Malware Analysis Report

2024-11-13 14:01

Sample ID 240407-3cqn9shg44
Target 2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
SHA256 9088d6a1546ddfe83f0ddd30995a7fac08ee96ead9cb948761e272ee80ec260c
Tags
evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9088d6a1546ddfe83f0ddd30995a7fac08ee96ead9cb948761e272ee80ec260c

Threat Level: Known bad

The file 2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (88) files with added filename extension

Checks computer location settings

Deletes itself

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies registry key

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:22

Reported

2024-04-07 23:24

Platform

win7-20240221-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\ProgramData\ZeQookMg\mIUkEMcE.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kkkIogQU.exe = "C:\\ProgramData\\ViAssEMI\\kkkIogQU.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\BAIgUMUk.exe = "C:\\Users\\Admin\\bQcEkQIQ\\BAIgUMUk.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mIUkEMcE.exe = "C:\\ProgramData\\ZeQookMg\\mIUkEMcE.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mIUkEMcE.exe = "C:\\ProgramData\\ZeQookMg\\mIUkEMcE.exe" C:\ProgramData\ZeQookMg\mIUkEMcE.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\BAIgUMUk.exe = "C:\\Users\\Admin\\bQcEkQIQ\\BAIgUMUk.exe" C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiUAkssw.exe = "C:\\Users\\Admin\\SSsAUQIk\\jiUAkssw.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A
N/A N/A C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe
PID 2088 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe
PID 2088 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe
PID 2088 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe
PID 2088 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\ProgramData\ZeQookMg\mIUkEMcE.exe
PID 2088 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\ProgramData\ZeQookMg\mIUkEMcE.exe
PID 2088 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\ProgramData\ZeQookMg\mIUkEMcE.exe
PID 2088 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\ProgramData\ZeQookMg\mIUkEMcE.exe
PID 2088 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2088 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2088 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2088 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2088 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2088 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2088 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2088 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2088 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2088 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2088 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2088 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2088 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
PID 2656 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
PID 2656 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
PID 2656 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
PID 2564 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2564 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2564 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2564 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2588 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
PID 2244 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
PID 2244 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
PID 2244 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
PID 2588 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2588 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2588 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2588 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2588 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2588 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2588 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2588 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2588 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2588 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2588 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2588 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2588 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2864 wrote to memory of 304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2864 wrote to memory of 304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2864 wrote to memory of 304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe"

C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe

"C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe"

C:\ProgramData\ZeQookMg\mIUkEMcE.exe

"C:\ProgramData\ZeQookMg\mIUkEMcE.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ekcgsIQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TWgEQEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\koksoUIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wIogsUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aIUYAEgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iCUsAEsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\SSsAUQIk\jiUAkssw.exe

"C:\Users\Admin\SSsAUQIk\jiUAkssw.exe"

C:\ProgramData\ViAssEMI\kkkIogQU.exe

"C:\ProgramData\ViAssEMI\kkkIogQU.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 36

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 36

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LMYwogsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ceIYQggQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vGIsEMUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nAMsUoUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wmkMAckQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lYYkIIIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hkcoksEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KcgsMYUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yMEYAsMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VQoowAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zeEUQYIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kSwQcsMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country  Destination           Domain      Proto
BO       200.87.164.69:9999                tcp
BO       200.87.164.69:9999                tcp
US       8.8.8.8:53            google.com  udp
US       8.8.8.8:53            google.com  udp
DE       142.250.186.46:80     google.com  tcp
DE       142.250.186.46:80     google.com  tcp
BO       200.119.204.12:9999               tcp
BO       200.119.204.12:9999               tcp
BO       190.186.45.170:9999               tcp
BO       190.186.45.170:9999               tcp

Files

SHA256 37b458dfe7c8db2d91529af4f27ae26c84087e1a17358bb2e798dfa784f7f5a3
SHA512 ab28f5ccfc16742d0eccc720d8983f596c5e8413aeac32999debb49b80624b7160d700770ce195a614bf0e2d79038c9e7d50859591830f0fc57086bba787556a

C:\Users\Admin\AppData\Local\Temp\aIgm.exe

MD5 2de0bb81783d019ab84afd2e128323b7
SHA1 97579f19d32e8759fc9e08cd584d044dc4341517
SHA256 51433d00c3a318fa99eb496db2e10160c89c25ed7fac83e55b9fc275669572ef
SHA512 fc473c54d61ad047db98775a384158548f9e4d60d332504616bbc505a076c20525edc4dd64a0f2dc480b7320cfd34baff7a4ad006ffa45d84ce31a68d9cae178

C:\Users\Admin\AppData\Local\Temp\Jkwa.exe

MD5 e076ccbe5c3f45eea8cc738a84326d89
SHA1 4923e19e0f32d29f01364101282f4cf5555b3dd7
SHA256 d9469c5ad01fe5481b860a38fe689c96a7b3af2deea5101af637a27d7d62e765
SHA512 f62ad0d379ef6f5b86a703017f9705ed7792e10d27c09ab51597e2ef142eab7e3315a7be5f1a0a916df2e3bcb5162440e46bc55f8c4f43a25ce1017c6d86b64b

C:\Users\Admin\AppData\Local\Temp\OQAk.exe

MD5 5ecc522bf1b4825695a259e455ffa4fe
SHA1 738d81442b3d2c525d575ee9464bff58a4cc8f74
SHA256 e15d858cd3ed1b8a8eb952cd1f0f66cef1d5a0a78bd01d0c4f63b1202a81f9c1
SHA512 d8163760cfbb5be19324fa4aea7d79b599769e3dececcaa9efbd6cb1013ecc0dfaeb716c2e2692ceaedfd5d75741346e8e6e8f486c19ba9c1cc7f5339c1520d1

C:\Users\Admin\AppData\Local\Temp\sEwq.exe

MD5 d11f55fa98dd6f7bb3c7479768472547
SHA1 db1778de943e4ae98f3de5554c89aa0cd85bbba6
SHA256 9e821d32ca88651bf7a52a668efca84962a84ba7914c76ae4f572b10ee228387
SHA512 342cb5d8a8c0dd4d6b8c684d0deff0a937a9dc737fe0e6d3389623a031e4babadcd49289b6e187693d4ba88fda3d377cf12b70c0e053da4680eb8e7300a0e193

C:\Users\Admin\AppData\Local\Temp\MEog.exe

MD5 fd8ddd6e12c58a6be153583a585077c8
SHA1 40dd778f92fbb4649c1449c9b21fb477c0aa054a
SHA256 d032cc5b427a81b54d45b75ab70a5c192262c43145ddaeee24c219701d47c764
SHA512 888018cc252dc007fc72354908813d704a396e7b6d706346a3968549f0ce855d9e00c491a4b581871f53c4b9c7ec0c2511d95aac122eabe6954324cd55e35802

C:\Users\Admin\AppData\Local\Temp\fMYU.exe

MD5 5194e4cb79432644970abba9cb80d043
SHA1 26d5507a5aca6117d0040a069648bd48c766c3c6
SHA256 e16e90dd3753ef8e8bfdff9bb0814c7b2988b2d5cc3c8e385048c453063fd3bc
SHA512 e720beb9e505decc4178b2aefef5d8b6a0bbde2c551244b0e689b8d599c28e29eaf3cdc97884a7bfcd44be183c6150c1cdd442badcfd05f500757b9b7c0c80f5

C:\Users\Admin\AppData\Local\Temp\Hksa.exe

MD5 ba7e1bea0828af3290223458756d8fa3
SHA1 c02c34cf1102c875a6599fd28645b70f9909ad92
SHA256 e59eb4a9719163953d6a4d125c0b36a492471f5916bac10ba050f15d9f2d46fe
SHA512 46cf3fd5eb5dc1c7e8aa31cd144d57b9ea4be6f299ae4ba7f3995e281288019f4113dd6ea5eae1fffe17e87e3cb4efeea88dc2927987956fdaa84167ebb1dd91

C:\Users\Admin\AppData\Local\Temp\TYAk.exe

MD5 e7edf35c2acce78e36c20c8a0294f0cf
SHA1 7b67de0b8f805366560d3d1a43b54d80fee286c7
SHA256 75357eb6ae51eca6dcce7ec58d2c3eb7ed283f68128c2dca22d41ad94dd9b7ec
SHA512 eee6f9ecca10cf03694ca1830dfb344bb6d00789dd0f8f24320fee88ee1531eac992ec7146ed4dc4f01d626ee731917f651d24cafc7456074916fbfde5c479ca

C:\Users\Admin\AppData\Local\Temp\gksU.exe

MD5 5fa02074594a3f2b86daaf2fbf19c021
SHA1 b079178d215c7b692dba077b97aa7c5c72be7481
SHA256 8ac48cc8bcccb95ea8c67052ba25e877fa2771158b4144d204f4af9ed96a427b
SHA512 5e7679150e083c19d15c362e40e59835a26b0e38caef9e9d54632beeadb4cced771d669334c4a98f5bdcaa1b449bacd656ec69a02cf109df87e141bed415436f

C:\Users\Admin\AppData\Local\Temp\cUAW.exe

MD5 39828c92ce90bc4d1cf03fcd503136da
SHA1 fbbe8bbbbd0b653a00812e67040ddfee1fcaee12
SHA256 2c6c0c43cc1b4724978ff6094100754367d9f5c1548cf7f970292ea59aa8244a
SHA512 bfe59c35155f3073c03b3f54aca23a347bc96f931345149ce05bb53038e05f871e2e6db5af1a7e5c7eee04e733a1ff9683eb2851b9cd0050f2e27eb45e342f84

C:\Users\Admin\AppData\Local\Temp\fkwc.exe

MD5 5002cb189117e41b16efb5e1b803a3e3
SHA1 769c5f2ffa29e6de01b6f42fb15748a71ea1baf8
SHA256 e9de62088b9846a540fdfbb5018ab06f5ce03e698abaf07b035ae6410018a2e7
SHA512 a5aeafbc206b786413a1f7497b276efc2580f8a18cabc2adc173e4abe1f95059f1bcc6f8d7b5f0cfd8ed77ae85bd21871ee8ce6cd8efc649e8552c5ddbf28c49

C:\Users\Admin\AppData\Local\Temp\ygYY.exe

MD5 c8dfe65d53697b98c0dda434a7814dfc
SHA1 c6e5d53b7a5a9f0ed1df73d0b746a86c5b2ac6e5
SHA256 42485f9350c468380bf6b67d9e710241470eb2ded6e8f59da28bfc92bf627f18
SHA512 d875a14b217da15e539102eb3ea086744914626d3271f9348c0cd08cbefbcb5c527dcd51fa0314606b404a68aa2a673e2eb516b62ace37167d70adc1bfaaf9f0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 819e8aa83b5f499919e6ada08fc5cf5e
SHA1 455342e159fc4dcae10b19ad1c86b34e9ea847ec
SHA256 cb4d205a7f19afbc9ea65d2bf8a8483b5d03a62cbfeb99711519261492ee0a1f
SHA512 30fb09e8c70a35973360cbaf65a73a5557edf81dd5179ff7853ed540f5bda634bf401a76596a4d386fb821e508ac48e3933931a697d5a27535eb217ece805f20

C:\Users\Admin\AppData\Local\Temp\VskC.exe

MD5 6882162d36cf87550030d3b9411bb4d1
SHA1 4c986dd2b35ac6233a00581c5c4c2e9c18100cef
SHA256 721eb05652c192985cb8af3ccc6f4e6654979417fe2c6f8bb91bfbf7530203be
SHA512 a688a50f280bcf79a504f5eeb752247071bacd1e46b785f5d92f58e737d612c22b77853d35da9b39d554fa2a69352112b7f1f091d5c7cf886926ea2793d653d3

C:\Users\Admin\AppData\Local\Temp\bkoE.exe

MD5 af33531d3a938795532431dae96a079c
SHA1 975778a0bbc601adefdeaa7fbb3058cf04017076
SHA256 8c2b66b97350b31932bbac753b939a39a4ce7509aea56f1def3802e1d68b5075
SHA512 2b9ad9a744e73aa92cd52b2c1505d6bb0b0499f191d4528a396d61872ae67968c92b73c884461c3982601a8019e464a4c5775fede3c99b43369e3d18acc193b7

C:\Users\Admin\AppData\Local\Temp\hsUu.exe

MD5 5c22efaf0d8723d0f0b50560881139df
SHA1 4a124c21b34e428a35df0355b7adb6bb38385d4d
SHA256 cb0fc3c1f74ab1dc40e2a26cec23039ed870f98db9129da2aa2d2531249a4f56
SHA512 c20bf9dc03d3445d68b099047cd9632d349d879272e350eec627f3c0f91e35bf6bee444d33aab2446b0d4fb48ea1ad164975003cdd3eb3471fde1fd9fd8917d9

C:\Users\Admin\AppData\Local\Temp\TkgC.exe

MD5 89f77dd2a26e7128f9e745c9546fdf8e
SHA1 e2cb3d45294127d12e7ca29bafa22397c2035ad1
SHA256 e163307d984ecd69adbf6b3ec01d938f62db53d4a71b67881dcdc657e691d06e
SHA512 6eab03248031cef75dac9e1f439c7eb2d6df2cbe1f4b7a22330687585dc936342857188e9f508a51fa903e286adfca4ce85a292194ef0770596573a612737e43

C:\Users\Admin\AppData\Local\Temp\Ogse.exe

MD5 50ea412ae78a26319fa52f59f56b4372
SHA1 276aa5c064b6dcfe098e8138afd43770adb90e3b
SHA256 97b56c87d6170ba0c583ad05a160f5ff5c705da8958e55a14d947e36959e1b9e
SHA512 04e05471fc3044f32375ee748829115b8f7897062c0e219bb55344e2697f200db46d717698ac60ef3307805757d6aa92d8fd6c0e79cdea78e150b42572226aa9

C:\Users\Admin\AppData\Local\Temp\Iwgo.exe

MD5 25c18c577a59dd3f9078bb0ba78d097c
SHA1 93c84bfed97224f64318d010f25425b095550dab
SHA256 699db47dc11a7ead03ead46a6e02004184a5b6e150fbc532f495d72efcb0cab6
SHA512 13d7551006b2029637acc746a37d7d5b0e4404dd35ca26f218d755a4467976532f5b2c98eb6f37c62696c58de62b7503206202082be7be9b61dd99ac8d5c881d

C:\Users\Admin\AppData\Local\Temp\dUgg.exe

MD5 b7fb6198c460c4448dc32ea316f842fd
SHA1 f73ce6d633c24f6c06d9ef3e81e4b559afb059d8
SHA256 9a01c8bb04eafdb2eb118b632734f07ff36ba954984c830aa255d72b0a4ca613
SHA512 45127715e3b8711331c686e79dd152f7a1c84925a3bddaff2d0453fcc2307cffa639b3d354c1a08bf6c376981e226fe876f66163a5a52f4a192b5dcf5fda0eac

C:\Users\Admin\AppData\Local\Temp\EQwI.exe

MD5 c49c6928c7e7140aa96cfafc3ad84e79
SHA1 189ca4e49dad7687b6d1dc3eb887c2a35d287e6c
SHA256 af3709ec19b0b24eb7244429c24aaa9d27e28569dcc5843a7853d0ad07908489
SHA512 f2085caf6b73e7379b6646df3c86814b9885f3e51a774bcfd952622a31b3857980f862014307dcc1d4d14e56b6d8465626636a097783a93c396baeaedf9e63d3

C:\Users\Admin\AppData\Local\Temp\YsMu.exe

MD5 58284e7f1704d942efb5cba175bc4efb
SHA1 b8745056ca34d7274862bceed64a88d02a72c9b7
SHA256 c6be0c023b2d8aac745800ed2a4f51d84c7fc786f17420499adf328b81eb2ffd
SHA512 71b5bbe4f1158f6d0453add3b88829c706cd622d2abc1cad4066ad5a92491eeda8d1d40f87be026e3334dbf4be9626b6a06c992ef78f76b699f36c1abd13e7dd

C:\Users\Admin\AppData\Local\Temp\gYEq.exe

MD5 4ac1689e350b1100c1b8f00b938c2073
SHA1 b9bfba123a68ee49df41fbc6c2ab73c7145243ac
SHA256 0b18c9b440df0f5b8537457bfe69c5ce22c77c0de70cf3e426232d071df1c335
SHA512 668801eddfeea6d7f4209e22550e7b63a5d64401ad68adf03409f4af8af2bf10d65c1d28ce3e81877f1ca698bb9e203a860063a4275c77c87ddd0c7541b192de

C:\Users\Admin\AppData\Local\Temp\wwIm.exe

MD5 215f4ffe944b6cf1f23e6e8af5bbedf1
SHA1 3e52492440c85bed9494e131b89660c8dbd3a035
SHA256 0c0cb863121a7ffd627917ef22200aa54fcb826a6ee363b6dc829e748bd4b105
SHA512 565e1174b9131d145d4b81dc35ba0d84659b32aaa650104156eb274a56e09868cde621e6d80f39c591e9b022242a63f8582e711c176f262eae8b5e03076798e7

C:\Users\Admin\AppData\Local\Temp\vYkK.exe

MD5 392f11c071c407a8781072b7bdfb518d
SHA1 7837ff9fc38d39e2fbedc7418226d7651b4725fa
SHA256 b056110f64fd692133d37475135913e064f6f30204bc9591357ee1bb92ed72d9
SHA512 73d487b65331ecd5340cd337e349d6124b0d2332de53ed640eab80c31fd5d737036dfa5c882ad1685f897b17f984739b2ae0c1f6d9c7964dbb824769c919fbad

C:\Users\Admin\AppData\Local\Temp\AAQu.exe

MD5 d71543b827485ddb1978e1212de4ef6e
SHA1 7a3930171a5e8120a74a5abeeaffeb11671fa18b
SHA256 a0088bd716b4ac49556b87b611bacb0e6fd2344c7d7df0ea8c1ddd7fc682b210
SHA512 81c7529e0a7d090ab613322599d0284faa5f271b296a0f227bfd0b3f635f3723c2f7c022d115e32fc19fab34fcd1477c18062bd57a6bd279d6b915e5cbe67688

\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 1191ba2a9908ee79c0220221233e850a
SHA1 f2acd26b864b38821ba3637f8f701b8ba19c434f
SHA256 4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d
SHA512 da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

C:\Users\Admin\AppData\Local\Temp\xggQ.exe

MD5 382b4c0d2834f2618825bc41979b2e74
SHA1 aca21dcf73ea7621f2d73ba4080b3d2848ce4428
SHA256 e8771dabfc08c67dd8ec39b78e61c91f14ab99b4d4464018e90898a8b4e26744
SHA512 7764a446c80d48d7640a6e5b098c07bbb80e21f9a1d0a2ad430a3d0b9c47de008176804d99efa62e51c875a28fc56e989d26e69eca76d7f77eabf28b1be8110f

C:\Users\Admin\AppData\Local\Temp\SIwG.exe

MD5 6c1fa789b7f2f978b9a2430d7c432c92
SHA1 2064b0f41f8ce546ce3596cb23449eb7b4be5ffa
SHA256 f1247a0ad4049dc0dae06639c987cc9cb72f1695120c2f695166d395c0b94f9e
SHA512 d6346c16dbf4d68a0e20a40688742ec61c1300f193a1170dec73503676e911934ae7dbbfad5e042a67ea4de09c7d7f831e5be064857c2a611d964c8f487384ed

\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 a9993e4a107abf84e456b796c65a9899
SHA1 5852b1acacd33118bce4c46348ee6c5aa7ad12eb
SHA256 dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc
SHA512 d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

C:\Users\Admin\AppData\Local\Temp\BIge.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\WsgS.exe

MD5 5388e7fae8d4179ac0391c9416f8548a
SHA1 da40d680ef09137ba3c5f1e593a36795ced3be42
SHA256 30eaf57d0c63fca668fd18c394a81dadafab4467fb1984daa87308f9a0ba2cfe
SHA512 6cc367519c670fd8b920f310d3f2c68d0aafc30006c86399c1cb12b69233ef281d1e4dfa4c80d967dd0421a72d50f3347a7bc3a66f818a60670626cff8be4194

C:\Users\Admin\AppData\Local\Temp\tcoI.exe

MD5 8b814b5a0c23b36005a0014091c1d80d
SHA1 0f8962d07fb4f91302cbffa7211a59a5eaf92346
SHA256 1eb8b703cf93d455e18250d87eee50b51df2d0fb47348ae8673253fdd0934a3b
SHA512 dfbf59857dab2ca3b25734a9795f67653119a4e4e89bbb222b9657e6aa425eefbce359d113cade36ac04dc2fb99599ad1bc7a883075ad660d4a6b848b5a7b334

C:\Users\Admin\AppData\Local\Temp\CowK.exe

MD5 680790ba9f35c374061e1d7b7ac385b8
SHA1 b8e1aa451d4b00c228a06e44bd0b1ae67debf4ac
SHA256 4b431042750a745912564573631c85852f4298ddee1b83f6d2bddd5d2036ff2d
SHA512 93ce88e1d44280096ab4a852cc4711844f35fd4b82e90a3aa991dfab02192e669ba6fde7ee5dbc69bd4ac8bb1cdc70530fb54aa645c4037fc31de34e02398a1e

C:\Users\Admin\AppData\Local\Temp\HAAw.exe

MD5 7c0b8c7d3a14047aff4a98a87504670a
SHA1 5e13382d9bb04ca32928bbdb68d98a30fb25ed81
SHA256 72cb6d031f1c35e961a8ed1565463c227afa97ede492447d65ec88bf8840d847
SHA512 41d04ad106df4bba7ebca2f2cab551ef628bbb2af728f9397d7e9b9055ba7285533c61232ae6b06e42d94fdd2a91eb4186c5d7132028f361216a5ba15480aee2

C:\Users\Admin\Desktop\FormatUndo.bmp.exe

MD5 9baeec01dde3a5d41cd1794d86bd3ef1
SHA1 ce7bc7a326c586b8ecae2cccd3d9b2a3536e9bc6
SHA256 7361e79711f0bd797b934dc8b5958d073fe476312226b98faed60ef907e49bcd
SHA512 b1fbfc7223f1ad76d2c9d53c6af14372b5b92784e5dc5d6c4ea0cc569c9be3bf3d022ca2a7b66ac19d20feb57ff188e41307c0df5cebeddf70ce9be7cbfd4dec

C:\Users\Admin\AppData\Local\Temp\fwUU.exe

MD5 d523cd5703f6227f98ac8b464f9d0272
SHA1 179b087d4cbc2149ed375acd42bf147c85460c86
SHA256 62885205f4b4ada5e3b08d885703bbe0a98799ed0435bb034637cfe174ce0520
SHA512 cdfa0b3b6c1c3d684aea815f3d434d6ebe935f023e6ab4e3353e8a841a851679016af35cb16c7b2c4fba645bdb1a51e52d95d4da5c5df2c7b1418b3cae59598c

C:\Users\Admin\Documents\WaitFormat.pdf.exe

MD5 6256a784a7fe3aaf524fc09fe52e7003
SHA1 7d9cea05a633d93c02e2685e471db44578a0de4b
SHA256 7325e39fb1de81a41e4545431d2764e2495d4c4617fbccebe586520c88d18713
SHA512 d6964cafc50c3f77eecd2f6b151aecca81eae7fabe0f4391e7c2395175ef905def5f93eee34e116c002a2324b53e7bb8720ce4298b98c7fb1cf1d50e45c3ffdf

C:\Users\Admin\AppData\Local\Temp\oMQU.exe

MD5 ee0ba3da6fc8a3cbf62a33a68367c35f
SHA1 4523b9ee4380c087a19a3bb2b51b6bcbe1e96543
SHA256 799e9e0c47ff7dd4f4f3c8810b0141a9728bdd744fe799f5f625ae0c357bcf17
SHA512 2bd55194547a5734f2a2d1518ab566a0cd798fa3ba003c025671e37193e4ae16369e1e33c95d2ef56df29bb812861094f3ec5e32fa226e4848b0674adefcafe7

C:\Users\Admin\AppData\Local\Temp\KcMK.exe

MD5 9f87a66a6d7aae9b6d1db166858406bc
SHA1 b64bf96c7a4075b1225cf19b62bebf1e88c19f22
SHA256 217ac485cf554aac486681a85306f53eac5c88d3124fadaee9ae0aa7c54c6dd8
SHA512 0250cb10e5ee2667d3ecaa1c9a254a159c7d0ba80aca34273ef8cbe7619bf6117363b5c221dcf09c57e7040e87a0c7cb808104a976c1d1be657e7c91fb201e96

C:\Users\Admin\AppData\Local\Temp\sAcS.exe

MD5 30b24f63d4aeb4bc0e3006f12d644341
SHA1 79ff9e1043815cc780c4c2e132c81b9ba310b7b6
SHA256 06ee33400ac0f3909dd858691f5c34478037b1e4223d5d4e4092b79dff28a6e8
SHA512 c6a8d8263150d1f00df484c6d125ce0c8f8291aa5d8a569fb204894b1667aaf7666a0014e5166532d4ce96a518739bd2b0c0c27d3bdbc972f9458829f7f414e9

C:\Users\Admin\AppData\Local\Temp\kUgy.exe

MD5 b9c7a1d74a533379acbff79683613767
SHA1 b2d990fc1cee37c277caff6f68f789e12ccbc8ea
SHA256 a0fa33ad11e1d98fe4dfef031792af483d015d1e0909a504a1e782f89949c61a
SHA512 0f1106fd691024d3e9d0e18b968980c4f1c5e31d8f25af8a1cd118a13db4c0971c3e48afb283a13399fe9f853ffce519b49d5dd7ada23a24c03223fc422aa831

C:\Users\Admin\AppData\Local\Temp\LQQc.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\oEky.exe

MD5 b0a7e1543eac44636c97d7c8184695b1
SHA1 c42aad8ba2b3ce3173be12abc4d3db6611879455
SHA256 96e338472692f2a573dd83edde24163b13815668cf5e8119c2fd5afee8e28ccf
SHA512 d08e90a7790fb979b5c2d5e7733ac89ab4fddeafec7b2221449639a48d5b1a9915c852a255198af435da39c44eb39bda532605020540fe3e52e8549530f1608c

C:\Users\Admin\AppData\Local\Temp\rwQe.exe

MD5 839af0ce9a232d54eeee91790067d046
SHA1 e144420272dca9c34680eaf0d8dd20ded1fe37dd
SHA256 ad25cfebbe7905f4b5321ddc1487d6d4551bba1ba796f13e35a9d6f46f264bd8
SHA512 4254221e92ef39e871a081e4f44d1e230ac7cd161d7056ee01594fc0e0ca42e7df2c125cc8dcb9ac4b0a5c0740fb9846de1786b50e1959093b2b01a35761b237

C:\Users\Admin\AppData\Local\Temp\NMos.ico

MD5 e1ef4ce9101a2d621605c1804fa500f0
SHA1 0cef22e54d5a2a576dd684c456ede63193dcb1dc
SHA256 8014d06d5ea4e50a99133005861cc3f30560cba30059cdd564013941560d3fc0
SHA512 f7d40862fd6bf9ee96564cf71e952e03ef1a22f47576d62791a56bdbfbff21a21914bfa2d2cae3ca02e96cd67bf05cade3a9c67139d8ceed5788253b40a10b32

C:\Users\Admin\AppData\Local\Temp\ksgi.exe

MD5 c672644fe15d6cd7b5d4bd59e1c92e5a
SHA1 7fa203637c8a58d6058637173b1c0f983ec970cf
SHA256 9eda63477880d61ededc60f8258868351b916ce53f94923e08c19b086785bb28
SHA512 78c874152485e641cd89e3ef81a590ee9c6525f7c9ad77fdf0466fa37d25ae420aad0341900f554deffcde62e1ae8b8fbcb0b2265eebc4b5033d4d6407a22cf6

C:\Users\Admin\AppData\Local\Temp\zUcC.exe

MD5 2e95f462ce3ca06735f67738f0ed201e
SHA1 461ae511c63c3aa6acf4a99a09c31214cedf926e
SHA256 855bc37d9af5f88e6cab9c405ebf938112b7e12729cd3c51f9c4e374e2e11e1e
SHA512 624014f533e063ae1ea3d3586c2f521b8ccb1f730976a738ea0b7bc041bca072ab9c5c52bb2bff56d3c209d118beb02252056d1e500b776ea89782bedbd5d644

C:\Users\Admin\AppData\Local\Temp\EYYQ.exe

MD5 d4ea98b8ddddffeb7786a74764f4fcbf
SHA1 b8fd1fae783777a9ed79d838ecd88ba2e3184c24
SHA256 0b70882f4433c9ecd9d106aa1e68d9266f4b4cac18e2537049582f7c2f697170
SHA512 3b070de7f8bd7611fea9ee7fcfc68c1ac592297a06053f3524fe62cc676ac3bb77a322dfc4b6c2f345979436e4b5012173f030f6f827440543088f6a0989aeb3

C:\Users\Admin\AppData\Local\Temp\jgss.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\bUMM.exe

MD5 2e53f021ece9071aa7cf855152a42dee
SHA1 97d8fd2741578bbe68045ca760578f3b006bc898
SHA256 f24d9d4784d4485e08ee83d4fef69d76e50399ddc8b2d7bbef26ab0af84d73fd
SHA512 52e1fdffe4f3523b89c1bee4461e593fcc869e5ac4f7587f2b9ee319570c8db6f93d0a982de69f47b1091b8eaa02083cf973fc98dafcbc8da551d216e7b036c0

C:\Users\Admin\AppData\Local\Temp\IUkE.exe

MD5 8fd2ca5a72c17a7026650396a095fa44
SHA1 4ba7485cdeac0859e191e7b848a6eb7111a599ed
SHA256 7e050ba28dbd986c61b05f0f76861096b691938878851706e612f3f9418395ff
SHA512 4cd74ecc151b1edbd6fd8543b1006784756c83cc084e5997bbdb27e881974cf0eb90f01ae2db606f25d073ae341707e3a97510db5c3a04387d8523dc4c165e77

C:\Users\Admin\AppData\Local\Temp\tksE.exe

MD5 7c5eb4d91f72de231ebb748af7b2a512
SHA1 48efa2e0063f2e7f59476132ef7fbca203d890c2
SHA256 cabc88e1f84d55274eb004c552759d215c54f8e03358340431eec62f3ef3e6bb
SHA512 06ac26de0ae75de576a9cb9911bb26474956a7c000e3cbaa946600a941e9072a6603f28d243421e6970c0677ab474df68d055f4b3788ee728b83f60b3a8c50bf

C:\Users\Admin\AppData\Local\Temp\HgQa.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\gggm.exe

MD5 49854cf881d436440fb30e6b683d63eb
SHA1 3ff17b6f1ef3844ffbf4412b550d665208b65e8c
SHA256 2a353088a896439aafea59fc3455593927d005c9d9db666bf843b0459c386dfb
SHA512 d73b918d901b0cf2d17c351071a0d337c41900635de3d848fb9b43eb3ee5a184e8d8face4602c495a3eaa8e8f0e69dced73c81dc445e15b64fa43039dd89c039

C:\Users\Admin\AppData\Local\Temp\EksO.exe

MD5 51b33c16bff89cd5e295413a0baef2bf
SHA1 f90f25e6e40b577957b62df1e795a40de541258b
SHA256 9478b4015119e1057615616cf9f3f76088d1d3b5f079aa2bd30b5d137e18b263
SHA512 42a29e6b032226873e930bc35da319c43b276f9c21b1527cc529f0e94f75ba0b952053022e70a2d82f7d37b93f0c896bb51ab0b3180f9e4ae433362b4d7141bc

C:\Users\Admin\AppData\Local\Temp\oEIE.exe

MD5 59f2709df0b0e7b3a42d11b52fb2e27e
SHA1 06ed89b856a925cbf235232414bc4d50336ca8ef
SHA256 e5a02c67940170bfd16ba73bbc7642551d67f9ef0e5a8e1ecdced241276b3770
SHA512 6366643fd901c75e9eb201a6618ad43c25e3eee5beb1ba916755eaa146e1a251e4bf3736bb3aceaf3882b074dba08dae46c7f185b1ffc378176d622e2d946499

C:\Users\Admin\AppData\Local\Temp\xcIg.exe

MD5 f86f4caf8e631918dc5eaa6ca84794a1
SHA1 a0e373ce815103873740d37e32bec19fd1a9230c
SHA256 431dee897b4b83677334457463d68014486783956f31748638c9fa53a5bb8dd3
SHA512 93bb55d6c4104ab78b0a632de86917f4b8ffd6ec71e143726f4056852c6254dd86797baae3e69658f6f68f2d0806cd6003f317626aed1cc162af278228bf1c35

C:\Users\Admin\AppData\Local\Temp\jcAm.exe

MD5 90ca992503ef5d3325970361f722e33b
SHA1 bf37eb8d143240efb30b5845c57d5c2a0db08d5e
SHA256 63b9a6904b59c7e3df052cb05963a8da477a9ffc47e96cf5d975a62eff1984b8
SHA512 0bc99bf050a5933ca12d6704aba731447eeee6557923c572ecd8a18bc98272bb8f9b1bd30e29393580f78803694d040decd0e17a97fcfbc2371a78613ef6f588

C:\Users\Admin\AppData\Local\Temp\LIQy.exe

MD5 34dd940e447b7b13eb78bd75089b308e
SHA1 319cfcbe6e697061eb6918589a7b070aa7e51a47
SHA256 f3af0dc9ad1dd940562010b17e436a5b98a64de95d897feb69af48c32c5c4f8d
SHA512 fe9e65d6e0b88910cc2ac18a2a7476a1475a3f2a0ab075d10fc7f7465396c4835f8f05bcec63dfa2364a44b9fc543fbff6abc88a33b31bb4c59a796f8782fff8

C:\Users\Admin\AppData\Local\Temp\kAkM.exe

MD5 9caa265e6ece6a60d9c780acf6044e45
SHA1 a0fa0e92d446b78963dc79cb100f75b4cb927848
SHA256 7437989f6c68ba197214a595f4fcb34689c922063959f7106b4132a4428eee68
SHA512 214748d946a5a4e595cea38df0f47e5462987ab4bcbd236d77ea3cf52f620e2de3a3024e6d70416ff377d2accb6a66cb939917847fc5f6385bd74eafbd601d62

C:\Users\Admin\AppData\Local\Temp\poQY.exe

MD5 5d7898923937365eb27e82458c86b21f
SHA1 9e39d939e75ad420634395d8f3526a0d8d6766f2
SHA256 2e3d747974afaba58f6ed00f072f966ac12c007ce3a9ab56c9d2eccdff8bae2c
SHA512 0a5f207ca90cc2eb35859e8c1a7a6ba00896b0411dd903682e96566e488a34e0ccfc9ff77ecce0e50d3f083eecd38bd6548c09f67ee3457cee181e812b275f9c

C:\Users\Admin\AppData\Local\Temp\mgMU.exe

MD5 9fd034f4983eaaa015f4e98b24cf6ac2
SHA1 5d70e443f2dc2e42f886affe34b78f0f15b87ed2
SHA256 2aba10f6ada29446b17fd9446adac322a3d0747dee3ef3fff44c06998036f917
SHA512 fd700ca22d1c246bc5ff3383ee00612875569b68990a1375a783dc6994e9c355486320606cd86e9dc60a283ea4e7924eb777d8b33c16dc4fae301a293510d28d

C:\Users\Admin\AppData\Local\Temp\ucwi.exe

MD5 99feb704f8b839f7b62c45f5dc6d6ae5
SHA1 5b097fa850607a4b47d9b6b0b2081bc60089d282
SHA256 c2e61d4a3073d059e7105988c258c3499c860ab7c19d01248256dc093e690fff
SHA512 dd0336e3f3a25f419062e3ed6a77a0a8d6ad32a2036d9912ccaeb25b763a2fcbf06e6902c3171f59caf1f01114d07b95746bb2317b47cab7e29c4da051e16929

C:\Users\Admin\AppData\Local\Temp\Akoi.exe

MD5 bc3ef8eec9048be62d8190311af66f62
SHA1 88db331aece182a738f6ad38de819d9c61416e10
SHA256 4a8bc885eedc1925bbf134e77957582c04cf40e17fb14a1b76e3b6e5f3a98b2a
SHA512 3d7963210c9a125732ddb64d811d01b1eb130a741cf7a88e4097235ffd3f80ea7258fb69e109e23cc4b78faec0a189d4cf1a09dea4fd5543dd77c96590021eae

C:\Users\Admin\AppData\Local\Temp\gwUS.exe

MD5 11881e26b734ef5d2a4fa8c126793a81
SHA1 09cb44129c2e76edd9593135a93bd109d83fa9f9
SHA256 f066d84e6c78bab2e602770f86c70e695a520c208cc9860fec7a6897ec3c202c
SHA512 cd7a20041e05266c1a9a947e08b6c74613691c50bd916691f72945a0c89e60aad5606112db4b36217348814915edabc240c62ad20b8d388fce82e76bcbd2c9be

C:\Users\Admin\AppData\Local\Temp\wYUa.exe

MD5 3f80eba34b80dd19e4555fac38f8e49d
SHA1 4a9923f5617926730248b0be560c03e11d7dd875
SHA256 9230278e4653d5394cbbf03691637105eecb968f6ad1fc40f490e3b72faf3be6
SHA512 62b13e5b88ffa7d9f5d1ad83082586a981660295c06cf0077d293abe9a98094840d6b79c70b4231ca9e2634d83ceee88acb6dd89ecede84c7eff761f95cd54dd

C:\Users\Admin\AppData\Local\Temp\PYAi.exe

MD5 51f1ae8139b44f9dad63e2fa52f5f6b1
SHA1 8120a61e79a84477bf4f9c9cc8106f6ed4d16954
SHA256 1d4231c2b3d7e1b3d50693bd6f47e7accde9583dbcfd9f02629dd47965bd2a43
SHA512 0af5ef6c9f8a7bf152c4ed15ae385aa9b7578e5fb8cd76caa65d5ce88f9c36e5c9817b30d2501b0685a7adb5e36ab5fe018e9a2fc988f331144eb90c9427ae3e

C:\Users\Admin\AppData\Local\Temp\SwIq.exe

MD5 aeee8278322d3f660cccff801e589ce6
SHA1 4642727ad1fb5e6bf7eba109d201f5ab2ea8cd7d
SHA256 20b435b75a2410e99331f8061e96d50e67bdfedfdccdda0c25aca0043054e985
SHA512 cc3fb9ffd54a5aaebb4559ff9f3f07774fc6fed140818a3ea34140959ff537fed0f8c9c58e27caa0669b1a51cc689eab6c9029f6883ec7aee63eb62eefc5c0cc

C:\Users\Admin\AppData\Local\Temp\JUEs.exe

MD5 392fb2a3638e039785baece78106f072
SHA1 32daca7f0309013a418333089b90fdd219af6572
SHA256 f19ffba8ccfbafbc8a6da20227caa8abcf07a65ab569fb43bd9e3244e51ebc49
SHA512 a1de0eb82705b16a89788875dbceec26b887e780f0f008af48a8906b39501067c3c20f9884cbba670b8da4ea4b5a021c0f18da83d1af37979bf337a819617ba6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 a65d1295a47f7105fb0984ac85b75632
SHA1 2b9a662d0ca87f467175f5f241f271db78773312
SHA256 de229f5afe61849703759c6db5c915d68ef32bd04a5c3e89db57b7894f5d9d8e
SHA512 179ed56e590d6fe327cf9c0c3efd1ba9efa2273cb49dc241164361559984df46298fca054ca1c84ff89e05d0a5d5a2dcea41fc9ceb987259bd3bc459cf70a975

C:\Users\Admin\AppData\Local\Temp\pYAo.exe

MD5 e97bbaf7630f5a9f08000f64d59d12d1
SHA1 82bf729199d730283adb72ffaab327f8b4ba23c9
SHA256 81909368fbf24fbef2e8fbd9ece9124bbe2a8454a3b6be60fe0e04581f911c76
SHA512 6b27ab35783af3d9314918f27bc85dc051a368b60bb044b6b846aa22d693ad68bc5c6bae1c975632861c7ca4ac35de7e506a3dafbb71ed30a7033c3e9dc61742

C:\Users\Admin\AppData\Local\Temp\zAka.exe

MD5 9c36aa2e0aaf60b88e64d4164d4302f9
SHA1 4faee585c0ac94656b486c9e7715496392b578cc
SHA256 481c6079a22cd7c41f3739533246e155888b74c9daef40a50a5ede78ef113c55
SHA512 194bd5b13620000dd3d63b2b137021e350f4617b24fb315f0b5968512b726ed60239dcce50020d9c3dd140a00f92dc9661902c106fb988cb0df4d1d2771f7df9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 f7d207d56e47f65d515bd6d98f4eaaff
SHA1 6969384a39b7a70f8f90c4d455ccc669d412896a
SHA256 fe5ce5c49b2404b8ad1b86ea536ac79aca186f7705f62a2a18d70a2c0c9977af
SHA512 70eee81252da891ade8bc774ee65ef4c6279ea6b84408ccaaf830937e01f291419ebeb0ad37c4110de6175545f1f150da3cad9b66489774085d4d322173e6412

C:\Users\Admin\AppData\Local\Temp\zQEi.exe

MD5 64b8789212d35b5987bdbee2e89d1c21
SHA1 2b4765c17ee0cf6e6db898234a4953d1cddf949f
SHA256 d40f0e69d8e81dd4188d8253013a4ef3015d6b5b895d07f124c6e263a6baab44
SHA512 f4444f2d54a1062a4e2607c2c8e137a2d10b1357fa9e9a4fd33744f7eb8f3d8c537510cc9465e0ea9371594442b3a0a92397f52cb69f23918a3b48c59223471d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 8126e332de118f8dfc6f6df249e15973
SHA1 03a6a253aadebfee38a4d0c32d5a7713d41b4232
SHA256 ef619c69a9588d2989c83abeeace43ef99590cf7bdce4cbbebd0c534d1bba608
SHA512 f1e03d5213ae68d74daee265fdb75cbb5124c7d07b55265134dc99e2a3508a956e6f7083747ad0d063b96c051f8ed60ea067333971b3aa9ca18bd14705a0eab0

C:\Users\Admin\AppData\Local\Temp\oQkC.exe

MD5 6aa8d6804efe1d64ba805a6013dda3ea
SHA1 c97ea1acef55c4aba1296a50fa8809c18da8b2a2
SHA256 670671fce3d62b0f2980b183bdc5c7e3315ad83dca65261659d48a13f3b5d11f
SHA512 753ec1794d0417db41b34cd5388c80d105db2ff02a9fbac3ff5016ca54b560ee89dbf96e26527c8c267df76192a8b4bf4c90d0d7f8692d8933f65c587dfa055e

C:\Users\Admin\AppData\Local\Temp\AsoE.exe

MD5 cd2d865c36acc210034c774d5a1ae79c
SHA1 954448b9ded7059cadb0a2ac553e8ed44012e591
SHA256 5362af2eedbee6064274c2b3d6e65a3ad95588c9b4257bb66b3c934489c1e802
SHA512 51da438785034d168600e66b556344649da8acff8f0011dda95c58bbde1338e7e5385f96d9207893d2e0e4fd4757e731a670fa6f0247f11112e7a612f88717cd

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 715939cd78d4e26016717b9cd1206b4e
SHA1 581e51cbd7dd04b1e7e78bca06e2ec78111b3e74
SHA256 8daeae2f58e128e717f5041c2ce63f0fca18483f61cbd232f0dbd2bbdf9a847c
SHA512 662d47c6317867daec6f33a90d4e2d4cf3a8853c5b9966c11adcb4c6572a09036f203e2bfc08e1e1eb4b8d10468405f9449a7fe8a4f890a7f69415aaf169182c

C:\Users\Admin\AppData\Local\Temp\hcsA.exe

MD5 8832311d2e5f177525db888b889a9041
SHA1 2cef63f4743d991425e6e431ef07424f449985d5
SHA256 617b32877244269b3680b0dfe19fec2df54e67254b53195fc7ab168dd59db311
SHA512 f7f2213ab52ae6f07c7da864b7d7a769d40f39512e5fde52b57e6692a555094d77fff22731062f8781a97d565ea078ddb4066907bd03f09a005cde0db3369ac1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 037309a46b49c54b414367e7c694cc81
SHA1 af969f3bb4fced9c41da4dbc430d2ffd582e9bfb
SHA256 88a8a3505ba856c5e383c87f6f222176d42d034a93337790915fbbbfc0a6c7bb
SHA512 22bba88772a3634916fd4175fc7c10ccdba496dd9e06d37603b10b1e34b7b527aa72df1f0af99f924bfb012af98c66d572e068bfdf64727e6a4f1859e1fd1dc9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 62b77f96e735ee4107c16e208f131c0d
SHA1 e4306cbbb4ed31154fd3202e4bdd1ee79b22ea02
SHA256 b1e594e52429236f6ea007c021f925d4391cc58065dedd70b6e99581c22bb49a
SHA512 ffa5cf5bf09042b7acb81c57af05fc70fe110eca381c4c54d29c0ba378e344ea0c0e754b95719503747ae4ae0acd6f1bf7222691c492dd3dfb59f342a23f6a47

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 034ed0a0364728381ada25feff44853b
SHA1 700f32bd750a2efef884aab905bc968c0a423441
SHA256 5d3f4b32c44329a5866df07bf4e88688c40c7114fa464da8c8b09c7fb277096b
SHA512 6370da598bf37271a48d2a4aa3670481016200438ea022a0f69efde11f095a7313f4e17725458b2ce7a51d6219a25f134cf126f0c3227fb3f74c92d41b873a42

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 a9a6a7e1b6665dd090fcf9a8037eaae3
SHA1 6e9f9f1b5cf7ecda5d79285ad37ee1b866c907d0
SHA256 8e27377e91da35477207d22cc8c6b55314112261eec3a1800c021771f3fdda26
SHA512 0e7455f306c367d05a68971b0ac82d0e9b43e32d38d87c84336c84a1916f28f7b282bf555d871107342ed0dae2f87dc168186c4fba785d7048a211878c104f0a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 8e871bd449ffd59ee4caeaefad0afd81
SHA1 7cdb3e172b2c8d42d0260175f8ebb1d333aac5ce
SHA256 b3b7cc83a1f4205e58b8b0bbc3f3e0b16f7aad16a873d0d606934d22c07a0571
SHA512 321746aa99b5979a8a755a5d041982340bf7eb012080ebb329a743a6c4b590521eef225d8f81821d255246cd18590acdc4f891c33af1139ca24da742ee734599

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 922781b0deb633d5ccfad6c00a67db79
SHA1 cbca930b8e5cde8ff5b63ee2a69619ed7483f2a1
SHA256 18cd7bda9195d0aca938c158360b361b38826e6fc46645a6c9325fb09798de68
SHA512 4123e326d7d37d65795e0a52b5b9d464cd385f4b8727d88decdfb9a0b273168d0d77f6ace2f1625cb6adfd187ae6c910c72e8d1e7eb56437b7776fb1f053f6e7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 851ad6c6747ebc86f09474d570b54a01
SHA1 ef5fbf51c9d3eafc7dc4e811ba2b414dfb0c5ca5
SHA256 bd82dced2bdc5032ff700ab66c177c28ce91165a4a85b4c91b6d6aada50e6c7a
SHA512 35d1a5794ed090673830da183f320c1db1aa85085ec57a8e12694f9ad9a82ed4b2ac0469c8227b51d35c47c816eba92c681ab7429b3e391028063348847d5009

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 1dff88ddc81c982682683ce91042d9c3
SHA1 5bc49389543706ac39d71faf2631586e7919707a
SHA256 50bc662a15801ea2ac431b67c1a8dc707852ca6633e86ba813268c7796cc65bd
SHA512 004e3f779890b829c9f05bb85cf3f29c8d39dc94019525db2d698271557f19a82504a0597758818a215b46440249d6db130f1987011ea207678f705a79dffbbf

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 2c11d7bd36e0df22fc2bf6b64fbc183b
SHA1 e48cc26b8cd408c14e4326b391a70c6a5dbb886a
SHA256 5791f2a8d043e88bb6e8b8486d43286c7765ab741eb2feaddda771e00011f5db
SHA512 ad5994f8751895e52932c79d2da3d8b0088fa97e360b3a25ce1a0176f94e08f15c584d03aa91d2bb7cad4117939fc48e8b24ec800e1afc577964f5d8442fc1fe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 4576b24266e94a43ff9e214beb8f5950
SHA1 affb563ee72d89c08fa7581a67e18c28b8c8046b
SHA256 1a470290feba20f903a7672ab95399cfa12fc8090ef37633c0858ace7d76c484
SHA512 62ed70d59e76ab1be3ce6be739b64c364fc04f1aedc4f482a020c0cfbd61abe9ab476c86e1cdc5dcccc256f686f92a6d32d4178619d78b0f6a9c4205b1b83373

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 4b398eb4a64000569845528f0d85f2f4
SHA1 1964f74d517cc8ea86787418b71be06f0f3b216d
SHA256 1e849d6504a689a5bf33078de84a9500f75ff0f88e818fd03fb5112b077ed99a
SHA512 3140887b69732c2121c723963ce0e25d6acd64be46217d38bd7fd46bb8ccdeded8ff6940c276c665a99aee0c49796695b9212d4366b7bc8248eb0fd36a713ef6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 7ba97385821d864897e8f5bf050f5ffd
SHA1 ed12accb7f1ed8d2053723d65a8a1a7f80b203aa
SHA256 de9f1f5241a3fcc61b18ce07d48a188f46549be00862a2c3a81ba21f9c25d734
SHA512 e6be4973ba5c0b8c6670a103895e30760e8d945ade621b2e6329d521a73aa6299a39bdae47f55ee6c5aff183cb2937606c2b127fda20624b0203709b854e4fd2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 45d6617134b3e9288602a605cd1ee547
SHA1 e7c057141993bd196d9fc7db33b6c3614549961f
SHA256 88edee405e2d54ef31d5406afa8f8dd03efb292f2d78c10e8268547f515d9d66
SHA512 7db4d105337a189aebcea655218b228e7d75fbbd29ecb4ab0286f0cc9b35df5287cc2a00b5ae2e0f3de420b916111ad3dc55ee688c78c663d534b51cf027f092

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 9f09ed6b9c97f20f86acb6c5020b2559
SHA1 5e8b57b40ac3168b09a07c62df8009471c258c80
SHA256 e30bee97ff4b3f6cb7743d2e5bd4ce264bea2a4dc4a23958c2e05111b7114f4f
SHA512 e133a7cc7c16f9f695d3da21e93f26d3f3b3acdab4aca075d7fc9c6cc150817de1ba742d2227458dd505eaf288863b2669a8995eed10d070a50a858e1ed1176d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 dc9e8a619dcd8c29e492a62398edb1ef
SHA1 0f874b1d649d7240ca6840a33e1fd881d0b096da
SHA256 bc9d24ad32a9fab183a024c62d4c224980a30f83ba960e6649d41ba05afc27fa
SHA512 8e6ab14e761c22999ad3f8525dc3802c1e1d71cb53d276d395a8edfd7e95d35495c351711d9dffc128e96b5b966a8adac307eb7c7f3917cbedbe81cd734fd8b3

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 583ae06dae3893f442bb80c1fa6414b0
SHA1 eb4039854f3a88525a2736f8b9f0379b548ec6c9
SHA256 5ecdfc34718bc504d5f3682daf030522fa1302483e14e70f24391bd8af48b6b6
SHA512 a83448ad562e2a77c3671853f397ea6103edde854f67b4ee571c6a96b38a8717cf1ed4cd9238102e33b7ceab54c2bc42173bdeb27d5647684097d65cabb60ffe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 9c0e6b2464e9bc29f4342c00489ef59c
SHA1 68e237e8aa0d92a8bf6c920b7e870bee03683892
SHA256 88e37311bf8a9af261d131d181cd05e31b52135081c6395022d86317095c5a3b
SHA512 fa069c4a2c6b7ddedefe4bd30974d5dce3bf47d6ad60635a50a6759b6f06e1d0140403111e3747c97be0163add3d1e4ec9be83dc2cfab3520cf3ca5bcf7c6650

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 34a849729a9704c692c4919582e69a06
SHA1 56263aaff5ed829bba77ab42012a4e353ed04bdd
SHA256 b93140c5a62a151f2c7e48bb37716a975ae3a91ad2105567b6000457b977d370
SHA512 d51b7f1921cd92448db69ac8a51c5bc5d20309de59260c65410384cfc5dd2a30ef4d76f059f291c110c55b1fbf94cd7dde45e51d85c17afc1fc495efbcfc4f4d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 f6241b53e2bea33f3393576eea4a4d6b
SHA1 9c36a2aa7b5c0293968fd7dcd03261513dc3c687
SHA256 6bea10f3d1efbee17d31c22486f56c6d3e7efa086b823cf9e26a7468f21520c9
SHA512 e2666ace474d61d86c6f362244ac0444c7b22efed88393392c9b20c4f8e6098d985e86d939d3394493e3e46d449627602374dba13e1b63d7b73e2387ac019a0e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 463da6afd05833a1aba5b9db382c7cae
SHA1 52e909b3a5de42c011753f52a1e20fc69e0c9de1
SHA256 d561eeef76d6a8ccda754f8aa36c87988da28f06981c7f95e5de42fb516b3681
SHA512 e9e81d0399ccb51150cb8f94950162a42a97c8c2d909e66752cb2b5702f3ea5bd4d427ee26f32761868ab7d19465ca770f2f89f9deb94b73a2108c2e5e161f30

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 a8a3fa615b01f2b83068d1f80337e897
SHA1 494fd103873fbc1339aa566deccaff64d0bd2a9b
SHA256 c10f1186b4a6c09560a23a34bbc792fca773fdeaf25ef8d3f28d3c94dcc58856
SHA512 95d19e14b2e625a592fc777bbb2750d9c8b0aa7fcf7722acc29b4b07c69d864b6667838cb13b60246e72115543f5703b1c24bd07996456f5a3e52fd9a1b1605b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 88286d1d132c6b5c27b1f3a877347f0a
SHA1 92b20aa86a781db67a4f191e7c2f9cce22af5afe
SHA256 068b92cdf676055a4f13780d899dad5522b40ce1412489a25977b2f5e730a339
SHA512 d5a337456871aeff0f5c6beb74b5d6afeb47a6a626cf00a061e8072ea173bfc874fd9d3d5c89ddebe73232f9f98726eebc4e17ed5e98b88cd8bca9936250092a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 5cf7f5f1b6d4da21afdbb24f081fb9af
SHA1 fb3d17126b4d7b577fa4d1265adef799734fbaaa
SHA256 d62a77756bb84b594c435fdfc45bccc928db4bf9d879049e6b8b41857cb82845
SHA512 6fd3600e91cb2ea36a4ffeab529619400769e0bd981171ef56752f9e0717e0095da68a6c1030db23ecba51b2a0782f613b37f5b924dce321ebe096b233c989dd

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 a7976e6ce30172ac0102681dce809eaf
SHA1 856979d5bf0a98b262a7eafb706e0f17fd641a2b
SHA256 d5acecadde9dc7fb4de0ba1a2562de4279a67a32d2c15629479151af93fc15db
SHA512 e54daf9259fbd800e4759530056aee4a15a57735a1b43d8790e59fef712b0d621e76265c97120bc7e29f8eb8f1f20f5b296e0d6c0c53592aedf05c23a39b8c1f

C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe

MD5 c17975a7d1eaa92e7bb37a538c581f1a
SHA1 06a6030b706232483e7b073be01d8e4ef61b8f3a
SHA256 15a4a0cd4214685c7a23a430055c94e0c932edbd99e983c1b27e0afa593d37be
SHA512 2019ba772e2da27ec4a0fb0c427cb0df7f93fcf6e041fc85bfa55650075890e656cb2f12699ffb9fc54d2688d6587d550039d78ca5ed923479b6e528e5192029

C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe

MD5 2d03b2201294b2cd2162bda070509285
SHA1 7661ec632d2ebfb1e1f7d73d67c13d28dd25f828
SHA256 8ecc289fe0ba04a1be706af0c953804604855b06a473ac9af1eae7f17ea7b26b
SHA512 0bf138e2c400b267a7961247de84bb779f033e6fbd9baa6685a538a879ff63e8b334c06b85688a2819de05eedff050ae2e1434b484212809b00df016d64e371d

C:\Users\Admin\AppData\Local\Temp\xMcM.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.exe

MD5 802bc9d6f3f1792d20d183065738f11d
SHA1 5ecdff811e21841b3188b99e858c6c32223144c2
SHA256 b3abda15697e26ca3bb5e1691adcc5e6ed69030efe3d0ec14d0b11a5c643bc09
SHA512 6425834f9aa0fded6ee39bd99b40b42710dc4b10414f6c2f98a1cec16996c550f23ae7221a7cc9e929596c599ed079179a5d0cab7961a494452029d2ca6d2696

C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.exe

MD5 b12ba81cd39ae438d740cb7be76114c3
SHA1 1f826ccf2911873efc200ae3f74f29fe0355fd30
SHA256 4ac867e443aca8d2f17ebc1b7bed36604363ec0d4e74a0556b221e955e058739
SHA512 0f66dbbe626914cc71e5e2effb8035fdd6fa83b3c7fda2f7f349eed00d2525c3a2536d0120a35c973b77bdf34a0c34bbbba872b09276fbdfac7b2bd6c7266e26

C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.exe

MD5 f6aa4b762fce453ff3bec3e82aa9c81d
SHA1 94dc6e4de1416190d4186151e2f517e926aff292
SHA256 89ea0cd6ed3afdc0d0e29166fe1192cd2df35282a60604a05a2a2b7ef19c3e46
SHA512 6ab9d76b57eb0116d28a777fd3126e84cc966ceb1ba5f7df7aea08b694f37874a10b74fb1d53141dc1d23be1b1f70122119750fd8325379078d0e1076782d927

C:\Users\Admin\AppData\Local\Temp\RAUk.exe

MD5 0d65f60115744c0a034bb973f64fd92a
SHA1 c0f6a48e93cca2c51fd7e8fab43e4feeb005677d
SHA256 d600f8f1496e4780dcdcc1394eec22891a5eb428d6ca8e88bc9d782e4c711ec9
SHA512 66d44fa5e06e2d085b90ebaddd9138f033e0ebe11c4207f8afb0472d0d61a28a549f9c29b092404ac2bda0339ab96bc711473927165d0a9bec2248ce24e0e980

C:\Users\Admin\AppData\Local\Temp\FUYi.exe

MD5 afc96c589aa5e4b60ca5bbd08e088237
SHA1 329828466ae299b8b32ba3b26d115f6b4cc67e4c
SHA256 245bb671be03c40c4dc0dfe52dd514c4f43214f0282c11e921728393607d2a89
SHA512 e6534895a8f94776829c8977444dd5dd76d8393e5faeffb0dac9861ef9cf234b71e41472da7c36ba42f26941131862017699846d48c04bb4316d5c959f6e51d4

C:\Users\Admin\AppData\Local\Temp\dEYG.exe

MD5 608d396f44c76d20b74c0881f77a5a03
SHA1 0aa0cee5152c324a7ad67b6ffef73a1007425bd7
SHA256 9b3615f5b135d4292a5a90f5b01b55b34a160acd273909178dcc10d4babf5314
SHA512 cedcac985a1d80dea5b0f6419a2226ee5a007ccf729d3df0b84d70851f544cbe791decdd54a8005c46cf271f4a95b2e8eee400ce8942840e608095f7d04257de

C:\Users\Admin\AppData\Local\Temp\Pcse.exe

MD5 02cec0458c3030aa5666a52b0f293117
SHA1 8c6b0835858549563de5736a14000d30949a2d7a
SHA256 fe757b04da2040960ecdca125c1c8c53d35434c2227bf8a870f3d2bc7c9beb86
SHA512 ee6441fa158794f3404fc0a31e17c9ef007ac4ce1d7b2885d7aa526c3088c0817a47eb29d03c50be0c5a07acb65efcd0db49be9347cc821d99adb8f5a003d419

C:\Users\Admin\AppData\Local\Temp\WYES.exe

MD5 dc146308eae6553769570363957e0932
SHA1 8a4340dff82b9103a6a2590083c79a2842e13075
SHA256 e13be386479c2129acc9c8880d7ac1f96326a47fff39d66fd64e240c8cbe9334
SHA512 69e55d65b62b89b1622e572bb448b94d459dd6469dc27ff8e6aa07f8cde16f51e50e80c7f3457e26da318847ed3380688a12ceb17778dc813052b0bd70a4656f

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:22

Reported

2024-04-07 23:24

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
HideFileExt = 1 is the per-user "Hide extensions for known file types" setting and is already the Windows default; the sample enforces it so that its renamed copies (for example Kalimba.mp3.exe in the behavioral1 file list) appear in Explorer as Kalimba.mp3. The row below repeats 64 times, one per reg.exe child; the SysWOW64 path of reg.exe shows that the launching process is 32-bit.
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
"UAC bypass" is the sandbox's signature name; what the rows show is UAC being switched off rather than bypassed. EnableLUA = 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System disables User Account Control for every account on the machine, takes effect only after a reboot, and can only be written by a process that already holds administrative rights (that key is not writable by a standard user). The row repeats 64 times, once per reg.exe invocation.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (88) files with added filename extension

ransomware
No per-file rows are given for this signature in this run. The naming pattern is visible in the behavioral1 file list above: the original name is kept and .exe is appended (usertile24.bmp.exe, Kalimba.mp3.exe, Chrysanthemum.jpg.exe), and with HideFileExt forced to 1 the appended extension is not shown in Explorer.
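To find such copies on a host or a mounted image, a practitioner wants a check that pairs the double extension with a real PE header test, because HideFileExt = 1 makes the trailing .exe invisible to the user. The script below is an added example and is not part of this report or of the sample: it walks a directory, flags files whose last suffix is executable and which carry a further suffix before it, reports the name Explorer would display, and verifies the MZ/PE signature. The tree it scans is a constructed fixture whose names mirror entries from the behavioral1 file list (Kalimba.mp3.exe, Chrysanthemum.jpg.exe, shell32.dll.exe); the contents are stand-ins, and the .scr entry in the suffix set is an assumption, since the report shows only .exe.

```python
"""Hunt for files carrying a data extension followed by an executable one."""
import os
import struct
import tempfile
from pathlib import Path

# Executable suffixes treated as "appended". The report shows .exe only;
# .scr is an assumption added because Explorer hides it the same way.
EXEC_SUFFIXES = {'.exe', '.scr'}


def is_pe_file(path: Path) -> bool:
    """True if the file starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with path.open('rb') as f:
            dos = f.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b'MZ':
                return False
            e_lfanew = struct.unpack_from('<I', dos, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b'PE\0\0'
    except OSError:
        return False


def explorer_display_name(name: str) -> str:
    """What Explorer shows with HideFileExt=1: the final extension is dropped."""
    stem, ext = os.path.splitext(name)
    return stem if ext else name


def find_disguised_executables(root) -> list:
    """Walk root and report every file whose last suffix is executable and which
    has at least one more suffix before it, e.g. Kalimba.mp3.exe."""
    findings = []
    for p in Path(root).rglob('*'):
        if not p.is_file():
            continue
        suffixes = [s.lower() for s in p.suffixes]
        if len(suffixes) < 2 or suffixes[-1] not in EXEC_SUFFIXES:
            continue
        findings.append({
            'path': str(p),
            'shown_as': explorer_display_name(p.name),   # name the victim sees
            'inner_ext': suffixes[-2],                    # extension of the original file
            'is_pe': is_pe_file(p),                       # confirms it really is a PE
        })
    return sorted(findings, key=lambda f: f['path'])


def make_fake_pe() -> bytes:
    """Minimal bytes that pass is_pe_file(): MZ stub, e_lfanew=0x40, PE signature."""
    dos = bytearray(0x40)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 0x40)
    return bytes(dos) + b'PE\0\0' + b'\0' * 20


def build_sample_tree(root) -> None:
    """Constructed fixture: the names mirror entries in this report, the
    contents are stand-ins, not the real dropped files."""
    files = {
        'Public/Music/Sample Music/Kalimba.mp3.exe': make_fake_pe(),
        'Public/Pictures/Sample Pictures/Chrysanthemum.jpg.exe': make_fake_pe(),
        'SysWOW64/shell32.dll.exe': make_fake_pe(),
        'Public/Music/Sample Music/Kalimba.mp3': b'ID3' + b'\0' * 16,  # untouched original
        'backup/site.tar.gz': b'\x1f\x8b' + b'\0' * 8,                 # benign double extension
        'downloads/invoice.pdf.exe': b'not a PE at all',                 # double extension, no PE header
    }
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> list:
    """Build the fixture in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_disguised_executables(tmp)


if __name__ == '__main__':
    for f in demo():
        flag = 'PE' if f['is_pe'] else 'not PE'
        print(f"{flag:6}  shown as {f['shown_as']!r:28}  {f['path']}")
```

The fixture deliberately includes a benign double extension (site.tar.gz, never flagged because .gz is not executable) and a flagged file that is not a PE (invoice.pdf.exe), so the two signals stay separate: the name pattern is the hunt, the PE check is the confirmation. Point find_disguised_executables at C:\Users, C:\ProgramData and C:\Windows\SysWOW64 on a suspect host to cover the locations this report shows.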

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\aGckwEEs\nCooQcwM.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\aGckwEEs\nCooQcwM.exe N/A
N/A N/A C:\ProgramData\mOoYwMQM\tgsIYgcI.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nCooQcwM.exe = "C:\\Users\\Admin\\aGckwEEs\\nCooQcwM.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tgsIYgcI.exe = "C:\\ProgramData\\mOoYwMQM\\tgsIYgcI.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nCooQcwM.exe = "C:\\Users\\Admin\\aGckwEEs\\nCooQcwM.exe" C:\Users\Admin\aGckwEEs\nCooQcwM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tgsIYgcI.exe = "C:\\ProgramData\\mOoYwMQM\\tgsIYgcI.exe" C:\ProgramData\mOoYwMQM\tgsIYgcI.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\aGckwEEs\nCooQcwM.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\aGckwEEs\nCooQcwM.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\aGckwEEs\nCooQcwM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\aGckwEEs\nCooQcwM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3312 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Users\Admin\aGckwEEs\nCooQcwM.exe
PID 3312 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Users\Admin\aGckwEEs\nCooQcwM.exe
PID 3312 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Users\Admin\aGckwEEs\nCooQcwM.exe
PID 3312 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\ProgramData\mOoYwMQM\tgsIYgcI.exe
PID 3312 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\ProgramData\mOoYwMQM\tgsIYgcI.exe
PID 3312 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\ProgramData\mOoYwMQM\tgsIYgcI.exe
PID 3312 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3312 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3312 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4140 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
PID 4140 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
PID 4140 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
PID 3312 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3312 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3312 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3312 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3312 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3312 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3312 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3312 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3312 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3312 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3312 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3312 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 4424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2956 wrote to memory of 4424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2956 wrote to memory of 4424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2840 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 940 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
PID 940 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
PID 940 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
PID 2840 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2840 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2840 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2840 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2840 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2840 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2840 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2840 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2840 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2840 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1180 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1180 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3040 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
PID 3780 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
PID 3780 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
PID 3040 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe"

C:\Users\Admin\aGckwEEs\nCooQcwM.exe

"C:\Users\Admin\aGckwEEs\nCooQcwM.exe"

C:\ProgramData\mOoYwMQM\tgsIYgcI.exe

"C:\ProgramData\mOoYwMQM\tgsIYgcI.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOEEcoog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYsIwIUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcUUwsII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsYMcYQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyIUsUcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKIEUkoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQwYAokg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeMsEUkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyswEoAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWwIssIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYQccAsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fsAUEoko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIsAkEwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkQYogAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYsQIYws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCAUMwoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkIYokAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKMksMUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKUwQIAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwwgYwEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeUoEkwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkIEQMgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYUcEIMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOUsAEYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAsMAsQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEEocAok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQUsgwgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyAccsUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wioYoYwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JckYswgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOYsksQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwEwkkoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgQcUQog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smgAgUkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EUogYAEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ByYgEAYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKcckscw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCcwIkos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWMYMUUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKsUYQIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keoocIIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUkMgYAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiEIocQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeQkYMYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqkcQocM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niEYsMsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYcIIoww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGwcwEIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwcYEQkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMUgsIQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoAsUQwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeEIgscg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKwcYYYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgEkssgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOEookcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGQcYUok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmUgcEYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEAUAwog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAQIAosI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\basAocgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMMwIQoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqYEoYUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocwYkYkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAYkEgAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FykcAUAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQAkMEMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgAAkcsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgwAIEcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcswUggw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoIQEkQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKsYQIYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGssMAsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqsAAUEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuQcckIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYEIMsgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkEoMEUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIogUIcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgogQoMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgcEoQkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vosIowQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKUIsQoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEoEQcwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWMkcEEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\augYIUgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qyEYAEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUwEYQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsIgUwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgUgckAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWQYwUkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaMggkQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOMkIwsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUAYcQIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jowUEAsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMQwYwwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEkoQEUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAMwkAwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWYoksoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
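
The block above repeats with a fresh random .bat name on every pass: cmd.exe runs the .bat with the sample's path as its argument, cscript runs file.vbs, cmd.exe relaunches the sample by its extensionless path (the process entries show that path resolving to the .exe), and reg.exe writes the same three values each time: HideFileExt=1 and Hidden=2 under HKCU, which hide file extensions and hidden files in Explorer, and EnableLUA=0 under HKLM, which disables UAC (effective after a reboot). The following Python is an added example, not tooling from the sandbox or this report: it classifies command lines of this shape as they would appear in process-creation logs, matches the three registry writes independent of option order, and counts the iterations. The matching rules are the example's own, and the sample command lines are copied from the list above.

```python
import re
from collections import Counter

# Constructed sample: two iterations of the loop, copied from the behavioral2
# process list above (command lines only, in report order).
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgwAIEcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""',
    r'cscript C:\Users\Admin\AppData\Local\Temp/file.vbs',
    r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcswUggw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""',
    r'\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'cscript C:\Users\Admin\AppData\Local\Temp/file.vbs',
    r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f',
]

# The three registry writes that repeat on every iteration, as
# (key suffix, value name, data) -> short code. Compared case-insensitively.
REG_TAMPER_RULES = {
    ('\\explorer\\advanced', 'hidefileext', '1'): 'HideFileExt=1',  # hide extensions
    ('\\explorer\\advanced', 'hidden', '2'): 'Hidden=2',            # hide hidden files
    ('\\policies\\system', 'enablelua', '0'): 'EnableLUA=0',        # UAC off (HKLM write)
}

REG_ADD_RE = re.compile(r'^\s*(?:\S*\\)?reg(?:\.exe)?\s+add\s+(?P<key>\S+)(?P<rest>.*)$', re.I)
REG_OPT_RE = re.compile(r'/([vtd])\s+(\S+)', re.I)
BAT_RELAUNCH_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"{1,2}(?P<bat>[^"]+\.bat)"\s+"(?P<arg>[^"]+)"', re.I)
CMD_C_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"?(?P<target>[^"]+)', re.I)
CSCRIPT_RE = re.compile(r'\bcscript(?:\.exe)?"?\s+(?P<target>.+)$', re.I)


def basename(path):
    """Last path component, accepting the mixed slashes seen in the report."""
    return path.replace('/', '\\').rstrip('\\').rsplit('\\', 1)[-1].strip('"')


def parse_reg_add(cmdline):
    """(key, value name, data) from a `reg add` command line, else None.
    Option order varies in the report (/f first or last), so /v /t /d are
    picked out independently of position."""
    m = REG_ADD_RE.match(cmdline)
    if m is None:
        return None
    opts = {k.lower(): v for k, v in REG_OPT_RE.findall(m.group('rest'))}
    return m.group('key'), opts.get('v'), opts.get('d')


def classify(cmdline):
    """Return (category, detail) for one command line."""
    reg = parse_reg_add(cmdline)
    if reg is not None:
        key, name, data = reg
        for (suffix, vname, bad), code in REG_TAMPER_RULES.items():
            if key.lower().endswith(suffix) and (name or '').lower() == vname and data == bad:
                return 'reg-tamper', code
        return 'reg-add', name
    m = BAT_RELAUNCH_RE.search(cmdline)          # must run before the generic cmd /c check
    if m:
        return 'bat-relaunch', basename(m.group('bat'))
    m = CMD_C_RE.search(cmdline)
    if m:
        return 'cmd-exec', basename(m.group('target').strip())
    m = CSCRIPT_RE.search(cmdline)
    if m:
        return 'script-host', basename(m.group('target').strip())
    return 'other', None


def analyze(cmdlines):
    """Summarise the lines the way a detection rule would report them."""
    tamper, stubs, targets, scripts = Counter(), [], set(), set()
    for line in cmdlines:
        kind, detail = classify(line)
        if kind == 'reg-tamper':
            tamper[detail] += 1
        elif kind == 'bat-relaunch':
            stubs.append(detail)          # fresh random name per iteration
        elif kind == 'cmd-exec':
            targets.add(detail)           # relaunch target, here without .exe
        elif kind == 'script-host':
            scripts.add(detail)
    return {
        'tamper_counts': dict(tamper),
        'bat_stubs': stubs,
        'iterations': len(stubs),         # one .bat stub per pass of the loop
        'relaunch_targets': sorted(targets),
        'scripts': sorted(scripts),
    }


if __name__ == '__main__':
    for k, v in analyze(SAMPLE_CMDLINES).items():
        print(k, v)
```

The value of matching on (key suffix, value name, data) rather than on the literal command line is that the same rule fires whether the write comes from reg.exe, a .reg import or a script; the order-independent option parsing matters because the report itself shows `/f` both leading and trailing.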

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           149.220.183.52.in-addr.arpa   udp
BO       200.87.164.69:9999                                 tcp
US       8.8.8.8:53           google.com                    udp
BO       200.87.164.69:9999                                 tcp
DE       142.250.186.46:80    google.com                    tcp
DE       142.250.186.46:80    google.com                    tcp
US       8.8.8.8:53           46.186.250.142.in-addr.arpa   udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa  udp
US       8.8.8.8:53           2.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53           183.142.211.20.in-addr.arpa   udp
US       8.8.8.8:53           228.249.119.40.in-addr.arpa   udp
BO       200.119.204.12:9999                                tcp
BO       200.119.204.12:9999                                tcp
US       8.8.8.8:53           86.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53           130.118.77.104.in-addr.arpa   udp
NL       52.142.223.178:80                                  tcp
BO       190.186.45.170:9999                                tcp
BO       190.186.45.170:9999                                tcp
US       8.8.8.8:53           30.243.111.52.in-addr.arpa    udp
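The script below is an editor-added triage example, not part of the report, for the Network table above. It parses rows in the `Country Destination Domain Proto` layout used here, where the Domain column is empty for flows the sandbox recorded without a matching DNS lookup; separates forward lookups from PTR (in-addr.arpa) lookups, decoding each PTR name back to the address it asks about; keeps connections that did carry a resolved name; and lists the endpoints contacted directly by IP. Those on a port outside a small well-known set (53, 80 and 443, an assumption made for this example) are what an analyst pulls out first as candidate indicators, and on this table that isolates the three BO hosts on TCP 9999. The rows are copied from the table above.

```python
"""Split the report's Network table into DNS activity and direct connections.

Editor-added example; not part of the sandbox report. Rows are copied from
the report's Network table; the well-known port set is an assumption.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Copied from the report's Network table (Domain column empty on some rows).
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
DE 142.250.186.46:80 google.com tcp
DE 142.250.186.46:80 google.com tcp
US 8.8.8.8:53 46.186.250.142.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
NL 52.142.223.178:80 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
"""

WELL_KNOWN_PORTS = frozenset({53, 80, 443})  # assumption for this example

Endpoint = Tuple[str, int, str, str]  # (ip, port, proto, country)


@dataclass(frozen=True)
class Row:
    country: str
    ip: str
    port: int
    domain: Optional[str]  # None when the sandbox attached no name to the flow
    proto: str


def parse_rows(text: str) -> List[Row]:
    """Parse 'Country Destination [Domain] Proto' rows; the header line is skipped."""
    rows: List[Row] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].lower() == "country":
            continue
        if len(fields) == 4:
            country, dest, domain, proto = fields
        elif len(fields) == 3:
            country, dest, proto = fields
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, _, port = dest.rpartition(":")
        rows.append(Row(country, ip, int(port), domain, proto.lower()))
    return rows


PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I)


def ptr_to_ip(name: str) -> Optional[str]:
    """'149.220.183.52.in-addr.arpa' -> '52.183.220.149'; None for non-PTR names."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def summarize(rows: List[Row]) -> Dict[str, Counter]:
    forward: Counter = Counter()  # names queried via forward lookups
    reverse: Counter = Counter()  # addresses queried via PTR records
    named: Counter = Counter()    # non-DNS flows the sandbox tied to a name
    direct: Counter = Counter()   # flows with no name attached at all
    for r in rows:
        if r.port == 53 and r.domain:
            ip = ptr_to_ip(r.domain)
            if ip:
                reverse[ip] += 1
            else:
                forward[r.domain.lower()] += 1
        elif r.domain:
            named[(r.domain.lower(), r.ip, r.port)] += 1
        else:
            direct[(r.ip, r.port, r.proto, r.country)] += 1
    return {"forward": forward, "reverse": reverse, "named": named, "direct": direct}


def candidate_indicators(rows: List[Row]) -> List[Endpoint]:
    """Direct-to-IP endpoints on ports outside WELL_KNOWN_PORTS, most-contacted first."""
    direct = summarize(rows)["direct"]
    hits = [(ep, n) for ep, n in direct.items() if ep[1] not in WELL_KNOWN_PORTS]
    hits.sort(key=lambda item: (-item[1], item[0]))
    return [ep for ep, _ in hits]


if __name__ == "__main__":
    rows = parse_rows(NETWORK_TABLE)
    s = summarize(rows)
    print("forward lookups:", dict(s["forward"]))
    print("reverse lookups:", sorted(s["reverse"]))
    for ip, port, proto, cc in candidate_indicators(rows):
        print(f"direct {proto} to {ip}:{port} ({cc})")
```

Decoding the PTR names is worth the few lines: the reverse lookup of 46.186.250.142.in-addr.arpa is the sandbox asking about 142.250.186.46, the same address the google.com rows connect to, so the two kinds of row can be reconciled. The 52.142.223.178:80 row stays out of the candidate list only because of the port assumption; an analyst would still look at it.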

Files

memory/3312-0-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\aGckwEEs\nCooQcwM.exe

MD5 b78022379fee86193ea793ce4e45caab
SHA1 765c695aa1adfed4227ab7d8fd502d28fca62212
SHA256 9fb9be23e5364190c76e701eb193c259d506c11bb8273806ccff10b957ee48c7
SHA512 f14c7fa49645a2e7af3f6c54e8681959fca489ae2baf2dc07786b4eaf0257a88a797def5af2079ad8528b5cfbe2aec8372bcfec38f20a11dde4db381932a3b8c

memory/3276-8-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\mOoYwMQM\tgsIYgcI.exe

MD5 1c60c9ad61e00123998080270c0e31aa
SHA1 ae9b7befda4e935f85843d986a631219f4173efd
SHA256 698d3a64c7f972f1095ebd34a50fba1bf4d74bd4a164e8180278cb7cd17ac76a
SHA512 ab76e7175e459e8e738f9eeb7e1cf5821047c4ebfe3d1a881d470865618f5b5327e2fd80bee3b052ab9d22d4e888461bfcd35e848c32b721ee3a3bfc7847a240

memory/4248-15-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2840-19-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3312-20-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TOEEcoog.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock

MD5 8069e690a23c6c533e7209fc672f9b23
SHA1 7c4c896dd84d8cf02eac5f74282a18323a0304e3
SHA256 e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0
SHA512 6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/3040-27-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2840-32-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4724-40-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3040-44-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2532-52-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4724-56-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2532-67-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2192-75-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2140-79-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3068-87-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2192-91-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3068-102-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4876-110-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4396-114-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3696-122-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4876-126-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1588-134-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3696-138-0x0000000000400000-0x000000000042A000-memory.dmp

memory/620-146-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1588-150-0x0000000000400000-0x000000000042A000-memory.dmp

memory/620-161-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1860-162-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1860-174-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3248-170-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3248-185-0x0000000000400000-0x000000000042A000-memory.dmp

memory/448-186-0x0000000000400000-0x000000000042A000-memory.dmp

memory/448-197-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1948-198-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1948-209-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1140-210-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1140-221-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3092-222-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2416-230-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3092-234-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3116-242-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2416-246-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2704-258-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3116-257-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2704-266-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1860-268-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2516-273-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1860-276-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2516-284-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2168-292-0x0000000000400000-0x000000000042A000-memory.dmp

memory/636-294-0x0000000000400000-0x000000000042A000-memory.dmp

memory/636-301-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2344-303-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2344-310-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4588-311-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4588-319-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1620-320-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1620-328-0x0000000000400000-0x000000000042A000-memory.dmp

memory/212-329-0x0000000000400000-0x000000000042A000-memory.dmp

memory/212-337-0x0000000000400000-0x000000000042A000-memory.dmp

memory/916-339-0x0000000000400000-0x000000000042A000-memory.dmp

memory/916-346-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4660-348-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4660-355-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4924-363-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Agki.exe

MD5 c589a06b2a9ab113977bf76a953e8751
SHA1 eaa8b051efb1d681f484377653078e88155aa417
SHA256 dbf2919ddc4a4dff9ed207fe936cc46973bf9f609d9d229aa6d6db0848e56e51
SHA512 accc0b2b04b0d67c519d0106ae095636512a8cd04f7ac70add7170ea0fcbb8b7d9060540da3e8078e255664d464bdaaee87bf51f978aab4c1df4c90c441bd519

C:\Users\Admin\AppData\Local\Temp\EAky.exe

MD5 c423a524002fddcc09cec01a4b66055b
SHA1 f827709bb592b2d4c7ba6c0fa2823d7cab8fe256
SHA256 79e4c21d0a38576755f6d5db5f9cfd50abe95a4a4448b862552294510b09f399
SHA512 814e81000f027473fa9e38c8df20a6d07059b12547db9f55f9e1224a2036953e5268f623cbe6ecaa18b1529f6eb022058b0de0bb470187cdc3f0a770905ef5fe

C:\Users\Admin\AppData\Local\Temp\ScAO.exe

MD5 e9be3f95723153c59d4649f919716b66
SHA1 2d63087868ec3611c046c4f7179b4c62a6765691
SHA256 cbaf705204b35f156ccce70ce963a4bf0ff96e7aaa0af1fab741e1a54c6fbd10
SHA512 7faec05c5be7af0a2033af9208fdb94a05f0d8c99904c4d177a874a4c81f9e0ff24f33906b804ed79d99c69411eb97e05470b9d72c9515450adadb36bc4c9b20

C:\Users\Admin\AppData\Local\Temp\oMwG.exe

MD5 9ef4af824d39e66ac80a7315c8f61788
SHA1 3aded817dfce97eb3c6049f82f5c1da25b63709d
SHA256 2f83fc0e93c21424c3517de125ccf1b5ddb3a155f89aa90a74d8174036b5a2a2
SHA512 48eff5d777cd96a980574d32a039976a3fd2c4411b66c446c1bc075a42a153a5e417fa9becfe1e4891ad4a62a7a3b16bece62764fb3e40e6a1a36d33459a7f52

C:\Users\Admin\AppData\Local\Temp\WUEy.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\IMQm.exe

MD5 5429b3af393fa7cb4e45be7b7ec9592c
SHA1 6dd1e6e87c9bb20906bd0f05b58e36e9616016d5
SHA256 207019a29de150955aa44ae7a8f24c8f1040da39994bcc4b53c9e61affb48e51
SHA512 a3fc26bab81e6fa3ce0350523c171b09c8947ece7d1b4024e200ef42c966cd74f752ab302b0d5ef3f24a59ae2459d16f2ced87f45a4700134214f35ca5610359

C:\Users\Admin\AppData\Local\Temp\AswS.exe

MD5 4e701a44d510e7e9a1d96dfe225423c6
SHA1 d36d70d4b3ead57ce63abb0c52663afefdb77389
SHA256 cda86499387afee15c64f58abb72bf8a0d68705b27cc754e90fc0880880fa8e4
SHA512 c0b7cbc05d421be58eb5ade338b2ae40637ffd63741ba283f3520db78c177a8f65d378b7d2c18a9a3c47efb400c0753238b0277eaa5519dd8c030f9378ea27f3

C:\Users\Admin\AppData\Local\Temp\SMUM.exe

MD5 534649734b3151a86440f9ed1e16e91f
SHA1 61449794981a74881641cf3bec87f8e4d1e5b4b7
SHA256 a6eb14f80fdbd23220ab5d2c752f70ba04dc7edb3f253fba18f987305339cebf
SHA512 ca6b33ed27b9012c4de1109e9bc1fde2ffd389bec2c09418eeafa66e4509c55e2b148ca1457436facc28938d0797193a331a605e437854f919aa7be439509431

C:\Users\Admin\AppData\Local\Temp\UsEK.exe

MD5 670f691b40e1c4e56a02ae652c1d9d1e
SHA1 ce2257bd45b6aa1c66c2cc973078d02d1d562a66
SHA256 c42e553429fd2c1597c103a6827b523ad48d2719b074d271d513aa5b32e775cd
SHA512 60d3adaf2b8220f72dd6e8305b528749ece462bc5686771cecbc3629ec6c476fedfdf103c96a77b4c03d0839a5563d54f91b968681e936beeacaf9e2e04510a5

C:\Users\Admin\AppData\Local\Temp\MwgY.exe

MD5 6730eefab191bad5e451db36dce36896
SHA1 a707e40f78b60d0893517ccea75ccb3e2c288d2f
SHA256 4f64835ab5e9d73dc89f27162348d2b3519bc3210c36bf90be621fe0ce8b0683
SHA512 7c2781d0d1353169f22d2eb85bbdad25d779e5db80fd07ec19b934929fd341c7ad3a133a072fd51a8dba55637d29128eb0b680ac812814e4f12045ac2b8f7e0e

C:\Users\Admin\AppData\Local\Temp\uYsc.exe

MD5 2fc38e0dca673875e1ad7544b34d26f0
SHA1 0ef589d4638eb98c5a518892d5537bd2f3b9600b
SHA256 bb60d7d054e88bdeef84afd6c8366f24d2ce694e7993aa53cb15b21ad445fc93
SHA512 64bf1eca88afc60a806fd5d1cf8138e7a122940278cb8b926920c782e4cbf639098748421777a2cb38beb53757e310efd6705513319f80ad94f7bb0712fee3c9

C:\Users\Admin\AppData\Local\Temp\UEgW.exe

MD5 f9ec94326c281d9f6a1a3ebcb9cf90b9
SHA1 1dff80fe7b78d244ba3222a9f4e4c4bd62875c9d
SHA256 986ec3728219ed34fc29a33fc40460e1d3c4014ddeac7818187373db1745112c
SHA512 a99e15ef588bc3c01ce8151098392399c061d27e758f6615de3c367f812c2e9430772d2b6819b4c0596bee00e24123050921d9cc54519eae73baf790a9f06af8

C:\Users\Admin\AppData\Local\Temp\ksQY.exe

MD5 7838936498b0c283f41d79d898e5891d
SHA1 c3885b194559a19fa0916954b2d8fccc019d5e9f
SHA256 636d749132a08f1fe1122da8c030c0ed85cbaa2ce4d010bf152cace7e98885f6
SHA512 da89d935f6fcabdacfdc82f064e40bf0c127c848091fefbb30e8fa4dbeba65be3de7da954d02ed1b799b2dbe4bd038fd83b98c701020a598f5b39f5d72df9de7

C:\Users\Admin\AppData\Local\Temp\oMwU.exe

MD5 44843618cabf9e1a1f43f91d0dae976c
SHA1 a741e16e433fa1327fa68ae7b5a497e9f7ba8e48
SHA256 dd9595bcfbd7611f03f80a01dc66cb2464b0bceb7cd3b8c896596e999af4d85d
SHA512 1227fe9ca3e07054a395e5f556fae1e92ae0bebc4785cefda66343110d613960f8c745a22eac28a24d4035e762aa87da09fd98f3e48234c6920c2f20516b6618

C:\Users\Admin\AppData\Local\Temp\Ogog.exe

MD5 d185a8b59c2ade40eb4822d80fc64205
SHA1 666034b68cd2d3c76f9a923e91d7d369c1a97fea
SHA256 86ed7b03f3f3d7b08ee2a924c5d7a604c5345c46529304a9587b166e3c090926
SHA512 c2c6fa9acf2322762c29d586626adde14791a3ac548c591fb9f92631557a88e5659966b8728b9d29834c9f2fc84e992363d9c1395d6f308c4cbd11a35ced4717

C:\Users\Admin\AppData\Local\Temp\aQYY.exe

MD5 13544f041142f1ac52660d9e9179c035
SHA1 c09526ad1d5d8d67e2b33d9621e9e4ab8caa9034
SHA256 1ff0f9d36a9e817e7021f8ec1f42534ecafe1bb15bfa6ede8cf97e59f72079f8
SHA512 04e859fd1723febadf576e7396975afb4b0fa175315c438077fd5717bf9ef2aea72825bd1eff19f1b97425938a0261cfcfe34ee73539d2a3aee2d257053e8b5c

C:\Users\Admin\AppData\Local\Temp\ScoY.exe

MD5 047819fb8daef72f03a0539821445eb7
SHA1 784aa0b489884fe70459d32f5dcb57c3e0415b10
SHA256 95a3232ff60c42747a905284f11b20078c4a62e39a3d373e7b2ccbae1f2f88f9
SHA512 a9b3d84643ab40898c54fe2784afc0dc3f9cd16b7f64b680fea5687386bf0961b9fe6fff5c08b6fee609993ee06513fa7a0f96c450f06cea791fabfce19d3bcc

C:\Users\Admin\AppData\Local\Temp\gwsq.exe

MD5 99123033774e9aec14c07d1d7fec4f10
SHA1 78021fdcf4c868c2aaaa725a6373245e998e71fd
SHA256 de7fcdad00ad257a95d3bf39f96fc476ff47c028616e0efaceee2e3c152d5b01
SHA512 1bde4c0a6b25f846932c12d8f7693539996a5f35646ce0454f8a73964737c5ec811a89711d25565327615be2e5f3623858f69565b8d3218c8510ab3d6f4b0aea

C:\Users\Admin\AppData\Local\Temp\qowa.exe

MD5 af7525a3ce5f565cfda5da80a199c88e
SHA1 e7eb1547b8652dd4b3f49f6715706d998a95abbd
SHA256 c69f9646f3cea5d8707cd97dabbf10dd047722752a9934d7813a392f8bfa9fd8
SHA512 0021f1ed4f7eb30818da3aed8d5ef1ca505690f0a1d169dde50e06f91bb4e86c070500898fcfd1b1b10ed632b5f4306a9a329d30ab0cdd676f7d08439efc1e03

C:\Users\Admin\AppData\Local\Temp\ekEQ.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\kEoS.exe

MD5 97a273c92f441ebbb96bc07a23ecd6da
SHA1 8095b68c7225bab968ed8bd91fda78e8097941b9
SHA256 93f45972affeb6dd2218d7c884d95929a29a5ca5e8e8f5f2ee28ea523c32c614
SHA512 6c0a21e72e4366d4f0c3a538283a52f64b2eda94c02034e3ceb2f3c9147c6702ccc4c1b3599eafb919d61f24bb1db9675e1a05967d1ba6e0716608fbb01d1f16

C:\Users\Admin\AppData\Local\Temp\sQko.exe

MD5 f9c56b0d23bf4cc2924e206bf678c4b7
SHA1 95a8d691ebb821641c2e20e646b3f133dca5b10f
SHA256 477ce63084992b3dca69a3c8be4f742fa15d4e77de2fec52a26b4d2255c4c367
SHA512 28f8ff8f85ac654d193fd8da1733621a3b82958400b7a357a7d203d0b382e6a1bd93bb06ed0675c522f33597b0c823378cb87d1e6e70855245c46888fbb006db

C:\Users\Admin\AppData\Local\Temp\MEUA.exe

MD5 049fe1b61f6f769119e387a2cf62f06b
SHA1 0003235f424cd14158d49c2a6ef8b17d7da030b1
SHA256 84f03478b226e056fddfffe1fe55f3e5dd9137719ea19a41bea405dc9024f3c5
SHA512 0dfbcba5014695e282a75e274eb69a602868911712cba7a5ceb9756ba499c3bcf84dc50de2a685f20bd1cfb69f30a640af859a8b7ac4ccc3445491bbbb9acaa6

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 c7b24dadf8775fe7f7379fcc2eb84e09
SHA1 25abe679510520f91be5c00ce0c5e4889b8ea218
SHA256 8e634c192b51fdc2b84fe0df2db558b1264782108993873eb801366ddef647e3
SHA512 8edb5fdfc791d42989bb14fd0c84a02d3e71d4510fa88ad9f089817f51793ebb526b79efb24a1e75d36c6cb2065cd1d3efe29307bc5d114fdac3cd7c88687795

C:\Users\Admin\AppData\Local\Temp\sAsK.exe

MD5 e055ed92d0389fd80aa04bbdae51443f
SHA1 5966aed77629b95ea1116a04e06612d57b00660f
SHA256 b9ba76d65d949403a56626f12f6e10e75f6a525f98b0f63fe00de1ab8b07a236
SHA512 5e18894b793334b284ef0d8d5a7f9ec2e5f7e3042b7e69a8938e4cb60da0515746b98e80c132610de0f0d58d15a4158523590894a38d0db540120b7bf53b56d9

C:\Users\Admin\AppData\Local\Temp\YoMi.exe

MD5 3e6f0093c6789fb4c3d2c387cd4b80e1
SHA1 a69f13871f5370716c7c86d05317e0f4447221fa
SHA256 cbc6e6b4a7258241039dbb3e0b2ddd3c85dad33efba523d7f0b90ae8172362ae
SHA512 f563ed8301a7edd574ac43d1f4cc5b35ca1babe52d03183c10a7fdaa624eb63b5d68c94a76a727302fc2ae51c9de17c9dfdb6f8af77ebb349896e72d5eef9855

C:\Users\Admin\AppData\Local\Temp\swgO.exe

MD5 86f6fbac85a25593f0789c87b2086640
SHA1 870c06230ac3a080b49f106671bbe83aaca0b8ae
SHA256 0cd5e5d4581e34f76e04b65315a3653f358a3f79fc7e0c8c420e8a6110def001
SHA512 e3caf3b638b9bac8128445b358f571a20874efea41baf2b199dee8325682e8781bbf59163ec707d0c009292c12dec5541203dfa97c36bf21a66d4f1bab729691

C:\Users\Admin\AppData\Local\Temp\QMMG.exe

MD5 66c775d04b1c0559fa6a267a631cd36e
SHA1 7075ec8a93521326eba99b44218331ab87793919
SHA256 336aa111793e877ccc9e4280647251ac570156f4a2a5ee5dc34b5711e5dc915c
SHA512 dc4418efb2166501d2beebe8449e21b0b216a90f3fe156fb4df3d56f6f10d3aa9973bc595fcd6733394327f46f44b3f98ddb22bc95ee28d82110820239ed88cc

C:\Users\Admin\AppData\Local\Temp\EUoU.exe

MD5 709482c83e0d5d5a7a37ae0c4fd2070a
SHA1 0bc791c9fcc887c690e26437fbcfdd137fb7b1d8
SHA256 d9bef30ef6c59677660fe824c99bd0981b7850a5222605d87abc1b4e29a51ff1
SHA512 5e862064306c275ca3cf626f9c8ad2d8e5c7a1e80221fb9109dc80d10802b1f8ce3d8aea0202d23a8b804ff4db5aec4f97dde7669fa010fb85b5b6e0798a1ef0

C:\Users\Admin\AppData\Local\Temp\ScME.exe

MD5 54fce53a5e15c551f0737a920f267097
SHA1 b4bc39369dcdeb6e7fe4c2f75b23846962b99fad
SHA256 8f5c3310a2c6bb0c8834b91ca734e6bfd96562cc6f0fcaa5f0554394e6fde2ff
SHA512 14685c19495d76cfbeb4b4d00d18eb663a8bb09861de1e0d129e56ec139d57c43e183295f3aa6dbe979e9a8ea9802785cda6c3c2d0e8edf582d1e306635bc3e5

C:\Users\Admin\AppData\Local\Temp\WUky.exe

MD5 ce11eac04e3d365a878d4ea28655f4b6
SHA1 ee028b5e8a8646dddff01c238b2789a1e7fde7cc
SHA256 a30765de3fd337510d323f2ea571f48c840e507de1439d3239e0daa04bbd2f38
SHA512 80b7a28e8e6fba088ba9e2630347ab350a1302dcd2d98f8aabde1bd4f1b6006bd8b72ab1481d605f7c7836a70e33b4ab47a0a0cf29a157e1d3e488a206a6e86a

C:\Users\Admin\AppData\Local\Temp\KQQe.exe

MD5 b46192bd3306fba380bc5db41c89718f
SHA1 04bebbb45baf5063078fbc03b00af2f176ee6ffc
SHA256 135d093b733384da43fdb8776b3a43552e148d60e22e35c9cd0f6fe7d99c4949
SHA512 5fca0c442f819ef8ed1609ce344dd50b64039d45b1c5fb184baa8b6f8b17a1bcf5f957730516810860e4da766d187d7a0c98c83165dc5cdf15b39750a8d804f9

C:\Users\Admin\AppData\Local\Temp\Qcsu.exe

MD5 24eddfd52ca9132f806aa85c22fd3988
SHA1 0dfdb043bebebaff4a0e4308494b64b33002f1fe
SHA256 24a9afa77c8acdec248238928843c7099021f1479e0e697829c4ebfaf97be297
SHA512 e54a87ec9e0c45876a0cfbcfb5829125c291e98a688813401ac5771dde81527e01f0c62b3d595c5530345b29537d3cea92e82b3cf17611c5edf38ef7d43b8364

C:\Users\Admin\AppData\Local\Temp\sQcC.exe

MD5 b27a9f48de4a07fc189be87efe94475a
SHA1 cc01c61d2ee17c26636548df814b0f1089e5ca68
SHA256 6d39cca57f61239b28293dfb9b6157d2700cafd879296c08119fa345700fa852
SHA512 393c62a7ae8ba86a9f8722ce193f04320738838900d57ab1b6b04f53456a3817f80a7462adb3d476c948663c0e49f47ca258c89f1cc3668a37a6e221bf2d09a3

C:\Users\Admin\AppData\Local\Temp\qAsY.exe

MD5 3dfd0c450775891527dd071eae23ed50
SHA1 362ff739f6cf8bb1cac42be9bf6d1f310c9fca6b
SHA256 74a33180e2cf600147f713d1198a97c67168712ecad40577759985ff96261779
SHA512 2b0fac82ec9f3cf16c07a346da923da7587473febe15f17ec246b2b9736b3fe8f4a760f6b08761341a404f355fb6099cd676fb052b970d55461ee10ebd1f51a2

C:\Users\Admin\AppData\Local\Temp\cIoQ.exe

MD5 d0ebfe6babfec84e8358d863b613d806
SHA1 d111100ed89e9d67b07e5f12dcc3696d3028a029
SHA256 6f522ae3c2af825d3315c7474ce840466693a708db2e0f1a928d02d59de2838c
SHA512 99650a1f97e95d54a21e9b6c772b05ba5d15c8d3fae22b610b91327fd86775003015034c3111d1f20c4bf8de3b7a48012e8ca78f7179e5fe7529f3adc7b1b5fe

C:\Users\Admin\AppData\Local\Temp\wogi.exe

MD5 9875519e903f1b947cf842a3cda86252
SHA1 b5c22e786e3194fb2f53312f902020bf1acf31bf
SHA256 d7950907459dcead0f2f9d96446e4492641f4cb6d45cb2abeb2d52dfe7c72289
SHA512 c2fde50feec543e9544b278f34996aa1b483871d0a59f8b71f421600499e029dd819b2133c5a0a6e5b6e0e634976e73f2928657bb8833614ae0a8e0f12b159c3

C:\Users\Admin\AppData\Local\Temp\AIcS.exe

MD5 a4f379d8e658d03716cfb65d2c1097e6
SHA1 ab50bbc5e85a9db808faf09c5cdab37a8a67939e
SHA256 dad90a7a32317e1577955b9287b30448dc1ebd84f4ac1de2515ec037c6e0b58c
SHA512 a392b3af79b65fd6d25c5999b39f4511bc0aac0df7fe0578fe32c19f7aaa3de01933b696dc1304b168b98a317e28eb70bd2a721f8edc52cfef4b1926fd4cbb99

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

MD5 aef7c3c1f75e636873333e74cbe3517a
SHA1 3d07100e1475ffa209fb1bc7ce5b9fc41e277759
SHA256 76b3ade7abe71bf9f1a3f935cde7994b4c0e6a07b4e3905672e29596348bb8ce
SHA512 47e2fa7ab296426eec69614e2a6c209b30f6f58dbf45cc04c04256c41b863d06523f1c0d1fb6e6eb648e4ee73c1f513a6a258763e72cb82102222a93e4c6124d

C:\Users\Admin\AppData\Local\Temp\UAMk.exe

MD5 646a78789f79a9e89b3d448b2b390999
SHA1 aefb51846955209653bbbd5a82ec86a27195ea00
SHA256 df2afae1ed88d6b74f0a519ddb050b0971be95926e325bba8ebf2c260a2e5797
SHA512 94a0ac68e140795cea8ee9bcf482ca656cc6797c46b7da31741ac111dd570bfde04b7492d91f0243f7589adfc82a25fb682f8ee4ab212861ad9580c0905e8653

C:\Users\Admin\AppData\Local\Temp\WQUG.exe

MD5 173cd41af4b15961db333fd6416d0114
SHA1 6c62230ace39ea37726f44b809c28f177e533520
SHA256 bca526610dd30aef414f8c4825e63f4a44101c49a5ec9a5d088a56a6e74ba3d5
SHA512 67f6f7ad6e7985dcee9423c7b3b98367f44c0933769e91da91c2e209b282b1442f0ba7dec6ee81e3ce1b6f5103bcb4217e27636df2dc4d18e5c5b94bad66dbc6

C:\Users\Admin\AppData\Local\Temp\kEMe.exe

MD5 15227211569d80486263ad61a0b5aacc
SHA1 e24cffb301a8df062dfa5ae5e836bcd3aa562339
SHA256 cbc160d55f253200df0f16ec33f85bed82c862a306e70283326989f479800d88
SHA512 e9b29180ccbf410284abfa8ca1e0cc2554c648ee1e4dcbf055ec0d6f94e4330389997e83eaf97a871454abfbdaff5ab50c4ff9ca6d71ab435fa24a4bce8a33da

C:\Users\Admin\AppData\Local\Temp\MYoy.exe

MD5 7fbd5505ae1c85bbf655f7d930660350
SHA1 87f430362a94a375822b95421c77b860c78b1fb0
SHA256 b6f67d4bb3ab0ceec53eb5865c2bc68a2766d2847af41940e7f3c17bc0957268
SHA512 697f547a7de33f105b938a387125ede31e1a882f5f4fe8f85c343fc36a4037bedf340efcba5b0b37896eb2924e3cc7e68efc2128a0d9d4d10f871d1f19f20efe

C:\Users\Admin\AppData\Local\Temp\GggW.exe

MD5 2537f12130efb34a221f53a7c2d37685
SHA1 d1b9d6d05de848c8d31851e43a833fe9be5438a5
SHA256 399ae761662ab6f719d0c82dac45b8ed5d96c07dad93761dac38dd1bd50b37bf
SHA512 8f2da8ffea02aaa0696d2f6df879f98bb88fefbc8e691d9451df8eaf209a140ff315138be016bc3829e25545aa0ae5c31ca1bace52d31735fb5d709a844bd4ed

C:\Users\Admin\AppData\Local\Temp\oAwY.exe

MD5 e7aaaa98b9673743e8e15fe4aa75dc18
SHA1 2ae9e58c1a377ce19e2632a9ce98deee2e23fd1a
SHA256 51bd99e5876afef1c44255156d50fb1cc039a5d9ef0afbdad874a66831f74bf5
SHA512 72bd94d1bb9963d54e70e0885a80e9e02eb5f8d467d887612c8ca5a4d7b261c84f9d8bce962a90e642cc127bb608bb198ce9a6f03b981b99d258f2abbb72aba2

C:\Users\Admin\AppData\Local\Temp\kEMO.exe

MD5 a4b3539b9397b3b9750300775e49e29f
SHA1 1f73b0b2dc7c97743261bbecd9a6a30615c86f48
SHA256 6f6cac2c00a8375df596c64d84bf152286e8f27afbe31be210f45baf55a28abc
SHA512 ba8130db84b41dd932f172425b82d2fc9a4ed15ab6adf93e7db290434344f6cc0113681bc0b71ed0371bf76a6f9a2e826c20e8d883f9f58594ec41b40f58b26a

C:\Users\Admin\AppData\Local\Temp\UsMC.exe

MD5 621848d9d54d3ab330df2a3da47dc67a
SHA1 56d86458e71dc1cdc8adfa397fe8f9822f29aa6f
SHA256 999e4f517d3b013cdd1c2369e72d9f29c4ebb6b82ff038e943e7277b8b08b69a
SHA512 0a32c47cdb3a84987e97f8ee11c539fc21ab503a9bbb8b8df56126ae2f6a40831087fcf155568cf051fafd5ffe8b1092acbd9913918e9f1a2a9c9c4e9c4dfa6a

C:\Users\Admin\AppData\Local\Temp\UMIy.exe

MD5 62727d689c572fb7e86d49abb2a3ba04
SHA1 79c88afbd9e39e28b2a5903da49b49857ee33ea2
SHA256 75e50a1fbe98a2cbae2ce7e78c3dc3c4923b349d229e0b9c1f0e901825ed2cdc
SHA512 fb0ba97a7b3a94800dd0e357b6068d08f4bb541137f4155b7031d5a9b4cdb558f3fc2ef0157dfe5b6ed1bb66d0e2b0eb5fd4e776ac3412184486ea92eca99443

C:\Users\Admin\AppData\Local\Temp\Koki.exe

MD5 9b78570166ef2509f35d8e92f8c697b8
SHA1 d777aa8b24bddf6d70c101a99661be8ef082dcb0
SHA256 068f8641ced5e377dfa01ce2487ccbb680071b254f32cd46429f1f36bcd49d46
SHA512 7e6841fcce14326795a642f0796c418cc0754492e0154df9f3f28488a9052162880cc6884151e526e8e636a45ec3aec22d6c06868bda37e2abfefd5976f68519

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png.exe

MD5 5af4d3fea4b645f17a5a8c7f3710b156
SHA1 fe0034f882246d792f8226552735ad6e7d6b448f
SHA256 b0228c03221f899342d97583970392b6d3514d3f11056b7e23eb538063dc6ac6
SHA512 9496bd3b675a739d2b852ed8e763bdc68612ce75ce6a5f7b78c52082d9842f4a2ef484ce29042522615c4545e50bd3e9af79b46d646a397d338335b217bfb410

C:\Users\Admin\AppData\Local\Temp\EAcE.exe

MD5 b905ca04932089f36c176589d2b4b066
SHA1 d35ca8d96fa1a08d97a6e78e829dd5ea680739a6
SHA256 f4be6b561e99b20e62d0a497c90600b01db9ce84a9d3c5d5155a24ae0e2f009f
SHA512 bd32394c74d30e630e84e92ba558f8ee2f24ee3cf8e1cac6d772685eccb6a32663f4236e0f2861884ff21338b85b8248fd8a0603792632fa6500012133596a7c

C:\Users\Admin\AppData\Local\Temp\UwAy.exe

MD5 e4378025f6a2f79061a0d2e89519243f
SHA1 3c0876f943509904665466c258a277c48306f2a6
SHA256 8bcbea92d5249c1ec33ee9d0b8f0cc379b5fdf8b24a1d149f1dcbfe328153963
SHA512 2d7e986374f0299d233536903fae9040b029375194f8a7019c171e1a6b478c1c3e5114da91591313f87448755251940cc3e84b76157d919c9b261126e8583969

C:\Users\Admin\AppData\Local\Temp\Moci.exe

MD5 a2e9a0117b3afbb7ae7f13ed3fe6a008
SHA1 9ba3d9be9a028f5779a585e169daf8648047732f
SHA256 660d47a98f100b0304d44b0cb4e9302aa90c997e6451ae4e55e5ab4f4d7b396f
SHA512 9e96cf01db5c80698b46f4caa7ec4789f874af027213eebb4702f9022c2cd41277bb1bdeb2e3b3a926fb19fcc4260754915b939032694e55b9678243e3b7fc65

C:\Users\Admin\AppData\Local\Temp\mEsU.exe

MD5 df79fe574815662b1f16d508eddb8bb8
SHA1 9b7bc2c15edb0dabe7aa146143788e8173f11de4
SHA256 14de7ba6d63b1409fb7e2802b7f507d6f6c2c73848987370a6f3a24ef6e89cab
SHA512 90479b72fb7cf615933ac23473b471531ae3f773b753509b61ad808fdd516df2390b252abedb37f05af9c03f8e8bc90cc5eab4253d28960686c86baa2aaab033

C:\Users\Admin\AppData\Local\Temp\sMQi.exe

MD5 b431f6f11c6b75bf6da469d24abca16e
SHA1 bca3150b5ddd6c92d1ad34eafed40243eada0736
SHA256 04187c33f2dd6640814931478245a7772d97e8d4789a37181a86096817e3e4df
SHA512 49be4186a80c04adef9eb226cc7a840e245ceb70b44eeef831e02c8a27e7bde0940892d046008e2a3e9f0da31d68c64e54f6e82978e700bec293e354a62b96e7

C:\Users\Admin\AppData\Local\Temp\YgAw.exe

MD5 8ad8614d9bb65bb9b0832985bfdd5ba3
SHA1 054d1785a9abc7c302ffcef9d072a9436863d56a
SHA256 9bcfa94ac017553de8781b3446daa8203abe7bdca823b06c94d15232f2b4dd79
SHA512 08b51f95fea1a56b6187c7b5e84a7cd32a308f63d92cfb71a2181af3592cc9bf3cd72e92a1acbb10d4ed46c11e921398a00fe553f6ee9ecf1e30b58a75acc281

C:\Users\Admin\AppData\Local\Temp\qkEK.exe

MD5 bcb34b39f24c3d71ec5400b68164de72
SHA1 d5939287b9b9b425f98b09e73644f6301fa4e1dd
SHA256 9e60805ad35d88d3fd212a046d96d2e5068727a410231bd0c602a6cafaa6e463
SHA512 3f90cfa52d14817386fa47b50e91f6dd001e5552b2afe3af1373e19a028a5b74bfa8725228f7c860427242c011775861ae2b3215dcc8f69bf2e0fba7d7107c7c

C:\Users\Admin\AppData\Local\Temp\yUQg.exe

MD5 2470b05977ddecfccd859bbded729c61
SHA1 ed97f9edbaff842c37a269aefed2fede0de9b630
SHA256 272b7610dfb7e4c29d01e727c077680b97386b231c7740680a5f9485cf538806
SHA512 01ddb67e470e58946c0129e388170bab916d27610eb870c9aa57be3a1a9df8d6bd8cc3329a137378b237a3ff2c8901dcf8b5044f6964f6bf0e7dba2951c35cce

C:\Users\Admin\AppData\Local\Temp\swMM.exe

MD5 1b3d7e7cfa28fe1c308cc969ef9e612a
SHA1 61bd6436c8c8e596f1fa8e1dec609a264d82d65c
SHA256 190f7ab2822d012083c38e9365d045e0e17373a558bedfe313eb05b3759423d3
SHA512 27bc89fb13c457989bae4842b607fabff7cb23130f191bf246a8ff70174a3f10d3f56ec980ea8a2e332160fae3e2e19953146d0fca414a1c208906b12c2cb2bf

C:\Users\Admin\AppData\Local\Temp\cwsw.exe

MD5 7314363e3f32c8798dc47d4dc269aba7
SHA1 1b06abe55a92d6e7304d9d9ee79d5ac23f826a6c
SHA256 cbf82b1557e7132c3caf032b1d3433a7035e1b280b7f56e959bf4d7650875b40
SHA512 9780c4aab19a27985588ec33c32f3726d6d7d04f974787282df4ec3a91eac498b0237d443023a4f6a7f424ecdaa0567ff08870339b92efe4c839dbaeb1e52b2b

C:\Users\Admin\AppData\Local\Temp\moYW.exe

MD5 05e053cde59135680d154cb2512f1151
SHA1 b0ee6dccdd0ee246bcdb655fd1704f307a19e5a2
SHA256 d04f3836bab90d25f2360c4eea033762508283c2186b2cd6cf25adeabc13c4b5
SHA512 69d2ac97ef78892c4d41d6f7a5180dafb83ee24527e38e9019cc2ffb7f3bffe506aa18dbbafbedd161879487bd8ad0ff1801e399ce435c954e00141109383b54

C:\Users\Admin\AppData\Local\Temp\kwkI.exe

MD5 cf7019e37aa07b97dfd221f802b04287
SHA1 a09369971cf46c6d30fcc8e60ea47635830602a9
SHA256 e2052b4bbb950835cc2c9e3c830bc603b3254d8ae5d81ef3638b0d8da00c8a0a
SHA512 b723c447b382e0c411487e0389037fbdee3580969ac1947cb4c6d1baf8656eff69cdaccb97c496a2f4557baa1cfeba54b0627bd0f74a018552ab0aa84ba81289

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe

MD5 d1d272ae2688cd0f6aeb6d9d666d5246
SHA1 ef3357c6900180fcf6bd1454efe14ab4e513e9e1
SHA256 f5d64f4019fd9990cfcee0cc0a2a62fa3550520db98966847a255f74699d1421
SHA512 9117fec970075e9460305f3e1047cdfbef77432b180ac305a978fececf1797ad393c19446ca3939b85f38fd2eaa1fb3d760d5c132168d01921b3817a23b28f61

C:\Users\Admin\AppData\Local\Temp\iYsu.exe

MD5 3b8f833f58e6b07adf600dd42d6242c8
SHA1 329f2fd9371e13f8ac6db11ea40b79b19d9a5598
SHA256 b373155d799d5286af7f5047c62a0235fe3c2fa696f21974cbe98f7ed2f6575b
SHA512 ab0b2d85cc10cd7712f266327a4351e65c01e8d4a844389d4bea1577aec4ee6be5f0e0f0aa5ae9c3ec5b5a92cc85212bedae9b002f353e17f4fea0f07673b8ad

C:\Users\Admin\AppData\Local\Temp\YcYE.exe

MD5 4a3bdbd0e94cac5e24301be527688c1c
SHA1 c95ccfaf5ff1240863fbc48d3763fca0879067b8
SHA256 a5a8a4b8c9f3795d90f3758f85b34600c93fd9e997d00a7e586bdcde785b6095
SHA512 87005a675a23d5cadad72455536121908ec256989484d081728037713d684490d2496e535bd2f890fe6523c11865ded001861b3213b35f874c3462037ef84726

C:\Users\Admin\AppData\Local\Temp\uAMO.exe

MD5 7a844469450595b752d99c49402489ff
SHA1 1ccb3c756926011003386445a9b0cfe52de6d16b
SHA256 6b6f23ac25b029a749d9c268d2e81d6e46a67dae9c6834b70ead4f12ae84e70d
SHA512 d8b09eac3af9daa465e9fa3ca82228a5179a70a3106b2167e537ca008eba13ce2668480bee8ed3d981cf50c0a1857061fcfebf2c0875c6af1e8a1726b7da40b6

C:\Users\Admin\AppData\Local\Temp\cAIo.exe

MD5 1daf5e74e906cdefe735e05837dc611d
SHA1 5d91f0bf9f1257332a3865204c1623d1339d348f
SHA256 78d81742fc6943fa35f9098f039fe580b28f460721ff016520aa0a78ab11e5aa
SHA512 0d1e5483580cb739b05af8d5833eded8cfca967d46717805ef8caa09c0bf718d29ae8b522f02733c0640ed908091c072ffe57a58d0d575570508ea610780adcf

C:\Users\Admin\AppData\Local\Temp\kMYe.exe

MD5 eafd205ad2f4f761e67c33a700cc910d
SHA1 81b0fba7dbd1b704f72fc362c0968dd267dd0123
SHA256 aa9131c22ae20d3812dc24b4ae1e359fb362bbe176ba27a4f78d9aecfb701d9c
SHA512 bb2e5ce537834c770f5f6721ee3dba81f51fc23b8e46ffda61f55ce198c6a85a52d1a386b636bb492a1799e82c825281130a1484d95f36ba5563a45eacf58d9c

C:\Users\Admin\AppData\Local\Temp\cEMq.exe

MD5 eb49eabca8de63e70c53080fb3c70c26
SHA1 b684e8c93fd4388557d0b65fe1d52ddd3c06b8d3
SHA256 7d2a97d05e2417b6d998099b5d7b096a475de75476343d7bd399ca48a43416eb
SHA512 8bc6b03773850213b6401598e2b830a3e04ec4953647c9a4d7e98a9239dd9d2160b1f7c06a9522b1718fb7f59c7188c59352ea6c068492de910d9ad73ceb7c84

C:\Users\Admin\AppData\Local\Temp\eYMo.exe

MD5 508011cb2e737096e722b2f611b9a062
SHA1 7633aee1d6308132ca9ad3cf216f032ec9e2f4f9
SHA256 81137221304ba7a287174e0a92ce7835f39bb6929865c8dd9c62c8a92a8ff528
SHA512 94026db58a0e2f57ba2439e9988c1cd7643e024dd0488d7312ba8d39b6b73ee8fef82b240b00f5c78eae4c3c28f7c875ad55fe5d3d95de9462e186ad6a18577e

C:\Users\Admin\AppData\Local\Temp\icUa.exe

MD5 0c18c186716ad60665e6d458fe9ff089
SHA1 f1abcdb909c92d8d021e5843a52be186fc77eea3
SHA256 ae8eb8500d0cb8f30d053cff2da02c10de8c57b522c5e68ab93d1a04ea7a0786
SHA512 586f2bf5c10f3458915f4b12f2b26c7061711a0c7a3c4fd0dbf2e77f066237fa6a66c31a69d6324fb6bcd49d46b02896c554e1098e1f2676c8820c54f94fbabf

C:\Users\Admin\AppData\Local\Temp\kEMK.exe

MD5 209a5a73a1850e10630362c728ba3ee9
SHA1 264342baebeb942737d27d723317dd1eaf2c5e36
SHA256 b150dab396720a9b9b62ef171cc69f4a932ca7f91a610326384211e27613d0be
SHA512 da7b6ddc771e5bcc91f4b514da31b383ec0176c9d52e99962676aadf14c526289189cb820775d299a3440d700b39491a8785a9d6f3db2942e88cb77e8aebb42a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png.exe

MD5 96706a36d892a297951675b3da99bd2d
SHA1 21dbb2777c29daf612e9e8d31b19ed09c9ce5b12
SHA256 c141573452987a5a5c58acbf9430d5c898837a5dfab0aa91ae8c51f29e5d2f39
SHA512 932bfb1aff9f4acab5b9746e2dfd9a93a55956cbbf61c744906fe3d3f2c46f7a5ed4cf15cb2208246f65dd461d4aed924e88e79475c3d5050838baec3af46563

C:\Users\Admin\AppData\Local\Temp\WIEO.exe

MD5 75f5a4f4ad102b9a6d70718a6a34923e
SHA1 d439a5e2738144967ce869be723f04705bc6cdaa
SHA256 255bf09f42d21fc9d2e746fcc14c9afe777fc6fa35ca88c87d4b1d38c65373cb
SHA512 2cc4d047a91b5c5ab28c74f744b54c8cf940684a79cc72f74fcb0dcf17f29ce1014e8a8543a252a9442e2b9eff0cd6fde9c63317452af645e60780575515be8f

C:\Users\Admin\AppData\Local\Temp\uoIQ.exe

MD5 7e9f4499bf6e787fed3cea08ec2ddb9a
SHA1 3cfd761db9e0087c47aace5f50a729ae339a5f14
SHA256 ff533fe25d1c7608984d6b5eae9ff8486e60f6d46b16e2384223ee89a873dbb8
SHA512 435b31247fec2d9a7374e9452fa0c67459a9563bcf4229630613656e0d69036d9c0b78795c708179be644b15d124132b3a929115f9fca040a671aade345702cf

C:\Users\Admin\AppData\Local\Temp\MQEs.exe

MD5 872a21f4d96582b09fac1edd9cf9e633
SHA1 6aaf460efcd70b4e6510d617d532a550e0eadc1e
SHA256 c8613815bf79d04c1f5e4cf22332ba5b9c3b28c510d72b5233f3c6714f3ceadb
SHA512 d9414afefd7c7a58889295e0d497c81b626f1e9caa6aa091cdf45cb2326857dddc9092d5c05d140e887a072a11ce6dff8ec15b06160e5e00b7d1ad4dde78dc6c

C:\Users\Admin\AppData\Local\Temp\kcYW.exe

MD5 f80ecb35e32b441d2a3c4dab43302eed
SHA1 59f12efd39bdcbd76e7bf0d5a89b185e61eb0051
SHA256 fb695c25ea376ff1a1587fcac83f274b0778b011038c28f1697dfbff51443d0e
SHA512 cf53863a141a7fe42a0c0bc02e62b872d11425d711ea88a7d799e2e8bd2106555af7cccaae56bc213d1d4172a1429fd391bacbde84d0b6715e4c1ecf32f347ce

C:\Users\Admin\AppData\Local\Temp\EccG.exe

MD5 5ec26070e397239eff8ea4d90baf8a63
SHA1 c3ccd98a8a896283798cb754465ee3e907daace5
SHA256 64635f30a16c16b4df4408c07476020e9b1c5cce58cef1fe5b8bf89c8561262d
SHA512 fec7841ec586c6e01382b66793d0b22874c8ac74800ade4a962e235e052b68a0c6cdc5dc1c0e929dc6f34ada6930b0ac1ff5a9b8c0a38dda7a6efd15b39982ae

C:\Users\Admin\AppData\Local\Temp\ugAk.exe

MD5 6cea9aa1eed6eb50224bb0d4d6444f58
SHA1 67c8c0d836dd75763278396606472caf190ca202
SHA256 ed972cb60e5c8f4df220d5de52190bc3aa883a180a7e41f85491977d8e7fa435
SHA512 33a6085fbc9c2674245551df44deca74d7683dd2c18d9393a2b6d6d1e469c26b0e48f2a28d7a903011c2964caffa4e7c9a036cf8270ebe4f15c6ca0f562597d3

C:\Users\Admin\AppData\Local\Temp\kYAy.exe

MD5 327f800f8180968b248f9c170e33ff15
SHA1 970a57d8ffc58707750e1a80d09323c1fbae603a
SHA256 b3904fbeb01e3092bceb36f8550d09ea506249573facfbff7c863a1f611ffa57
SHA512 6d14f81285ae3d3e33b79e313f3a24d8016ff48265ea4d45ed32492b65dc7a9a4ef9aeb13cbd4ab0638600a908973e4e30dc31693a1d36e095350de00edc3541

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

MD5 bf37b6aff787722ca7b3f79622d4f41f
SHA1 f63fd09668fa45c94837316168dc0eac2942177e
SHA256 8c1ed7d9fad718e1f84700862b99f2384ca2f676f35bfca58ec482e086506cf6
SHA512 51ddc75e577dbe37bd9fead597cc838c5a1465e80e7ae78b99b7c5c844495226f1cb3f78fdf26f041c370b60e7828f40708f27016853e6dbc144bbbc86f81bce

C:\Users\Admin\AppData\Local\Temp\kogE.exe

MD5 e41dae568fb1e903273eb1e01ea8257f
SHA1 0734522c7d8e22d039f3706d856e979b3ff8bf0f
SHA256 d5ac55770c98bc1fed00a8433f0475e9c05f68edbe39a3bdbd34ff8eea042110
SHA512 f0d9552c56b79d738a08ea252cffe83dcaa0684841f6334da476bd3712b207b86f854b9375b449f518017635afd832fe3e2f1e05d16a731c806c4354f3445b43

C:\Users\Admin\AppData\Local\Temp\OUUC.exe

MD5 05860a5aac54b4bbe3d8877be068d141
SHA1 1defc19a808e24f9e4e8efdd61cdbe7caceeb39c
SHA256 bc8c7dc9454b4fc347cd022fe61af6474d7354f0e24595e844d9e525cf50cc70
SHA512 5dd6b27974f37e58089f1f8f2e0b6bcc545b94b768d7a0a9f9d54d9eddb41a035b2a0dc83d9a6e04ccb5db8f818a8ce79f6f31893253f37fede0d662a5c9e1e1

C:\Users\Admin\AppData\Local\Temp\UcEa.exe

MD5 b30a83082860591d963ce12dc5b31ceb
SHA1 8f6a4aed9b9458ebcabcfab15e0599395dfedbf1
SHA256 fd87f2c4916d6bde2a097c579faca7f7f62800663886831ae296e6e19cf46419
SHA512 0fe9700b729ec17b97c81286e4558e4ac79adaed5b48829e63d1c6f9c3088941c842c44fe7e8198c845530795b8845318d5120531fc7cbc1a611946b501d487c

C:\Users\Admin\AppData\Local\Temp\Msoy.exe

MD5 fae5b6d99be95ec40080db4c53231f7b
SHA1 5990e929e0f3eea6e0bb9604c3a747b701276844
SHA256 231f3190c480af079ad29d85d70d18e0a45b3ff37f34f9cb106637d6eaa9b456
SHA512 0e193f1676b8a4a50f9a0ffd28d1c2f86bcd1d08ae6f7ad9a0913020ed9c9444bc76a6a28a6201e5496e660b17b6c22f60c7d93bfabad78a50083e5a629ae447

C:\Users\Admin\AppData\Local\Temp\WMUi.exe

MD5 209c6b461af144b17d9174d0b56e15be
SHA1 eb312141f06ab8c8bebf5633537e2183e2a7094d
SHA256 315e4d995a28dad4a2286c0c3875e716b03539aeba652a7ba5fc0d365474314e
SHA512 d21d08d5347ba49d5ce2d3a989920c245a449d068cfdc766670c1ddcd5fe9ef2259cd9336de08abeeb04036b3a0472e39fbc8aec9ab9164a793d00e0b119bff9

C:\Users\Admin\AppData\Local\Temp\cocW.exe

MD5 55f535d41f60d902b8378a1e3124575f
SHA1 b42a134afa857c45dc452dc21997dd760181205e
SHA256 8a64e20c297b761ccb2b17ead8d78c1a60f03c4eac0fda3660f2b1657d3c22fc
SHA512 fc7acdbabb9711899704010827a087348f1247438cbc56d98d2bab4f570301b42ba735457a444b43e68afb3f4dbece3a7a0e47ac77298509bccfcc913d283508

C:\Users\Admin\AppData\Local\Temp\AAAS.exe

MD5 d1e55266b6c4764c7877931af0dd89e3
SHA1 e4b353c6234c6045f8a3582949d5eb36d905a7ed
SHA256 d5c4fdcba92e3403ce0cde2da0c8d4ee8675c183cd76bf183000e5239d123bd6
SHA512 f4bcb04ddc430b65deb977ae4eddd10d08ec8a156e94167a1616c8c1f538e6d5f3c9c9085ffc8403cc2728653516039d3917d05f698b100fc29620a6a2a5b5ed

C:\Users\Admin\AppData\Local\Temp\Wgcc.exe

MD5 538005c2aeb8d46b3467c6265aff707a
SHA1 df4a3b645dac69da8d367f082d191a657b24cc1f
SHA256 d773463212e5285593ae3c016688030c48532636da4e3340fae508c41f8fa48a
SHA512 bbf9e2b7e122ba4978b0317aa75ad46df6b9badc9a926cdd4a2098ea03c0de9a180013264c691e50dacc47e245e8615d5f19d027cef234c430d4a297023404aa

C:\Users\Admin\AppData\Roaming\TraceWrite.pdf.exe

MD5 3feb251993721e85cf06337e1d5224f5
SHA1 f4864e93507091b4a5f1483bdf882e753a313575
SHA256 62c549d396004fc12f5c1a411c5439c7e37545310485c22df982bff4e042a3c2
SHA512 cbc6c4c36d24d23f2e1186c6117a499495e43ad8ba92c0590164b3fa16ae07430f24eaa17ee6ff627e5f343309439ec09c11cd45a7f0851cbbfe731f87f7b88b

C:\Users\Admin\AppData\Local\Temp\EMUA.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\aAYM.exe

MD5 92c2e4c58cd747112ce322ef00deb116
SHA1 9527987f77c49ef6798938203eb68c6ee9887108
SHA256 27ed6f6dab97dc53ddb499cfeae7199f3b9b0118cb451536ade62b7c29cfd432
SHA512 ce740a7c81f5fd13fc8a107faf70ab0e57bed9bf2f764be366cbc152c48511fc5f3c27d75f3ba56dacd43d624c61934c249d81b375e9b810100c342fda715313

C:\Users\Admin\AppData\Local\Temp\yIAe.exe

MD5 efe921b84b085ae1638bbfce05cf5914
SHA1 8f31677abbe9bca2120149ee54c22b0e535d88d4
SHA256 ef03a0bc29d25ad5b564bd3479d9868a56fe845f7b77a45e7c6c5afb2614ce67
SHA512 aa2c79b1f4f048ad1e464f16dde5e4efd2d13f54b5b02c3b09c5749a568bfb52a899e77d8b7219998354a2704ebc4267de113da74e512474bb1fb7a1f8b8f01e

C:\Users\Admin\AppData\Local\Temp\iEkQ.exe

MD5 4ce21497709b91e49786b6b58b022338
SHA1 84098020ff5af2914398834d9cb6de57fdb1e22a
SHA256 f1cc2b919a7f63eee9bfb9309cd31d276aa553d50c3ffc25a989ea6710974586
SHA512 0cae59e259b784e9f57fe83937bdf90d632ae088c25a294c19703bc3edc6f0a33f81369fc8b4b18529cf574b53d6436ed1c2e351dd92b0921caf10c49baebb69

C:\Windows\SysWOW64\shell32.dll.exe

MD5 f2eb6b91862ee1815f35141ebfbab850
SHA1 5e94b1b1593d776684f516818e3924f31823a614
SHA256 7ef7d5d94adb74a4c481786abd1c89f5c7e88ed4d2fe8a17d73a7b3c2ba8422d
SHA512 ea95757cdf6c82cbaeb73e26b28487c705b885e896b1965fc6c79b0bcb07c22432d7be73c1112bcae89d848c796efbfc5e0f55c28d56fd84e580016478ef3257

C:\Users\Admin\AppData\Local\Temp\QYce.exe

MD5 a3a09192de6db3d41bde58ffee74fec6
SHA1 551a633fee4b3db7685c0f036df1b918e999b161
SHA256 74abb2c8decd655258c463938390b4b9701aab6c45965eb27c46e9a885f1b761
SHA512 685257fb927e14942a46cf253816b66329ca353d84f2dcf5c2c24d9e54855052890f8f084886060d5c0439cdc6a91c42a6f051cec4afad7fa42dd7b7e4d8a4dc

C:\Users\Admin\AppData\Local\Temp\ywYq.ico

MD5 7b65672ac808bca7c81e0700562aae9c
SHA1 e279f707d5f93cd0449443cf7f70d54a54763208
SHA256 e5798e3d8c1af62d997a27bc2fb7333639a4f20e9753cf7a5b0639cd93f96448
SHA512 7592be8433d2044e21d2e67cc5905f1ca3d2c05884f99e4fdf4db1aebaabb735ca1d50f6397d02ef2c0ba6e4528ec5fdc4592ef35e0e6d451e0453d5491345b7

C:\Users\Admin\AppData\Local\Temp\KoQo.exe

MD5 50e2ad9fa073c2664bbbc722d5eec268
SHA1 101690691ab1ca295d81974b78e90303a53920fd
SHA256 5bfc09fdcc22d94c08dfeca0b0c5717608e6e5d4c1dfb3b4fef80f877b20d472
SHA512 fb694a9436853bc3f6aa30de32c17a9a1a6f9ef178b52447922a0bbd1bdcfde294bd0cdf656523c8ed3589a3bdc6aa6db5df40603f2c0c1ab637d46e9679b1a5

C:\Users\Admin\Documents\MoveComplete.ppt.exe

MD5 8e6ca1afb3aeff069b07883db731912a
SHA1 d0676506f2544572db56a29dab89d5e13e5e15df
SHA256 9b2ab8aa3cdb502afde0dd929844021b246b1561d1dda2de64cb225240782cdf
SHA512 0f4963d797976790a9f5b5f7420c6905b29b9f7c55b11f9494a11073769be0995b5d4413a7ea25d3bfb642f70c6d4dfab0bd1e69141c94a7c91c48a824ea81bf

C:\Users\Admin\AppData\Local\Temp\uQgs.exe

MD5 1cec223dca2aea2d0e176a47345087fb
SHA1 578180563e9d0f1c586e82d6c2a0e17f4db3e411
SHA256 0b56719a7d57474683e36e98eb30b137a58bc7fdf015572a08012a3b6051d119
SHA512 c4871304b881e0bc7f032f4e2bc4a65eaba4603bc8e94d8556a57b0ae5f3aaddf3b6346ee040afd798456671b6c0cba6f55a7d156bb42f414efe36944f615ebf

C:\Users\Admin\AppData\Local\Temp\ycMw.exe

MD5 f0c15031440ec0aa24500b8156db0906
SHA1 cfca7f2dae4b89e4188f59cdf35f3a7cf2746d89
SHA256 cd6c259baf238401e159cf95c74d8b84c90b3ba648c581e85277345dc1a3effa
SHA512 c4a468598bb7a38aeab7235d34440b38484c31a70d4ca154e1fcc8302804b57f8f400ba77d31373d4c869559eed26c426aea74c5f526979495bb2031b7125eb5

C:\Users\Admin\AppData\Local\Temp\WMcq.exe

MD5 531e4c06019ac454d6baf3709af16279
SHA1 d0245e500d1c2c44a709de18a8d84de430d788a5
SHA256 7ce5438164b782c80716232399aa556f525836591986874aa5b5834e1d8c97b5
SHA512 6ae924652a34bc0478c12d48e4a2faaddfc417f15f526eacbfc83237a88722677a47b9818c2826f9cacee5f77d06e2f544c703677b2b12e1e942a4f73c7f85b3

C:\Users\Admin\AppData\Local\Temp\UUgU.exe

MD5 02ec7679f2fa4e614979cf87c0f0ed47
SHA1 5151f158a11eda21c88507245d93e6bb81c1260b
SHA256 83051592c275a137a511b43089140faaff1bcb3dab1a5a4fb803282d7aa99ef8
SHA512 21963deaa110faec9c2942fcc3735c6a3b0bb99a872c521e4638bd5913f3dcd43f7b82bd8b6dbc1b511f78e22eba23b54df109c892f91ab9dfaf8d162e337125

C:\Users\Admin\AppData\Local\Temp\gIgS.exe

MD5 fd6c0c484b6f10a049de6caf93f8174b
SHA1 7b7b486a0ec4f4045b4301e6447d43a2bc3bac96
SHA256 6f84fb3fb9cef2bbbf9526abb2d0c2b96e0a50fa502f28dcb3b2d082e7342daf
SHA512 3c176a69deab63a426b790b188687c1166eed63182c11149620582936ba74079f1d5db80df2bd10268f0bba21c4ba0d485f84858ff6dc0c210b2d414aeb4e81c

C:\Users\Admin\AppData\Local\Temp\cAQQ.exe

MD5 3ef22a601d8d4f378c954cffcfc51449
SHA1 a7565d635e4feead94c64846677dcf4dc19d54aa
SHA256 722e44ee050b3bc748c9190b4ca0aa1330fdb6fdf36690cde29d58877f80ee66
SHA512 06de42f815c2d27f19e2bd7814abc95f3d802368d23704068abfe57b001968025cee0a7cd1e55e15cfdff0083cf666acd116c01fe9ff042fdadd8369960451f8

C:\Users\Admin\AppData\Local\Temp\WooO.exe

MD5 dd383990384a9d3267f47bc3b0aa5e1f
SHA1 f1f89c87a90d08f4b31c8877c45e40a3a3827315
SHA256 2dd20fb551339541e9fe098591e4071a65fdec56a440c5e41c45f5927d7eaca7
SHA512 b578b5fe8be1f9feadcd96389f36de6d0b455eb18025b47032008333875c18361649187823abadc225e4b98616b2f3f2550b51ddf295c63692f87aaa6020094b

C:\Users\Admin\AppData\Local\Temp\sMQI.exe

MD5 50689113bc322b600c77fe9663ea99e0
SHA1 aebe2e8b13d4fd49cbcf28a81b722cf3ebd37fc0
SHA256 cb98df435c8a0048998978b770d6fe2c5f59f884296095808f319ded6d6154bf
SHA512 1abe7635dd3b82a69549a26ef79e2d3b74f64fbe5da8dca7e2da0cb7e5fa6d819eb837d229854c32eae2aedc51b9366dd09f7ac0662fa0fbc366f06e7eb0783a

C:\Users\Admin\AppData\Local\Temp\IkYC.exe

MD5 527c01a3bd96e7031b341531899fd306
SHA1 5ea4f54b0fe4cc03ede191324828820f853c98ed
SHA256 42852081b3251ea18ca5246731fc46a1df817abc68f6499fd8d437c28e2f727e
SHA512 2127eede0f23a7730bee41b6c2b610127075090847a64e5297a0c8075921e357753ec6bf029734133b2ac948953acd6c5b865273426a964c256261afc0491287

C:\Users\Admin\AppData\Local\Temp\uIIe.exe

MD5 85e786f07fecf27515f496f2c568fa42
SHA1 474da97cb18a2e62f6ff71eb36e8713e734c3619
SHA256 008a94d3c346a798b384c6e43e9e3c00efdde873d6ec716b68b0cb4004937bc6
SHA512 26d92ba38c15c0483e94a9668f5055fa69887ca158052e006ae9faf6cecb46d152687c2e83ad9525c770be19a2e2784ee9063bc64fb5f1e829bca66bbb561388

C:\Users\Admin\AppData\Local\Temp\SIIe.exe

MD5 ab99662cebfddeed16d16125c52dfed2
SHA1 cfcdb3e8182bbe97af03fc81cee28cc6915d8ad9
SHA256 6162d9d730af5ee3707ca730a4d79c79910ac0b2a128acac0791b9fc8d75c472
SHA512 8cb0a407890c70527efc3e208ce7287b4823196c180be4bb19a6c72b0f0f32a31db6e7faa21927e9c7e49ec0335e41aec3b2a8273c812b86db2d3d4a3335d9a9

C:\Users\Admin\AppData\Local\Temp\MMgW.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\AppData\Local\Temp\Yocs.exe

MD5 f4aa18957ac4a88ca6dd3ebfcdc15aaa
SHA1 f18a5bf17b94e1023e3e4207a9a3dd45c764782a
SHA256 18f8e45f5fd1bd3744419aed64bc6bd2d2b5af3fb43c9cce53f26dc8b62d27d1
SHA512 7170609013bf6865b4656ba2cf236d9452d7b5d42f24daac2632e73796f7f8b49937e90e183b7bda0c73b4d992d1a95e2b4b8fe07d9960c1bedd1826915985ec

C:\Users\Admin\AppData\Local\Temp\mEoc.exe

MD5 0bbc4335c81608611f5d751b4259779c
SHA1 532db0a61b6737fadfaeda449dc9abaf90312176
SHA256 c62dd1d2bbf7087fbd25bb57bd0e41ee74c1f54cef181debac3498adf25ebd20
SHA512 b743a116c16ca249950740bdb28a437c90b1c158316a8c514a37225ef00191f826c18ef98aa889fd1b289c15a0a862d87abaf7490cb3e4300490935e05c7ba0b

C:\Users\Admin\AppData\Local\Temp\IYYu.exe

MD5 f3b9e4fe74b4cd5b82c2c11a25fc2e92
SHA1 5d6680c367f948b040d40b0433f6a511c7cfba5f
SHA256 523596a60a0ed92f714681c926a15fe79eb8cd19629d2d3ac76a3c0966c9a6d6
SHA512 abc04be2f50043f72c44bd820fc65191e0ecd4338e1325d8ddf6c66618f9e5390e2ed2d946550a5cffbc7a131250b03b81eeb1d8ce26135a20e4a0e57450a4be

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 bef68e8be209b9834a1a3e98e9ed76fc
SHA1 5c77c28365bff4e5d53da7a7815f55501e3c6ec7
SHA256 1e553be8fe2f9d1a7da642832d5f8c9d5b6b6374d86a592ca7add94024a45ad2
SHA512 f080489667ef05cd61c3e58b5dbf7e6e16c00fd6991eca61c84a553d419f9b03c44e523026bd4d5e5d8e2024c8f280ab9e151ff83dd440d5e86668d2e4e72352

C:\Users\Admin\AppData\Local\Temp\Mcss.exe

MD5 511288dd29f2d6124c7c81562d4f1e9d
SHA1 4d73386e4560d71fa7ccb67f0f26de61b6ef42a1
SHA256 37a599b5768dd284fa2f7e403cffcef5189a2221637c58ca53be3b9d558507c9
SHA512 0a38b10d06421324c22c9ddf79b9519053596867ff3695105042262ac92e6538b9eeb86ea401e7c9556c93f84e54f2fe6dc7d4c996c341e7570603e8b6b4640a

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 0b6c948ec28cf8c8e83d4eb48c4825ff
SHA1 200cff3ccba999ad073fb084fa2dba2e33999def
SHA256 aac5dabf56036498fdf4fd575d60564bfd60d7069f99ffbe90913700c00039b2
SHA512 1567ca304a8af6a8ea3b1d6db8812645ed7c9ddd14f685aa08d515638bf4043eb4152eaff028782e36d981f122f2efb484c15df9dd4d862f465937cc49af7058

C:\Users\Admin\AppData\Local\Temp\SYga.exe

MD5 c14638818909493a1b5bb8c03d1b3581
SHA1 f30a0666cc95027dcb36d5b6501dfd8a849ec105
SHA256 8874a410a60c0c393058531421df34edd70d37896904fbaec64d3b22357f208b
SHA512 bc9cb9aad2d0d61918be790088b8567d0b94e346f6a81cc3f0e0fd1857362f1614710367299edce63edbb619c35670fd07405e408669269397a4fbaf3f74096e
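A listing like the one above is raw material for an IOC sweep, and its two most useful properties are the per-file digests and the naming pattern of the renamed files (`TraceWrite.pdf.exe`, `MoveComplete.ppt.exe`, `squaretile.png.exe`, `shell32.dll.exe` under `C:\Windows\SysWOW64`). The Python below is an added example and is not part of the sandbox report: it parses the path / MD5 / SHA1 / SHA256 / SHA512 blocks exactly as the report prints them, indexes the digests, and walks a directory flagging both hash matches and double-extension names. The two embedded entries are copied from the listing; the planted file, its content, the `<constructed entry>` label and all function names are constructed for the demonstration. A digest whose length does not fit its algorithm is dropped rather than indexed, which is the check you want when a report has been truncated or copied by hand.

```python
# Added example, not from the report: parse the dropped-file listing as
# printed, index the digests, and sweep a directory for matches.
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Two entries copied verbatim from the listing above.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\eYMo.exe

MD5 508011cb2e737096e722b2f611b9a062
SHA1 7633aee1d6308132ca9ad3cf216f032ec9e2f4f9
SHA256 81137221304ba7a287174e0a92ce7835f39bb6929865c8dd9c62c8a92a8ff528
SHA512 94026db58a0e2f57ba2439e9988c1cd7643e024dd0488d7312ba8d39b6b73ee8fef82b240b00f5c78eae4c3c28f7c875ad55fe5d3d95de9462e186ad6a18577e

C:\Windows\SysWOW64\shell32.dll.exe

MD5 f2eb6b91862ee1815f35141ebfbab850
SHA1 5e94b1b1593d776684f516818e3924f31823a614
SHA256 7ef7d5d94adb74a4c481786abd1c89f5c7e88ed4d2fe8a17d73a7b3c2ba8422d
SHA512 ea95757cdf6c82cbaeb73e26b28487c705b885e896b1965fc6c79b0bcb07c22432d7be73c1112bcae89d848c796efbfc5e0f55c28d56fd84e580016478ef3257
"""

# Expected hex lengths; a digest of any other length is copy damage and is dropped.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
_PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
_HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")


def parse_listing(text: str) -> dict[str, dict[str, str]]:
    """path -> {algo -> digest}. A Windows path line opens a record; hash lines
    before any path (an excerpt cut mid-record) are ignored."""
    records: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if _PATH_RE.match(line):
            current = records.setdefault(line, {})
            continue
        m = _HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) == DIGEST_LEN[algo]:
                current[algo] = digest
    return records


def build_index(records: dict[str, dict[str, str]]) -> dict[str, dict[str, str]]:
    """algorithm -> {digest -> report path}, for O(1) lookups during the sweep."""
    index: dict[str, dict[str, str]] = {a: {} for a in DIGEST_LEN}
    for path, hashes in records.items():
        for algo, digest in hashes.items():
            index[algo][digest] = path
    return index


def suspicious_name(name: str) -> bool:
    """'.exe' appended to an already-extensioned name ('squaretile.png.exe').
    Heuristic only: 'setup.v2.exe' matches as well, so treat hits as leads."""
    suffixes = Path(name).suffixes
    return len(suffixes) >= 2 and suffixes[-1].lower() == ".exe"


def hash_file(path: Path) -> dict[str, str]:
    """All four digests in one pass over the file."""
    hashers = {algo: hashlib.new(algo) for algo in DIGEST_LEN}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def sweep(root: Path, index: dict[str, dict[str, str]]) -> list[dict[str, str]]:
    """Every file under root that matches an indexed digest or the name rule."""
    findings: list[dict[str, str]] = []
    for p in (q for q in root.rglob("*") if q.is_file()):
        digests = hash_file(p)
        for algo in ("sha256", "sha512", "sha1", "md5"):  # strongest first
            hit = index[algo].get(digests[algo])
            if hit is not None:
                findings.append({"file": str(p), "reason": "hash", "matches": hit})
                break
        if suspicious_name(p.name):
            findings.append({"file": str(p), "reason": "double-extension", "matches": ""})
    return findings


def demo() -> list[dict[str, str]]:
    """Stand-alone run: plant one file with constructed content (not the real
    sample), index its digest as if the report listed it, then sweep."""
    index = build_index(parse_listing(REPORT_EXCERPT))
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        planted = root / "TraceWrite.pdf.exe"
        planted.write_bytes(b"constructed stand-in for a dropped file")
        index["sha256"][hash_file(planted)["sha256"]] = "<constructed entry>"
        return sweep(root, index)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Match on SHA256 first; MD5 and SHA1 are indexed only because the report prints them and older feeds still carry them. The name rule is deliberately broad (any `.something.exe`), so review its hits rather than acting on them blindly, and remember that a polymorphic family will not share digests across infections, which is exactly why the name pattern is worth keeping alongside the hashes.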