33edc145b585c6d7e1d79b
SHA256 b20d66f78480b4517c45aeea83a7a826a89bb9425acd3ea9b6120f1ff5e3d06c
SHA512 9f9c78cdb676ca2035946b81dc8c674080b8abff2e0da9ab5bc39172392e8d77264ee3fc1ff3989fb84acf10236050386997c6b501afb191e38cc8601ca151a3

C:\Users\Admin\AppData\Local\Temp\Scke.exe

MD5 6598d39144870dcc088da21051ccc0fb
SHA1 b8aba4621658bfe0dfa2b1b1faf5dc68fac39f18
SHA256 ec3e0db47ba7bb8891cb35c7cee32a29b6315d0fe59c55e935e1874df1ac89b9
SHA512 5f417e838a19716b22ee9d637c251768e2cfc108efe789ce00e8bcf35d247284c1e7e49c70780b892b995f1ca40b6a35db136c03be9b3993581de9aa274fe6ed

C:\Users\Admin\AppData\Local\Temp\wUMQ.exe

MD5 38eb80e92e8f50b2003f3d934c22cde3
SHA1 6802800b28863efc41fd3bee86aab50819b1efcb
SHA256 a4fd84dfb52b1f51f30cca070e81fd70835817e42be847a9c3cff095b539f7c4
SHA512 e74519f1ce5cafa742df38964bf4f413a309aea0fba1c7e243fbcadf81a4d8cd250be14cef924462ab130468c13851f55bfd64fd1c8eda807793967f3cf7126c

C:\Users\Admin\AppData\Local\Temp\ksAC.exe

MD5 abf63fb03ed6f785dc83e07678a33624
SHA1 251b967518ee451f889cb95a2b59806b32254d41
SHA256 4c784e3fbba26d607f63284ff15d3d4349a0b36b6e9efaa1971d825ce7e806c6
SHA512 aaa91ec4315309d503ac778e510082a7ce569ca7919020dc9da87d2882cf51335e1a0187008ff024eab3b5dd8bc06fac9a9a74fcc777695868f09f5a669a3179

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png.exe

MD5 1a07d130fd5f8ef30ddcc130b04a8696
SHA1 8dc48b53ee6002e6b2f994e0222baf85bcf501ae
SHA256 686712ed079cdb49cd86f742a7f9e2c6e417bda74024b259baa17376414324c6
SHA512 efade4375cc4f5f36096a9eff86b57eb001fe9d1bbea1e7fcdab99ee4f05560dd4f581366eb52300a43e30d8990ba5ac9669404270e90a5145e8f349ec65dc5c

C:\Users\Admin\AppData\Local\Temp\KoIY.exe

MD5 6c736238274eae08e0efed61a1b1e76d
SHA1 f7730562ee09d7bf1869b6cf9204b389f9c98adb
SHA256 21d50b4a7efa05562a9f19dcf44eb6a1b59aa7644ed3dff484371ea35a3ff295
SHA512 1fed4d25d13eba6171810e3a83fa4e7bd4bbcd5447d50df7d7ad9148a57941c3f98f48f19651d84db151f513a92152fbd88267adc2004b375a0351998a1320ae

C:\Users\Admin\AppData\Local\Temp\IQUy.exe

MD5 7f4ecd9adbf0e1d32502133febdb0d70
SHA1 c06a85a41cd92a39880f4e2b1c108d358ff981c3
SHA256 9b7b0d9e5f9c7b81ddc024ec58833d230911c2d864067fe1b6d6b5bf95f1ddbf
SHA512 dff4ffe7f01326744b43b55904601892b479f3beda705e9a1d8b5d46cd93fd8978201f1279afcb5a8d5a6ed4e6e4d80dc1603ce94ec03df00f6fd46935de7f61

C:\Users\Admin\AppData\Local\Temp\GEMM.exe

MD5 1478a7d852fdfd88c3736feab93ae438
SHA1 adf3f42d8ba2ab3e8c91e89260191b35a95f8ffc
SHA256 bacc59537b8ab67dd0a043a75c32bab2d263496903321d091577ad16652f544c
SHA512 d88eef989699c0194bda1f98bfdade0932c016d99e68441df41217bf44df1b8bea5459df0eb31cca298a64c747ef7501b0a303b1180210e0c255a65d2061b55a

C:\Users\Admin\AppData\Local\Temp\CEwC.exe

MD5 a726f0532f43f1bb3b2e7ec7bdad8507
SHA1 6c95e481dc1d82ba765633cd91073835ac038007
SHA256 f4e711c8bd15f8f50bd27a1de9cb8d39b681804b48cc1c825ff3498e999f932d
SHA512 709e1de5f89760a8e15fbfaa82930215cdf08fd55cd9834a697566a364a2a6f06c98556a0141978dec0585dc93901bb5f9b46f59da4398bda8adc129239ff73f

C:\Users\Admin\AppData\Local\Temp\qwck.exe

MD5 9c0d8be291c19b27f5d20055c57b47e6
SHA1 4d82d9786f7b5b69d1cf75b727c20ef77f0e98ed
SHA256 c1b7efae1610154355dd1f0d51cc1bb246298efc9939ed207d45797b6595bb4f
SHA512 03910b69484e1f1bcb0066873c9559ccc2fc9f4f48c11a70bedc05b7e44f88fb4586076a8dfa835fa0ebd1bed83511f679a3318347d6767cee3c6496d4bdd357

C:\Users\Admin\AppData\Local\Temp\MUAs.exe

MD5 36bec80ce16087131254fb9e1a96c934
SHA1 87df6d62dfd1e96c64f42a5eedfe18a3b515c4c4
SHA256 012e7977e8b4d431000b6cfcdc91f6a487798bf9cb15f1b3f918ce47e41321ef
SHA512 04b5a47c1b4265257eba0e2cde4d38c942fc20fc56a4f2cd0a889cc48f8d62a7d7f549de113dbc3403404153c08031fcf80e7b6867eaf35a158317ca5597347d

C:\Users\Admin\AppData\Local\Temp\Qosc.exe

MD5 5a60e132162c379cfe4d657b454fbbe2
SHA1 792731cb5ca825f1547f7d7dc1d07b0a21e43b84
SHA256 eec6ea0c345d616aef0576821b0162e3fe74704f7e90e96adf8ddbd31c82dcfc
SHA512 ad4430fc75b28e211adc9918e549a0e16c11c15044729038a94edd94951a8b791c912ac06ea852a845beab3394009b710775908456582b4fa9290fabd6114142

C:\Users\Admin\AppData\Local\Temp\WEMG.exe

MD5 cb7950b42ed1f922cdf00b7f3e32ce67
SHA1 36e42c3b7949af727be75c37ede7e883ff4fda05
SHA256 9d15ec3a9c07db90f8d349cfebad726f30ebee5bb6180b676a9ccda390426c9c
SHA512 083e058528c751cdc0f7f499b52b29751e0238ccf1e05e0a3d9e3f3d1a5a4acca7e577535810c622c09cfa952882fafc99db1f168d6ac3efe3a80819da7fbdab

C:\Users\Admin\AppData\Local\Temp\IQEi.exe

MD5 18018edc91d6358db49b3fcbce3a3833
SHA1 c8678cd3ad6cd4516a30e0db301e1507b4cbe001
SHA256 73394c2beca735aed1a2a7e219e7a5d1fb9db671b586b324e887206057296240
SHA512 52536af6fb1c51a4e3d54870707a3f45540a3992d79c3ef219ebdf5a64554eda5accbc1178f8ee8990e1c5ed939955a255b7625ff81f8bc15eae9e0cb002ccb1

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-150.png.exe

MD5 f310ae8b1e5fd0658bd7d67f38389b2c
SHA1 0176d201567d781c27a86b37c82a30c6c9ed651c
SHA256 86eb8d45083ee11a5db0c3efe63e0cb3e3db776d229cd5619c089e9d5638ffe2
SHA512 36314a4cdf97cf512a2142f0ab884497d3b44b5c8df1cb1439d3122c64e6d3c929dc034c3c265b578ad1d6548e3db1b68e66d0b8787400698c0cd73f72093491

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-200.png.exe

MD5 67a0e79d8b91412191bdb0804e7d81f4
SHA1 5ac38caf0cd61148a81f922b3a52ec586cbeb4c1
SHA256 9178d1685b850fb5c99ac1d8bcdc491e4bdb0db757ca2955e1b469059157bf83
SHA512 037eef889e8c74ffa075d5d07d490c4d9d4f6b41e3ad05f9f6bfa1c4b5e16c90362620353360095ccf4d4792e78112ede5ca34dd4619d1c9986e9a1c7779b5b2

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 8d2fea5cdd8910f11175bec6a098ece6
SHA1 c6967f92036ee87f854532d35a948c6537ef74f3
SHA256 5f7dbfdd4fab296157867d106346b90f20ee20827d53a57bbe6d3ed5c4d7f9c9
SHA512 1caf169300fbdd8e137d5e85db36ccc3a0eb7d9b05f375558a9e1786747cf8beeeef3721b6a44cd6ff6e001d04f890bba7fb6a93166ca19dad88c47b6e116273

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe

MD5 75315beb5d9679e954ec537ba7816c76
SHA1 aaf2a2874b6e01a7c756a31805f6078c16fe0d47
SHA256 75fcaf6f0973b46d71675be03ca6057d1c387ad471c0fbbda75cfb1312163d9e
SHA512 f5b5bbe5badb3beb734fa660030626df180f4ee3004bfebca7bc294adb928ba0b013c12f996cec420d5bddef1badffb385d28aab302f392dbcd8a7b844ee3877

C:\Users\Admin\AppData\Local\Temp\IcYO.exe

MD5 59221d71dcd37a156f7ae841adbf967b
SHA1 c6691d0340b79579c9560523014dc9d70d940a44
SHA256 07f041a18cb337870470bfd9881826819a03c70a00d97599693382a7795eefe5
SHA512 3bd1a0bd06241875e62a2661fadfc554f9ad05e6a9964563e433de6ce92ea8277fe9bb08d1db2f3f7a6fe7137a744ab4427b81b7a475ce5169b06dd9e2411afa

C:\Users\Admin\AppData\Local\Temp\uoUG.exe

MD5 17507416e0abcfa270bbc0545025b3b7
SHA1 1008a36123a77d08f053d2e1b4f0027b0fdee86b
SHA256 61697eef0bae3a26424d98de4a50c7dd5fef5427264cfeb86a8c1447bbe3314e
SHA512 fefc481305c8e05129c1014cba8c0e141c4beee46df70dddcfbd547c882302d147f785d3b28d184d4a4380d93ff202c771fa4cb19b6b45d5a5e8362cd4b7632f

C:\Users\Admin\AppData\Local\Temp\MUQG.exe

MD5 66b3084c7cd6e1a999fbd1cb98bb6a1e
SHA1 3bfc511b949fc05e6ad4d1c4b2d725f49422c023
SHA256 010adc783da42410f695582321b817d15d2be52fc8f6bbd355b06dd156fc758e
SHA512 ff8ec3235527d451116ebaef62f038e89b219a5ee35b1dadf2a301209ea20110b549c567ff7bde1ef74b7e16a6cd3a7cad3c781e22a6fd64f01bf1bbb040fd31

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

MD5 5b031ce485c6ef69d755e5fb57b689dc
SHA1 dbd0de43deb40d4a4e29529825315cc15d4506f7
SHA256 b4d7e69b4511ac709a5f995e342786ef3adc59ede053b9371302488f7639c586
SHA512 6e1a63aaf1e01f30f747324d300f73c564bf706e62fb6750e8b3693c6f9851dc88db6b6c22ff678dfb57b6754fa01abc64aa92bd0b96bc7d39c1645915de391b

C:\Users\Admin\AppData\Local\Temp\uAga.exe

MD5 890c1e9295e4489687e5da06a1c00d50
SHA1 78f22e551e4d34e36505bb66cf79dd89b2e7984b
SHA256 33638644706aaa27de870c71e6a9cb999648c38572fcac468a788f6051c84076
SHA512 de756c9957d0877a6169584755edbf6577f4e510acb53b305d7c4ed38b90079c85aaeb7da2ab8a70fe2f87ad2b3f618db9d3959d5ea3b8bc1d20a02fba9c68f8

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png.exe

MD5 28b5640a24b20bd955ff09d1b2f20c05
SHA1 515f5ad53a80de20c2d72ff1ff3924c5958653ea
SHA256 63f213c62514fcd30a4b17239b8b9210153aff59c4151622b3816a0d810988da
SHA512 64c5734e79e6d35d0f07175ea1dacb08b13f7cecdd95f78497f41b1574fb4a2f9538ae6e436c0d3548da4cc8a62e7bf0c03e76b341fc802214ece444eda285f7

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png.exe

MD5 f63158ed5d62c81072019fce6a3dd624
SHA1 c47d19cc08dfe605ff24ddb4815081c41acf217e
SHA256 ecd32024c1439f6006052e5338c14b281f12d062e115e7a1cccf80e92bb38e1f
SHA512 357e36ffa10103ab17e75195b13223fecdac5f33e2b60d3aff376f91504922a98cf97c71fdbfadb225b9b19fe1368653235cec086862b2ee62e5bf2dc2e992f1

C:\Users\Admin\AppData\Local\Temp\AUQW.exe

MD5 a9ec2817addeebf6075e89ec5e71de7d
SHA1 f59a39d50b38616f41624da74c7fd3f507aa1700
SHA256 427b92131eaf103bd388f0fb6191f3380b96258eddd4a0f5e3a6ef6bd3390507
SHA512 f03a142540d48926685324bfa8894ba9294ef4390c37937f4904603a287d7f71b4e9037b0a9d67a9e1e85dbe05483416b937f56c6da0bf1f419d68e4954cde21

C:\Users\Admin\AppData\Local\Temp\eYQW.exe

MD5 91ec0a59d3a0c0fec6ecb382dcbb5888
SHA1 31ebd97f52cc4c7b8d1643b65fa28ccb32470434
SHA256 6bc135a555c52ee3ea32308d8d9cd2297c0f22f591ed7def4b45f4a46f9d76d5
SHA512 ca341df3d99041338f3abd033ecf7a532e07f74350debdad24d131da6f3a9bc0b91ff7208649354045b696362ed0b31c06873e1214f89ae4ed78268b6333c14b

C:\Users\Admin\AppData\Local\Temp\mIwK.exe

MD5 70301272395644bcb8bc6c7dfd19aa2b
SHA1 18d7e57b6b73065f49eb70c7c1d12ffee90163a9
SHA256 a54593fe5e79d4b88baf0aefa8a5b7057a11968467af6091dcd23b44205a5ad3
SHA512 80855b89c02dbdd43ff998d171839d8ffa09680ac559a6e9acfaaf3c113159a52bf273b612448485857d967e8cc71cdfa6b5e3568a7cb7810e6fa84312ef452e

C:\Users\Admin\AppData\Local\Temp\KYsS.exe

MD5 ff9a0640fce1a018484f738e5bd9376a
SHA1 970c0c4d861d5f77deb28179f76ac91ebbf39eae
SHA256 bd9fc56892d6677f96c8f1043e822daa6005e716b38a2efb0d0eb53fc3d578d9
SHA512 bc4d130bf663f4d1be08b2a1f8eb4585688985a1adb4fc269c88de701eefc0e613458dc59b61888fa0f8997a75b48c9d24cfd4dd0e9823fb6d75be8c516a002f

C:\Users\Admin\AppData\Local\Temp\kQsA.exe

MD5 5d526437d2de91210c2b7b5d7a6e5814
SHA1 ebb87cfdda2c4dd0e10e11611ffd20f4e9220cec
SHA256 5f964e81e7b8273f07ea4e45ab8a75004f489ab70dd7cba7f172e885f4e02dfe
SHA512 7141a3ad99948a241c0dc893485638f79bf73e90622faa3167dbd28e63a05c987ef9fe8aa95275420601dcefbf3db44e6ef3b9658fa7a988d6b5e0e4d782affb

C:\Users\Admin\AppData\Local\Temp\IMsA.exe

MD5 82751a6e328f150411f3640d9dd9c1f2
SHA1 e64dc9c8edfc8a381b0aa30a043a753199c057c6
SHA256 02afe897cd2add499a4b4ef5ed2965351c3500adb69b8e4d2f9d13ab281e21df
SHA512 73491ea48c163f5800b256ffcf1c8fedfbabe2ef3e1996d605a8e669d53cd82bdea1f8d161c9a6c98c8e479140a581fbc9c3db57f4a031257cb921264a9951c2

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

MD5 f1184a87ee04a70155fcd27008c21a38
SHA1 63c7c406fa2dad68584b8743ec3e5eafe4c19e3d
SHA256 5512d173ccd06efd94f90376a3d017272e3724d0cc7ee0456c494440dfd7d56d
SHA512 3f538edc7e34a4ef2e95e8e3e39c4e52dcfffb09b2b5567c7dc159c8b1239390351882e55e16a22267f65154d58a2be4675ea6bc74084ab2fa51d74e4d852111

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 3c6357b3da7dc24e933ff5ae39ff0934
SHA1 dd6a4f2709a8b029f8bde69de3865d1e9004f09a
SHA256 510edc4452dcb9a9d2c28d6d545733623b7cb82021f8d54ec3cfbde6456a66d4
SHA512 d8098adc3a8fc8bc9914ef71e95dc378818f253174a7cbe1edfb72e399706c582001f7ec26ef6e009e9fbccc1c5b7d3e66a8470661b9b51dc3d4e9c120d81236

C:\Users\Admin\AppData\Local\Temp\EUEa.exe

MD5 ee88e777f383194e7b5f6adc5eced1ff
SHA1 7df9370e46125e0afb8407ccbd4ddc4939df710b
SHA256 778021f2a24dbfda56505fcecfaa816a11ed8f9380f75a991a1b814b4c26e9a8
SHA512 9d985c4b18ffc784da63628cb75bb33c36232dab91b0341de1bdf84a3ff33bc40bf48703388861fa067e392c8bf42ed075c922aa67d3a394161f8389711bb460

C:\Users\Admin\AppData\Local\Temp\AsYI.exe

MD5 060ce866b110b90f897851cc3cabd49a
SHA1 af53444fd2ec63d57f0657ebe91c7e6ba4864aad
SHA256 8edb64531465a8c8cf18497d11954e43b43c206dde081cf9387842772cb75ba1
SHA512 2742194de4d9bb2963863cee97531c1fddcf9758b221e8b49fe6e27ac4f7fb5fb2ab16786f4f2a6755e7e678e8a6e9c0b0f15487d4c1b2eaff4127f958e47678

C:\Users\Admin\AppData\Local\Temp\uowO.exe

MD5 db589d0cca72d464eb384fdb07a0f295
SHA1 6aa0c7fd25d8619b99d198fb6d5ab70cd1d9d059
SHA256 cff8daccd2163fa6fb9492812cf265bead0422194fc8f4833752a5f6071397b2
SHA512 5e2ee69ec0638000c9ebaa00e71d338a993b3698c7afc580ba57322fea80fd0dc2f50944755a4eeb5aa971e1be931ff8a975d73fd851b2e078e851fe5378af8a

C:\Users\Admin\AppData\Local\Temp\skgE.exe

MD5 dc373557f20ea655d8fa0de35c946c37
SHA1 8f4f91e7ce171b31e8f54183d442ee10bb8fb04e
SHA256 3b74b9008ccfe0279a8aa342f24c0498041cba4632aed103972deb1782614632
SHA512 9861758b0e787856501fd65705010db520c1c6765462ccb4e3b25ee14e14ba8f58351a87532c25cfa652672c927c8d3083e36883a3357a6228e4c41b2c34b4a7

C:\Users\Admin\AppData\Local\Temp\EwMY.exe

MD5 668b2b701c08c960dc1f00ed7f9428af
SHA1 849f7ad895f9990e31fe62a0c267703a83eb9642
SHA256 7a40880d0d6efbaec92cb9e06270bf6f774dcfb3daf1a5a15fcf03a692a2ae18
SHA512 42262341a72a18e520ee6541a712c2f37b5875590daecbc1378576353b2f1ff6a998062eba60135b1d26f1aa36c00fe830f846446e464012541ec8fc7f9c54d8

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png.exe

MD5 026a9a04b153c7e365c28b44ffbb727e
SHA1 1ea9a0df70dbe50bac095507799c87fb188a0ac8
SHA256 e6db5f6a24a20100a2b71540895744c4a0d034f5be78bb1f1a8c78d1d56f6564
SHA512 84b18dff9aceacb04ff72aa0fbe61c68fceaba609d45a37aa00925aed00106ce28c712ddebbd1c39dcd5eccf0ac265f69f3fd989bd6c875a5aea1cebd6b1d34b

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png.exe

MD5 a8b435b6e3d6c7db68b440f9721b88f1
SHA1 0885a16243c9da9eb1ac826eef69d696f813d689
SHA256 97217e694be59fb779cf6c002795ce7ec74167ac44adef33518ca07d45b20df3
SHA512 998cbe56dac28fe3cee2d2e779fb10b46c5fec757c867e0ffd398fb010191d13575f9481be3a966d46781c914ee617c984a1d878e9f3cd5722b82fd4e0e22350

C:\Users\Admin\AppData\Local\Temp\CwIE.exe

MD5 27f6bc74aab566d7c2cb2132d62ea1be
SHA1 d5b3381078c581fa0ea7f03638c7c028ed016ff8
SHA256 a381737365ed60d15cb1c8be9cc8c578551c4b67117c837c96f51db96a6ea76c
SHA512 5920917ed288735c46aea9a01543f88463cbb336e5e5e3e4feb6da4bcd7aade0ab1c5850d94e6103fb4c01e95a2eec54ed37d969417eb322428cfea8669ccb2e

C:\Users\Admin\AppData\Local\Temp\SwAe.exe

MD5 75333e0222a63d025b880588712a7996
SHA1 f3dc0877778dd7d1aba5d631c6c579fcfd5469cf
SHA256 f43518608dc657bd658a82abeddf31797504cbe8209e65cfa6baa8fce0db2a81
SHA512 29e42396f6e45318b80a940acedbd338813fa02498222977738c621ced7f5c79645e085e78f43f62e680f781ceb3b479d957163308f366d7dc48384852313dd6

C:\Users\Admin\AppData\Local\Temp\GEQw.exe

MD5 7b8367d71235b46478ceb1049bdc15bb
SHA1 ad99816bae295171af72a6926e238293b5bf4cc7
SHA256 ddacca7c8fd00e327ae41e48a65cf4abf07dfb316ade00dbd71cf54208c3fbfd
SHA512 92dfe41280fac942229648423a22c91bc1e0086fbe79dfa3fb5c640148c675687045572f3003f8c15348ed375f7a5641378787cf4be328d338b33500cb94b5bc

C:\Windows\SysWOW64\shell32.dll.exe

MD5 802c283b2782fa9ef940b8f2431e659e
SHA1 440c4d9b34f58ea8b4fceac43de47cfff070eb50
SHA256 29163912014d5ea41dbecc19971c2b3d8cfe34ef67c289d8a954aea51859cab3
SHA512 a27c32086444485f0667b1d5a41e7634b13a30631cb95b3044a0fbfab19a3ed4ddeb9d8d28d673818c34557eb5d8c2e37919c08263d333992cf8721cd2b5e765

C:\Windows\SysWOW64\shell32.dll.exe

MD5 eb960e1c34c190832a725a4342ca6471
SHA1 5d49603da173bcb6daaca8fd81520b5bfaf59473
SHA256 9d9b0c37c5a05cef99f947f811a4fc004099f3d7a8cd8be6adc0c0b801be75a3
SHA512 b920d9ffd4d6d6778605d77f34f1d92296e50cc9d404ee46326d41dc9123c0719a448a4c8ee6f5638528793781885ea3ece8d385d84e36d4fcfe5826685bc869

C:\Users\Admin\AppData\Local\Temp\UkwI.ico

MD5 d07076334c046eb9c4fdf5ec067b2f99
SHA1 5d411403fed6aec47f892c4eaa1bafcde56c4ea9
SHA256 a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86
SHA512 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

C:\Users\Admin\AppData\Local\Temp\MkMK.exe

MD5 4bcac7e2cb5657a3d2400b23c49607e4
SHA1 faa8557fd201e89ddb676da08bfaf347f36f098b
SHA256 1db7c1414ee8bb44f6a17e9b0f1629cba812a5448cb2108a0f1393a1b31baf4a
SHA512 45ec63b4b1b29fcf05c742c3ebc4c2bc1c8e49e0a78cb38edcde93a4d2f8c0bd52435bd863d660c9a95bf74205b7c40c4657a1681618a8ad33d4ce31cc5caf84

C:\Users\Admin\AppData\Local\Temp\qocc.exe

MD5 b366f9d2989fbfed138fd72f4a1972ff
SHA1 b4a4dbf53968803bd7fdcbedbd627765d5670262
SHA256 08bf3ed78db202aac2763ea2019db41b0eb716284748c04ba9f8549f97e8cdd1
SHA512 65018d603c3579b2520df9ebcf159581b45c240ca25d298526a45468a88d042dcd4e999d0e59c8dda0e46cdbd3d8a5fe33b84f15d093d0e826cb2a2b0e03decf

C:\Users\Admin\AppData\Local\Temp\Ycwy.exe

MD5 8494e2826023132f2783518e22ab0e6a
SHA1 64cea02925bf85965be921b299367a2f6114992f
SHA256 39dc66ecfc17818dba9ce5abce1f3bed9efe0cecf4c23776e506a4b77e93bcf4
SHA512 1c0ab544e8309658f9c3941aee4b40c3baddeaae81f026215d5abd3c7ad8a22f3af7088978693b8d3f6ea3e863c1646e530c84556887f82b04bc068560b30374

C:\Users\Admin\AppData\Local\Temp\uAAS.exe

MD5 4def0ca4fc3e66d5867223abe4146157
SHA1 88bb503424c1cfcf5ce72d240dae4b3b5125a583
SHA256 c4fb1b93a99b963f7d5df084df5f7f32bb0b2fcc00213c26c29205b73115a348
SHA512 47553c57c8ff3837b0d1e61a228e8856463c8d58b40d53208f81d407dfb1ce7163ae4748d4ff3e469e50592d9cf54830cddd99b80a911a6f7583d8614ca2ffbb

C:\Users\Admin\AppData\Local\Temp\oIAI.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\Downloads\GrantUninstall.mp3.exe

MD5 bb9a976ed5b1c52055e681ce70f275d5
SHA1 071618c826cd9fd52a4b5b26b4a0d84aef9dbe25
SHA256 4c2150c734e923131f1e6bd000c9c4cc9529fba467d40969529fe4513a73029e
SHA512 cf26316e0e4b373390dc5225b3d9e0b08457b3a49a149049701c8bf4409325be43762a6e128985240c304d1a227a535ba723d2d4b280581ab955e57d9b6a5a17

C:\Users\Admin\AppData\Local\Temp\iYoc.exe

MD5 004890b00a3c57bfd79656bb1d68b44f
SHA1 cebbb611c53c35928f2df56365a8ce0535a391d0
SHA256 d4dd56a63cade6a881015ccef7233d200296b06e459377b8f9c2df8d36ab4a02
SHA512 5d8523bd67177553c7ce3bb7cfe725c33dc6e6a7a04e5ffbae5da646796f597f0b85239a4fb45100200b6017c461a2e3a158260767bad7d8762f3c3bb089c0af

C:\Users\Admin\AppData\Local\Temp\qQkq.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\Music\DisconnectSwitch.gif.exe

MD5 8e7d7b113e2a5d5886f09c6ef22bc906
SHA1 36b05ee329405aa4d9825f86fd345bf2c0b98702
SHA256 594647cbed5ae405fcc56456c6cbe40df4c7147ca524a4b002d6c55f8c6e5447
SHA512 03501e564f30300c669def101ab998dce09dc529be42a1f93a0e43cd9aba125c0b6bb46c3dfdd829e36f1d944d59e9bc701f4bfd856251daf3d5ebe6b87dfdb1

C:\Users\Admin\AppData\Local\Temp\QAUa.exe

MD5 b3b14250ed6e21da573768bc9313dfb0
SHA1 eeadbb38eaeae5a2bf65499ede213733f691b57b
SHA256 25228751488b35a70f5b56c3fbe598c7b6cfe2e8d07268be09add4db0080858d
SHA512 f8780a66c339e8d877f27673bcf056b969028c370611531d66c58a1f4c0f86895c5d00f4df9da400af67ed0b08c156c9a8f8ab4ddd819e8d0536cfcdc79399f9

C:\Users\Admin\Music\StopDisable.wma.exe

MD5 281e2fbbb997726c612a25d31507c7b9
SHA1 69469ba30e38206e8d26fc7f412368a92171a5e4
SHA256 966beb8dc501008389a1f436e55b42ca0c2915d736215bb9d26f3f074e171aaf
SHA512 927f8eabb24098bb65951d88232ef987832fc07c646f0cd8706ec6dc41d97baf3bad7c59599d0c73d8c391191e030a320a193ed627bb8d60d7616361b33ed7d2

C:\Users\Admin\AppData\Local\Temp\OUkG.exe

MD5 ef011f2d76cd987255beb18bcf7e7b74
SHA1 6f6aed484a3c6202d8467dd8964a82300e6d85d1
SHA256 4549d47ded2a39f29b6f96e4f0bc9ddc51eb671d5e6c4dad2d77e65c6ae454c0
SHA512 6517edd672a8410edd4758ddaff1f3b032a8acf26d95efc3ed39b422c62ef5b19ea13a38b1f43f3df2692beebfe587b064eaf990d3d2c528d5637b39a53bd28a

C:\Users\Admin\AppData\Local\Temp\eEAA.exe

MD5 6eef8310227c935194885e9b0ad4b610
SHA1 1dbffe4693491f0d6963feb71766c19f7dac158c
SHA256 8d3ea9826a58a68cc2316c91a8621a25cea5221694348d165b152de6b6186486
SHA512 cc8ae4065f26fd46f250429893fc4fc7825975a4ec328ef199065616e866fe99aea288fa539d56cf65a6bb5495bdc23c020af59ce55f6b172540f3940c35363d

C:\Users\Admin\AppData\Local\Temp\GYgS.exe

MD5 ac800096f254a3b828f149a7445e212b
SHA1 193e33408593f750343b3505f25c791ed1b7d2cd
SHA256 03e7948a5b66fd5bbbd9b2b811f845361359bcfb6f6ae62bcffaa64a55b17bbe
SHA512 2f9debeccdbe3511481b7d7324bfb83d168ddd423b9896f8a59a508d2ee3287832552bfdb300e9e05df4d11e0d5c78c281abcbf8c4b105e33f3af34381a2b306

C:\Users\Admin\AppData\Local\Temp\mAce.exe

MD5 6b22509e243ef8790570046652fe8d7c
SHA1 aec4c71dcd86efb67b7b9231968e4fdd5c0fbd82
SHA256 f2c9ce446e7e065373fb8192d5904783e8af025d7f18419a42a3bc36f15d403d
SHA512 fddfbfa80f5eae07488956ca04b10336a07a141318deeb0e45ed64c7bb6e00f45b95a00be754733c6921421b18439d19fb846f842e3a3c175278d5a822a99c34

C:\Users\Admin\AppData\Local\Temp\Ywgi.exe

MD5 78c3ca20f5956667687f9a0d193d7297
SHA1 71d8fb97efa6482379302fd5e785b989c8fb8303
SHA256 398574569350d956a2bb80f1e57188805627ad4503087394676163c80ab8be6a
SHA512 89791c8c0b807299ff1b074f1717b2ef7c6873a5a5974e99165564a181c20ee03ed6e501aa74f68f6459978edcdbd8b445533b624b98e5f6505261c6f636e375

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 59992a67074d25f1d37cb1ddfe3cd95c
SHA1 3d58c058561cbbfb8e4f706ac17b5825ceb08a85
SHA256 114ed41f2a754b9a0c890f9b0dfc7db7fb5fa445f4a7bd7782f3b984a261e939
SHA512 bbe9c3ddeeee92b19f7bf51f691de53e4f5975d389cbb68a83b9ed29f8fe35a642866ad37252e3ebf4e27a37009a9834300fc51267ee17e274c716fdf109f6b4

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 020ee36c7fdd8067aa806078047b4c4d
SHA1 19aaab0876906e53ba759684bcc6f95807185b17
SHA256 59d6bf8d75d62384858fddb70451865d3c541f26152fdeaca9b5ff7bc109dc14
SHA512 9b35941d48e45ac81fb9531fb2e6df2d630bd6e971e5d0839982c7eaaade5820ebf6c70464d37cc9ac41a457eb64f1ec277935cc43460b497ef62e0536a554a7

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 fc0a1acfff440c8814c4c800f3c048a8
SHA1 5035f7b9a84703e6b872fc6d61f035ad738359dd
SHA256 b095cc37ab999da0afb26f588d507d12ad253e9d9b5d92f79a0d2b7d6c54e8e2
SHA512 19e0b7547274d5fd0f4afd65b80a8e6205cf1b22d12b09f8e94ea36b010e901aee08c752b8326e047e0f3c3198c22ec01caaef3e5fa4a66cb6e645684158f1a8

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 80f926c2e78655f299eb680396e2bd59
SHA1 81ae292967369b3ef9d1dc1ff007071cd1172918
SHA256 e863363d157a531fc3110bffefb9208827e33cb9ec3a3c1033b51966dcd6fa9b
SHA512 95627cb1d1fc1c71a640fa41b1a6338cac851e2117f9b4c8f798bee7b36b745ad3ced90b229cbff6354ce64ada40b204e7030a21af5610df3122f992a2c6cd47

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 145098d23bac2c746b17ccc11ea78b01
SHA1 159a67247c7e0ee809a58949a2a73162aba7da0c
SHA256 7c2675b50cc14773beb56710c878a98676cda2237e13a430d7b34cbb7ae9e639
SHA512 2dabd2ca29d5238710fcbd2300a829a12b7077b2239716c43c48acacfe505d44d40a58fe98689b10b6609e199cf716452c75903ab9a09e0fbb47f041f290cdab

C:\Users\Admin\AppData\Local\Temp\iEgC.exe

MD5 7a1e4c25616aa830b302fddf84bc31ab
SHA1 bd6805d28244f7fec46c165b6ca10b0468c01350
SHA256 8198a234b383b8ac8a82f5f51396e90abd7fb78f9bec2822942b6d0fbc35b393
SHA512 013c91fa67634eb0468d64badd12c9e5faa08acb1e5831d89528fc0333df3861c8e6852c72b1865686c18b64601947fc941c6c78d6e7b595ce9cfd2d5901ea9a

memory/3048-2099-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3524-2100-0x0000000000400000-0x000000000041D000-memory.dmp