Malware Analysis Report

2025-01-22 19:56

Sample ID 241016-wf7nmaxbmp
Target 2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock
SHA256 2decc0f00c6c2cf12f558ac9d0d2282124e2c99e1ecc6cb67a2cb22dea5a02f9
Tags
discovery evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2decc0f00c6c2cf12f558ac9d0d2282124e2c99e1ecc6cb67a2cb22dea5a02f9

Threat Level: Known bad

The file 2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (82) files with added filename extension

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 17:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 17:52

Reported

2024-10-16 17:55

Platform

win7-20240708-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(the identical event above was recorded 64 times; the repeated rows are collapsed here)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(the identical event above was recorded 64 times; the repeated rows are collapsed here)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation C:\ProgramData\AIIcIogU\AEEowoEM.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\sogAYUcU\WuowwEIY.exe N/A
N/A N/A C:\ProgramData\AIIcIogU\AEEowoEM.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AEEowoEM.exe = "C:\\ProgramData\\AIIcIogU\\AEEowoEM.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AEEowoEM.exe = "C:\\ProgramData\\AIIcIogU\\AEEowoEM.exe" C:\ProgramData\AIIcIogU\AEEowoEM.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WuowwEIY.exe = "C:\\Users\\Admin\\sogAYUcU\\WuowwEIY.exe" C:\Users\Admin\sogAYUcU\WuowwEIY.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WuowwEIY.exe = "C:\\Users\\Admin\\sogAYUcU\\WuowwEIY.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A (27 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (17 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A (12 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A (8 events)
(64 events in total; identical rows are collapsed per process, with the count of occurrences shown)

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\AIIcIogU\AEEowoEM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\AIIcIogU\AEEowoEM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1476 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Users\Admin\sogAYUcU\WuowwEIY.exe
PID 1476 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\ProgramData\AIIcIogU\AEEowoEM.exe
PID 1476 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe
PID 1476 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1476 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1476 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1476 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2804 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1096 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe
PID 2804 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2804 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2804 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2804 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 1192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe"

C:\Users\Admin\sogAYUcU\WuowwEIY.exe

"C:\Users\Admin\sogAYUcU\WuowwEIY.exe"

C:\ProgramData\AIIcIogU\AEEowoEM.exe

"C:\ProgramData\AIIcIogU\AEEowoEM.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pGMwMAYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qyoEMcUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GWAEUQEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OIsIkAEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KcokQcYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ekYQUUII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmsoAQsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DsIgookg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LmoQsQkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JmMwkkck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nQksQgIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EokEIIgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qOwEEMww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MQUoUEEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cGIUYQoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JioQgwYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XCMwIIEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BcAsoUkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RgIUUAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TYMkUMQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YyEsIsUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wmgkMAYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ssAIUEMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QoEckIsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XCsQokUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZqgYsQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JEAIUEMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TAQEAoUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mcIgIMMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\McAsIUEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WqAkMwME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SuEskQII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pCgYYoMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "49040454-1997845530-686132047507152205917625958143782554818965969791763733158"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RykoQsks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1523239782761780370841054370-86263282339153614-1751170798-498911732-480358206"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZeQIEQUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NaAgQgsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pgUYsUMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IiAwoEss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mwgQEQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iAEEUQAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oUcEIEIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\joUAoUQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5084179671767057481-5676903146609126231199030213-457014176254652141-718039161"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xoIsYsoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1545146190-21099252941059599572176866132014908982551057932603-1910810706821393094"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JUMAMQQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xKoAcsYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YEEQUsUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AiUAMccI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UiYAgcgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vGAEUwUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZIAEgIYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xqAggQYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VWIsAEYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aoEUUccM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SSEMkYMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MmYgAcwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WMscAwQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vmssQQIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pmEMgAIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HuQUAkwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fWIcEsQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\neccocYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cWcYIYgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OqEookEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/1476-0-0x0000000000400000-0x0000000000421000-memory.dmp

\Users\Admin\sogAYUcU\WuowwEIY.exe

MD5 9eb3ed327b1e16488aee9442d70e81fb
SHA1 066b6fd402e235c1760f502e3b2afa4e78b192b1
SHA256 2e769b91974d05767f4d2e433bac91fe49de88a39d2659e00ba66d6d5aa37013
SHA512 3db571b74e652117bb29ddea56031f76f9584860e6a40607e0fb2fc005dd031a4040ecf577d73264cdbe40453b77a69691ba6b3f3b0fae6af6d392908a31dacd

memory/1476-5-0x00000000003A0000-0x00000000003BC000-memory.dmp

memory/1636-13-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1476-16-0x00000000003A0000-0x00000000003BD000-memory.dmp

\ProgramData\AIIcIogU\AEEowoEM.exe

MD5 17638f71d353b431357e9614fcd129c1
SHA1 ebcf42ecdc81926adcad07851aaea0dd9f818d69
SHA256 5dfb2b7276a813636cb7d1593b17983f2628d59043792ee7a5e682dd4eb49233
SHA512 583a295434802a5a69ea38c2a7e25015c6b185bfe65d6308756fe0e2d58b361e0a553f46dd6ec400b9768727f3da12c806a76a789bccc9b7db8c10015ce706dd

memory/2256-29-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JgAIwIgM.bat

MD5 28c22e83817f124f0327e4538befb07a
SHA1 59b27386c503686f3b5b344f3e76e27bc913153c
SHA256 b4ee0a0700bb87f84cdaafc799af96c13f3c44cf0943bcb91d1b9ccab464a625
SHA512 05e675911d4454108646c2ce6770775f490984f84d47e74fe250d5c957ffc02aa1347568b8cb9c69239064f67c48f8b658234166f657bb85f63aeee0e0d5fffd

memory/2624-31-0x0000000000160000-0x0000000000181000-memory.dmp

memory/2804-32-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1476-41-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pGMwMAYE.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\YEIgQYwg.bat

MD5 a682227c5497e57f8731563c2b95d48a
SHA1 96d560ef92e32e3ad03c805507f8d1199fa01c27
SHA256 096059c4658293668d2c1d6d1a50b4bf95bb2c1c24ace84821b977c64f2af634
SHA512 aa66e457fa0b93b0d669ce4f51e8b43dedad8ad882d3b96759a68d38f1ee0c48c606c234311a7431b3fd3b5e9134f6da8aeed8a52631213555273d20d6b62b94

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

MD5 f598e9820ec2badd9796e258a2906231
SHA1 436252684b0b285ecc2747aaf1cdf1e4e67a6eb7
SHA256 49da8c24946900bd5af73c70099b775d1142033a25b347dd5a21ca68cedc7c0d
SHA512 e26c4b70ca14d0790d4495d56adf1ba87b0f4a5b86e87a9e4d3a9466443c6641e48f493fbbce29e9610e39ec0c150ed8bddda4e898760aa9f8b83bfb51df1f86

memory/2756-54-0x0000000000180000-0x00000000001A1000-memory.dmp

memory/2756-55-0x0000000000180000-0x00000000001A1000-memory.dmp

memory/2804-64-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kyYskYAQ.bat

MD5 a8400570bae0952ad27ad4093b01995e
SHA1 4a8d5600d3a41f52904a3d2592e42ecc07104b4d
SHA256 beea34d0eebf2c30e88a1c21cf74640cc2e0dff67e34833c082a5a981ada2fe3
SHA512 a12c65627ce40559ed17a0ce68eb59360e97acf772530984f59f4ad1019e24dc08d31256a81ac5134022b19e32f1b797c8a8ca598307e078a0e2503687860fc8

memory/3064-78-0x0000000000280000-0x00000000002A1000-memory.dmp

memory/3064-77-0x0000000000280000-0x00000000002A1000-memory.dmp

memory/1096-87-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EAsUMskI.bat

MD5 bd8e7fe33fe24094f3a503d479af9a0f
SHA1 4cf576fb9f5f602b17e7070c19668bfcfcc7ddef
SHA256 bef2d98811580694ccf8094be624ad26f42e03407461ac723cb6c4904fedcc23
SHA512 ece9cbbe534bdd8bdcba41be9fbfb2862afb83aa0f86dd3c4597464cd9fd405f06f5b600a218b538fa948509df7b7bcdb3a62345e23a33d26afc489bdb01f564

memory/1980-100-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2912-101-0x0000000000400000-0x0000000000421000-memory.dmp

memory/896-110-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WQMAYIog.bat

MD5 3f6da666049d760c6c3d87ba6ed567b1
SHA1 9ce7fd01f341f2446352c191402f9b5a89a549f7
SHA256 c0d8a106f9acd1fc0c1018aad685f8fbfa9dae3671dc223956b5f0f2465de367
SHA512 b57310e2d3469c91d943b89c5be0cf955cf6dd1abccd45223f036c13124b89c043feebe69d60b915648f4d0a6e8ac242632fc77cf2a62062c65140f8ffa97ebc

memory/1736-123-0x00000000001F0000-0x0000000000211000-memory.dmp

memory/1832-125-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1736-124-0x00000000001F0000-0x0000000000211000-memory.dmp

memory/2912-134-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mMwIUAoM.bat

MD5 7de611ee23073c880305252efc944ff4
SHA1 dac3fceaab5012a3374e27ed1622be4cd655ebeb
SHA256 3689e2c682aaf3e8d667d22e2eb8aa86b9697a177ad2757cc1f0c19fa3f62685
SHA512 2cc13641746b918a66493e64f010ba9e50a4716371eaeefd4111f614f1626c5bad12d076df442e07374f4f4c44abfc9f54f3ccafa0470fb7c3bf7ca0a8a8b88f

memory/2300-147-0x0000000000160000-0x0000000000181000-memory.dmp

memory/1692-149-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2300-148-0x0000000000160000-0x0000000000181000-memory.dmp

memory/1832-158-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RWYgIosc.bat

MD5 a63f9300d16760087ad4f0979d54cb63
SHA1 db556223a3522df4d3ccb8ee44025b9799ac62c8
SHA256 4b6dfe84387904b449af3f284eaf2aaa16da9747f01fe3823c0a0d0165f70dd7
SHA512 3c09837e42317bc0c6cb6af1b84e3248e24c6207acacb68cc2f67e03cd199486d5b5c55c8252e3c835042783934a08c742c731e7a85a02e6e6fffef609854bb9

memory/1692-179-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FyQMcsQw.bat

MD5 fd43a458159c7f5e2f0977423a150a87
SHA1 e66a52ef0fa39fb5fc5746732ed1018b0b634bad
SHA256 9a92999c604dcffff246e36b7b839fb274ec7d78486f1035d1ee06bcf95b9065
SHA512 596d7d838401ecdecbdc6b6fa36729c89c2d2181dff0f2f5f6315ba0191789469f5412d4464e30b8d5a1e200ba2b5522360f3af02b3074974b2556eb9e650bac

memory/2772-194-0x0000000000400000-0x0000000000421000-memory.dmp

memory/664-193-0x0000000000360000-0x0000000000381000-memory.dmp

memory/664-192-0x0000000000360000-0x0000000000381000-memory.dmp

memory/2572-203-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hocIMwEA.bat

MD5 a8f867c6fddba6e65fe445859110dcd0
SHA1 2c8e9dbcdcd4e148901cbf19eef68b6770d72cbb
SHA256 7508b03059aaebf2b8fdeb7307a72a6bd77c922c17b82cfff86bbc95eda6c321
SHA512 b64717c62ef0e1e76ee3a123b825e39d097f99bf9918acb07b5a01ade73e4546e8f19700af2d874d17310cf5004f88f59993a44dcd8f61bf6a5dbbf851f090c5

memory/2992-217-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1384-216-0x00000000001E0000-0x0000000000201000-memory.dmp

memory/2772-226-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HiIQEQIM.bat

MD5 7a5ef1b81fc2688a3c88a83fa236b6e4
SHA1 d3c7c308ce5cc25e5bb42b63e000f089bc7edebe
SHA256 da0c346a733a5b9ea162b5ea02404cd56b558bcfa2de9624f3a1af8e8e56b3ab
SHA512 70e7823bce877fc03cdc259d952a6c1d67dc05765ba6df74434618b133bb386530372f0500692da942e4696548e8d7e55735132355b32fbce44957800037d466

memory/2992-247-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nEUcYsgQ.bat

MD5 348c74bc5fe944ea0bc6fee00d933c7f
SHA1 b0898e0b4f60a09c7de308f22893c26f41ffc297
SHA256 a88caef6f3c41b87a6a7e47ee91d8050baaf7bed857b9d2cbba3ede895b9bb83
SHA512 7cfac3eac3bef9d5d01a078782716c8b7ae1a2e18ad3a244db293485016d89c9e1074cd3fd50e9f5eb7b8ea28178d6b4db0e9ec7cfe235cff7228e2ea47f780c

memory/620-260-0x00000000002A0000-0x00000000002C1000-memory.dmp

memory/596-269-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aOsgsUcQ.bat

MD5 e625696ee9d695483e6fdd7dca901817
SHA1 fdd4406f66e936efc902df022120628ee8be7c53
SHA256 4d83faa96d052c1d44b74f3413ea3bde386153264349db01b3cf0847d82ebf03
SHA512 171f5ea74ac937523201a8315824114c805a40cf851db9faf9cc82e986de0e06c333d56fa3d9d306f5554bf8a7b567f152740d4fe78d4b919449789ffd700714

memory/1544-284-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1768-283-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1768-282-0x0000000000400000-0x0000000000421000-memory.dmp

memory/776-293-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KQoIUcUg.bat

MD5 288b0071cb87586a08f316bfa52687f2
SHA1 64cccdb6296106c097d5246fa1cac53932a65c5e

C:\Users\Admin\AppData\Local\Temp\lEwMgQgw.bat

MD5 cd5b64d2324031ed55714feaeaa011a5
SHA1 c998976bb263cc66703b5ece434e12c9ecb6840c
SHA256 c0ae765a97f1657ae9d9703a2ada62d1e4f7a83e535d3dfbe55a799d7fb18d0b
SHA512 69e5273a5d73b6ada72a7b3fb1ed0fe465648e76a26a1192255381adc985d0255997e89e3e432b270c69a58fabc5ba850abeca592d1b8b7f611ef5242347776c

C:\Users\Admin\AppData\Local\Temp\qIEa.exe

MD5 8cc552e93f3afa4e26ccfa9d5d5518c1
SHA1 49a585f118ce58f5a1f598470f732ad16b05a193
SHA256 dc4819d99d90db941847d2649c2ce956dd4a5114def4d66670fc1719f0e99a8e
SHA512 0ba781d6f592bc8f728e259e26213fef350c9679390435c527938ef983448e187bf8383eec83c8be0c3630b3b5451732c9ac5589a1db0f4bc46d477e983932ab

C:\Users\Admin\AppData\Local\Temp\yscA.exe

MD5 0616f3b795374e374af5c2c5b467da06
SHA1 1c9953de5c67472c5318aec527dc735a762c51f2
SHA256 6141d7bbbb8f0b0f781a3f91fa3c81e6b144a2342184fdfa9ddf6186a85d7bab
SHA512 c393877e7ee9c2006a01fd9c4f673a2b8889e12dae4657c3f49b9bbb8b019ab47d83f3b8b3540222486f3512defb23f877961fb3fded001083b3ef3c79f2c9fc

C:\Users\Admin\AppData\Local\Temp\McMU.exe

MD5 ce40d9a445ff5d5ea809b326ccafaf27
SHA1 7b9fff6a6e4b915d614b9213dc9c55a9d7810f0a
SHA256 3fb7fdf33cbb603e6c10b0b434265fbc1e2bbd2be1f7ca8a98d273e9b26a2e5a
SHA512 d4b76323536afddc6e8253f8a9f207200b3130391a072a3fa87631cddfb18d88f9e5ad20020c5d9a39c34511c5bace6070bbca843dd92d5d96c79543736dc6b4

C:\Users\Admin\AppData\Local\Temp\LEgMAsUI.bat

MD5 3f60151338cc0d0fb14e38ff6a1624b7
SHA1 a187d2ea20da4695f12c98246628e8b7cbe189a8
SHA256 e4b0ecbc4a12dfe8ad0a31d112cc2ade22b940115b67cbe153e18294281c0a40
SHA512 268cb35f757fec137a5bc4ba28297a57d44aff776c4fa3f1e3ebeb7e8c7f87a62a4263bba073164f50c87c4a5bec3ae6f92ba69bd052b925bbe4f4e93b7d3f47

C:\Users\Admin\AppData\Local\Temp\Csge.exe

MD5 b2cb4f8bbe783dfd518b6092d0e7497d
SHA1 aa42288898bea672c051c9cb2317d8422ede0b48
SHA256 3b4083287180f332d15badcc3cec4349bcf5ec11781c784fc1656fab6bfc6c3c
SHA512 feb7dc29d75d0281a5fd7f038064504ab7553a7a7255caa538bc67f830135601c5db5fac638b46e0bf6025d04db606e7784d24d2ebbcda0644f79a6708146138

C:\Users\Admin\AppData\Local\Temp\IQkq.exe

MD5 de0fef907db5330fef054756d7d5ed97
SHA1 c17498d8569e5300cf51f03792fadefd768b1b2f
SHA256 306a1aace531a527b8d7bc796312841f5a3669d197a49404800233ae1f248e2e
SHA512 3e55be8af5f874ec9cfe7a34ec1cf474254bbb83c7747b80121ed97a760274207946788eb9d4660805258133b5e2e4707dea1d01b89e8bc001a15b9e0bfac4f1

C:\Users\Admin\AppData\Local\Temp\CAsw.exe

MD5 27f36ec4819d54a6808ae38fd5a74f71
SHA1 07b1a63a77c74a2cd27c81b2425cb035b9a73e64
SHA256 2edc75481279c80cfa1a0878f57cab10e5a8d0e9f29839ce65738424e4b9f0b3
SHA512 dd31f4390d0c2576446409642ac9d5952a3d76b0fd60afcb9b740d1407a1de6771d292a23874a3855da7bb89239c3945550b36213c39062452b04e5763f5b9ce

C:\Users\Admin\AppData\Local\Temp\lyMokowo.bat

MD5 728b3c159bd140bff56a1b3f79d44b1b
SHA1 141f341afe0a2f55b1cc3add5662c0da40336f46
SHA256 5279c41266fac34699168b907dfc572b2a17bda0937e280e22f196d71de7762a
SHA512 0375e6bd697f92dfbd5c6e72ef12607b1731abe2926bd3470ebabf74510cc609cce4b0caa84add5d7267a7d44ac2b56e0840a659ed3c0cece1e9bf8d0ca9c74e

C:\Users\Admin\AppData\Local\Temp\gMAU.exe

MD5 126ea634211b1c53ac71bbf19c36a094
SHA1 96faeef435a8465d3991375c9b7416c2c3ca8843
SHA256 726e3f524b821cee4f496a667127912485d33fa296aea182161488a136c71cba
SHA512 5035b07ddfc34bd06fd69852844c4c59cc8b80bbf5062c3ee66e32bfc04c0e79a281286bf4d19b232ecc96c6389f93e5242e93ad29062d7d97a046a99809d414

C:\Users\Admin\AppData\Local\Temp\ccIu.exe

MD5 fb84dce703db03236569e6e53b67c8c5
SHA1 b94df706d6f17a195470ca9d65be405daf90db97
SHA256 c36abb24f1855e5c71117974821bb15e4857db07e7f77b609f420833459f75b3
SHA512 a88201fbc27a1131eb1d3581e8b4987bdc090d0fa9b4b9585adc80f0c60f28047324f311d9fe0134beeb454d89d55f4334b20dc8eae93fa123c5efa641f5620d

C:\Users\Admin\AppData\Local\Temp\Yoso.exe

MD5 d7c078cd350bc0a9548ce32f658470be
SHA1 f9963a91faa06e31e1044803f6fd132778cab260
SHA256 c5356a680897ab54da78408912c843127a37af08c3f3476e37e1d25f349a237d
SHA512 a2d3acb48a51c27dbf740290238f707b423ab6591ac0ad3d362dc5cebdfaf50906113f59cac340d839e4a90be62c860e984e62a856a012cd0b3ea63ae1d0ef80

C:\Users\Admin\AppData\Local\Temp\gMsO.exe

MD5 856d9c4f00f2672505f5d58bbecc2d29
SHA1 40f6a038567ffc877bd7cf445327b303bfbd5be9
SHA256 889c552d15a7a42ed68283a388e623268845399ccfe84748170369e4eaa1c949
SHA512 72a5f29c46b2b4d3dab3fea7074e23cb68b1161d374a463ff3f3450a68742288d5ef5b6a14f8f318a2cd4591b81c6735cb3e3d9a00d3212f91d711c523ec17c7

C:\Users\Admin\AppData\Local\Temp\vqMAUUUk.bat

MD5 dbeb4cdca2c42ca11ff54fe0a9515437
SHA1 b0cbfca427e5de8b7772d6085b89e61a7d20c3ac
SHA256 4dbb21f42e445546299cdd00cdd94fdd39b63681669e09ba623c6fcb896a32aa
SHA512 0d7e1cbc17f855aaf6b62978903d09a2b746a36ed41e755113f8b67a11f0bdc571b96c1d336f88a2f25c2c8897ac260948ece9e3f9cda2e1da4277694e5d647b

C:\Users\Admin\AppData\Local\Temp\uwkm.exe

MD5 b7e89042ff01f3833fd7f39af60291e1
SHA1 6a6192e663bc522484c00642cfd017f9b32275c0
SHA256 387c9852ea2a73a818059865db85181932d348c1c1ef1ea3517e138cfc8934bb
SHA512 4e2638aa273c7eae0f2d7b6f15d323dca9ef6e35e01e0300ad627c33b83dd2433b2c6a7a6c699f1f9c0945c81d741dee1b42344d3cdbafa6c65b48735e29bdfc

C:\Users\Admin\AppData\Local\Temp\WAUY.exe

MD5 baaf71f65ad1d15ef54f59764c6117c6
SHA1 b6749780f0c48c732e5ca93bf084fd16fd618b83
SHA256 e955a6a3f21118b21770441c64a6eb883715e8900c076cb2ee42398f15417a16
SHA512 20e2c658f2f87aae06f5794de520fd0e0aa6f0b7a3af96c632f381fa0eed15084ea3407e68fdd072e564ec61c0b98458bb34adceb9d629472daa9f4572609f7b

C:\Users\Admin\AppData\Local\Temp\cIYq.exe

MD5 814a6a90388dee4bb28a9d5225ee1aeb
SHA1 881ca633d57d1b3fd460f779d0dda8e487b1f3ab
SHA256 b1953b041bba3da5212fcbfc3ea22754ee4ae64da3c18b0171cd45c3b0f736cd
SHA512 f1697e8b4399a583acd5328a55b1bae6de6d67868821237b8d345a16f438c574249ce95dbdbf99d5c05d71b58bb82db9b7436683c53116af064c78d94e93f02a

C:\Users\Admin\AppData\Local\Temp\UYoy.exe

MD5 ffd8de984fb9102b9cbd0c9d12a2ab9c
SHA1 6ec66d9bea1757738b5f021686ee25cdca25a0e6
SHA256 fe621a82dfc1e1a384e8bddb86b168b6d139c16600ea5b5f2c9f658f2befbf59
SHA512 22743d327bbb0d8c54a24248e9a55939782e2fe799ad70896e98ca1d91cbf97453d015b9f6b0c472abcda97c659be16002da4bc168252acde1a7c7b5fca92641

C:\Users\Admin\AppData\Local\Temp\Iwwo.exe

MD5 0bdb7e8b91912d835c25fc3045a1e150
SHA1 dd221a9eefc9e9e6e38e00ee3becbaf3521ac1ac
SHA256 065e3b21df35be29a7d5a3a1ca6b93c3147e8c170cea65684c7e6dcf19f1822e
SHA512 2b1d53bbf3e57d0efbee5bcbe111b9d878699dd48ea04e1f7693356feb58bd4ac52055e53d4359740d43772ae14efefa22e0b3e6287dedc250cb96ed080f738a

C:\Users\Admin\AppData\Local\Temp\CkUIwQQA.bat

MD5 157ffcd19c65e8a01916db204c4732f7
SHA1 777dcbdecd8ed3019ef0fd8c2072163296eec47b
SHA256 cabd7d308161bdfd6676d4c1b6bc60ec1f2d41a608cfd21110f61642efc76599
SHA512 3483c29052d67d5847c90a8a956b11f208ac49129c71680ff310ec7e0ba22f489360bf0f793a707d62fede2ed0e342d17ea7455dd87ab743f3cc2c9dbc39c19d

C:\Users\Admin\AppData\Local\Temp\EoUI.exe

MD5 7e965c69821e2d4a99baaf5408caa2a6
SHA1 b1f1651f82e2f595d3dc800de887f86819ee3e68
SHA256 ee75ecb4e9119a770a7bbc04b3a4e7d0198dfecf952568cb9cd216e6f7c7b6ea
SHA512 f4540cea72ae84b5c877a3c04e2acd55b2abec49e5e9d6c6b6b34fec894848ffb1a625a62c43b715ea2cce485485041cb382230d453b9915221e3139861a836d

C:\Users\Admin\AppData\Local\Temp\mUYY.exe

MD5 89c39fd956191a061e5c74c2d8c05ec7
SHA1 c6ce6660281b317f11414c6572c501771022a990
SHA256 9716bc8c8a8462d96094c47503480edf86d2a5c5a40d2c982675b0b46ff1e1c1
SHA512 c9d05014f3bf2eaa9eadca500f6b6fa71068d67ebfe3d111fabe5137eb6e730829154f72a05dc43ce5c973ebf2d849a422eecd66c8815375c461fb110964058d

C:\Users\Admin\AppData\Local\Temp\yoQg.exe

MD5 4e9d05cfaeab83834e0c972051b18914
SHA1 44d512f840756b0d164a25c84764663d1ac15191
SHA256 8748de165c6d54383be4cd48dbbdbcbeb22776cf9f621aed22bb64cf4eb97232
SHA512 4ca8eb76162ee4f9bbf1216dfc5a1540772fbf7214457ef66532314d450852526ab55d61422f40b70b8561341bf633e158ca8450c75a1178c381d213e1fb2e45

C:\Users\Admin\AppData\Local\Temp\kaUEwAsM.bat

MD5 a66d62723040032c8ef169e15fc6df59
SHA1 33feed8452f38787ad76f5ed8caf691e8c942590
SHA256 9a38f9898845515f4a5a184e880f05970732b58041749120434ad86f8813c8de
SHA512 0d4d168792ef8f7fb6730b33a45087fdebbcdba4da13d404d019aac743fbc9a7beeaa6667e59dad948d2cc39b62023d6792492b5838d7ae892e667ee909d868a

C:\Users\Admin\AppData\Local\Temp\MAIE.exe

MD5 5416e8f38aa768f8f039cadafd12d071
SHA1 ff458f5c679625293592309e93a71dbffb256cc8
SHA256 d44239a74836b2094ff945f3149f765e5507fcd5f2365311a7089c011d5c951d
SHA512 1d6e368760b0c41a313f46de73d8345a9d8984f44a2c10c87abdf408581fab0fd354a3c098d7074e8a77d03643e67aa5e98d6ef9b32eab1cc2e3de8c8933042c

C:\Users\Admin\AppData\Local\Temp\MMco.exe

MD5 c10ffb9ae7ca75ab18f01858263cf9ec
SHA1 8399149fb6ba1087cae00564c9aef91a8fabb167
SHA256 ca675361e71666e4542dbe2fc8f4e4393534b1448a727b55a17754158a91b451
SHA512 2d94c23cf579c9934d317810de8b4d736c6362dc972549de03081455cdbc865806bde7b435d29825b7b1d0bd0742c021b4fbdecc342cc035f016db2de39848e9

C:\Users\Admin\AppData\Local\Temp\EEQm.exe

MD5 89e812c805bc147143d4660822ef9335
SHA1 dd93c9736a364c8daa8f41eec61e2c5645292e25
SHA256 c8421521c28361d8bdd220525a04b749a44bb42ef3022a92900f44809a76ca70
SHA512 7e7bb3a7d0f453c33124b2c9110c06fe51c8fda292078136ca9f5ea0d604cfbf89485713541af4e08fe0bb07a60a678cfcddf42ebce7709053b73b2e590d0639

C:\Users\Admin\AppData\Local\Temp\CAAS.exe

MD5 f884c5c6adaf0b6ea2ab4f77228351ba
SHA1 d364776e4d3cb94afb6aab4384f98f5498631e02
SHA256 d155a02a23fad65811210b7e8e7ec6088940713cd96c07fef647cd32f08b43e4
SHA512 1a3b5483776bcda1df80f539418707ee1339dd31cd5a36a4c3f860d4bf08b207467e112a5611102239e75bf979e6f0e2e6a9f0176da5ebec8524d30c8e44e716

C:\Users\Admin\AppData\Local\Temp\oOwIYcww.bat

MD5 ee51d303d77c37e6f057d3f33f721a91
SHA1 dce9426c1ebb3a024cb7e3181fd44f6fb489d68d
SHA256 e1be27fcaaa094ffa70900e249119d8db09b61cb68ce39803842825760862ba1
SHA512 9470f2847b7b7b749ef38323f247e6437cc5b9877230826e35a76178e5fcc6eeb7f98bb33e612a057e4a6cf2a1915c801a9694999ea1477089b8f18961e43c78

C:\Users\Admin\AppData\Local\Temp\kEQQ.exe

MD5 e3aa5777358d7a22ec02aea29fc2d8c5
SHA1 4ac0db6efc29bd29b130016a6e61bd68e744e67f
SHA256 28ff0a68b44252339ecaf854594693b3ee108dc6aa470a0dbd703e86f79f01e0
SHA512 8b443bc011fb1b1cb840c4325cf219fdb5becaf60a0e7eb4e02a267c096f97087b168efc3114fc8c382a6a3514cc6deae5c267de1b068a4ae744baff5a3ce70d

C:\Users\Admin\AppData\Local\Temp\yUEk.exe

MD5 f7814318f49e0202c159317e6a2e44fa
SHA1 f6c0eb15d8a8d995d68a9a631e8ea0ce6178be65
SHA256 fac99589b7c41e5ddac3b53b13df08b9e086032085e280ebd9a72b9d90566625
SHA512 1404a2e1497e4f5242c4a3345c884ea94958c7d2e83284ce60af4cee7fd7492d22276b5105683d25c2e55b884465f9c934af32a321be799919900ecd1aaa6fec

C:\Users\Admin\AppData\Local\Temp\SUsc.exe

MD5 79074bbce8c73162fd571b26a4d790c9
SHA1 4ae282b7e6313edab9d52d558f8e8586a89f1294
SHA256 02b163b14c818c080c7892a9526d274029b01d7131ef491f62775c07e15ab49d
SHA512 70204f3a8f922ce2e94e912e9d9c1ab15aae379b39e8cfadf2d6d4ca59d29e54ab361c6647ffdd4c9450e02fee11181c5a2320453f4ab1778f632761570ad29a

C:\Users\Admin\AppData\Local\Temp\iKsMwIws.bat

MD5 6704dccb5292552f42a13911a94d4220
SHA1 8908036ba962912522d6347b541e3c0e16a288f7
SHA256 39f8a19af2810f11339a9c615b6482e226d1bd37e2ddb69802cea4efdc6ec535
SHA512 1af7a6ce80e10c8345e2598fbaf8ac0594d3e6784221771eea6f9d74322ecc5bc986c4b68448156b6db21691c015058f7533359011e8579e9de6dd074edc924e

C:\Users\Admin\AppData\Local\Temp\KAUG.exe

MD5 6125ead6a20a4cc83fa7cf46a9c00f79
SHA1 c1fcfe3a1d769d8ae80adfc71cf0936923bfeb47
SHA256 43c7e6d2c561992d56d3f29cded148e2925aa4339405db2ee98ff6c2f7944c34
SHA512 233a955cac1c6bff8c77be66a9df08784705a795c51bf3b807b44beb459a5158de45a206252b5a3cb369da626a0a99d937a659b8d776f86ff0d4646358b168ef

C:\Users\Admin\AppData\Local\Temp\SAQo.exe

MD5 a0e44fde936c9cf8cc309108ffe110d2
SHA1 68d186d0c881554a370023bf85e8bf63859c6546
SHA256 635d501e58612199a554c72f95b8addd2312ddfba3e98bc1fe5b156843c9f68e
SHA512 da83eaa6173afebcc4518f3d76e362d887aa501d89436b7cfa36ce1ff23737f8aa8bfa7f89a90689f4f232e0cbc7d223e5507a37c025b280b9ab61e868861c0d

C:\Users\Admin\AppData\Local\Temp\KsgC.exe

MD5 3be4ab4e25d671786742968027618aac
SHA1 04db9a3bcd644332a482b442ca6b86594c5b28d9
SHA256 40618d13d8f629e4b55c90409912a79d97c0622ff9bfb6d459e871eaf7eab654
SHA512 bf1ce7c4233168a8cc5c89c6815ed6737294314a1599182d914ad436099c03db06ea388221df6b566597bad0990111eb08ee163f7f343597cf22795f6107a37a

C:\Users\Admin\AppData\Local\Temp\xsIIIEos.bat

MD5 cabc3dc118d7e2b2594c2b7e5a9d2ead
SHA1 be78b401a0cce895be2360ef750994a82525f5fe
SHA256 9b53bfa9c50a36ec3ce0df5b86eb4d61e517e7f422706b589af7955a30801aad
SHA512 42de3919ebbb3e90368cad0a587d5b321f6e01b4bda9db27f27ca271f7f9e889de6568ae651b6cd8c635e691fc36616571e22e67b9a2a13d4502c73481e7437a

C:\Users\Admin\AppData\Local\Temp\ygEq.exe

MD5 fb2f6ad698c50cde5c9551b11786b44d
SHA1 f9feaf9c3e7b1ddf8578df5deb9cf84728c8e618
SHA256 d597424afa92cd849746f1f9626a7539690f52a64b01675099f5421f0e43ddc1
SHA512 90c36f0ac3284b21d59a89e1d6e549e5d287e3555976ec2f8ed6b78578ae24963d49f65a615daa280dc7529265fe2419b325b66926fb69cf46d05ba3c3095e89

C:\Users\Admin\AppData\Local\Temp\aQga.exe

MD5 396c99c19618fc5091fb673c06f87adb
SHA1 c2d36ab4e8e446a181c8f5f99459d8b5a01453ba
SHA256 ac28b5b76f42ed353adab2be9cd830a1adf7e7cd4a0a45d30780c5d6adb6ecf4
SHA512 eaa28c709bd086a22f9edc76849d87025c4f5afbbc8ba62e46f111f2bb60c08c89ef569bc0dcbc4fcb08dafbca74e9b00692bb6c9ebecc17072e5a231f008618

C:\Users\Admin\AppData\Local\Temp\IcMC.exe

MD5 5368412061d1b15540aac1a39842c48a
SHA1 38b183ea41c986686716f1e95df0771042535856
SHA256 1bed8e031ed2399e42ff71f7746bde3542fec96bb9c2ce22b2619cad6681f664
SHA512 28a1c60330b0d01c74b94e824def5a04415df986e146d072b5d7e10b93a738a0d7936d120f64d29355dca279fb3ee1f9ddfd8f3cfe6a6c7135ece669e7f459f3

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 a8cc11218912451abbb53d72fef72bfe
SHA1 1f538c352c871cb61f028381ad3ebd0800829b94
SHA256 1b249538d209d3f3c2e82b21e26f70a9008ae1a9e665c7b994df90157fe030b9
SHA512 9c892a81eccf4a6f75819ef25e636c4d3d0a50e7eaeef194eb606687b357b52c6c24013efc6e4d3b078ebb78e72befa0c11e28c249e8be5d7d1c40b2a9898a23

C:\Users\Admin\AppData\Local\Temp\KIYg.exe

MD5 d9049c42571e0bf43db97fb1b45c1d37
SHA1 38a6033de1e57b0ebbcc52e7533cf97ce6ae9979
SHA256 e1e75bcd69905633c1206741f68ed9ac43288db23e1e59f5eac8dacf3ef7a9be
SHA512 57cb0e9dad9451b91149fc227000901f071ad376f84304d742425f0babe6ed52aa4c8d945629ebad4ab3e15fc40b2a823e0e792ee801e7a30bc810303b44a3f6

C:\Users\Admin\AppData\Local\Temp\zkEckYsk.bat

MD5 edc5cce8d1a402a081184c972aaa29d0
SHA1 9f64aa7ca8d2241d732f28e7979742694a75472e
SHA256 a1cad5ab1eb6cde21da5ef45306360afb9ef19692a20658ee20cfc6113a6f370
SHA512 cf64f7cbb4108961c43118e325c299bb3861d4192d5c2ab99757b8538c997c95b6b8d5613b8b1b3b288f91f67209a410e17c6bb9ae27ed5a298ce414c82461d1

C:\Users\Admin\AppData\Local\Temp\sUES.exe

MD5 0154ff9654df74547d53f13f9914b2ee
SHA1 3977385f731f2a5c2f0df45bed4b20d5e735de58
SHA256 2d3f1d9372379095ae77a51dccbd5ff38075fde57926e9dd42397bf682ff2840
SHA512 fc8729fe55688b4776819d1e4668331ea5d0cad34b36fadbb8adc046de9feda820db44252830c37c858c26b0d4bcdcf1ce2f8e23429094ea634c551ad1319cbf

C:\Users\Admin\AppData\Local\Temp\cwQi.exe

MD5 949a5ead6291a7028761e7c95e99055f
SHA1 3444860b72e548140784f983fcea00c3c9895c41
SHA256 e23c280fb3ed49bc3a9f7828d3a4b092bc00a37c4283a9c51cc31167ecf11fcf
SHA512 6a00549731a11ec3d08032e574b7b45a57fbb34ecd6cc5ddd96aa456457b0473112a4ce894c16c8518433362e970e23bb794f000c8558205e11c3adef7bb5316

C:\Users\Admin\AppData\Local\Temp\gwEO.exe

MD5 3e24bbd1f01bbe41e628a6562801b5f3
SHA1 2ac238486063affea2768764db1b0c3a8810e526
SHA256 91150004f629480966e191eca1131274597246325b14e67de4406669a97e319c
SHA512 a4c222a8a711d8ba8d2adcc83568a0750f403bafa4a67068527d95a59f52832ec39b0f6ca339622de25a91af13aaeb1481fab08e3e641496fd4e248b5663cfe7

C:\Users\Admin\AppData\Local\Temp\JOQYowMI.bat

MD5 2c8b97e70eb9ded41a0bd3c3e681f79b
SHA1 701ec276431a4451c6c1078eb87018c7c8a0a0aa
SHA256 9c904dca3da5133b3db6486178dd6ed05430274c4913df89094372f3b5d164a9
SHA512 5e2d50b4aa368a77e0e7221edcd52c64016fd8e3819056760a036a3ac8a48c219f4e4a812a1c2a851fdda0caebcd78fca2b9235df36b7716269eef3a7132b4e7

C:\Users\Admin\AppData\Local\Temp\ROcAMYkc.bat

MD5 fb32ad101263dd85985d926c5d678f0b
SHA1 31f1651511b80dd9051a1fd40b674a6cc88f67e2
SHA256 f8bda463842ba8f9c58697b98dd125c2aef720a524ee7789b995cc5bfad4d69f
SHA512 b1b1b3680b0ae315be0d754a107b9010e499f09b0f1996c00e49ee4e5a233f7714b20b24bc4b2332088c770d459b0f1bd23a76fd2505b7e1a71ff0c109cdfa72

C:\Users\Admin\AppData\Local\Temp\IIsg.exe

MD5 06d352ff12c2b5f9c8476991b0975c06
SHA1 557440491d95e34339276145983fb43a73f4da44
SHA256 ba07707608f03826754fc2db85832065259be672099dc7ac2fea7051b8649386
SHA512 237f0c82040f3b690fd2d2a941328b6fab1433ace41bd81221502644301c01a15dd56189460d61458025d9cb9676e03a987b92b6340c6cc7c0f2b53c370c1b59

C:\Users\Admin\AppData\Local\Temp\gMEO.exe

MD5 c5b437135699752fe156412ffdc46cd8
SHA1 2796a60dd3f7766d61c7a77a3a1f9f4fea0e8d8f
SHA256 da30ae8a45f7505cf209671eae426bcb134fb630e643b8f73feb7d208f82a21e
SHA512 28f4a27d059c890182b40a62557f3bda13cc6ac924315a37b860f71df387cd6ca49f941f34e4d82ed52cfe3fbde11245dd2aa58545ab36c2fb508f5987f7686f

C:\Users\Admin\AppData\Local\Temp\GgwEUoAc.bat

MD5 964f3ae4d1d28567e20e95ee06ec1946
SHA1 eae69bfd3c93d99e2c145a07333009e310c89c92
SHA256 f97ad91d5e6cb273c004c61ba2ed1a2cb125e8d50d72c5e9ab3801f14f801857
SHA512 3c03cbafe6ee20a58ca097c1d481490708df822c22b0589c1e2f31dc61ee4744dc5c7da370a8aca7f4520baafb7db06fd7e91e65023275e22e760f34788ae1cb

C:\Users\Admin\AppData\Local\Temp\moYU.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\sIUQ.exe

MD5 3df0de4f5d859c43db6be8d50ea0bbea
SHA1 32a82f0e282582571c950d095ee1ed04091883ad
SHA256 2030247faaea4e20dfedf6ac6560ba4195bb28493ede071bd96e7e38bffc9510
SHA512 1978621a872ae9c803cc59e0e448d445767cc5147efa6dbea8f15e1ef78fbac55d0807d37985a85352390762825334d1bc304d2f5833df908fb009a59b1e5b6e

C:\Users\Admin\AppData\Local\Temp\oAwo.exe

MD5 c861db8205f99dcbc83c9912d043a067
SHA1 90a21d4e9868ea59c8f51c041f9e150da71b8798
SHA256 1248b4ca9998e1a876eec7d71ded5b076728afae3ae2145b0669ef727a4e77a6
SHA512 9b26a18b8aabf4e2d2c5d0ede9446315f305c42e562bf9fe3281bb29344eef90f4f2d91d1a53c6f97e9edf17bfb38e260785348beac4466533528b6fbe0c95dc

C:\Users\Admin\AppData\Local\Temp\Wwoq.exe

MD5 635a2c31e41c7aff9d5edc41f03ddf06
SHA1 e95eacbad5237038ac5c90af7f1fbcc254e63855
SHA256 d742b9edde8df85b1f7e5378acc2ff59bde90e7474cc0d89c4a933931a3d14f8
SHA512 9b3e79165f68f5867fd7f8c2f939ea32f5565028ec54457c35a89265bc7dd8e1b517118b0a27b42f6bc134d46aa1eccdfb6e24040f1392f12b68361fff543f56

C:\Users\Admin\AppData\Local\Temp\McgK.exe

MD5 2565955d665167bcd84e168bb11376b1
SHA1 b8b9636d9ae28b29b02954b673f2c5cdc4cfe418
SHA256 ffbf3fdb4e600f265c04b86df5b9f80f86f49ce19ac18709bece1df7c1da59b8
SHA512 3e09b03279fb260ae9c61a087c10415c7206abaa4879ec5f12971af8c198fb07efe1c7d3466f7f029de76dd4fda2a7d9aa9a891a9e6e0684cfc9168dc71ce74a

C:\Users\Admin\AppData\Local\Temp\mAss.exe

MD5 f90234f7fca90e5b085c58662476e527
SHA1 546e7c917bd2d9effa4d14570c155ebe41b47ec6
SHA256 22c559065cc6319119fa38bc93ab1c92c8dc9f48c318b53c51051664485b4c59
SHA512 9d6cc3064378bfc5856760c7c9464511b3244d41a95b193b69493a845b289ef8daa85254ec44c30267e62f43d8ee3495dd88c837a990835db07472315d8b64b5

C:\Users\Admin\AppData\Local\Temp\YkIa.exe

MD5 034aee02cfb3e62410aa5db2e2663cee
SHA1 97a35aa866ec3620e3f6352580604940e5e06c2a
SHA256 4ab71de310cc49aaed262fb173db6657926b47fb8158d8ffb994fb165b7f3117
SHA512 edcf5b5385b25bc912e836e6dc70655bc6689e1904794bbd7f6785e194ab6966067874909bab08a02da8a8b075b0f84f07f4af5b322ff3d63f240afd57c06886

C:\Users\Admin\AppData\Local\Temp\oIQQMsos.bat

MD5 798ba47039204dcc552c2ead6f08da19
SHA1 7a5f8d58b285cd1391ca94f4f3d05fac7bf1c589
SHA256 bc1c71d462eff5ddb4a9da709baf8adf12e82cc2b397a2812eb943b0a489a6b4
SHA512 33c939bdcaedcb330e22f105b5f70cf6dfbb312ca77b58a27cb548ed915884110d6d03ac32906d7146d521ef4916deae71927b3c3f3725baa82f9383ef36dc6f

C:\Users\Admin\AppData\Local\Temp\mAky.exe

MD5 397b84d8ba7bd47522b86b7d0bee522d
SHA1 e49104bde0b1f85beb4e53b528bd276788b88ce8
SHA256 3cfa9f23ed23c3f77b2d40ee5d375ec5e5acc12371ae744eb9b0d4d64d665a84
SHA512 9a1759e11b1b36f3d985fac3c6727c37ec7f9dc10152f0c9c6eb9e012bf235ab511833b58f00c170ee0a43abaa0c952b7ab9c5a315596f914eb5e27f6def9a8f

C:\Users\Admin\AppData\Local\Temp\EckG.exe

MD5 e7753237c9993cde0b8d7317dc883e94
SHA1 8ed2fbf2ff9de90d57fa224427b0583fb159de5d
SHA256 85d2a102985f207f3b1313d8008b015ae76435d4bacdbf678e3c0dc240b1a600
SHA512 eeed261c21169e9034a935e67248573f475504f127ba3b47306c89d07a995922a7673fa364181b2f74c2efdde4fc4aeb3c187e4490dd1fe2c6ce53ab4f29ac4b

C:\Users\Admin\AppData\Local\Temp\MQwQ.exe

MD5 0c71320dd2523d1d9ee8fbe463e6b953
SHA1 c6ea8c44d891e7adce9170f88f743b56b50634c7
SHA256 0b28411cfab59bffa8adb834a7a63f2439988f964bac2a3eedbf8cba2e978279
SHA512 fd1dfc122625257be0e14201a71f0ba9b92f86bc8354318701470a2e9892b2980e0c5d65b6d0095b42c7f588e8b128ea917a6c939cb08e4a6c05b5eb387efef2

C:\Users\Admin\AppData\Local\Temp\wwAoMAAU.bat

MD5 b16601d8aaecd332f213e58716b13be0
SHA1 48b1e039c86cf067095f4ab7833bcc91b3764d3c
SHA256 bad4a21e9bce38f3b40596882a391eb2bd48cd4816837725433b22d4f34de5a9
SHA512 2ce9fed8bdd20d453074b6571256d989be1e82d783d3b6fceebedb5fbb4f8feb2c8f3ff397f3a126203cfe2c5b2ce94b948c397305a251a4a286763d5c5c7a12

C:\Users\Admin\AppData\Local\Temp\pmwoMUgE.bat

MD5 447f80e8ca7c2edd620a80a39150db09
SHA1 1c0442c7d94ab99833888f5399767b597e39f186
SHA256 67ad86174dc1a51f44e228b86cc1fdf13cc39e397ef3d3aff46f0da1fedb9728
SHA512 70179e478349b840d1c955db6b8f4a132b6905117f653ff5c51c94c970ee1e7ef29c995c61c044fc3e85610001ad7503d3422f921677107bd514b6c3f8342b87

memory/392-2758-0x0000000077730000-0x000000007784F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NaAQcQMw.bat

MD5 643064c7f698f9c823f23454db0af550
SHA1 d69929bef6822f475584cb5043e23077bc0332c9
SHA256 7f78ae43f3c242ba69f7ddbb23b74d864a163f6d41a6da5dd340e6c5aa89fa8d
SHA512 a81475823d89747bec79c5116016451ca615032b59455d49a98d653afbbd61ebc2a8fd194a6af004d8491b008199239eb3612410769b84ac9a4a930a93bbb87d

C:\Users\Admin\AppData\Local\Temp\BsMYQUcU.bat

MD5 69c89a60b5b3fbbc1af411f46d9cd07c
SHA1 5e86cb13cda5bc41d34f202bd5e456f0824c92f4
SHA256 604a1cac91cd13bab3741ec1e03c640e8e3f4f457695e1fa09e7537b979cbbea
SHA512 20f9b236f38ec564b024a1d35ff2d2d166bc6770f968b88f455aa47b25a33d35dadb40ad83f31cb088f0594f01e221387eb8527ec2f3f74ec0fb2d14c911d780

C:\Users\Admin\AppData\Local\Temp\VyEwwgAw.bat

MD5 66294d2beaf0d76b6a172c6438058ff5
SHA1 f483548b3246a0f1bc6c2754d3ba4c4a110ccb4f
SHA256 1020bb70f522c27078bbbaa2ff55811c9caaf2c064ac1e3bdbafef68542ebabc
SHA512 fe098a55367a15a4b470b5523bffba5a3085fc460825776abfd82d0c112e0e7d43b1338ba7e98ec10f04973442d0b6137614c4c280529a5214e0d07ef12b9e2f

C:\Users\Admin\AppData\Local\Temp\cqAkUowk.bat

MD5 a4759daa5f909c3a971fe6b288b907d2
SHA1 6304637e8c52911cab18004265514aa2ca39c7f3
SHA256 a58014eec5c8eb6722547783606e18e6c0a685f311001052d8e0af00be1aa325
SHA512 61646210755d35429b670af4a60732fb48579d9472cb16f5c6100fbcb3dd5d5c0e49d921aa21647514f76de23d4c3bec728c7eb6e8aa5c863b6bcc6a20ac102f

C:\Users\Admin\AppData\Local\Temp\kAwkAMUA.bat

MD5 968683ee1c0320eeb918b6fc82e65f08
SHA1 e9203171f7a24d867fa0760729785a5579ea7809
SHA256 820b29f2379cbf406971516de54ed5d067b9ec2ed0f15918514840586af7d7d9
SHA512 9e7bf13f6d30d34a101203266891bd4984de5998fb0cce82d7ebdfaed0f6d215248c7db9e19384984de1e6d8bd28b817293a96e56012cc17ffdc7b5e3d09cfa6

C:\Users\Admin\AppData\Local\Temp\CuUAkwUE.bat

MD5 66e9a7f0663367c1f273ebd6c0c6eb99
SHA1 cd2e93cba037dbf4c47aed66c1e2abf37535e0e8
SHA256 8009f20b33e07b8ddc150cd7ae7a65d7a96c00ccfaec18867716aa940fe1a662
SHA512 e4feb7fb7989c251384c04d065a34ec9ce9df85c2ae4a29740e1b01a939b87216ab02fcca6a172e4576de186d36a89760167e7a30198313189f1b0fe3ab35a40

C:\Users\Admin\AppData\Local\Temp\saQQEwkM.bat

MD5 3810f659dfaa9dfc08dd6333b9edda0a
SHA1 98da99c862ed7b6ed64b8defdf6efe668ecccec6
SHA256 c0e81a5a4b9cec1545b6300774c05e2b0ca723b33c2b6dd73d53543bf65f62bc
SHA512 ae771ab224f3139f61547e5fb82bd7e6635926936d4d3741cb829dad46a2e5a1aff334620bd34fb0777245e0377a033f644437cf06881d93784227ac5142a6da

C:\Users\Admin\AppData\Local\Temp\kcIEMUEM.bat

MD5 87bba18431f256f11fe514f36a0edc06
SHA1 6987f9b396d5cb3f922351932832179394bb43ab
SHA256 2972dc57da8e5cfd83e23bc60123c131b9be1eb929b761a4b3185bdf9bfbfff6
SHA512 75ee47c27467bda1dd3a5ea0cd3aa62f8a53f6c2578d9ca25cf7b4dd62e2c1702f03f0fcd04d2bcb616aaac44070e8f3baa7bfacc18b5e6dcd8442c29ffd9a03

C:\Users\Admin\AppData\Local\Temp\pIIggUgg.bat

MD5 7218273106a30a55e5e300a8716f0a4a
SHA1 7983b4cd2d342bd5bc391140676bd7b8e227013d
SHA256 5a005777a7d4ff48ee4826be516a05cd3fc66f8b049fcb98272d2792534780ab
SHA512 d1384264f31c361bdcabd11cc3345e9593cef88e02aa3906706483eb37b830a7b4a7fa81f5392d476e43cd8479138ec750111d2d0e4aadfff021396842c66232

C:\Users\Admin\AppData\Local\Temp\haQokoIc.bat

MD5 5e3dcbea5979dcd76d6737c0a8b80998
SHA1 e6b318dcad57776b03d89adf8d2291f278a479d8
SHA256 9fa779c7866b45ef699d3b9b5107e2c9fe8597c3f049ff69a66f65a09e38270f
SHA512 f87f7a92c3ee2c10b2a705ebd60622c48103a61808ffe8d7574473613f903c57e6e59fab880f7f9fb3dea8cec7cab73129d4a9454963001710db617f9592e998

C:\Users\Admin\AppData\Local\Temp\TYYwUwYo.bat

MD5 d2cdcb3af4e7d8043537917a1c121f78
SHA1 50d53b53f4dff38e188ad10d0e7a93834c50eef6
SHA256 4f164416dce35c4073882e3f68ee6e7b5a75e0941a344a7b0753a99b8dca1b3a
SHA512 5672887d533af4ad27b7b97f61fbb2ac7889bf862e7bc52c5dd7cf372c1ec347d93671164bde850301cbead8a6d1f90786762bdeeff7444fdbc3e5d5f18ddff1

C:\Users\Admin\AppData\Local\Temp\NosgcoAU.bat

MD5 cca6f19b9feae2229b3f7af7440463cd
SHA1 c9c3c85a146d9703e88b4dcc7968191d27153a1b
SHA256 631feee0a9d7bb47927e2e9f28a46f79ade372336570942da57b29c14ca439ee
SHA512 6af409bccbecb9eae4f6ea5c706136e7a4eed1ed11bf2e2dbf94e29e1c5ebfad636db43c3ebc913faddddc0f15b1972c81db2ebf3d0747ffc0293dd1e0335e55

C:\Users\Admin\AppData\Local\Temp\UoQwUIco.bat

MD5 67e359286d015aca91db7f9bb5d7e82d
SHA1 54e2758e2eb3bed66279c1d6b37b3fcdc509ffa3
SHA256 c641a3fb199cade79c06b63c74e15b868b6dd6ae368446fe14b28984c8de2d22
SHA512 d2ce23afe46e165ba474e5ec5c0775549e4d7872e89bc173b51b667867e1aeda02ab727dea949db4f0dafdc58392d17577649924e6eeebe77a8b937b2bfdabea

C:\Users\Admin\AppData\Local\Temp\wYAcssIY.bat

MD5 2b5ed558f79b3d1fa6fd80a5c76838dd
SHA1 3debee4202b8d5ba2e49c7b43209f489f125cb81
SHA256 f9b68806d4be1a2354e9cd22c805af588f94097f3e4bad060c3336d7272e6eb5
SHA512 d80c5c7e7f56c0b579f2b3a230a803bf8ba906ac792daf6088207546d85383a4baf72cb1c9c31e7359f919de732b824162bcc7c1e68a28bb7f32a501fa907ff9

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 17:52

Reported

2024-10-16 17:55

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |

(The report lists this entry 12 times.)

UAC bypass

evasion trojan
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |

(The report lists this entry 12 times.)

Renames multiple (82) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\ProgramData\DYgkYsgs\pcIwokAY.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\UiokEMwo\ceAgUQsw.exe N/A
N/A N/A C:\ProgramData\DYgkYsgs\pcIwokAY.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OUIsokIc.exe = "C:\\Users\\Admin\\dAwwIswA\\OUIsokIc.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HOUUMcYs.exe = "C:\\ProgramData\\yCEQYEIg\\HOUUMcYs.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceAgUQsw.exe = "C:\\Users\\Admin\\UiokEMwo\\ceAgUQsw.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pcIwokAY.exe = "C:\\ProgramData\\DYgkYsgs\\pcIwokAY.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pcIwokAY.exe = "C:\\ProgramData\\DYgkYsgs\\pcIwokAY.exe" C:\ProgramData\DYgkYsgs\pcIwokAY.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceAgUQsw.exe = "C:\\Users\\Admin\\UiokEMwo\\ceAgUQsw.exe" C:\Users\Admin\UiokEMwo\ceAgUQsw.exe N/A
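The three reg.exe commands listed under Processes and the "Set value" rows in this and the two preceding signatures are the same writes in two notations: reg.exe hive shorthand (HKCU, HKLM) versus the kernel-style \REGISTRY\USER\<SID> and \REGISTRY\MACHINE paths, with the 32-bit sample redirected to WOW6432Node. The following Python script is an added example, not part of this report or of the sample: it normalises both notations into one canonical key, matches them against a small indicator table covering exactly the settings this sample changes, and flags Run-key entries whose target lives in a user-writable directory. The input lines are copied from this report; the indicator table, the verdict texts and all function names are this example's own.

```python
"""Classify the registry writes this sample makes (added example, not from the report)."""
import re
from dataclasses import dataclass, field

# Constructed input: lines copied from the Signatures and Processes sections of
# this report; the last one is benign noise included to show that it is ignored.
SAMPLE_LINES = [
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HOUUMcYs.exe = "C:\\ProgramData\\yCEQYEIg\\HOUUMcYs.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceAgUQsw.exe = "C:\\Users\\Admin\\UiokEMwo\\ceAgUQsw.exe" C:\Users\Admin\UiokEMwo\ceAgUQsw.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A',
]

@dataclass
class RegWrite:
    key: str          # canonical key, e.g. HKLM\SOFTWARE\...\Policies\System
    value: str
    data: str
    process: str      # writing process when the report names it, else ''
    verdicts: list = field(default_factory=list)

HIVES = {'HKCU': 'HKCU', 'HKEY_CURRENT_USER': 'HKCU',
         'HKLM': 'HKLM', 'HKEY_LOCAL_MACHINE': 'HKLM'}

def canonical_key(path):
    r"""Map reg.exe (HKCU\...) and kernel (\REGISTRY\USER\<SID>\...) paths to one form.

    \REGISTRY\USER\<SID> is the calling user's HKCU; \REGISTRY\MACHINE is HKLM.
    WOW6432Node is dropped: it is the 32-bit view that a SysWOW64 process is
    redirected to, i.e. the same setting seen from a different path.
    """
    parts = path.strip('\\').split('\\')
    if parts[0].upper() == 'REGISTRY':
        if parts[1].upper() == 'MACHINE':
            hive, rest = 'HKLM', parts[2:]
        else:                                   # USER\<SID>\...
            hive, rest = 'HKCU', parts[3:]
    else:
        hive, rest = HIVES.get(parts[0].upper(), parts[0].upper()), parts[1:]
    return hive + '\\' + '\\'.join(p for p in rest if p.upper() != 'WOW6432NODE')

REG_ADD = re.compile(r'^\s*reg(?:\.exe)?\s+add\s+("[^"]+"|\S+)(.*)$', re.I)
# An option's argument never starts with '/', so "/f /v X" parses as f=<none>, v=X;
# this sample places /f first in two commands and last in the third.
REG_OPT = re.compile(r'/(v|t|d|f)\b(?:\s+("[^"]*"|[^/\s]\S*))?', re.I)

def parse_reg_add(cmdline):
    """Parse a 'reg add <key> /v <name> /t <type> /d <data> /f' command line."""
    m = REG_ADD.match(cmdline)
    if not m:
        return None
    opts = {n.lower(): a.strip('"') for n, a in REG_OPT.findall(m.group(2))}
    return RegWrite(canonical_key(m.group(1).strip('"')),
                    opts.get('v', ''), opts.get('d', ''), '')

SET_VALUE = re.compile(r'^Set value \((?:int|str)\) (\S+) = "(.*)" (\S+) N/A$')

def parse_set_value(row):
    """Parse a 'Set value (int|str) <key>\\<name> = "<data>" <process> N/A' report row."""
    m = SET_VALUE.match(row)
    if not m:
        return None
    full, data, process = m.groups()
    key, _, value = full.rpartition('\\')
    return RegWrite(canonical_key(key), value, data.replace('\\\\', '\\'), process)

ADVANCED = r'HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED'
POLICIES = r'HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM'

def classify(w):
    """Attach verdict strings (this example's own wording) to a RegWrite; returns it."""
    key, value, data = w.key.upper(), w.value.upper(), w.data
    if key == ADVANCED and value == 'HIDEFILEEXT' and data == '1':
        w.verdicts.append('Explorer hides known extensions: "x.pdf.exe" is shown as "x.pdf"')
    if key == ADVANCED and value == 'HIDDEN' and data == '2':
        w.verdicts.append('Explorer stops showing hidden files and folders')
    if key == POLICIES and value == 'ENABLELUA' and data == '0':
        # Disables UAC outright; the write needs admin rights and applies after reboot.
        w.verdicts.append('UAC disabled (EnableLUA=0); needs admin, effective after reboot')
    if key.endswith(r'\MICROSOFT\WINDOWS\CURRENTVERSION\RUN'):
        where = 'user-writable path' if re.search(r'\\(PROGRAMDATA|USERS)\\', data.upper()) else 'path'
        w.verdicts.append(f'Run-key persistence from {where}: {data}')
    return w

def triage(lines):
    """Parse every line in either notation and keep the writes that match an indicator."""
    hits = []
    for line in lines:
        w = parse_reg_add(line) or parse_set_value(line)
        if w and classify(w).verdicts:
            hits.append(w)
    return hits

if __name__ == '__main__':
    for w in triage(SAMPLE_LINES):
        print(f'{w.key}\\{w.value} = {w.data!r}  [{w.process or "reg add"}]')
        for v in w.verdicts:
            print('   ->', v)
```

Run as a script it prints the six matching writes from this report; imported, triage() accepts command lines straight from a process-creation log. Because WOW6432Node and the user SID are stripped during canonicalisation, the same indicator table matches a 32-bit or 64-bit writer and any user account.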

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\DYgkYsgs\pcIwokAY.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\DYgkYsgs\pcIwokAY.exe N/A

The dropped file is a new executable named shell32.dll.exe, not a modification of the genuine C:\Windows\SysWOW64\shell32.dll; with HideFileExt = 1 set by the same sample, Explorer displays it as shell32.dll. Creating a file under SysWOW64 requires administrative rights.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, 64 entries with Target N/A, by process:
27 x C:\Windows\SysWOW64\reg.exe
16 x C:\Windows\SysWOW64\cmd.exe
9 x C:\Windows\SysWOW64\cscript.exe
8 x C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe
1 x C:\Users\Admin\dAwwIswA\OUIsokIc.exe
1 x C:\Users\Admin\UiokEMwo\ceAgUQsw.exe
1 x C:\ProgramData\DYgkYsgs\pcIwokAY.exe
1 x C:\ProgramData\yCEQYEIg\HOUUMcYs.exe

reg.exe, cmd.exe and cscript.exe open this key in normal operation, so on its own the indicator is weak; the entries worth noting are those from the sample itself and from its four dropped executables.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A (44 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\DYgkYsgs\pcIwokAY.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\DYgkYsgs\pcIwokAY.exe N/A (64 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Users\Admin\UiokEMwo\ceAgUQsw.exe (3 entries)
PID 2368 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\ProgramData\DYgkYsgs\pcIwokAY.exe (3 entries)
PID 2368 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe (3 entries)
PID 2348 wrote to memory of 3192 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe (3 entries)
PID 2368 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe (3 entries)
PID 2368 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe (3 entries)
PID 2368 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe (3 entries)
PID 2368 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe (3 entries)
PID 3192 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe (3 entries)
PID 4672 wrote to memory of 1868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe (3 entries)
PID 3192 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe (3 entries)
PID 3192 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe (3 entries)
PID 3192 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe (3 entries)
PID 3192 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe (3 entries)
PID 1752 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe (3 entries)
PID 3708 wrote to memory of 468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe (3 entries)
PID 2316 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe (3 entries)
PID 4696 wrote to memory of 4976 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe (3 entries)
PID 2316 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe (3 entries)
PID 2316 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe (3 entries)
PID 2316 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe (3 entries)
PID 2316 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe (1 entry; the list ends here)

Every other parent/child pair appears three times, so the single entry for 2316 -> 4112 indicates that the list is cut off at 64 rows, not that the write pattern differs for that child.
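The rows above describe a parent writing into each child it has just created: three writes to every newly started child is the pattern a parent produces when it creates a process, so on their own these rows record the process tree and are not evidence of injection. Read in order they show the sample relaunching itself through cmd.exe /c with its own path minus the .exe extension (cmd.exe resolves the extension from PATHEXT; the exact command lines are listed under Processes), each copy in turn starting three reg.exe writes, a dropped batch file and a cscript run of file.vbs. The following Python script is an added example, not part of this report or the sample: it parses rows in the report's format, drops the triplicate entries, rebuilds the tree, and extracts the relaunch chain and the per-generation spawn profile. The PIDs and image paths are those from the table; the function names are this example's own.

```python
"""Rebuild the process tree from WriteProcessMemory rows (added example, not from the report)."""
import re
from collections import defaultdict

SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe'
CMD, REG, CSCRIPT = (r'C:\Windows\SysWOW64\cmd.exe', r'C:\Windows\SysWOW64\reg.exe',
                     r'C:\Windows\SysWOW64\cscript.exe')
DROP1, DROP2 = r'C:\Users\Admin\UiokEMwo\ceAgUQsw.exe', r'C:\ProgramData\DYgkYsgs\pcIwokAY.exe'

# Constructed input in the report's own row format: (parent, child, parent image,
# child image) for every distinct pair in the table above.
ROWS = [f'PID {p} wrote to memory of {c} N/A {pi} {ci}' for p, c, pi, ci in [
    (2368, 2856, SAMPLE, DROP1), (2368, 4832, SAMPLE, DROP2),
    (2368, 2348, SAMPLE, CMD),   (2348, 3192, CMD, SAMPLE),
    (2368, 2624, SAMPLE, REG),   (2368, 4996, SAMPLE, REG), (2368, 2236, SAMPLE, REG),
    (2368, 4672, SAMPLE, CMD),   (3192, 1752, SAMPLE, CMD), (4672, 1868, CMD, CSCRIPT),
    (3192, 4280, SAMPLE, REG),   (3192, 4756, SAMPLE, REG), (3192, 4760, SAMPLE, REG),
    (3192, 3708, SAMPLE, CMD),   (1752, 2316, CMD, SAMPLE), (3708, 468, CMD, CSCRIPT),
    (2316, 4696, SAMPLE, CMD),   (4696, 4976, CMD, SAMPLE),
    (2316, 1064, SAMPLE, REG),   (2316, 4732, SAMPLE, REG), (2316, 2280, SAMPLE, REG),
    (2316, 4112, SAMPLE, CMD),
]]
# The report lists each pair three times; reproduce that so the dedup path is exercised.
ROWS = [r for r in ROWS for _ in range(3)]

ROW = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$')

def build_tree(rows):
    """Return (children, image): parent -> child PIDs in first-seen order, PID -> image path."""
    children, image, seen = defaultdict(list), {}, set()
    for row in rows:
        m = ROW.match(row)
        if not m:
            continue
        parent, child, parent_img, child_img = m.groups()
        parent, child = int(parent), int(child)
        image.setdefault(parent, parent_img)
        image[child] = child_img
        if (parent, child) not in seen:          # collapse the triplicate rows
            seen.add((parent, child))
            children[parent].append(child)
    return children, image

def roots(children):
    """PIDs that appear as a parent but never as a child."""
    all_children = {c for cs in children.values() for c in cs}
    return [p for p in children if p not in all_children]

def basename(path):
    return path.rsplit('\\', 1)[-1]

def render(children, image, pid, depth=0):
    """Indented one-line-per-process view of the subtree under pid."""
    lines = [f'{"  " * depth}{pid}  {basename(image[pid])}']
    for c in children.get(pid, []):
        lines += render(children, image, c, depth + 1)
    return lines

def relaunch_chain(children, image, root):
    """Follow sample -> cmd.exe -> new copy of the sample, one generation at a time."""
    chain, pid = [root], root
    while True:
        copies = [g for c in children.get(pid, []) if basename(image[c]).lower() == 'cmd.exe'
                  for g in children.get(c, []) if image[g] == image[root]]
        if not copies:
            return chain
        pid = copies[0]
        chain.append(pid)

def spawn_profile(children, image, pid):
    """Direct children of one process counted by image basename, e.g. {'reg.exe': 3, 'cmd.exe': 2}."""
    prof = defaultdict(int)
    for c in children.get(pid, []):
        prof[basename(image[c])] += 1
    return dict(prof)

if __name__ == '__main__':
    children, image = build_tree(ROWS)
    print('\n'.join(render(children, image, roots(children)[0])))
    for pid in relaunch_chain(children, image, 2368):
        print(pid, spawn_profile(children, image, pid))
```

On this report the chain is 2368 -> 3192 -> 2316 -> 4976 and every generation after the first spawns exactly three reg.exe and two cmd.exe children; the first generation additionally starts the two dropped executables. The same functions work on parent/child PID pairs from Sysmon event 1 or any EDR process log once they are rendered in the same row format.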

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe"

C:\Users\Admin\UiokEMwo\ceAgUQsw.exe

"C:\Users\Admin\UiokEMwo\ceAgUQsw.exe"

C:\ProgramData\DYgkYsgs\pcIwokAY.exe

"C:\ProgramData\DYgkYsgs\pcIwokAY.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sicMowgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SsMcswEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYsQccAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmYwYMAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JiIUUYsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jokscIkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkIIcEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSYQkIIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\dAwwIswA\OUIsokIc.exe

"C:\Users\Admin\dAwwIswA\OUIsokIc.exe"

C:\ProgramData\yCEQYEIg\HOUUMcYs.exe

"C:\ProgramData\yCEQYEIg\HOUUMcYs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2624 -ip 2624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4432 -ip 4432

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEQMwIsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 224

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 224

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEIkwEcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqckkIkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYMgIYAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network


Files


C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-150.png.exe

MD5 6841cd15a38299952db091f8b650cb1a
SHA1 e809ded7404c3e93923905759533cd482af22d33
SHA256 a3450ce33f1dc891465b7e584ba24a217871c3f9f9dae0e054bb27483e491999
SHA512 bedf03b42612a140bd7018db913ec67640757a9edd96dc415c47be7a54379677aab89fcc2b325190026b213287042aa1b482a13441c54036a4b15d88acf91c60

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-200.png.exe

MD5 abad72d975f829b9de8132af2352e84b
SHA1 2954c1a43d215b837b1aa822bbc6985c8d1ee66b
SHA256 ff0407c5fca1ab168a4eee21e90c8a57072c2365dd5a75e5bba8c05b96b81b83
SHA512 736ddce9da5dfd837baf6326824a4a0db39d7a970bcf9420d37f3e9cbacdd7e2a2ffd14dc582b3c6be66df6365513b032f7ea26347f0fd187374c5b63f92ae60

C:\Users\Admin\AppData\Local\Temp\QQMg.exe

MD5 3bc3d21d1cb5a15c9f53aeeda8d591b8
SHA1 bc4da58f0711d56cac3c95a191618d000a737d08
SHA256 3caf403de892ce70ffd2ed8d7454077330df98ab6f6cb5cc8ea8a3f1666ba8c5
SHA512 d18e47dbab466cbfeeb2a31e7a8dd181a1a49baa4c466c3f70cda25cf2916d111ddc98778ac13ebac734783591465ada83800b737c6640449d386f0005d8fc7f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe

MD5 afe5351d4f342d1bf8089704134499e0
SHA1 31c806b7021525c1883d6220d6e8ece04419ceb1
SHA256 a237efff99fa2a71edcac6432385318f383f7d60d92a0147d354375e1419a834
SHA512 81565099016ab055bbab0770ca5cb908db820b19039a02db3fd95533e7cdc36b0f6d236157821d30a24e0f8650245676ddcf3dda8b2159c885c147a15e115764

C:\Users\Admin\AppData\Local\Temp\SQos.exe

MD5 2b54fb4060c8164c317a0b47acc725f2
SHA1 465f38bbe2f32d332d9262397e204cbf37cedc59
SHA256 be8e7a1b1533dc1d5f9893a1e82bc8f652c9fe94ff2880eca356f8724e79e3cf
SHA512 3926be847498230fe066d29f613108b5b7ed1f73ec1e9980501aa0e205f24eed788461dbffaca790668f880f590daee4a1d1601a7eb63ca5fc8cad265cb2f47d

C:\Users\Admin\AppData\Local\Temp\ogoi.exe

MD5 c925a2f86090d0203077c31c2bfb3d0c
SHA1 4f0f51365697a84aae95a2072ef28ae159c3c1e6
SHA256 cc01b7be574140a016abe881912402049b96a4a0190cde6a3a241af2288d2e86
SHA512 b5ef8f55443b1e9a92cc5bee80dc437165cc250ef9afad29c452f007c77321bff18b245ee90683f111b3590249a0b21d38e63d04d8fd81c5b77c8bfcf3e2f726

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png.exe

MD5 85f362bf251596d045159eed52d8210b
SHA1 8447aa99f7424694bcb21d6e8a7eec95354310b6
SHA256 4d93b7a78a24480b32bcaa919674762b5719f73452dc25ebf1349f35ee6c33ca
SHA512 bbba5f393cb95f818c4d5c9965a727f7585a35a0a6d7d8f0f1e5debb5724f53bb460a705fc8b15a5a07fcd1c9cb417cdbc360dea7ed12999618b8be3aa2e3662

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

MD5 fb873eff9ee56150717fa047881646ab
SHA1 4223dd5de7143c855b9c0503f9425f5b8b956a84
SHA256 27567fc9ff25c6d7697dd5a6eecbe3446e4f1466a5202d99351b773437de4af4
SHA512 982d60ec32be97e2b0336f7adbe101bd8b7ec3c3df0051f3b544ec8cbe661015ef2aa1997f8836174ca06135fc4ccfd7abcec1cddd08e258ed0dd1b59a672f51

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png.exe

MD5 9330c6e63857f0c7a3356e572201d3f8
SHA1 4a7c132c09c702bc963b3a52f47bd3613e435941
SHA256 49a2979c7c4e7aba41eaef24e33b82fdfb003a0b6c2d78913ef7d2a4eddd0351
SHA512 3c4e947a815acb2bd3f803dcd534596dc9915b4ded4bb14b56a18f97b6036eb7ff9870d6a0e0c5a024b4595eba5ba320d808ae45a86900db9f8caa95a74e9a0d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png.exe

MD5 6d146a36ac424aa31a8e5a3536357c06
SHA1 692934b38ba879c9c658f668667cdec03a682033
SHA256 7c117ca1d682f929557fec38a4c4b447a2c00ef1237edf4b5a134d833a2d9a8f
SHA512 5d2f6a13db477d9bc66e3f9843155bf989bf7e06643c30ffae683857968f0d2bf36b88a128ffa87c1d92d09b6d13f60a96f6b918c60415b4204c9f9920d7e32e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png.exe

MD5 484accf6d304a491a13f134d1eacd955
SHA1 b675a376f3acb4e7aa9da88562350ae167c41899
SHA256 7b772297dc45e0ea31b079e5f2e37dde07f81d3c675d3f646f1bf9f23505b322
SHA512 441274f348ce31e79de39dc866b13739027fe0cdb3f90bf47cf483e7ebc10408aa0df2ff3aff8d7089130701c4861fda83f677d2e4225187282493f2cd2efb5a

C:\Users\Admin\AppData\Local\Temp\gIAU.exe

MD5 16954972795d03a5a2a2164ea39980e9
SHA1 4a3db7f595043f9074f6ebe253663a3ecb26b39f
SHA256 f46877ef65af3559a050c8ec77b8fc263d780970ac062c97b5f1e4cc484f3770
SHA512 e2a5ac9079441be6933a97958520effde21ff3069012cafbdcc528083c66cf07ccbeacbf9ec64ebc7fee848a470c697d7257c87b678bbbd0801975e1d5ddc196

C:\Users\Admin\AppData\Local\Temp\gQIm.exe

MD5 e2e478a8f9d6030bfa6a7766fdeba713
SHA1 dba6a12b9a3302520eeb2950296451fb24421157
SHA256 c4bcc5fc04e97011c2b81db2da7e52cdca3621ff0c9bf8dbef1f087a1793dad5
SHA512 23a39e8a07d531d72131e7c5c4ac75907aecd21cab9a9b8a04a01cfa0264915c7ab3f91652fa46f5f49d0f044cd3e86a6fecd30c1d5b20449611ad5df6a9cc26

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png.exe

MD5 00bf0a318bf1f56314c178fc32c98efa
SHA1 ed53634a26978aa67447b9cd05112b9b2fa5ae76
SHA256 f8472b8eb60860b7fd08d896814284f3f3b3baa89ff6e5ad134593580d5c33d1
SHA512 9d7b845c763169d0574d2b0f59905c7ff5b16afbac665a2b284a45487e364a1386f3bbd3140f276e18a2a9dd5b7cd7c791e88395826096b4e30735bc3ff6e8fa

C:\Users\Admin\AppData\Local\Temp\sIAI.exe

MD5 347fc4fcaed938d9f7376d5317fcf73f
SHA1 ae2a3ff82039c061f8c66e0747f69cbe753e3369
SHA256 f365a68da4b851be7467c2ef8f9409a9b8192f955b1109639ca913fa17ec1084
SHA512 50aece360b71a0c0d8ee1039c1a0f827a5695caf36f3fcbe73390b29a0462d552d4809fd2afca415b1e3735b968a0fc636fa2956d7a633b438cf364bfe030c17

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe

MD5 e192fdcc7dbbab94fdeebfe4bc0c7d82
SHA1 1b45d9d6574fc8d0da6708209b26443adae15467
SHA256 b53505085161d9700b280d11245705866642590fd333b2480ad805d968b2488b
SHA512 772dfa1700d57e09f04d453ace029eaf71bf8dc2852b7d3a5f4051a203fdb918f19c4dc1f0a437d4af8316408157e1acbef469d475dbfb0d6e33729ef39e917c

C:\Users\Admin\AppData\Local\Temp\QEow.exe

MD5 764fbf063186ec7ec301d01a85589c05
SHA1 3f9c578bce919b145581100eb0386ad17e99d8e9
SHA256 8c0edfc991719a7bebad17033f0158856e2da438c89831ca5311bf902337b62c
SHA512 f8360a3de4e0e0b22bb85ba278f8f1b1dd38cf4aa5f103633e525df5c693b52fe411983021afb01422181b65df738001c0809759473bee73900e9330c4f0b343

C:\Users\Admin\AppData\Local\Temp\ugUs.exe

MD5 aa5f7a06bcfcf67f6d1a89fee153d9a7
SHA1 7b5d8863479e08c46577af1433986b211651348f
SHA256 1bd99a1397e4dd3c943a9d6aa2161b212f3faf37398951e0c64e3ce04080ded8
SHA512 d16972db6e52594dfd2f45f0af1d020b59b35c0da428d280b822f780b2503904f8275b58f5698faa0724333f983b38830b363c91b2b5513cd97c4ac2826fbfe8

C:\Users\Admin\AppData\Local\Temp\CcoU.exe

MD5 86281649db25d8680e89ee0d5cebc914
SHA1 eb5e4e78d17d1fcff397d5a31ff8de0ed3de878e
SHA256 1508ecc6ba530e50a4435a117f64f3f4f1f060f31418a1eb59ed63f4c0395e5a
SHA512 65c4a5bf420a3ba1a58c522b8bf8958f6c81916f5599c7e8844ac209d1881848f4f95952ac1d64d61b5b9a92002dd1f40b494f907b7884d47c2df6334c418a8e

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

MD5 7361c6fbf99e02672e0e8485896750ab
SHA1 a7fd898f27569ddbfff8f409a1c6f9dba49ceae8
SHA256 f4d8c587560c18d0cb32ed521d3b1b987d20a8cc03b6bc54ae6c2c1d203e49e2
SHA512 6d4d0a6c9fb4168a85aaf2f94ba70184904e6aa73cdac58da1c7f8d1ec9e12be0b76580708454c853848d1d0c90c4e950d0cf06301798bda7d09767ea9b50226

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

MD5 af88a97ca7446c056693b7f2330241a4
SHA1 edf8b0d3ecfb973c5565ccd18cafa0f8b36a87dc
SHA256 2140b4f7a758710be07fb6cc9cbf3d745f94ccabd2f6d7fdc2f6a3d0e449b6a8
SHA512 07e6979ff320cc7c4ef1029b702ec79dca10d60261160b4321de2c35d71ea641919cec57da1e64c6535486290417e0220d1b5a097198630ee1137138712bc4d4

C:\Users\Admin\AppData\Local\Temp\gUgM.exe

MD5 7b6463b43049274bfdf44d985bcc2e86
SHA1 00d64b8b6fde8a6dbe985ca56a43af7dddf87640
SHA256 4621ac6e10ecba5d7ac6a95fbcb6f89c0cc4926e06d10c30a53386aa01816b64
SHA512 91d1e61e1f05f68490a601e25ea4b5d42c06da287b9b72ef143386cc3d5b9072c6a8e0c4b71ce37d335f96eb05c70d0544ea187a7cc2d3fa3f1ef23f8f54445b

C:\Users\Admin\AppData\Local\Temp\YIsK.exe

MD5 0c8e59331e0cc0ea03701664f242cc2c
SHA1 0b152fcb7c541d590de3bfd77dcd4d02c041cd8c
SHA256 c388cb583b46839f05b0ac4643cf14ec773abdf385025b0402390aa2d6053442
SHA512 271a1ff10ce94c5debed9c04d377b27ca22af9be7efba3ae3d09e790d5d75b011853c353a6913619f566d4c3f7a959ababbfa51edcc6958f0a80a24ef897bfa7

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

MD5 c517f6617d927d42d1ba86e261f39677
SHA1 6ad66d6bd5e0414b6107d56705d96a70fd325e5c
SHA256 0e8a02e5505c99bce361b9f78c650d1f6df25a736e63b46ca95f5439788d3a69
SHA512 725960db8326359ad7e7c0f5b4389ea1d304a94ecbb07b33baf54079dcd4d1d9370bcbad43a2d9bcea2a7767b8e39d0e8e125a29440aef82d519e64b3be44559

C:\Users\Admin\AppData\Local\Temp\mgUA.exe

MD5 5d54da662092a9ea52981b1291b9bf32
SHA1 e382b595819e235cf33401a043691b4183cf5ef4
SHA256 d5222d9fce41d8f57737bfb1ab3daa7d5063a2128d14f7de4fdcf6f5cf06cd69
SHA512 0f925ecbff5a961aae51bc7fb1cfb85ab38d523a90991749b4d09fc2ad653299e7fec24d9435339d4e990d2b01a9a653082e6294689beb28e53ffe3b8f7638b5

C:\Users\Admin\AppData\Local\Temp\uIQO.exe

MD5 5375572622b087bd3ccf8de686e903ea
SHA1 b6ba75c9efbe0ad9f96ce9f93a44e563999eaf11
SHA256 7d7c218f00af372238322326f0c2881ba9ebe21265831944f70c8a25a4c0da88
SHA512 eadbbc2c5c2ea2c1c7a3e22c31da2f6ca0031406cdc832edbee280ddea097909359a0d1b78f8c1eb5220fb21251bbbfde0020038d551bb524a08dbe8b463ee5c

C:\Users\Admin\AppData\Local\Temp\MkIk.exe

MD5 b8f1dedd021f31442e76501f586c0537
SHA1 f7bd8c62d871008bedcbbc82ed284f5594151181
SHA256 c923d311ff3f376b9155dabf0088a7aa5cf81ee149300e02bd059f345a57f7b8
SHA512 01b0fc2afb1701fba5cb574ea8bb8bbe50149ef110d5393df6385a8202cdca5ddde2876cbbbc67bfebefa27e99b6f35cfc3d41ba50d529f77103436000127039

C:\Users\Admin\AppData\Local\Temp\OsMk.exe

MD5 f7a79ce6eba832442133348b6860ecd5
SHA1 9d54a769005129f035a362b18dfa4162d4a8a35b
SHA256 569b31157e511c7fff87edb8e7b39bac3b6dd0eba70ec316b7a2431d1f8868cb
SHA512 5e8eccd2d79cf239f66914562928989812749a1742edf42a405e0145334af447fa62f8d89e64259d07e625b0a8bf4a71aa9157f4e5dc11b65c5d0ecbc8de1b11

C:\Windows\SysWOW64\shell32.dll.exe

MD5 501ba7e0ac9eccd1e8fdd3802384ed77
SHA1 e1684b1d0956b3ae05b80d3c7daf429f7f5b1af5
SHA256 9d0bffed87603d821bf703ab03b547f8123b1e8013fef165f2b4c72e8414edb6
SHA512 e829f2f3025db16115b84825f01f711e4a23762b578a21208ab6ef6078c741a2da534ca3ced978e0f4ce6f60be68edc71aad910bb44d1de1b18b4cc276d4b0a0

C:\Users\Admin\Documents\ApproveSet.pdf.exe

MD5 e0c6b39e837b0b7f9c9f56c310e0355a
SHA1 4e815bd61d0bb079cc9c1a8f94717c9003d8465c
SHA256 dda7c972e22a0e7aaa67a0ad0b1c949f3a285f255c493816746caef14e63da75
SHA512 32bd6cfc9d130b8e5da958b6aec00797699bb972f43a960deed2c8a514c1d82cbe90d0288212b043275c664310c20061c9493a4478e1bcbbba1353e4e1eb57df

C:\Users\Admin\Documents\StopClear.xls.exe

MD5 082a6ac9c33a7d7056691eaa2942ade0
SHA1 f02d5f90a13691756118a42e1391c8aa980593e9
SHA256 df447ef89eb7e68238c05c22ed40e41d758457589b621f37e45dc439d1259760
SHA512 2c8029796a0f9312bb968a0cbd716ae47b830e14e7c6a7705a4ccf514909274a7593f1b18dbbecf858a6b094958692e111775d5c8c861a033c6e86d43706f89a

C:\Users\Admin\Downloads\WatchBackup.ppt.exe

MD5 3af53bed9aabc162739952474c5683eb
SHA1 c9d62d046202316f0e6e00b135eb724fbb3eb15e
SHA256 444f9a0dbe0be3e1d27326e9da8f9fbb77a0da35d393d5ac37b0c7e004443b6e
SHA512 dc517c824ba097e49f0dd8b8e69b0e3f69a8cdf01047a33fb89490edab016d6b9a150183792df4b45efa354a2ec4480e529382426147dfec3277e26a96805bf9

C:\Users\Admin\AppData\Local\Temp\IcgY.exe

MD5 2e488fc33c5af257432ad4911f4b046f
SHA1 19f7a2ba83815aa4fa87aedbe70b7935a9ba4ec9
SHA256 9fcda00cc3e1a587990aad0d10e8d79848f2ecc3abff6e1321543e498e8665c0
SHA512 38fd5d0c08e670a3da8192d08ac2f4dd60cfe61d6c90e9ed201bc114fe45d643aa1d7646a2613d83ee232fac68e5be5ac9f2df29fe5ca6d464faebfa42f8b099

C:\Users\Admin\AppData\Local\Temp\oEEI.exe

MD5 783bb64b2b366f09cab833f71141b03a
SHA1 8d4c7a1fa893d7ec350f6f1ab8d94ffca6dc23cb
SHA256 9137ca24a69f634de115aa067ac37d0c85eea77c006895ab480fd19129bb544d
SHA512 9f2a3dc671760a3417a0bccc85f9359fefa7b5e3f8bc2e7b6e2778862de5f0012e842643d6428fe225a43a567869990f5b7d4acd53ccef55c0bb7513eeaa518f

C:\Users\Admin\AppData\Local\Temp\OwMO.exe

MD5 1b0ead05a2da45007d68130762dc23ee
SHA1 aaeccd005db83836b2b55600afab68fc4fa7f898
SHA256 d5443321efec3cd0eab8aee507b354fa457a22d3476976ce9b7c01d8a2d01652
SHA512 e0e9973963372f16209a3643f414026cb9bc43cf0a3d9e222e2d8bce38140ba7cbc0e7b63d71748f83caa98516386e0ba13caa0b8546576bd482c2ccb61fca36

C:\Users\Admin\AppData\Local\Temp\SwUS.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\kksU.exe

MD5 74fedb84132f295eb8bbfa06fd64d4cf
SHA1 8984bff111e645cdf80b55dc5b8f28c73ec40ce5
SHA256 ce1899b3da18e18f8f065d6357e6b2e28d81c4511e5888475e9acf766c0a525c
SHA512 e7071425797185db062d44c940483c89f5a9027a6ddb21d2f85a698f8c7c81ac3dad808831a573b2d65732517ccdcae3605275c3a58c7b5135fb8990046b292b

C:\Users\Admin\Pictures\CompareRedo.bmp.exe

MD5 17fda39a5fde59e0f4448313d39dbd9f
SHA1 002418baae1b941ec31e32921d43b1a44b182717
SHA256 c89cc4362f0a681a125625252f6c7adba5825aaaa9507e6daa273e02f085af7b
SHA512 6ef404284857c8f4b0f95440d3f4b5def6bd0d33f1df1aa10091965e04aa5458762e6d2d0c5c33490d07ef35298f17963cabce16f05db8d1b30c8a7788f1b9eb

C:\Users\Admin\AppData\Local\Temp\ocQu.exe

MD5 eff45d1db808ef18f06cad4e6d1ffa72
SHA1 ad91f8abe42a3ff3f52b55bdccd24be860a64354
SHA256 9796b82c856a4203b958ac3f36384d374abde2ecd95d33971046acb4b5490676
SHA512 a5eeb73bce7a8313b1901f8ca9a0cfd340e733b9cdace99bbc8603772af74cb7fd4f4775337b595210272a5a6552f2fa892b916998ba06e208d606489b9b4d47

C:\Users\Admin\AppData\Local\Temp\agAs.exe

MD5 9a068b19acaa9fbc01c0d62cab0e3abd
SHA1 cc2972265ce663a4b545d535531961562a42a4b0
SHA256 ea9938bdb8505de33284129d86ed2770efb87937d2a1c130892f340f9f48beb2
SHA512 405e26cbfb469c2d31b3e78c13ba5138afdb82b2711e777c03eec1682e908645417938cdb36ab5ed0e2214db73a16c412c79148fd5664bb1106c2ba0e645bd6f

C:\Users\Admin\AppData\Local\Temp\Osga.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\Gwkg.exe

MD5 5cf39fef905a4a0ea71fbdbcc1dfae27
SHA1 a0bd457ea768e32df1cd3784910cfc31176b27c7
SHA256 56ff131a97ad6343c406123bc64ad91e5a82445266aed830a9479f45f3fd103f
SHA512 7f3b65a5524ee038fd93cbbba83b8a13d8c4579ffe3ea6f9cbe23292c3c350f2589f284b32c4924b3dc7c5240680478344ce88e2b4385e5b8479da5ba3cf4726

C:\Users\Admin\Pictures\PublishInstall.bmp.exe

MD5 f454573fa1a5629136e9ce801ca540e2
SHA1 84b55ebe8dbb61ca16796d65683d3eb8292ccebf
SHA256 8980707daec504170455c16ae6f4463973dc1e0ab941e472bc458b0eae3caeaf
SHA512 f8ed338a61833cc9f4ad20aedbea627492ddfe1dd0dd942e7ad2602c75b80e6cfdbc8b996f6984ccf724e3f905ffd99517ded066b146a2cab9ff6f4c018e16f5

C:\Users\Admin\AppData\Local\Temp\UIwq.exe

MD5 8c0745048d197cdbad9be087ee3f533b
SHA1 a29ecc036bccdbc140a66b2c1c708bcbccc1deab
SHA256 636256821d8cde9a537958366d859ca7e1a22ae6a0c3c7f252695bb4a8e3030e
SHA512 f79b3ef5d5d77b3436a7df5f88cf055995314a66d031a7ac89dc28da570781da9aac777678b565b0ed2c284a3dafa842cda3d5f5ecb0f915937726b107d01cf0

C:\Users\Admin\AppData\Local\Temp\SAMw.exe

MD5 2450718edef10da448064c9530518001
SHA1 8449049de42dbd57e39f8eb40c757a70611b2928
SHA256 a13aff4e6275e64e8975f4430618bf799b2f7774c9128cec05841c15537c09ca
SHA512 0ccc926d064244472b276027b35cb015252586b10395f12f493615ecd2ff3dcd4d87c84bb0957b486c997606009c606708a71bb0bf08789d5dcf695e60b5755f

C:\Users\Admin\Pictures\SyncRestore.gif.exe

MD5 bb3d15ad24f254e1aff627f0dbb19429
SHA1 c574e05e24d6b7672cf0591d081c47d738d33fe1
SHA256 17c69f0fc930ea9b513930880eece61efabe5fbc47b6215531791b93e0c00cf9
SHA512 ec6a87982c0f0894ecca4ced6367bd83397c376f9d330a654722d34a730f7bf27e751488803fc3db090504048f49616bfae3b5deffebb116250ffe1b7855c39d

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 95c6801d00fb673aa6ac3f58d1ff82d7
SHA1 c64698c7be10fb0e2078b558f41647dcb9916c48
SHA256 c43d59c52bfdbe3311d20247c348729f3f4550b61b393bc57162be43753805aa
SHA512 305af4df41ae8c976cac2bceef7aa1f59fa28707df491e92629cb4d2befb24e2c4671f05b6c36b87f8231aec99a9c173f89c6ac4b1558a8179a004babb9d4427

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 579a0edd1c70f60159697037cfd11c77
SHA1 ed15792f8e91f9f700e03b0e9717c68c9cb2b5cf
SHA256 cf4545f08c091907a19aeb0f53e099eefbdc1d6603b18ace6bf688f72f111dd9
SHA512 a99adcebdf574293a73dc7a492ae14aaecd57dc673b3204209d1c0d2df1ee219c14481046029dc3c6ae8a9d3fab42281c4b753833c7b20f642fe1a80c0094297

C:\Users\Admin\AppData\Local\Temp\OMEs.exe

MD5 93de39d1dfa06ad1b6b1c3208978cef1
SHA1 53e39b236b2bf8924234984897565105eb882158
SHA256 5699bce89b676670afc30cf7313abbb40908095abe530356c6b98c9a421f2f87
SHA512 2dd4d459bfeedaeb3abebd850d32b19b50e04eb9fd88a9250c40bea4141e8ee3e88367d4b3cbc3b64b96e954f225e7e73c18f2c71906a126de84608f0ff183b1

C:\Users\Admin\AppData\Local\Temp\accK.exe

MD5 7cd0cac2abf1f389a8a50f2106306602
SHA1 5a2a0840af7fded4b739e1d15e5ff1406d766b60
SHA256 9d199f42a166aa9c06587f4c06f969864ad492ded1e8a02584f91b8527252f97
SHA512 afcbb6886914fceb28bbc795b498887ad92bb84173cca5918984bbfc6330c28d5d51f37b91deaddbf9fc9b3be45422135dd04e17748f6f94dfa18b732e0d24a2

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 a8ba4c94aea62afedddd8ae37f5f5c66
SHA1 ec5c42deaf95ad60bf79e906f1ef8e0b06bbfb4b
SHA256 f94229c098bfcedac3c758e50942f3da892b546b1f66f99d76f67e7ff2538776
SHA512 17a308cf4300f487293f48e9a252df765fde6d94a475ce9fcb881f7247a2b6927b6fc690b4329be88f645afe04cd3312b8a8ad6387cd2cf5bd28d615b34f75bc

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 ed35214c40f21082082d0dc4f9c38ed0
SHA1 653142ea7b79705e0deb3faba5bcaa6a372d97d2
SHA256 67dc1b6febc1c6034f91a92ff7af43a579df05bfa7f3e32ba03d211a3830bbcd
SHA512 5aa7b7adfa5d5191a76af71508602fa3c5d35c036ac64ff85d27b72132e8ad3048e264d5d9ddbf94bc4e21886555a9912b409d37bcba1c004c4c63ee93d9039b

memory/2856-1677-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4832-1678-0x0000000000400000-0x000000000041D000-memory.dmp