Malware Analysis Report

2024-11-15 06:11

Sample ID 240407-3fcltahh45
Target 2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock
SHA256 2cbfc88391763ef2cea1a1307642a6e24daf41170321cd2c05e7d97a7329fc82
Tags
evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

2cbfc88391763ef2cea1a1307642a6e24daf41170321cd2c05e7d97a7329fc82

Threat Level: Known bad

The file 2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (80) files with added filename extension

Checks computer location settings

Executes dropped EXE

Deletes itself

Reads user/profile data of web browsers

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:26

Reported

2024-04-07 23:29

Platform

win7-20240221-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target Count
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A 4

UAC bypass

evasion trojan
Description Indicator Process Target Count
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A 4

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\Geo\Nation C:\Users\Admin\WOoMAsQU\tskssQcM.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\WOoMAsQU\tskssQcM.exe N/A
N/A N/A C:\ProgramData\WukogsMs\lwQUQwAk.exe N/A

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A 4
N/A N/A C:\Users\Admin\WOoMAsQU\tskssQcM.exe N/A 28

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\tskssQcM.exe = "C:\\Users\\Admin\\WOoMAsQU\\tskssQcM.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lwQUQwAk.exe = "C:\\ProgramData\\WukogsMs\\lwQUQwAk.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\tskssQcM.exe = "C:\\Users\\Admin\\WOoMAsQU\\tskssQcM.exe" C:\Users\Admin\WOoMAsQU\tskssQcM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lwQUQwAk.exe = "C:\\ProgramData\\WukogsMs\\lwQUQwAk.exe" C:\ProgramData\WukogsMs\lwQUQwAk.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\WOoMAsQU\tskssQcM.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\WOoMAsQU\tskssQcM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\WOoMAsQU\tskssQcM.exe N/A 64

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1280 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Users\Admin\WOoMAsQU\tskssQcM.exe 4
PID 1280 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\ProgramData\WukogsMs\lwQUQwAk.exe 4
PID 1280 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2600 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe 4
PID 1280 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe 4
PID 1280 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe 4
PID 1280 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe 4
PID 1280 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2488 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe 4
PID 2688 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2916 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe 4
PID 2688 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe 4
PID 2688 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe 4
PID 2688 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe 4
PID 2688 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2196 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\cmd.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe"

C:\Users\Admin\WOoMAsQU\tskssQcM.exe

"C:\Users\Admin\WOoMAsQU\tskssQcM.exe"

C:\ProgramData\WukogsMs\lwQUQwAk.exe

"C:\ProgramData\WukogsMs\lwQUQwAk.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rWcYgcUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RyEYckEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dUQIccYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LcEkkYgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto Count
BO 200.87.164.69:9999 N/A tcp 2
US 8.8.8.8:53 google.com udp 2
DE 142.250.186.46:80 google.com tcp 2
BO 200.119.204.12:9999 N/A tcp 2
BO 190.186.45.170:9999 N/A tcp 2

Files

memory/1280-0-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\WOoMAsQU\tskssQcM.exe

MD5 0c278664fa6dea5d1eae9da29b388ee1
SHA1 275145b6bfc73a15f19ee8c00c199b6e37b73201
SHA256 08ed93310c3cf71e8743984b016c12965f50039b6d83408b533e3d504b0c461e
SHA512 7d34353aa5cd4abe8b7fd55389731ef8e0ab2967b2e79ea11fae013570ae57a6415845a666951a1267382fc3d362524dcd1e18375aebc8f988c33f360999c630

memory/1280-4-0x00000000003D0000-0x00000000003ED000-memory.dmp

memory/1280-13-0x00000000003D0000-0x00000000003ED000-memory.dmp

memory/1544-14-0x0000000000400000-0x000000000041D000-memory.dmp

\ProgramData\WukogsMs\lwQUQwAk.exe

MD5 d1b39234d046f11aefb130eb770b9e20
SHA1 cfffcabab072ba23f0802bb0118a3095a93b0cc8
SHA256 24ae01876308f7cbb2e6d129f74c7f988a39cbb93d1f405db4cc9cd7e253ef46
SHA512 73a96988c528100135688e837c97535962940973c968e99b82a21621537852160037cefab65d4d3692cffa44af469f10f51bfb622dc96552cef85f8f13e3f3a8

memory/1280-16-0x00000000003D0000-0x00000000003ED000-memory.dmp

memory/1316-31-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DeIAkEgI.bat

MD5 33b785eec15e6567321c50d95d54ff8d
SHA1 08d16c32c348ef7fd8ab26cd020749a8141c1cfb
SHA256 baec63a411f7653e6f185e6d8ff04ebaad3ae53220b3391db3297c8d4009e68b
SHA512 f959894ebcd30d114094d0d4b779373cef4f6a2ec4fb6050862768a0ffc9dcba9f05f0805d45e2078e402de04c39984a2fa898efbce72cc43852a71146cbcea7

memory/2688-34-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2600-33-0x0000000000120000-0x000000000014B000-memory.dmp

memory/1280-42-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rWcYgcUI.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

MD5 3d404187efd7b9fb9810d112bd8cc368
SHA1 4c18184896e46369b2af6de3d84c25f44d3f051e
SHA256 410fd53c9634965c2b56efbf7a774d79014c98a2cd1d767adc51636e97428c5d
SHA512 5c1ab1a5309e0d2ea3f08e0e01d1291cf964de682c06812061d46d7bf8db454d36532c58fa511873564db9cfa9d215a63e752d57acb5038581b3b9a55dd27390

C:\Users\Admin\AppData\Local\Temp\pUYYkMQs.bat

MD5 1262c3927a97f1d5c10c5849822aaa5e
SHA1 ddd6e934fd6658720a6ee6920f246396422ba6d2
SHA256 70da317b4f22c513227021d4bb36b69f030e188c658e95c34289b2be8bed31a8
SHA512 1792ff75e6fa7e3c8dfae6dc9b8bee9da89ea7a2f4b34da214cf417dd1e39d5df872cd4ad0aff2c4a3fae123ebb77b1e065afa69348e3b78d70bf5961015ff5c

memory/2916-55-0x0000000000260000-0x000000000028B000-memory.dmp

memory/2916-54-0x0000000000260000-0x000000000028B000-memory.dmp

memory/2196-65-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2688-64-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OoUQsAAk.bat

MD5 d5411352fa0e0f816d2b82d3f737d253
SHA1 ee31f1a5e5809ee409a621fb9d67256bae73c3ab
SHA256 d0929f9df9ddba162438936ca307fe59ed1cd374150fb840c03a5d2fa232fc54
SHA512 df356c175c68985cce01779f6a4074d4bdd9ee83c65a9c12fe3030d6e1871de0bfbe6a4556b36d1139e7c15e5e185e4d2a3edee7d25d369814f0e029784b5b47

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/680-77-0x0000000000280000-0x00000000002AB000-memory.dmp

memory/2196-86-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2744-87-0x0000000000400000-0x000000000042B000-memory.dmp

memory/680-88-0x0000000000280000-0x00000000002AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ygEoAEMU.bat

MD5 ecdce62f6ffd81aef99d858c1b6f16b3
SHA1 e8f8c01c2dedc40145ac65c4085d5dd79b6ddc24
SHA256 a4484f3f6d5f978ae4540ab4093217c6068ada2d7d158b253611e1bb42a10421
SHA512 094ff56616992e966ab33b0c37f6341124ea8aa9f8a4e184bdc8a82cebdb8b48bfdfa98043f4d65bd26ea1a402204e33b2616e828abd4bfd2a749fdbaa8e2e8a

memory/2744-109-0x0000000000400000-0x000000000042B000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\Users\Admin\AppData\Local\Temp\egwO.exe

MD5 3b2894779c688a247dedb5b3b3029a6a
SHA1 6dc327e3ee25269fd084de98d69a1fc85dee710e
SHA256 55ce75346fe309a87a0843fa307325a9e1a02e8d02785e6db9765078f42e35c9
SHA512 523e7168ffd4945e83207bafae92a0dde3f34ce31a4cb4e38649f28df92c011fbdba5a891ee503466dbc72306301bc0163f17c4a5cec55bfe24b3fcab3aa74e4

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 66d758630d05fb97aaf8a5ee62d08139
SHA1 07024790e20782d6e1c8e9ab02b5640abe1f205b
SHA256 db7ca7bcf7462973bdb8efef62b243306246b05afb4ccfd75eecd0d2576ddf45
SHA512 c53d51b3a27519834bf3f63e56542a42bb1764b93fa0cd43c2c2de2d10ecbb2186523bc3287a5a258185f19ab69e8070fe5e782805e2ff4c6f5d1e5f00112500

C:\Users\Admin\AppData\Local\Temp\BcUm.exe

MD5 e3125a28e4eb48baecec82ab5f39787e
SHA1 d9f02e52c8271a508d8d814a21445d4810464a48
SHA256 052e0258393be1c6049fb337fd9b7a6a5b8fcfe747f3a81f33519084d4caa15d
SHA512 c6eefd267e44ffadfa76185edfd95ef60e87629f662e1025e3a06abd8b260556cb86f85e243bd752fbca53fdb9d2310ff2997c0daf5a132f9226575822c88336

C:\Users\Admin\AppData\Local\Temp\lMUq.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 25aef79ac67ce3d818ca39c4dade2a12
SHA1 d2fbba198e438b205dc0349773c1e4c1f31cfe0f
SHA256 577a18c467d9dd1b242b9f010b142f2bb39603a2a16195f451967727d05d80ac
SHA512 b1fbc51bf95bab3ca899de5aae231881ae49d8760070dccf2b31e3dc29c1eb701d6e6b511d7594b2603cbbad8f4e80444ddfd07f92037df2f51cd4c9b48dec9d

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

C:\Users\Admin\AppData\Local\Temp\McIK.exe

C:\Users\Admin\AppData\Local\Temp\rkgq.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

C:\Users\Admin\AppData\Local\Temp\lsUq.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

C:\Users\Admin\AppData\Local\Temp\lAMM.exe

\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

C:\Users\Admin\AppData\Local\Temp\MwgM.exe

C:\Users\Admin\AppData\Local\Temp\zQoY.ico

C:\Users\Admin\AppData\Local\Temp\iscs.exe

\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

C:\Users\Admin\AppData\Local\Temp\woUq.exe

\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

C:\Users\Admin\AppData\Local\Temp\kIQM.exe

\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

C:\Users\Admin\AppData\Local\Temp\zQwu.exe

\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

C:\Users\Admin\AppData\Local\Temp\wMAA.exe

C:\Users\Admin\AppData\Local\Temp\TkkM.exe

C:\Users\Admin\AppData\Local\Temp\vEEE.exe

C:\Users\Admin\AppData\Local\Temp\CYMc.exe

C:\Users\Admin\AppData\Local\Temp\HIIq.exe

C:\Users\Admin\AppData\Local\Temp\bggE.exe

C:\Users\Admin\AppData\Local\Temp\GAcQ.exe

C:\Users\Admin\AppData\Local\Temp\uUMa.exe

C:\Users\Admin\AppData\Local\Temp\qcsG.exe

C:\Users\Admin\AppData\Local\Temp\EIAU.ico

C:\Users\Admin\Downloads\RepairResume.gif.exe

C:\Users\Admin\AppData\Local\Temp\igkg.exe

C:\Users\Admin\AppData\Local\Temp\zcMG.exe

C:\Users\Admin\AppData\Local\Temp\OgEc.ico

C:\Users\Admin\AppData\Local\Temp\wgge.exe

C:\Users\Admin\AppData\Local\Temp\DEAC.exe

C:\Users\Admin\AppData\Local\Temp\egcW.exe

C:\Users\Admin\AppData\Local\Temp\cMEQ.exe

C:\Users\Admin\AppData\Local\Temp\jUcy.exe

C:\Users\Admin\AppData\Local\Temp\wEYG.exe

C:\Users\Admin\AppData\Local\Temp\DgIK.ico

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

C:\Users\Admin\AppData\Local\Temp\aIcU.exe

C:\Users\Admin\AppData\Local\Temp\RMAS.exe

C:\Users\Admin\AppData\Local\Temp\BIIm.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

C:\Users\Admin\AppData\Local\Temp\GQMi.exe

C:\Users\Admin\AppData\Local\Temp\QAwE.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

C:\Users\Admin\AppData\Local\Temp\NAIi.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

C:\Users\Admin\AppData\Local\Temp\AYco.exe

MD5 e141903e572623239a2af9e5aa3bfd95
SHA1 74fdb70b9cf911e4fcab08297809a9b2a935d672
SHA256 20ade0b5affeb555ec9cda7918afe9305c6ac75b4c88f20fb62e07a532741d05
SHA512 af58b7ec17c702b19f8d2b78840f51dc6e2617020951dafcd0eb4fff35bbb28558baf45d053bb05e659c4c6adc05752a6e30c1a951f6739a933e52faa2a9deb5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 d7f7da73274bcf870694b4e52e85df18
SHA1 dcea22a9085301b6c027baa1e7a4ddc8ac5558cb
SHA256 cc602070caaaed930bfef4a4aa9240b7efdc5e38389fa00ca9ecea882ef72c88
SHA512 206adf129a19ed7e99e418a714cfe194f97ae59189e7ac2638dce80523b177eba831b70d425ec748509bd2072222a0119cd8ed45aaf1a279aa08d84bd4f6451b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 574d8e27c0b012e8fb3934924eaf8ca7
SHA1 250a66c16c218bf0654cc29c8fa7d4c124a9c66e
SHA256 a00ee4eb594a31db44b8c0f8ca1886753ea8ff421eb15cf3eb364175f82192d3
SHA512 a781ef8bf85aee60665a8d925ed6668b7807c494754fe10a476f69f2287a37cff18711e3ab6806094b58fd464d25485c6303b0af0f49fb21f53a12252d28d104

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 f5ffc9c04f76149b5a286766d6fe09cd
SHA1 b5542dc68e471ef1217bc48341dd6a87d9fc3af2
SHA256 0eff06e96f7573dd60f4fa09e9753657d87aecd27ab1d3c7fb1583802a03ece0
SHA512 bf02798e645359a81ff0195a19877ac00458f3216207678d00334bbb21e00b67a3f666eccf7801716944ade6b516003970df52ca168b3177831c96aa1934c1e9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 a902031f2ab4a67ae7d95f6b21e8b18d
SHA1 e415b5e12028de7add66c0c05469574ebcc95153
SHA256 ea0a043d5857a9bd6f15fd124737012e386d2995d91d9ce35bb592e63a5b59ec
SHA512 bc7008c628e07ac57d940b3501ce69e7c56d3f3504bc2c7bce69d25a5bf0cfb3ca46e8a42f2e79d73a6d5be940e6ea14546818bc193aeac34846ba82aa570ee2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 0f19af8174ef6aed9a161e4bdc4d09f3
SHA1 34201c2d17f0abf76fbbd05cabe0646993cf31ec
SHA256 9884111122663343bd3b6f33bf159ec98c6ea0592c5e1b477eab07ed3dbe4f5f
SHA512 59e7e532b36cc97ad8f9577412979f529b26006b780419798bca0e53b21821ef8bdd95d4fdfdf14be6a01bddf7c276ad6d2948db214224b56ad73ebdb4d7e7ec

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 da43457b86396d56e8c4ddcef299571b
SHA1 f85919e78de85b66aa2088723bebf7f2cb9d4e4e
SHA256 865118bffa09e2546e84cd34c7c36220c8bbbbb172c3380ae30c76164c22c149
SHA512 c5ee2d2613ee2d6962b3abde108ca94039e728c51567fc35641670d6432c2a4ad5a7e69d59e57c8192f359f4d1921dcd2fa65e95c18f91ab07afed8bc5fe0712

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 658ca7ddbb890c12df52f827336f4300
SHA1 0e401f1d61f318f58a8232ab3c3fd7c4dd7883dc
SHA256 cafa3c83f61c37171dec5bf70156b18f17f66cea530b2819e319810670e079e0
SHA512 65bfbd64c3b1e66ab6c78aa10051e1156179731b6de3cac96970965ba30b5dd3d90a30515cf68c0079948d1841a74c48cc0d9eb845e178d2e7044a107442f273

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 6eea5423c3a141a83a9442a19044ac69
SHA1 d09f0274684501f3b46c1e4fdab2d155c271154b
SHA256 d67b28a0665d0c734181928d109c6708cce09631ac36169a16f3d726325fd7bc
SHA512 a59a955d90db106fe885015535a530702565a4fcd0f5ae24fa396c73d1fb1411eefa6903eed2c31487b0d94982f825a5ab317a660b9b8c667fa0b1a424a7c748

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 b50dd60a8af131c2f05f279a651f5816
SHA1 c4988873368798e70619871028e12997d8535209
SHA256 141e1266694d25e69c9b2a88c52e3bc7ebc0874d00574718f0376dffdb7e69cc
SHA512 612160f554a86087a70ffaa414b79ce95136bffe47a40b3a4b357a739719d5fd9572617d2fb8bd57710c2eb646ef29e5dacab9fb497d22d3646563b6607effa1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 aec1367ca7458dd6b5012458dcf08734
SHA1 2641a1898a87b8603bedb372e0196f06f8999c6a
SHA256 7549d180e7a15cb283dc60d6e7fc85d389ae3609071c010fa8c33b700d813489
SHA512 0d985199cde1d92377548d113adf4bde4a33553674a90b8b92246bce4c651ab468e41ebef55c38af94b2e1ff2201f570d9beee0c71a99d7a79015c9bce2c27ad

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 f939b53d0ab0758697211b89e139527d
SHA1 263a0924849c46e44abd73c2904d1319bf7fb872
SHA256 e3ac61751ee68bc27c90c18b8fcca09c38eaed638efad9d1345fdcbb13173b32
SHA512 dae824e239516dc8f8cbae2265a37f9ee3334427e37027139ef84e0f586eeddb19b63bd3d890ab39e0fbd0cd9bcf03874e960f3e7f15a0228ebdbf42df4a1e75

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 2f0a32956f400d6a8ee6217f928200e4
SHA1 6b68abdd568d0a2ab4be76b6a988fc194fdd704e
SHA256 883c31498125eebc21690ab5c46fd5d6c9820849cb6040f45bd6a1f85b2e7ef8
SHA512 45428f0aed7dfd37cf52b5f0acab9e3d778a9909880d4575d40c423d27784cedea1db7320204b4f088ef961add7b05d089a3c2ff2d1fb677e0cbaf7b311d1fa8

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 0da8624f1c922aa1fe3ee757bfae8494
SHA1 48c46f4fa603a1d72dfb26b296697f6fad8292d7
SHA256 4bbdbaf78af8d2af1d74a5d8f15ca46f2e0c7b73d181252b7ef656f742e867ac
SHA512 355fef9492b34044987dfc6340da7394e7952d742a991cd1ba71019d4008a427cd893919ee02fa611bf6604badb4ec58e45c5ab7d30d78b43f2919e44855d485

C:\Users\Admin\AppData\Local\Temp\xggi.exe

MD5 dd98f01b8631db6e510595563ec8e45e
SHA1 0ac44ebce800fa46fd1ab91fd896ba69ce88b9f7
SHA256 f4ec9d8bd2ef4ef1904f7d261df3a661fcaa862fd22fa92dbf2f7d1194a4b511
SHA512 a27d321ce9f8d3ad61f18afc40d89abd5a11b7236dd44b20dd02db94ed68eecde88fe19b2dab1de277a90a82092579c7d7f5269d3dc159d98fdfbe2ee79e2eed

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 7b93b4e76e2094f3afe995bb9536ffd1
SHA1 7a10ec0ec35c260515524b2af2b52c578eb9d514
SHA256 8a48be00d019d3507f4c203aeb96670cc40da017391b18610b819dbb7889c3d0
SHA512 5f2ae96d01b09d7fa0650d724ba2d291398a221145a0f94f3abaaa323d10c086001cd51c275f10218f6ab7d94fb41ec9ea48ec197ae8098d9e8a15e0dbc426ed

C:\Users\Admin\AppData\Local\Temp\rsUY.exe

MD5 2e39da33ca768cc81115adecbdfc9144
SHA1 ad0b63ab4d6a16279a5e638af92156beee6b4918
SHA256 86ce5b54d0564b2d17330a0c4451075e5c9c559d9f3de972f255a768545f245e
SHA512 421cc8ee733d037ea6defbfb31f531047f58740245b8f25790e3d0ebae28deed1c768e3830ae52bf3ea156ad5e8080c7b75f15f256092a6a1b25814e0552b527

C:\Users\Admin\AppData\Local\Temp\kAoU.exe

MD5 b3328af682358aa8dcc96b4cc239fdf1
SHA1 f2f6866f47d0c60ef76584e85dccf1ae8dff5163
SHA256 23666b63658e9950360893551964d6e33c76f7b02586de1890e5d19c12f5e556
SHA512 92bda19ba9a7564b58675aab71b1f0cdf084f8d24cc47da63fcdd227e30235a9810d431436e6d9d299f1e75ccb542f5c95549e98ebc452a5063615f46b18c593

C:\Users\Admin\AppData\Local\Temp\YEgs.exe

MD5 d04bfacc3bc7b948040f61fe19b648fd
SHA1 be5d23d6384918f531987be014334146576fcbd6
SHA256 fe3f4fd26bd45df202c7db89be5ebc557a5bc90f29f584d3202b11ce7ea1a0a6
SHA512 ff09b9092c6512dcc8f0aa5bd421f474506750b99b7c8bc106ad72cc7e6ecefda463ba40f7a980462b4ea0ca8965cc21ee3e2a3cb1cbf4002253e08eff28922d

C:\Users\Admin\AppData\Local\Temp\UUEk.exe

MD5 c3c1e5d5b6cae610ffa394c2cf8371a4
SHA1 55176772a6285b900746f0088777f812fbd6ca1b
SHA256 6c3e70d830b54c38a14d3972e2d4d2b539a10568b770cfd6914241f516409fde
SHA512 6c1b844750cbcb7a707b6a2e237fd611f8e56981412e02d4677f1d023bc774b5269fb8433320dc028c0de19af8bc7b592700caec8ea34daf8ac271360ed6c148

C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.exe

MD5 57c1969dc33515cd10416027f0ba5cab
SHA1 defd97d43bc5496170f29a0887327fad3791904a
SHA256 73d89df5353b9353f59c5f3aafc548cb0793adb3c29ab982b63406aabd2f7880
SHA512 7914c392773dd2f1b4ad2cb45eec5bf9868b2ca00bd740e874cdfbc855b2b1358aa4f6cd3a14dba37eab3aae98d5365d945011a803ddf415e83d470987f302c4

C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.exe

MD5 359f0a72aeaa3500aa27f2ef094a5237
SHA1 6c8d02a8e1d3c59e4bb8d7c6472888fd984a7d96
SHA256 171b165b2dae0c4a150a7d36fa2582f7bf60b3949f8e7517fba083437da41752
SHA512 f2e5ed97fb50e9914076661375e2170f9df3d3be1c1c770fc2cc3d0255d3d138a25c23b6cc755a2be9f8ac3ce992e841d719bdb1b2dab515b65b9902ced56392

C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.exe

MD5 30bf78d919453b6ec096935dd56d212a
SHA1 2e2da057d67da02bcc490c82a7c2e6eef1314dbf
SHA256 3990e80441ff79a44738225d2259d6388042c4adf94e90254b50522e350bacf1
SHA512 adacd32860e9d391e454500f5a64c1498c01d655c2e1ed60e4953fa90865d1982f644ac3cb161f1f2602b347ef275bead99f275c53932f68ff464e2691671e23

C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.exe

MD5 17a1c1c3d15be84b2807a0ccc997ae0f
SHA1 6c1dc62c3694d9bf6b7746a4ea40ba420cffcc10
SHA256 90fa5724b4ed6a4866da68adb52a30813fd460923c1579059ad4249802c9db98
SHA512 eb93f83c80f056b30d21ad90f7fc1f24c36ac0830b2542825952a07d05cee1dbe33caa40dffd7f4faf604105a597cd45354b7acb4d0c3475e98cf9066979a12b

C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.exe

MD5 c79440dee620951513c4d223c6129677
SHA1 bb33af90e63f0ecb41b63a36a9fa68a3723842c6
SHA256 231751f48ed0c711a1ced7cd475e2c4077539fe7872caaf9ff71497732ebfd5a
SHA512 8b0474c14fb0d827a586edecd9b17fb9a5e6414a7d4e737fcd6267cd9a1b17ca6e89d838e5e78120771752c0be128a58a9f61c283325d54538d3a40e05d977af

C:\Users\Admin\AppData\Local\Temp\DwAW.exe

MD5 a0234dc790cbada09a9b1cb1e5a38c99
SHA1 b935ae3235413f29a1382e5cbdca7e7e61488f0e
SHA256 17708c78a2ae57b2773060b3c70f4137f88758286ca25264ac9418dfe9d2a5ac
SHA512 24f4fe93c332348e7c562e4b8d6c75e2d5f8b3c5baa24654354306562bf65554be2c4d82a07a878429dc28ff83c5d11ad072149bb0a7e9e88444e8d8a1da66a3

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:26

Reported

2024-04-07 23:29

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (80) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\ProgramData\nYgkYkwA\TGcIEMUA.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rEYAYwUY.exe = "C:\\Users\\Admin\\jWYUMkUQ\\rEYAYwUY.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TGcIEMUA.exe = "C:\\ProgramData\\nYgkYkwA\\TGcIEMUA.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rEYAYwUY.exe = "C:\\Users\\Admin\\jWYUMkUQ\\rEYAYwUY.exe" C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TGcIEMUA.exe = "C:\\ProgramData\\nYgkYkwA\\TGcIEMUA.exe" C:\ProgramData\nYgkYkwA\TGcIEMUA.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A
N/A N/A C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3732 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe
PID 3732 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe
PID 3732 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe
PID 3732 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\ProgramData\nYgkYkwA\TGcIEMUA.exe
PID 3732 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\ProgramData\nYgkYkwA\TGcIEMUA.exe
PID 3732 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\ProgramData\nYgkYkwA\TGcIEMUA.exe
PID 3732 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3732 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3732 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3732 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3732 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3732 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3732 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3732 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3732 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3732 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3732 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3732 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3732 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3732 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3732 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4668 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe
PID 4668 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe
PID 4668 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe
PID 4392 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4392 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4392 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2476 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 744 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe
PID 1800 wrote to memory of 744 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe
PID 1800 wrote to memory of 744 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe
PID 2612 wrote to memory of 1844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2612 wrote to memory of 1844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2612 wrote to memory of 1844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 744 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 744 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 744 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 744 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 744 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 744 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3888 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe
PID 3888 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe
PID 3888 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe
PID 744 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 744 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 744 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 744 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 744 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 744 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 744 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe"

C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe

"C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe"

C:\ProgramData\nYgkYkwA\TGcIEMUA.exe

"C:\ProgramData\nYgkYkwA\TGcIEMUA.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUEQIIUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imoEMYEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCsIUEIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOkwwcAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMUgcokM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oMwgUAME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igcAgoMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqgMwwsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqQkwgUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOMsMssY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwkwYkIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgEUscYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FIwkwEIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAMcsskk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGwcEokE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmcIooUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EoIIMEkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMoAQIUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWIogAUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asQgsAME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AicwoEYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYsEAMMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOAYIQYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUUIoYUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baQkAEsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeoMUYcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bissgMUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIgAEMUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JyQUwcUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McMgUsAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsAAIAQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgoEMgoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCUYIMIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOwAAMIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYMgIMgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCkwsAwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwIIwUoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SsIswkQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roMQAEIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCAMIgIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUUIcEsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkocUMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqkEEsAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAwAIkks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           228.249.119.40.in-addr.arpa   udp
BO       200.87.164.69:9999                                 tcp
BO       200.87.164.69:9999                                 tcp
US       8.8.8.8:53           google.com                    udp
DE       142.250.186.46:80    google.com                    tcp
DE       142.250.186.46:80    google.com                    tcp
US       8.8.8.8:53           249.197.17.2.in-addr.arpa     udp
US       8.8.8.8:53           46.186.250.142.in-addr.arpa   udp
US       8.8.8.8:53           20.160.190.20.in-addr.arpa    udp
US       8.8.8.8:53           97.17.167.52.in-addr.arpa     udp
US       8.8.8.8:53           183.142.211.20.in-addr.arpa   udp
BO       200.119.204.12:9999                                tcp
BO       200.119.204.12:9999                                tcp
US       8.8.8.8:53           26.165.165.52.in-addr.arpa    udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa  udp
US       20.231.121.79:80                                   tcp
BO       190.186.45.170:9999                                tcp
BO       190.186.45.170:9999                                tcp
US       8.8.8.8:53           30.243.111.52.in-addr.arpa    udp
US       8.8.8.8:53           4.173.189.20.in-addr.arpa     udp

Files

memory/3732-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\jWYUMkUQ\rEYAYwUY.exe

MD5 93d9e1dc8e4e0487b4f780b0cb50d983
SHA1 369815d2eb119275bf49b187ce61107b765c286f
SHA256 4511517d478015abd2d1f9fcba157328ef78f8fcd24b885642c43a8e632b2fc7
SHA512 3a5aa76fa2af389523347ce71cefa1b9eeb2ce7a3f417481f1bd67eb4745f79a7ac2b7ad7fc97a055744968da9fe93fe97bc69148ff948df7460720fab0e5388

memory/2012-5-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\nYgkYkwA\TGcIEMUA.exe

MD5 cae63a77d16227cf342fffb62c1bbf4a
SHA1 6a29d3b9e67c8cbf31d651e7eb74d21937a68423
SHA256 6bfc37e03243c590f3a57f8b73164ebb39f8e864dee10b8003ee0e7d40f68143
SHA512 8cd0770c0b5e21cba31a486156a83c5a177a763d14421717fc3437fe5160616742b3690b4bf7ee6efaf96a4aa755a71d1e774926f05f1b18032e6bc40e0720b0

memory/1044-15-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3732-19-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2476-21-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jUEQIIUM.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-04-07_3d894f3a2ff01049d00ec8cb12c42ae5_virlock

MD5 3d404187efd7b9fb9810d112bd8cc368
SHA1 4c18184896e46369b2af6de3d84c25f44d3f051e
SHA256 410fd53c9634965c2b56efbf7a774d79014c98a2cd1d767adc51636e97428c5d
SHA512 5c1ab1a5309e0d2ea3f08e0e01d1291cf964de682c06812061d46d7bf8db454d36532c58fa511873564db9cfa9d215a63e752d57acb5038581b3b9a55dd27390

memory/2476-31-0x0000000000400000-0x000000000042B000-memory.dmp

memory/744-32-0x0000000000400000-0x000000000042B000-memory.dmp

memory/744-43-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3328-44-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3328-55-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2720-56-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2720-68-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4552-67-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4552-79-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4332-80-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4332-91-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3308-93-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3344-101-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3308-104-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4840-113-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3344-116-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3724-125-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4840-128-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3724-140-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2144-136-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2144-151-0x0000000000400000-0x000000000042B000-memory.dmp

memory/320-152-0x0000000000400000-0x000000000042B000-memory.dmp

memory/320-163-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1792-166-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4028-173-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1792-176-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4028-188-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2044-184-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2044-199-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3440-207-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4896-211-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3868-220-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3440-223-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3868-234-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3764-236-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3764-246-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3632-247-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3632-258-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4836-266-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1020-275-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4712-274-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1020-283-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2932-288-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2568-292-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2932-300-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2564-308-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3172-310-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3172-317-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3108-318-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3108-326-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2560-335-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4296-334-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2220-341-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4296-344-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2220-352-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3564-354-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3564-361-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2316-363-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2316-370-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KwkW.exe

MD5 f1fb50199b8a61433e250fdfc28e9b00
SHA1 444e920f7948a2e3f67086ae518c2e1d87a2d814
SHA256 13a628d8c610a9661dc6fbdca6fc5c8c85f0853cfb767da82f7eb07e3bb6fea9
SHA512 714613875f317a437a22623c83b59de9f23662e6d308f2cfa2833146577ad400ad793ca93195d6f3ef3fd5068319a8d2090a060ea4951682f752d2636b29cc96

C:\Users\Admin\AppData\Local\Temp\dMQo.exe

MD5 3de27a815c11e510da77032a5c444f2c
SHA1 c09f469a598d0f593e761ee014853dbbff053480
SHA256 72992381d659a822ca6433149cbcca400789b635b9f29a4e2d53c506e1f057cb
SHA512 acadd6b424537e8c6c875a58efc316efbcb4d783e1bd2320480d8270c90890cf61a727b7d87a2b7506bc582cd39ef34012dd07066822a398f5b16253dfd15aec

C:\Users\Admin\AppData\Local\Temp\HIsY.exe

MD5 9df57b486328d30d46c324744b2c3407
SHA1 282dd5ed185e6ff62f043445a23216ba9c17ec98
SHA256 56b29f5cd1c800f848d4646b83215a36f68f24b4b5c019d832365e25899bb8eb
SHA512 537d5829e577338521f72b07a36c1afccfeb90fdf36ed6629044a09b4f1c7c5ead8dde19e2948cd5bf61ea23a364929a99ca8632b192b60636ed70d71ff7b70a

C:\Users\Admin\AppData\Local\Temp\FcUy.exe

MD5 27af61c0b0f23a8a1af2869555dcc518
SHA1 61f55fe23ddda8703cb9b9541abfdbddf474934b
SHA256 a637942705d5739ec031768001cb6076a296ca85b0eb6c77d31c91666e76667e
SHA512 46785afa7947c0e42770c261fc8361e81f9ed4c86d36fe4be18212ca9dcfb2cae6a8d599a5d2ad5bbc347aeb3d0a4e9e4b37386404ab2a969fdd95f07fdde7b8

C:\Users\Admin\AppData\Local\Temp\PAUc.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\NcUC.exe

MD5 2d25b710d6efbceccebe5fcf1e77b149
SHA1 d83a491c5ce8f1ac8b9614c01b7313cb7587b70d
SHA256 dbecb0a99b3c30cc04de2df45a7d3071f5abfbd30ac8587f53f3fd50394c38a0
SHA512 eb2f17a440c7a3ce93943ce6f67c7237cf1702fff024a1712f86ccd98eb7a25cd78e5dddc30afd36dae3c4f4d9a845eaaf76d018d53e11de4767e34be4925a0c

C:\Users\Admin\AppData\Local\Temp\NEIw.exe

MD5 be04c3af6e2d8a90d84e728a018a9c0e
SHA1 e277e662d480ad1ed91d253a650628ad17ef4b0c
SHA256 1060919b9bb9b0c097ef0c488bb86a45dd200a57b8b6b85cbf6c90f6affc56de
SHA512 afa5322d4d5d7834b42f7bdb87e2e76d7ecec03ddc55b3090e81803fb0e9ebacc93dacec96acf04c7d6263ca449c638e04801f59fbdf9aecf4f7892c2a72e0df

C:\Users\Admin\AppData\Local\Temp\vAoc.exe

MD5 2c9788e7be57aff0a58cb3d15a49f660
SHA1 1cf482b9532831d111fa7ed405041388c0d880c5
SHA256 52224c21a11933f71455833b924147317b21c46dfb8db44ec9d9d86d3985e899
SHA512 f727d2faec19d4388967f63da9cafb3cf18f39d5a5eed843f2659f4201049be273b7197789a5c719e51405a383b1731287f004529dcff136b068b919a958c637

C:\Users\Admin\AppData\Local\Temp\WEUw.exe

MD5 34a11d8fde24fd62b3d2e71508c747d4
SHA1 5928273e4552cc0f9b9940c379d135381ef36162
SHA256 d2dbdca0b0f36c04649a0112fe5af9504d00fd81c8c2a73ebdf46c1a72811ae1
SHA512 93d0b45e00bdfd66ff78cabded6b679599d2462ce498586c57974af3f973dfb5ff0f1f3ff7a3efb1f3d8a642a6144c1eca3b8b77594163b2aade7a2cd87de31a

C:\Users\Admin\AppData\Local\Temp\HUQA.exe

MD5 91f559bf912fdf2316b3e418f1703c20
SHA1 af01aca7e880df801a794e380985a534538d67de
SHA256 fd45a41884d6d09a1ad04b0c04c56f3b12092a1ef5a530ca75e4f6944c65cfdb
SHA512 947a286070f2eb3fe09b4dcded87c4e4f9779ae8444e4869f3baa0060613ff099eeac6dbdd1759701c625ab698d43df811d55d6025e232baa0568e9351901f4c

C:\Users\Admin\AppData\Local\Temp\JsYu.exe

MD5 da025e646cbc85a83c2660299a69d787
SHA1 cde626226375ae9bc529310190780b505c521daf
SHA256 bc3bf54659ff8ad8e277f1780f634d9af243890bd85dedf3929440357cbc9f9d
SHA512 3bfbe8063ec3d0475386d707ba5b5822706225cb67a0c682061d550fff2308b516d39f481db3d1998fe911802567ad4478a8840251741e03eff5fa87a7a8ea2f

C:\Users\Admin\AppData\Local\Temp\ksca.exe

MD5 4d784e3c9df7e4e770801afc94547a8d
SHA1 da05ff44b6f1f695dfb453b16da06cea48bb366c
SHA256 ee87ac6180d2426c9c2874fbb4f06c3dfb062bc8424ee582d78efa2e6f510b9a
SHA512 3ecb61144fc3602df2949127a3fbdaf53928f1213c510cae9066a7fe3112c20246adf260a307874f1d41dca297c44f6471aeba0ff60c97e24710d70ce885fd9b

C:\Users\Admin\AppData\Local\Temp\XIAm.exe

MD5 b9f5e130b10e9da5e266af4a92613b73
SHA1 e69af967346cc440afa76a3bc0db243ef34ccb30
SHA256 961417397048837db49fb730ca0001b6e8eb2522375c8c2a1fa51fee88c95810
SHA512 b058f4dbb0114c5d30b86c4966eb58f51fe31c533feeb089b8f7a8ca343a979b69a0ba5d5d1de88b5c61967b1fbcf3432083f1c4d6e7348bb27bd7ddaa6d621b

C:\ProgramData\Microsoft\User Account Pictures\user-40.png.exe

MD5 7bc7d8a85cf1ab1803c501717c16525c
SHA1 5f645d456a136560fe67adbb07d480a8427fc114
SHA256 fabc5ff07d1897d072c01f1b26c0c42c6043abe6a04ce128f7b5587470db590e
SHA512 697409235de1f1cc2502ea1b90a6fb183b4eacc0f77700ca6e459926ebef33fe69b893203a07474d6c6c8ce6d720980ff77db5af95dc5ded09678047ef8c511e

C:\Users\Admin\AppData\Local\Temp\VkYc.exe

MD5 383fde840ffab5c1f4f507ee0674ef26
SHA1 1e1103b98c7107d82fc1c5ce951254148e69f155
SHA256 b9da9734960f954d1bacd81d4836070d18642b0f26f3eba65d258b8a3c93daea
SHA512 f11864df2bba4038884c8bf611a4e7de0c734c72e8fef5f5d1e02b6cfefd8f0ace38cb021cf7de74537c96a9431416704a8442b0ad3f247eb4d56a5777781cc8

C:\Users\Admin\AppData\Local\Temp\gMoY.exe

MD5 a8340dc09a5bd9ab26c29ba85871e649
SHA1 44613581facda2b3ee66a1830a0b7e1d8d44f59e
SHA256 2dd98e0e6f1e6bbbccbcc99257e5c7655c87ac0e3a952db2a48139e900341ba2
SHA512 f8265e7803073c9a9d9fe1bbca0e2b754dfab718ab6c3b240a091113f9d8d9df4c38eb26da4eb1e7e6cc2e5e272fb7177fc184714fbe5e20ba5d53988dcc252c

C:\Users\Admin\AppData\Local\Temp\DkQA.exe

MD5 8e663dd8d7e8b214b73f0156375150dd
SHA1 9f9669f32c10b47e39bd038f3d32c04b4e02e420
SHA256 cd41c7af834fe31146be4605858cb8add096528a87812f242b26bb8b40338c3f
SHA512 09420a080c1bdbaa412a1c954504e6ad7809e2d611c5a60dcb109f33d18f58a76df9fe483d4edd3b6fdc3e485eab29e8ca9b42846580e5098a85580f85340c24

C:\Users\Admin\AppData\Local\Temp\Iwca.exe

MD5 7b030e9d5743bf1f0222ccc5d6893beb
SHA1 a5f1534a4c765a13dab8ef4bfabc6f218cd187e1
SHA256 1d5aab35c738dd65274e490bbdf3760a5b0557622abf9e8b29ba7a778453f4d2
SHA512 d2342dc6be119ce6157a23368754f521b21035dd7f36a817c5ee1ba80c6360c78427a7ccc6a98cf0011b8fdcd12e0a39cb9f72e8c24a18d37b645fa86674f4d9

C:\Users\Admin\AppData\Local\Temp\HYoA.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\bgoC.exe

MD5 b37b07f15c4d3012674ae602804a3f79
SHA1 437a858250f378af5ee326d002ee887d591937dc
SHA256 3dcc892cab12a3328e9eba65517e6c714b3231f9ddffcb293cbd2222a91dd2f6
SHA512 f9c59c69836e0fc3f5baf4ef62659df11873db990a2f5a39ed4e1cbc441e7052eafe815c014f49ff22474adf90cc8a281c3f476afcf7b38e0a0a4fa99939053b

C:\Users\Admin\AppData\Local\Temp\DQcM.exe

MD5 25efc24d4467611d94afd6634803e876
SHA1 f04c2748ae070d732826cfd7f3fbedd114105085
SHA256 55666ca8bd66be2cd659e611044bd79767dbabf530ea7f4159b8132e93dca38e
SHA512 bd18bba5c30124698032aaf4af07610fbddaa0964273d0e011eb3ef835b8cfb0cde2e18d7ece8c7141e6b4a0fc541b5479fedeb829f099fb0e2ec773cbbccbfc

C:\Users\Admin\AppData\Local\Temp\LQcI.exe

MD5 aaf95d5d85ad1a42867e79f2d1b82ec7
SHA1 e5ea9d2cb388920fef056ca3661b48d1824bd009
SHA256 6aeda08be0fed6b7031b9374a65f4c48be3d55aee2ae8e0742579d77f9584a49
SHA512 ba4d6de8c46f735c76652e374074a1fcbbe54865dee77c370e9fc352f357a6f4eea8a6e4d5352bae8c811697f1d6cce6b8028e10d0dec7698fb449b0037d09f5

C:\Users\Admin\AppData\Local\Temp\zMAI.exe

MD5 c5b5fab76755eae52c7201ec0b44ab6a
SHA1 f45e6fd267df397e5c57b37362f2a3a440514bb2
SHA256 e50db37153b00f8661030a821e4857199f009370b2d97b103b5f3e97257238b6
SHA512 2ae612693a1c0f781b5db041ab7cd70d83f7743794cfd354b32d3ad28165929a76f104895c4653bc328abccca9f2c35c69a980d16cd3f894a62271d669ab5f83

C:\Users\Admin\AppData\Local\Temp\GsAw.exe

MD5 9920dd2b4f6c153f42a49994bf111bef
SHA1 e1daa57331148a40e13c973b1a0faaecfc4e0308
SHA256 826ba6e6ca196ac6694cee13edca542bd5c7842324ed5cf9536f94a6b937b7d8
SHA512 39b4a8962736b9e3ba0267a9bb4c92fda47d54cc5b9ee6e34eb8a681b9396e7e79da404c8fc55b940f1a588189845d5d024383c93dc5b4dc9b15cf211101f6f5

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 155d73462266730726c4e6f3ec1ad2e1
SHA1 31fbbaefbf7fd4e0466e1b48e99b686787353cf0
SHA256 c3c23e6ec9e9dbb8df05b74270c7d67b28f5993b0b721e53bc0dbc4ca6d7ca08
SHA512 32c997c82f59b7deb8c3aec2294df88a465189b3f15b9517302e3d98b0a9b8df6b1ad3d7e2435d127d01b281bb5b1191563292608b2456d02e8e767f705b245c

C:\Users\Admin\AppData\Local\Temp\VcUe.exe

MD5 c82f50303ad251816b6cd190633ed2a0
SHA1 741de487c16a2897864f7ddc69049ec18c4a5abd
SHA256 ccc37d9b05f59168aa53561776d3961a2bb303c1d237633e39c9ba688ab205df
SHA512 09b5eec5d47a935c3f2e2de53f9b5f0977d311e2f2845f4cb5b80e8ae375a3651161cbd33dd86455dc7fede0778baa71ca3c06627553da7816b163fa768b6851

C:\Users\Admin\AppData\Local\Temp\LIAo.exe

MD5 e809a7238c2654481785f79706f4468f
SHA1 b18195b8f4bd04785aa44bbacd288b2276583b43
SHA256 034c3330d01958a71449b19aa15bc7203fc12624fcf1c0e6775bff6b211ff6b6
SHA512 8295671fe4dede4c28c0ef6683a6775229dc0aad3442c787f6299823d9676342c348997b7076850b34d62b51bf3b4e42675a2bf4f41b486734b088e69b564fae

C:\Users\Admin\AppData\Local\Temp\EAUk.exe

MD5 893098557405ef31877ac4e2ba6f9907
SHA1 cfab64eb764a55d57116d9cfeb922843a15f778b
SHA256 bffc0533327eb0156721711e28835b4d5d39dafaefaa3dd9149584283aa7ad35
SHA512 eeb8c0eaf2b2312ca100b5e6649af3cecbd9a5a181c1ffc1734b365924c81ef08ae49c1e07e92473859a7304662c0286f8068bfe4a931cfbcd42dfaa19db6ba4

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

MD5 64ef7181839812fd929d3b4d130aad10
SHA1 b6521261516165595b5bb303bc4925c764feb30d
SHA256 3d82716d9b1de948b8d245fe4a8c86f8352419ead154acdb682b336e5ca38ae1
SHA512 bf5c7dae04dae85416b08de8e9881f9e948ba95bf7b53ef6662e6a4c5bac4eb4cef70381907405ee3762378f9a2e8dc299187adb1f05df2da0e205f148e585c9

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

MD5 49cfc32cda1c201616e8998f7a9cb3ea
SHA1 c37784c50c92af10ef4308d9c07faf85b14001be
SHA256 64ca1107df6ad10e5da02270de57df99ccca8333bdf7aa8cdf32c20cb5e7f2d4
SHA512 fc5a9d6e7452ce38f9e1b91a8880cea300b603ad6bf4a5c6f0ea8d30e6f3ec80b2eca11a1af086f5eab7192d977f973122b1d1dad15c0d13761b272e3bc58ca3

C:\Users\Admin\AppData\Local\Temp\lUwQ.exe

MD5 34885d67707ecb3ecf018f29e41e72fd
SHA1 851ab3a5e62e4a964caf0316554ec60e7b4ec170
SHA256 d6b1af7448a4fc9d76648a0d32a68723804138ff8e780638890ed63addb1ef04
SHA512 2790d56db6d0201a08332ffc92dea8914220529c179866d0a5340883dc9e9a6206c9352712e00e552f0adf3739506ae211539a2f9daab02e36caf5ce989335eb

C:\Users\Admin\AppData\Local\Temp\Uccg.exe

MD5 262cbdef4f00448668d98caaa6c87b34
SHA1 b443907307cd026fb79e0498eabaaa992601b250
SHA256 68b33ac3c272d8c45bca8981a6d3a976c69c7c30bed4be1af8bddcfb9ea8152b
SHA512 8f4437500138c63efb809026e59e3437bcd1bd815162753880c7be16d1a33f4031598c082cfb2f90e2c8a441358fb3dd678a2636b60e1cf4cc98644cd1d03d07

C:\Users\Admin\AppData\Local\Temp\BAYq.exe

MD5 7f70f4a403c5f62f938c7cdf7a4514df
SHA1 ec719962ed17e752e0e2ed5c1701f9f2532a9079
SHA256 7b5254fd6b9475792884d2c6d3dfca508acd07084fdc4d8dd115165c4f5354e1
SHA512 b38a189f32783d00dcff7c2ec6b8f5e32a5193d6b02e6343e3c75007513cbddff20d009f31a4ac2f40a9edb51c594ba18806e9d17b3ff5a0435d8decf19732fe

C:\Users\Admin\AppData\Local\Temp\rkIW.exe

MD5 b23183c721be8006b7e4dd417c0c04a5
SHA1 58111b36305bdb0800fdc00b1311c267434a3dfc
SHA256 2a7a091af9d990bfc3071bdcfa987379f4dce4c69291314a37fc30fde520076b
SHA512 4083366b7469a3efa919049e0af083ed004489f96c9df043c1c92d8f3da039e9a5a894a5bb9636b6b138ae24c504f70f7ee3766ebb6519d803a3466198c924a3

C:\Users\Admin\AppData\Local\Temp\QUEG.exe

MD5 b5ce590821501ecab35a9adaca654cca
SHA1 059702f05942e760e8e74e58f3a5734cd96fe156
SHA256 994cec0337d336e0c35039058310ee7d6e72d9e2e26a8e21f0550967f9139bc6
SHA512 4a8e912b9da0c2a8e27cad8453d001ad3c60a0127c3d63d58d72a8cb2d2974976a9118dfde8f872ff384bfd1a52e23a7d3629c80f7fb2b95dae5bde41529b3c6

C:\Users\Admin\AppData\Local\Temp\NcEC.exe

MD5 3d1f960989a989d3fd199b5e0c493385
SHA1 731f60974ffb9ca5df8c6872b855938d3ec454aa
SHA256 bbb8b8f62ccc2555c67d467ef84bdebb007d705a52fdb9f82651394192bdeef5
SHA512 6ba28eb77c7d8acf3978e09635b8f3367c5afe1e3dcb9adfa10db3172d97d8e439520c35da4cd608ddfb4c6ad9776edbae54df62037f199991547cc0221396aa

C:\Users\Admin\AppData\Local\Temp\lYww.exe

MD5 08ea84dda03883c915d416febd338469
SHA1 d35f323d59de6bea43d24c496798c456a4e5e72f
SHA256 46ad01b5b8d4a5a712c68e8dc91dac9c680cb03b77b4a7e1605719ff3142b022
SHA512 d2f33a2f77a263842a56455fbce75014df8b72e05ddf8022ab0c7253efa185311507be0a9f25393e56a77922178f8c8e142ae4a5cdffebf62f402267091ca224

C:\Users\Admin\AppData\Local\Temp\pYci.exe

MD5 a8034dac944bb666450596e3c02583db
SHA1 be17ddc8b80c55cbe3d6ddd79844a1663a5c1cb0
SHA256 d6c8052d88a90bbe8ba0f3ce4329bd853ead1b9f04f9b1c8f45809128b2db810
SHA512 46f1a718ff9b87f48d1b42b170a68f317fdb8d84c80972d76b96a62c2967dde43147ed87b5ed450df079e658622f7225d9a617923d7f253a08137317f116a01f

C:\Users\Admin\AppData\Local\Temp\sscu.exe

MD5 021f15527fafa6bee703f98b9be179ab
SHA1 e9f67d817d74912b535692a4fb3c31b7cb0da623
SHA256 81b822095407c8807cd63e4684ea3fcfb08d479517cb55db6d2c3ae96f6455ee
SHA512 db02c396b64a3523c113617ce29a2a814fc03c7f0b106ae93e2900e8b1992f88bb5c44a8f487bf0f93373dde65f447a93b03806356d0c3cd0d54e8e0b7b87e3e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

MD5 f0219c2be27a89b5441abdeae76fbf16
SHA1 501cd2a036c6eed8d0ce7ef7d21d9a262132fc9f
SHA256 f65252dd2ff1354f43b71a7d8d0c59952d824d54b30e405930c7caede84aa147
SHA512 9d344ecbe46e7c5c5792efeb1576fe3840b58e3d03e306fb20b10508be01831afb3be87e405a5834e52404ffcccdebf8919f4805b8773acc4d694ceb67447e52

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

MD5 599f77a4b37f15aea76f93555ac2d969
SHA1 7953f3412205f6444b4d1a9d6126e49a09e839ac
SHA256 d93748a0e48078ecc8173502b146a505fea250f32f762dce20f8fcc068a9bb1f
SHA512 1302fbb771d6795e8b27798500c3e69c6b08b1d2f05604125b81fb9bc7e2363f42bf0d531ab54d0a0816d43e0f7e546248a1d867a71f9f1b6ad8833e60f6ce78

C:\Users\Admin\AppData\Local\Temp\dAcA.exe

MD5 fcf30b5757f01bd59f7208b7a0ac9165
SHA1 d0cec8a0565f1a91abbff60089434444e310644b
SHA256 2198d22c336a52118787af672583e5dc0fd5eaf114134bd43e66cc82bd308c46
SHA512 178040bbb1994fcc5b61d57ce3438bcf06a25a5550f06ba359bcae428ecee6ad0d7834b2ea1a983a26d58f78e266740602efd28d1735887361ee59a667ce89c1

C:\Users\Admin\AppData\Local\Temp\uAUc.exe

MD5 e6fad29b6fcaa5a6d17ab8ac82dfe9f5
SHA1 99e3392e6ebcda402f6f66e6a9e0e3225b2befbe
SHA256 d7db7bfdfa888a8e7ca3cfe7f5fd5e9bd46ec1d89bd56c64dccac2fe848ca39e
SHA512 4f28a2733cbc5831c893538ced8694b4e085a7c37ad4f818bb0ba21df2c635797954e5fdfff54a1bfe1b70653087392b4164a9d80dac4335d512f2359b3f7633

C:\Users\Admin\AppData\Local\Temp\tQEQ.exe

MD5 9424c7633fc5e30f9d3efd96b2b435ce
SHA1 96850c970e01284f5ff2c9aa9754edd24c95798a
SHA256 606362e4a9b9cdfc0cfb9a2b180ef5d7a8defcb66a1ec8b5ed88eefe9628e392
SHA512 1cefeed52f008b0f0c5b8f4d93515ed5126743dde217110b3b24329348ebc444dab3c6b7267e69bc8e2721fe789c1d1047d2be2616dc2047cb608a1a3673c233

C:\Users\Admin\AppData\Local\Temp\QwUs.exe

MD5 d663992abbcc9b4c259df9a8b94ff573
SHA1 e36ec4175e9cd7eed3833fba696ee94c238e0697
SHA256 da3d6221cf514ab2b6ac9fadac72114449e15e2c07e70dc34330eb838351b3be
SHA512 1f1a3d546ddea5e5ce15a19365cd48fd444fca32b9c7f8d1eecdafac257386c0c3bbdf98c11c2b4fc87eb6a2305a4e3ad983b8a2e2b1fdd0d28d09280e142ef0

C:\Users\Admin\AppData\Local\Temp\FccW.exe

MD5 dba3463b5df5bb91491f1bc6621bf2ad
SHA1 016ee5787764e9c37dfbcdd7dde1a482645a1fa9
SHA256 e0f47261b696cfa9e3cfc8b7579951d68443e1de69adc6eff59e89a44f39e177
SHA512 819c870b0b61abedc13003e39b3fbaece0edd4bd5b500b5e57fa1f7178489e46e069c2fb988a3784a5cfa4870d6ab027c0c97837210b8f13e28ae261e5a9fe18

C:\Users\Admin\AppData\Local\Temp\YQkQ.exe

MD5 99f774e265850c3e5e1290813b1a1d73
SHA1 24afab531a3166f9860b986fd2a28f7413653f68
SHA256 c1ba47d5a806f18b30e2db51327984b05978c647d903b455457279288171cb91
SHA512 a6d1a6b535b99410be4fbb2566046a765529676581122d3532b3b9e065da5548ea52c5d5aa0dca34a7c0ed1f9ded3170bf942cdad9f0ef20cf44d04f19d47c0e

C:\Users\Admin\AppData\Local\Temp\GgUK.exe

MD5 95f0121c4d11154a76acb5727dd3ed82
SHA1 c47162965d004e97857030e1fde7b11a470d9eaa
SHA256 1ff91627c1f07ad2e99de44abf11ce585e5f8cb5e032cca6814002a3d2ce5e56
SHA512 b3d0ac3a509355ce3c1fd38bd1872695885c3b63a0721f53179522f95cee9c77b146b7b173052c3f302bf74213d65cf47af80d0b6b7672e2bbb80aefd2e18bc5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png.exe

MD5 78fbd77c877fa6f9a4022010356e8946
SHA1 f5083038eeae15b3a238730c3073ad37f576a75a
SHA256 4191aa91f3096436ae5613d59f18729781e2a155e6f7f4bdc6c8bd059a73a2f1
SHA512 1a5184d151ace7d03574ddb75888c7eda7f43a7dd9daabab11054bf633611dbf2625a58d9e2b480e8886efa260619f7d425f02ca129e14453d71d524c6fa07bd

C:\Users\Admin\AppData\Local\Temp\iUQu.exe

MD5 f2581ea19e6ecfec67ed0a0f9eb4c827
SHA1 868b14d7408e7d01a7769fcd358c908fc022b212
SHA256 a56b1fd97b87a238abdf4db69d61e877ecd2e73a7acfeb348aa9fe17ef2e935a
SHA512 9fc20e49dfe2b1f271b04697aae65afe91a4210acf5fa0308100600a3ebf5044190278adbad8b265d28d8c7112df597f5da7ecd459602b4d2476d31d94d41279

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png.exe

MD5 99bd83a631b5a237d285d08cab7a14d1
SHA1 d78441693663a47feaa1b566808d657cde37cc09
SHA256 afeb6b0d4f1385e8aeda8959a7a5002185d13af4fe424abc3614fbfb509faf3b
SHA512 6651b75f55e7bdc1fac5f83a0e497a9d586d45ab23b143be05dc01614e98689d23c5a1040f6f8526d14e8b198f07b9c87d1142b3e806ac03518da735d599764c

C:\Users\Admin\AppData\Local\Temp\agEm.exe

MD5 61ae3adf2d3aa93d1a42ccd72de93376
SHA1 706aa51890586ede6f13efe7de5e07a85de25da2
SHA256 7a8a094cc20c0f4c05a0d61e959e98657c469701de13d7e3f5912a59ae703f19
SHA512 e22ee111c87d2d8dd95bb765dd90431893e7bafc79892241a276ca3b3f50a00ba6465e021f0221b393521b1619fa2ab14951b18545849e660f3d73d173974d28

C:\Users\Admin\AppData\Local\Temp\BUkO.exe

MD5 1dcbaecc2c92100fe2e41068477f5f46
SHA1 2c1bfe70e3b6221d6dc65738ccb9290c44bb6eaa
SHA256 cadf5ce4f6609ce827874a5c03ac01a5019746edc3f77870ff1b00b72a865b5d
SHA512 a860ef7a0b32ea7f3ed22617e0d5c440b66112098ee232965c796ec1489c7d9bfd0d90814bd9dcce98195cdc048f05e5389266322d3a652433359aa9faa3180f

C:\Users\Admin\AppData\Local\Temp\usQe.exe

MD5 f0a465d051e7cb78834d0f3648a6a46c
SHA1 03f1640816404d88eca1c047103c24fcf3e93735
SHA256 85d10314a5b762831c5fd9da098bb83a6abb8b893ebb36bf4c65773b8a0204de
SHA512 5068fb2260474b53f7686903d686f024851531cd2296a00c00724d6062be6a7113654bc0e492ffe5bafc28bfca952bbe8a72aa603b149f78fafb1dd71ebc02ec

C:\Users\Admin\AppData\Local\Temp\YYsC.exe

MD5 5491be5087e74fe493dfe24f6e13a400
SHA1 134fc94782b85b81f5234ee39671b2b4919e378b
SHA256 5b22c8d70126dde1d8dfd60b902174473e0a117f1028a6f462469fc15dc6475d
SHA512 f1472ecf8f09adf2233d6d842f0364c639e6552f36b25e56af15df87edfabc6d461127b3f8997e0b4e79ceabde1d95b16fb060d5a3d96aa5ab027bc11d528909

C:\Users\Admin\AppData\Local\Temp\hcoS.exe

MD5 f12b35f54a4f49942529599e8b27914c
SHA1 cdc688a06eba1c9fed0b9f01539d2109875b1b82
SHA256 980b3062683153365744e4159a1d266d0b5168756e927afb20110f405683b73a
SHA512 e97b84aa6caa87330897246ade31223464c862c27229af869094c886d1b751492696b3d2a28469da5ffd2cf6affd083034aef2db34f76f46df90ee0ea038b71d

C:\Users\Admin\AppData\Local\Temp\zgQE.exe

MD5 2308161d0f1a08fab848179dd1914c86
SHA1 ec6253647983a1933ed06f6137251c34a74dc992
SHA256 bc8cd7b20425ce5e4e1864767124c762320ac4780c9b4667f5f8c836f0419764
SHA512 37accee5f80c45c3c3fa4864034ba54bcdaeb977bf101ec2e61f51d14ee13b4753db81c1ac3bab78a5809cd1e1998ecbeebf84b10a4843d0842fa9b25cc02152

C:\Users\Admin\AppData\Local\Temp\JgIo.exe

MD5 38e6609f34f3f803f293b38be6f82b8b
SHA1 fae80ad61e95a0f1dc923c3e40dade42638d412d
SHA256 d5ae03a8cdfd1f7776134f9a47abe4003a01b9a3d250235a245b7e45eb62b8af
SHA512 62304b438c77dadcbf0ddc98e157e52917a8606f0f1795631e5a4be215de5faedf6cd227ed22294ce5bf32fc9693b3e295be78c831d9625c55c0d96fbad3bc40

C:\Users\Admin\AppData\Local\Temp\OUwI.exe

MD5 6815ed4740f1e4baaa0672c483db55b7
SHA1 068cc501b774c469632f9bc0c5d967b6d92e6c1f
SHA256 fe6b84d23298d18455bc1393a72b241d00320df5569a315a05897f03a6641b56
SHA512 b3575f0b1c07c63b93e76088e4fda8109d6da63463b53caa2052d3cec0cf4a11f46c549d7e669bbdf0b2ed764c3efc37a3586060186ee004eaaaf30aa5242188

C:\Users\Admin\AppData\Local\Temp\NEgk.exe

MD5 32910c5d6d89caff986c450b3e8cf662
SHA1 a4a436d0a9273fad8d694227786fe48a658a1a8d
SHA256 2f1c50ec88442db209fb42e7f0a747601c52afe28432a7f92cab81850b9ca442
SHA512 a7e59442648b943ddec3211b27b90139cb40edbd8e23602f179a2dd313de865c137eb7135d0f07adb0aad9ae98f1016dd65a7d94609cadad15b0c593930ad737

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-200.png.exe

MD5 eb2bc7691afc67fbb6fd87dfd64d29a2
SHA1 702c368c7aad372d2a3e422b3c543fe1563eb3fb
SHA256 70ac08f333ef741b04ed8951768f046a63fb7377e1869d517701a5f265f8c918
SHA512 4eaee0d96cf69e594e65a994168490421e0468e8a532f140ea4f42352d11f212d0fd9302389361168044a6c1f64c740dd4334ea2a1b36e21c818ff59d69cfde6

C:\Users\Admin\AppData\Local\Temp\oEcM.exe

MD5 e4e71e152fa5470c29ed3d42133c4d55
SHA1 0c3c55d80060f7140638730d57b6f61baa50659a
SHA256 71e2c0eb326a4bf10a7ca27120b027ad9fd7abb2610d9a17d36d563becdb8d32
SHA512 5d3f62abbbe9db8dc3148e12b2a4d1bb12091bbee227aa233d32db549081e9a447fae04eb9881a9e95c2b42062d9dcd8c78682efeadf376ba9cf1effa5cf281c

C:\Users\Admin\AppData\Local\Temp\CMIc.exe

MD5 468524dd2dfd3f81b96803d8c6946631
SHA1 62863d230d1fa1bd01469a7287c1c2096561aea9
SHA256 f869678b9764dbeb918db8d52fa2f6c34606d0b0b8175f40ff36c4ff05a4c71d
SHA512 5b8ecaab064ece8bdb9b5dbd7dd656ee04599523dc643c814ba4e425dd58430648643f4c5259c3133b58e0fe34e092a102c325b83a645fab262a0837a19c8244

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png.exe

MD5 fd148ba62eb99a8b5c2120e4bc1ced00
SHA1 4709fcdbad897e98251f6a444e13fb92d1f76137
SHA256 8098ae45b82283b1f0b3009493303acf7b0b85bf1bab591160f47d8087ef858d
SHA512 2a6f7bc0ec688fc4208dda1e795374847a75157cb4c8df32b8b9df5fe44be8bd204ea690c7f010f882b6708d7b6e48ef90cba95a620f858530748eefbb7f10ee

C:\Users\Admin\AppData\Local\Temp\jYsW.exe

MD5 c1640006691097f165f3a6f2c5eae70b
SHA1 10332e92178c5719f49f8e1297cd4111bc45680d
SHA256 6cbb31621949028a63876af6a48e8230b30411525205977dae295e2ac557d187
SHA512 4f4b9b5236b77b50b8de09df1ff7ef42284b94fa6b75320648074a80e69aa016a0acb5c1641d49ef053c758eb2d8d21d62f56b21880788b534236fdec4ca17ff

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png.exe

MD5 564e4c6778e893504851bd5716d1160d
SHA1 3cfc4a570075865ef381bf9f598215eccb14abbb
SHA256 6d6852ea7120befcc77c81bb4c4e218c98d95a12527ace284069878df70be8a0
SHA512 15bddfc95176ff0a6936f63239d0961c55213fecfa8e3273f9245194e6260cbb7185150e64ca64fffc70da9d30928e9d9660259827bba893692b6ec5ee0feae2

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

MD5 3270bf201dc83f0053c32f1e4dff76c0
SHA1 a69b8a86238cd337c44760534382adce6239ddec
SHA256 effe53b1a9adda6d378f0ac47da30cc85ff04418a5ffb50d04792a54cfe71c71
SHA512 82f78f8ac8c65494932389422351d73521584c90b8f528c4299582f27ce51791786a3ad8440e8931c13cccfa8bdf46448bd439baa7b094d2f8cc73400b5d5848

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png.exe

MD5 5c51fa9b59fbdc4a6c5fddd0e19c2136
SHA1 db43c00e07479ab984ce7f02606021ef0eaad6eb
SHA256 f49d57324a308b4f35fe6073f476620be5bd494c0df9e25e4cbb5e74ed8e8f46
SHA512 5aff95da1c2decb8933d6af44ca4a1e2e819a08e7f83f46081bc793a11614f6ad997f513f83fea79ecd060d73d535c3d998a8aa0e231ccfa78d0eb38988df67c

C:\Users\Admin\AppData\Local\Temp\bQAE.exe

MD5 4d6f2514683416b4cc8176153a02ef8a
SHA1 56c99540cdcf2f38047e7a4e7a07c4ddd1cef10d
SHA256 dc8a8cad10f9dd5f4c6a1d158e85677a5792dd353c4a975a9ba6b78184125a7e
SHA512 04b1fc7f97957f2099e0810ae97f01263e4740defa402c33b9e3e9721a9cfd8b5280b9d1db0a7b1ce0f55afed0004d5a3a3f4e611b20510bc6387fd8c18597c3

C:\Users\Admin\AppData\Local\Temp\IQQe.exe

MD5 5f063d88dedbe8520c82b2ffd2e91fe5
SHA1 29b14f031cb1d815aabc255223c374aaef7ca413
SHA256 c841ed4803031269f1bc5a7c024844538a80c6b6e5717e28413c554ea1954f75
SHA512 7295f83945792c70cbc645ac75f400f5c9e24f9840bdb95610f4e8e23abf7c9496c33792aee970a0eac7f52fca609b0d6d6e1765e6836f584b0de71d8f5b4de3

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png.exe

MD5 7ec75476b0250f5f9cbd8f33f6df278c
SHA1 57cba55daf698038758af81fea49183bf277887f
SHA256 a996a83e20b240d9c20801f5dedc5c9e2a474a05f9d7c8fab08f6efe3e48b077
SHA512 4d281ba8474fbf6241e3bd7a6cfa4f8067863a66c998f1c4e7ff4ca4defb7cb8c4c5e2c531c744bb7156bbb204528167c7a546a3d0f3f28eaeadede83c608cb7

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

MD5 5db4d46086e221e722386e40e0a01a79
SHA1 13941e45a81addbaf455867fe5216ecad372b508
SHA256 b9fcabcaa6be6ed5287130fe8d07c796db099e21d1e396c6c029c3c3a85d5983
SHA512 650c2ccb3a4a5075ea9a4d0938bcd04d8ef883b1880d84f3cb7e4da7a76b0ce89bcdedd11b6a2a7613469c7e7c19f8ce453c076ec23f533be4dcf67592bf0705

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png.exe

MD5 dff3c548e673ca5fbfce46d879e15a82
SHA1 8690c262008273d33eb732ee3df31cdf7f77eecd
SHA256 2da4c5b99d9c406fd18030b8d1e691aea3302c3934894aadd9fd3a68fde3f386
SHA512 1d32ae14f026d0a8a2a1d371d1df14610ff1725e61977cbfb8829879fcd371939a4bb6f77b93dc21bf76f22e7d9d1d67a98f77911d692b5227505d4d88894245

C:\Users\Admin\AppData\Local\Temp\YYwC.exe

MD5 9e80c1542e8aa9962622d570ae3c4043
SHA1 54188af249366343d508caf47649e38fd18f9a06
SHA256 0b1de16150de0fb1dd69f1619fc4522dab85b6c05f018c2e00ad3ca0a130916c
SHA512 35a06cb66912cbe61317528011f0e4b29e28c362b98df6537282e5490cea73b406684c05d0e64ee68f1796036ca42cc43417b7726f3d4f853bd229ab7eecf73e

C:\Users\Admin\AppData\Local\Temp\eQIG.exe

MD5 4e9992967e03ebd2964ffb4000a570c0
SHA1 181aea033c558d1b307911e1c3f31d8b080a5f27
SHA256 d3162c4d9f2c48120457368a12a9d45d25eaaaccbbbf98c59f006597dda4ba4b
SHA512 23f905c8db1daf8185757ab4c516542c8a3c0dd3620e57c52874ef5d6f29903183941572ec52aa0ca2971824c678fffbc890b6284346a16753dca2043c20d0e3

C:\Users\Admin\AppData\Local\Temp\hwEC.exe

MD5 d777bff053b5c053f668e4be8ed7c495
SHA1 02dac815cb1b67f71ed745d8d1fcec91f68da8ed
SHA256 7b40300be0ce63bebf20788d7dd35b95a7fb4bbc77fc065e14727d240e2bdb00
SHA512 94707a2bfface7da63aeb895456c248a8105d4d62d170e750afc1489a0c8c7a552eb95f8f47498c2856ede27ca4dc884ac14442b4df8f3c5efc0e968b95a291b

C:\Users\Admin\AppData\Local\Temp\zUQW.exe

MD5 02cf577895459b462f6136eca1a7c32c
SHA1 c72807ecd1b120b473d5432dcf0f92336dbc4745
SHA256 b5073cbd1a6d74d26602404bffb0a315c4739169680abe90db3b8009b89ba788
SHA512 1350c752d2ba55deb012c242d1f4aba2f0c1d028339b698181b8fefd3f5c67693d78e8c8ab4ad5a04c9bdd5d7fbf1fe42ccd18c47dcdd1abf1cae8bd5ba30cd3

C:\Users\Admin\AppData\Local\Temp\TIMc.exe

MD5 0fbc56fc89436f7537951b0b565418dd
SHA1 7ab145fa661453a6ba45c35a8cf0877b95613e94
SHA256 a23ad9c3b5be5b4c5f5c2d7932e99d1faa0c38e5fc24b7efc6912346051a5e94
SHA512 4979ef0545b243d09cb55272705195318664f0a9292f26d6756caf40ee2595cc53bd912957b8b7ebab42ae4212563b749d5dfb199555582629004335f9c0eac8

C:\Users\Admin\AppData\Local\Temp\Gksm.exe

MD5 94ebe3a556288ed2d8b801216e45109e
SHA1 432c91dd19d4c327ccd90f3ab485e7353ddfb68c
SHA256 f7310fbc253624b3fb0dab250d4773d967f8ecbd44674316a445848475df021c
SHA512 aff35bf9b6d69e8667ba8ff162e4f98e4c38810515bd3cdf958b2cc2a94f9d5cfcffc5fea3c1359905477ccc3783bd28c68e4e1ef6999bb6b3db1233b082b66f

C:\Users\Admin\AppData\Local\Temp\QQUe.exe

MD5 41b7445e5e555be37946320472fc2aff
SHA1 11f8982ec8e72c709f3aea5b77bf5d593ee4c52e
SHA256 74d3bc914c017ef7f75e259666e39ab0ca590f3f4f8a9deeaaa9d39ecf033463
SHA512 965bb729f9398e6617436435d2d5e6702fb0e1d7ef6786bc590cf7bf91d5d345ea745a5d4a6e90865ed52adbceb0deb4b08cf57dea9c4885bb53f8f874501e0e

C:\Users\Admin\AppData\Local\Temp\Qgcu.exe

MD5 27bc0588e3daff39360bd16761b6aa83
SHA1 9bd59e94e5afad35278c4b1e7f13f0a0f4fa2a5c
SHA256 79287effe53eec13d59338413535b7e6a6573624934a3967e38bfe46d7ebfae6
SHA512 d494a8fbb14c90ad832b8d44df9bd9533f94a3944cc5930240bbe9e7701528496448bc55af4a93decde2f6deb363aa8d4505a62ec7db496636887947eaa3de00

C:\Users\Admin\AppData\Local\Temp\tMwI.exe

MD5 92f76cb451e3a2db9e37d14a6478e631
SHA1 166833f7b22b3dd6a278cff350af1b5d2f4be37e
SHA256 f4ddd989c2220ccf9dc657673b62a64f2ea2df85b763f429d8a3d2d04e96c4ef
SHA512 be8be19bdb4d033c30cc2e00aab748c3a17f15baf60e41e00913bf9616ec89664cb85ec2cb123c732bf2d7976b544ccc1ce5ebfe3efb9e0366d74905586a3af2

C:\Users\Admin\AppData\Local\Temp\GwIE.exe

MD5 f5757c01c6c34b936dfd39f80d2d09fd
SHA1 a71e3eab53765c8ccae39a913653b9f7f1cd9804
SHA256 5123e41de77bd3e34522135c5c91579a05cf97cc54b120f4aeed941f5bfedd33
SHA512 a3d29bb78ead1694c4d521bf2ecb460461aef1a72058db703ee6bbc301f24de8b82d1d433279da94b505f7100f2d7ee9ead54fe516e2def4945c697b0834d2f6

C:\Users\Admin\AppData\Local\Temp\fowk.exe

MD5 b2368f0f6276b9f344900b4c5dd17465
SHA1 dfac34499e5aee20dec0d8bdde90b70356824ae6
SHA256 2d701e34d580a7cb033f2d905df2439999281f0e04c2bcf1383475d51472b8c1
SHA512 d37b5cee4ddb2d998e5a704dd38bc3e40dc5948a15b6618ed7726730228c8209c837cc37885258950b86a27131271914ef29e9a8cf4f6bb6f84010c3f7730595

C:\Users\Admin\AppData\Local\Temp\Rgws.exe

MD5 962e27a28e2fd3e00445952a0742b3ba
SHA1 66bdbfe9105513aab7d26fc21f0c66c74d83247a
SHA256 55a84339e4eec5b37ec67821a493bb644a794cd7ed3869da36cc0d056f8cf0ea
SHA512 ae16b973708753000e86ded319d599282126cd85b686a968299b520491597424be529b98fc4c20b8d792da5f5e27d8f8c58c01762261e88ff4dcaf026c936134

C:\Users\Admin\AppData\Local\Temp\BAgY.exe

MD5 81a81662a38746d4fa7e0456d57656e6
SHA1 9762930950f28f09b1c42fd0af08983bd9959a9d
SHA256 933e3b4e954bf0dae22bd76fa567b4fdacebdc6c793d718ca1d24dd9f1f72d03
SHA512 1fca1f07f4b7a0df589ec7fb2fbe37ec835d6a086e0c1cbb680de8892e40a97fe9ce881232cc7e4988554c1dbb8d1cba9e6fdc84c74a2e2ffd665c69a8c924f0

C:\Users\Admin\AppData\Local\Temp\awEK.exe

MD5 49750571591d1c23d0a0b0b5beaaee01
SHA1 775213f57abd7c7efaa0bdcdc56a8a3d4b4636b1
SHA256 42d81f83d9e85ef4ac649d5cb2d3e6f6e5807ba2b5b84ef73a0bf6852f9ae193
SHA512 c4077262c89c88571361a017396dc22be18531f1276b223363ee5199c5ab3b0ac1eb260f0389d50290365150d534a4dc474d2d177a5ee0fb01c2aeb60850ae65

C:\Users\Admin\AppData\Local\Temp\SUkO.exe

MD5 06c78f1f8cfa60d8a11378d66f128775
SHA1 3ff7a50405faea6315ac028a89e3254ec3672190
SHA256 ca500b25a1a970bce680cb69e746ac759312aec878c441d6d11920e76d4b86d0
SHA512 6178d74895fb5635b5600e9e3adf3409ee86e87c9aea2d608b9b1ff56c675195b31cc3c386a3d37e2635a9d877c8683b686ce1e0087adcf6067d8ed6c01343d4

C:\Users\Admin\AppData\Local\Temp\lwwA.exe

MD5 9d8f8313423030b69a4d685a333d83fb
SHA1 77f07aad929ac38ad6dc14cb4bd0019cf1f79c45
SHA256 7f1cb291657ca2d35dbd246c7d04e61e2122028d7d833bc81407b19bb81ec1fb
SHA512 0e8f67641fb38b79e426988e89b94fcbac47646091d965580d41cff270c2cf3d9743251ad9a53127b81c33cbbb99086ce99eeb29388e17d78f1301b5c94184bc

C:\Users\Admin\AppData\Local\Temp\LcYC.exe

MD5 5756cf99eca20f729a2566fa2a1841b0
SHA1 c45d3515141614bccd70d706bd4a6e9a40bb7407
SHA256 8431e74f9f614e10ce955d3ab4b4e85685df6127c4c05f051f01d0ca8b4bc42b
SHA512 3fea371488b80fca366320bbde05eed7e05d3198b07e8936aafe85dc5fc3354c2fe791601094d1d36c46688e430933ceb0ba6f904dd83932aded0068678abf71

C:\Users\Admin\AppData\Local\Temp\aQks.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\NIQU.exe

MD5 667c02ff8e6d27ea8d7a901d43f502f6
SHA1 6f2c9aea33d457b726c822c547d8c88ab3bbcac2
SHA256 a59708a5149a9ddcf7fae056958b19b40f720cff078311248487775760e4203d
SHA512 b0b1be600fce58ca6f07d18daab4a33f079469ab2788d1f15bf6fe4d02d9b9c894b30ebafffa0d1b0dabf80cdd79d286fbb3c9b94d678e8ab4d6339617bce705

C:\Users\Admin\AppData\Local\Temp\ygAm.exe

MD5 3041da5b495b29a1d2e90975a2293bf3
SHA1 89e3739f476694b3332c46ec89ec585247905f9e
SHA256 3cabe6e884dcae5e1a6515cebf7cd99ef8dfb0788b611da1bfc69c784f302ff5
SHA512 512c570e1fd8806e4849664948a2d1623a40c949fc377602e1d2b0fc4f128ab74160e943bf36b2ec7a6d6ea9b8d71f09afefdbc16c4cd95a6d3789453ca11ffc

C:\Users\Admin\AppData\Local\Temp\pQsw.exe

MD5 85d3d833582ed8731a23d57fde3fa211
SHA1 cbba53e73a88b596e297fd5f205b00c11966b9e3
SHA256 8bc9b66e0514b7340c99b836770f155620c9c0375f8948ac5e0aff34677d1d5d
SHA512 b9f26a3e7183263b2731f3694d1787bb2edba7f4a7b8c4910667e6ba4a6dc4c30006c60433ebcc160a5215d6383c43a3763e46b17a6bb685e11339a884b6c513

C:\Users\Admin\Pictures\MoveHide.bmp.exe

MD5 bd5a7caf4a32a582532d9635630620e2
SHA1 d2f3b9701ebc9ff2348dfd25a5f69b48e2472b18
SHA256 52002d1d7a7e5a5700b443257d6b47f1a846d4985fb2adb3627f8078b05dfb2a
SHA512 f5dd5bbc3e536bea775ffece67cfa8373f78b2bef1cf9fd85fa900bc0ec10dfd4de1674c29735c7846300dd389bb20f4be54006889beda58967c1d5807e77807

C:\Users\Admin\AppData\Local\Temp\YAwo.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

MD5 d3e69e6137380c7492b13cdc8074a3ff
SHA1 b63ad058148e820cd4e76080f5ef7792f18694e2
SHA256 a5411ceaaa6ac4fec7ead45a33d748f55c44d9da29b1a7cb1714b5eb890dc0af
SHA512 eae026c4b204f50538d1f80a351a760f41e75d4f32028f88b2b4b19bde20374b85f3ad717cd4651d6e022d98a19eb62148508e1d63c01f95d33e4db2fe8ff89a

C:\Users\Admin\AppData\Local\Temp\wEQg.exe

MD5 e8df3f4d86f4c27c76e0b92eef803719
SHA1 9d7b0345e3984257b25c7dc4f0f24cc89236d568
SHA256 d75c0a419016ffc3086d5ba550ae85a564715f31c0244c1374336a7ab4208a6c
SHA512 fbb9eada408e7e2090c2f16840c47acfd7bfd4b74f5f58eba40677676f9777f3544ba3db091251000283062fd890e160d921ace580eea19592e201ded7dbb51a

C:\Users\Admin\AppData\Local\Temp\CAsg.exe

MD5 74d5aad22929db2dcf555bfa3be51aff
SHA1 83833e7e0501faeb38db0d3960c6207267ea2ab8
SHA256 640827141b1aae977fa28f7ed44ba57f5f52740f3f1c321e25b690c2eb6c9cdd
SHA512 6ca17567058910891f00aee78029428adae0adc212085e52cc51d56963d6a82e863404e11de632215c0db4039ed47408e9cbb0c94a988586b872a56fc411ab71

C:\Users\Admin\AppData\Local\Temp\lkcU.exe

MD5 edf44255c51f281077855902f7a81b33
SHA1 9a644484bfebeda782f0b02c900bd947cd1d79d8
SHA256 14caa71cae2704a708d58fee5c9703fd28563bec1a12b47de295ca7b2d529c3e
SHA512 e5e59d4ea6af902f1e0689223d615d747c15137727fa0edcbca868b621bcfcec6bd7c9a95a2e508dce2442eec36e8e96a32e5c4c6594ea9042f8875549318ef5

C:\Users\Admin\Pictures\TraceInstall.gif.exe

MD5 ac3a32615ea0bbc17661996ca8e0d0b1
SHA1 1ad2a55324edcf0c089daf737e3f0fdad50b06b3
SHA256 145a113164f694bc6d8b30a32bb8f91b06357058b769a4c70cdeaacc3c06f9eb
SHA512 640de916bb284b937eaf7dbef9e039c2681b5d9adcffac6c5e595cac80c21cca6330a6f0d54e80736ed5b13eb4dbc957ca259e9c16232cee64aa09d59694d9c2

C:\Users\Admin\Pictures\UndoLock.png.exe

MD5 907338f88885cf9386a025535cc88d7e
SHA1 c46a54181d550b9fab37dd841fce0bdd773f824f
SHA256 6e893899bfa8db7486dd4213ba031669717e4409c12eed55622a509637f32e21
SHA512 beecc326a6de811186861213f6876e15644dfb72714e4c68bf50ba0a849281af9721f27bd82ef7f9fb13d1b126b37777b6bacd16bf3e9293966953efb2ff051d

C:\Users\Admin\Pictures\WaitInvoke.png.exe

MD5 3f1f09fc60e985ce7691f535afd720cb
SHA1 3a90e92d660d348c496ee34247e88ca030763f7a
SHA256 0b9548931a1bfd071f84908fa2c5c8b2026b959032c89ccaca237ff142400334
SHA512 075288c0e9c2d6d7da3ddada23673becdd4cbd7a11fceecac6c9329a0736714cac7a1afc7f982795b925edf8dbaa5673765330f5a110a6c439e1ecbe675876ab

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 10defdbd71106af23292c518fb50f9bd
SHA1 ac93c44fba94c0bd59195d3667318128f30fdcc2
SHA256 25dcc71e809f401afc9c725940347b306ea39faa13800f73a8dd760b8d99bfb1
SHA512 8826d6a25a755a4e5e146997273b24b845f38d0ebc54562fc9c26f297584bf2ad882f33d0744af3d174359983b48d82372181bf7ac2c29a883420a330c82e1f0

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 0b8795a5fb64ca93068ed7a05773f5ca
SHA1 af423e8250ba58472a89817b1bd4ba9115e9cfe8
SHA256 1d1434a7dc5467a63127f4bca4b238cb3df958ec175f938bd5154e5bd5d27458
SHA512 7aaac1fc0752d39da5199f9ea6fbc7380fd4dff0ee8986cc50d8052d5abacd4cfe6c5bae8ac33efcd18985eeecaa7d15faa671db672c0d050230c40d61153298

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 6d4d205449e538f72707fffff71e4bc3
SHA1 9e2ca5b945b535fca695346d5609aa06d7994e4b
SHA256 4325f1185df077b585c1a01bddaf6687be89accd63f2703189699bdeebccfb83
SHA512 013f9a4717ec89421b6085e93e19cbd757556f3ad8c0d6a817c9ad2ab39da0dbaf1cb4cec00c115c973caeb086654946bf48938cfb3639985e904d4a9ca77c79

C:\Users\Admin\AppData\Local\Temp\KoEE.exe

MD5 9d5c97aeeb4d5bd92e885c2273f8ab33
SHA1 dcbe0b994daca2f192b51a39fc7c57f7c2c7416f
SHA256 7a7a2f35b50a1065d340b746ca736812e01e8885954350e55aae315c7befdaf3
SHA512 637897f74d39232b4ff4e41cfbf28640c69e3e72191015464af15f0e84b801fc3954b5fff604bcb00fbfa13a61f8669813cfeb3313d756debbe5b82c208881e3

C:\Users\Admin\AppData\Local\Temp\DYIm.exe

MD5 a96eeb39cea7c3f5ebbc8f43fa41e6eb
SHA1 0ca33e40fa5946eb0bb8e3b99e8ba0ce67b04eff
SHA256 f87669dcf6f7fa09d63720586229d074921c2f4d1c656ef2f8f60c52cccd001c
SHA512 5f264c23505fadafcceada33140d6720eb2e562886e70b9499406fc1ad8be642c6de218ee7a60eecddaffd0080c4919412412fc4fab1955164bc16b2e6842814

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 1b68c9d66a9dd443675331af4afd864d
SHA1 5ad58307d80f5f09a668d79806d6f9e697198f46
SHA256 8dbf85c46b93399a1375fdaaf3a7261666d373e593a9e7f2d38cf59cff3e184b
SHA512 a57ec842aecd4af2b30d4ce0eaa3664907803a15d76bf2625a908ec4d96fcfd30892fd80809baa9abc2ba820769e014729c454ca61de943c449ead8b0c949a13