Malware Analysis Report

2025-01-22 20:38

Sample ID 241019-2w6zxswdql
Target 2024-10-19_42de2729a8457deb93859902fccecf16_virlock
SHA256 d877d424e6836255f8c4ad38414f94e74de49d270f0c6d6dd49b4f0e3a0aff0d
Tags
discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d877d424e6836255f8c4ad38414f94e74de49d270f0c6d6dd49b4f0e3a0aff0d

Threat Level: Known bad

The file 2024-10-19_42de2729a8457deb93859902fccecf16_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (82) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-19 22:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-19 22:56

Reported

2024-10-19 22:59

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (82) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\ProgramData\uwQQYMYY\XygEMggo.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\pOwEYUgw\uAksoYAA.exe N/A
N/A N/A C:\ProgramData\uwQQYMYY\XygEMggo.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uAksoYAA.exe = "C:\\Users\\Admin\\pOwEYUgw\\uAksoYAA.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XygEMggo.exe = "C:\\ProgramData\\uwQQYMYY\\XygEMggo.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XygEMggo.exe = "C:\\ProgramData\\uwQQYMYY\\XygEMggo.exe" C:\ProgramData\uwQQYMYY\XygEMggo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uAksoYAA.exe = "C:\\Users\\Admin\\pOwEYUgw\\uAksoYAA.exe" C:\Users\Admin\pOwEYUgw\uAksoYAA.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\uwQQYMYY\XygEMggo.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\pOwEYUgw\uAksoYAA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\uwQQYMYY\XygEMggo.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\uwQQYMYY\XygEMggo.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\uwQQYMYY\XygEMggo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Users\Admin\pOwEYUgw\uAksoYAA.exe
PID 2872 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\ProgramData\uwQQYMYY\XygEMggo.exe
PID 2872 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1108 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
PID 2652 wrote to memory of 4976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1108 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1108 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1108 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1108 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1108 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 316 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
PID 3684 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5076 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3908 wrote to memory of 3144 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
PID 5076 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5076 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5076 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5076 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe"

C:\Users\Admin\pOwEYUgw\uAksoYAA.exe

"C:\Users\Admin\pOwEYUgw\uAksoYAA.exe"

C:\ProgramData\uwQQYMYY\XygEMggo.exe

"C:\ProgramData\uwQQYMYY\XygEMggo.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZuEokYAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgQMoMMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSIkQQMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QkQAQEsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GuYMwgQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKMYQEIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqIUEIQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xoAwoswI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmQEMgIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vksswUcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYIYcMoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WGQYQAIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 216.58.204.78:80 google.com tcp
GB 216.58.204.78:80 google.com tcp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/2872-0-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\pOwEYUgw\uAksoYAA.exe

MD5 a76a9d468cedf97c432b4fa71cc7cb0b
SHA1 00e6bc3bf85b661354ed52c2f674f1f4e02aee91
SHA256 fefc1572709ac7a454d67e5c16d153cec8ad1a831a8dfc74d4e3c2d719de2740
SHA512 fb0b0242e7bf143f0903610ad724aff9873d0db2124fbc60f267aa29ae427696fb8bcf352279d3afbdda1f5e54cb2140113956a5e692cb9a20e325a71f973d4e

memory/4528-5-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\uwQQYMYY\XygEMggo.exe

MD5 d47a05508729947ac7d71079350a4c71
SHA1 9de1fe4221829551c3db30b0d05f64d52992b274
SHA256 87f1115c89d7bc5ba2d519a1153e7798d3aa1e42245a3eaa83aa31bf563fff48
SHA512 cb1e8187bb5764765cdda9f83fe72e677a15797705b35c8166b43c98cd80dae775429d9d466237617c0cb604fa669115d917c0bb125250aa8a331ac5f429161d

memory/2180-14-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2872-19-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1108-20-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZuEokYAA.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

MD5 8969288f4245120e7c3870287cce0ff3
SHA1 1b4605b0e20ceccf91aa278d10e81fad64e24e27
SHA256 ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73
SHA512 9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

memory/1108-31-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/5076-42-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3144-53-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/760-64-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3720-75-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1140-86-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/316-89-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/316-98-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/756-109-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1400-120-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/5048-131-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1404-142-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YUQA.exe

MD5 9c36c31940f36c6ddf9af5eeb2ae10b9
SHA1 15bba690b3f44d7ab5b902c83640725e0c17177d
SHA256 5368cd3961ed4738afc50ac3c5eaecbeb0be74cf7f7d806588ba62ea09049524
SHA512 92e938989f9c09c34740aba123f9fe36426f15064d867111f71dab398da8503c191bcaba27e29176c26252bc4a528a3dd524f9a71ce3a37ef2def9502d0d67fd

C:\Users\Admin\AppData\Local\Temp\okUE.exe

MD5 6d3158462885ff537a7a54d2ea4c5c5b
SHA1 57beb49df0abef8a2e024aa6676543605c7b9daf
SHA256 df09561a3b19e576072d2b5d6bafcb61521c942239e258705afd448a31cfe3db
SHA512 c224aad412a003676a4a90274213f60b7722da5bbff32888db5d0d40dd51e924e5b476485ca3d30c18da95f7d61ec4a0c779e46e61934f71b05074f1c9b89cf1

C:\Users\Admin\AppData\Local\Temp\kcIW.exe

MD5 23c29ab71fe26aa02143687dc4ae80ff
SHA1 3eefe1f0145cd866abfc11832a1bba63d05d8f0a
SHA256 37897fef44a6e5f05892f4fc7bf99c1a60b029efbe675d73f44bf2ac3b45ee26
SHA512 1d431560b1e2bb374118ede1a6585f699ddbd99364ad66c878181fda514f28c7831c94ba99cfdbac8f69ad030872059a69f720301eea46fe1faea85d282c1c58

C:\Users\Admin\AppData\Local\Temp\cUAg.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\QgEK.exe

MD5 eefb5203a7f14f541aaacff5b634d507
SHA1 eb00a8f7cb73ecb1dbd70acbc6f3fc1268bacc6c
SHA256 53add38ff2c1395699aa3ee7e5cb6c7e0f1070bb96292e00a0eb496f52b70db7
SHA512 c0631386696ec98da6377b5119abf1aa021125da649c6cf4d37b9b30dee590a475df49de1b4a0407abb499b9d362e0d69e03c16ace127a155230e151042f15b7

C:\Users\Admin\AppData\Local\Temp\yUoS.exe

MD5 a506599bbc173edfcb6c6fff2cb549d3
SHA1 193c2397b0ec84462710506c0381d7ddb396732f
SHA256 060e15eb002aa23d6a8c8f88c919e4a47fc6a544c247b01c4dbda942094b0029
SHA512 9aa2cc67f2f4cbe53b06c05f130a82db55376ea737b5edf44a957c0dcb310635680c689de130102e8abe90c5bc05d798e1a0f7d44f0991515ff75078c15851e2

C:\Users\Admin\AppData\Local\Temp\AUoG.exe

MD5 41b18df775092316e7145188c9e1fa9c
SHA1 dc49faa08b9205311a4102fa281374845297613e
SHA256 a0464651be2f1cffbfca016e9c130ccd6fc29618d5c01845f4d42f89a466379d
SHA512 0069368fcb0fee9ee6230bc3ae6313c6be9543ce9bba5fc21e749f862faf7be9a0271e4f0b2642caaf7671fd8be9161c99cf86f8c0b431c6f003c66cc8099a35

C:\Users\Admin\AppData\Local\Temp\cIAG.exe

MD5 18abbdf737924421610c4163b03d634d
SHA1 3624abf60dbf1ebf23aff5359cdd49e37219cabe
SHA256 3b38ea36b49ab5e44a485b23b87a55bf17cf029aaa2705e54487193b5beb7c6c
SHA512 5898164dca188aa845a0a5e35e553479790a6a4400b6f609c79a041567254fe4b6ac44bf9a3d4fbf670e18ab728b25e12d2841364551289a8af077424cb08c6b

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 0cd6dfa35cf75de8ebdf7ad30480c5e3
SHA1 d559d59f1a51ae8126a2eaa371a36dbe031a849b
SHA256 702722e5ae1066f6a3c6684ff9406ea4701c3513e31a066a122f818f45ea96e1
SHA512 bbd80f9d6c9a9420c7f9ea0fb33b255cb724db9e83f466970f2f7aaf82357e5f543ef68fb7f2b29d135213402c50766c9a5c2e9c0ac947206b415ccd270eca0f

C:\Users\Admin\AppData\Local\Temp\owce.exe

MD5 eb4d4dd5da13a37066d9f9f3a1f8b579
SHA1 8c22dc345ad6cfee3172d3e9cde53db98d53ecad
SHA256 ffe2019691a7e7629c100581aa6d99dd33d5fc2c44645112ddc525b2a92676e5
SHA512 5c0d68f985daa3a358ebf5881ee25d59712d16cdcc7e7d45ffa7354f0ff9280e8fafa6008779ff93aef7ed7dfd553f63ad48172deb85081ab04253da6b994b8a

C:\Users\Admin\AppData\Local\Temp\QYYW.exe

MD5 e88335a176b8dd54e0820800b1aaeb72
SHA1 ec87a3fadf12ce04c3126680bedd698cba698920
SHA256 6650c8e3b0a919d8788d82a9e281eae95e2b79c95800746d0137b6eec7d21dac
SHA512 487f22cbaff0c6f4e0f00ca17317cac1a799beb21a9b067bf56e9e3a020873c30403641ed637c121931def64094f256f28ae43da221082b07128ca48c4b510c1

C:\Users\Admin\AppData\Local\Temp\ogUs.exe

MD5 c94807e51ed8c8b487d472a87793e24f
SHA1 ad1710bf2714fe0734adbc3afe2b2f5e9266b4f3
SHA256 7533a6e3afea707357f4b6f39a82de6f93270d9a39d91374c2efcdef962bd759
SHA512 2028a8ed3063941caac161f43e9c1966310547a62cd3f2f0bef56be71088b3e180303efd5731820afda15fcb40f0db082ce069b560edbbdfa479a77aab604fa4

C:\Users\Admin\AppData\Local\Temp\gEEI.exe

MD5 2f62c5962ee0364ab7a14aef6421827d
SHA1 e2df2cb4a71c25442258883592498f1e831fde03
SHA256 86724a3a165a04165e3944f2a598c288ab8b5bb13192427227e2c57e27432589
SHA512 c87c3a284413098ecad51b7ebad5e5aa717b5b7b52b1e7d98b5b0319fe420dc79bd2a4ba2dd8ea52f42c14a84dfb1ab914b14f6a1c6bfe4a0f524c591aa91b91

C:\Users\Admin\AppData\Local\Temp\aMcY.exe

MD5 6f9ba5cc8e4258206df471b58b498837
SHA1 1e7dea3a494ddd247ce515908ff341d8836bcaec
SHA256 6315ccfb2ae973f4edcaa5643db0b2c370bf8e464e6a81bdd374f3b39b88a2b7
SHA512 f2f2d14e1321935b899030279522bdedf01e8dce1f01f5f40ed31da89c06809be69d553dfec759d341e79289727c08616bffaa32a0d6509b34462a31d5780c68

C:\Users\Admin\AppData\Local\Temp\gQIu.exe

MD5 dc428b693fe94caadd9a85d031d1431d
SHA1 3a07d93577467e2e91b4c4063ca56c7b6bcab836
SHA256 f5d05bc222aae7682cbfcc18ed213a528da668ff219870ca633c489dd70afba3
SHA512 2f8d568eba3c300a73d2e43ffb67734e86f9a7e548f57f374dd987695b67ecb2fa1e43ec6162a94bfa7801b119bbf863b632b799fe6e4081b07559bbf55aa33d

C:\Users\Admin\AppData\Local\Temp\QoEc.exe

MD5 ac3dd6faf8199e110e5f73059d006a3a
SHA1 cfa802543a5953c113ed1d5881213942e8831508
SHA256 755ae3c2309a4132514a5a17792eea166517ba1f831940ae5e34ef5a1afcdcf9
SHA512 48db092e7ac25140d2b6db9d28618ed72ce17c1682fd85792949ad094f44558c19c87d5481e5e482820c0751d80063d52ab218d91d1c83a731e0e59a628aa50b

C:\Users\Admin\AppData\Local\Temp\CEQm.exe

MD5 a37586a0e6186f5df212291ac94e9b8c
SHA1 0986b07cd3940beb5734ee753062db19cf7ee484
SHA256 ed93b63285f356ee6da8d39aa8e7b61bbf5f76022f247bda554ce1dbbb82d47e
SHA512 f977be749e50378be5a18cdaf4015004ff4e99cf9423424e50bc50d69a546a343a5c615c2ecd200ba8b68cdc31022cd65d6239a9e01bf8270963530c5a3041d4

C:\Users\Admin\AppData\Local\Temp\GkYk.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 5db248b780379857c0c12e3f0ef7f430
SHA1 f64c90459c54c5cbcd88534d64a4afb99b8ef486
SHA256 246fdcca26de4058170725f6d94001c198c47450a97f8144cd5893859dfe37cc
SHA512 eeff5c62026f98d405441904be57d69ffb426f2f82e5dfb1de989099b45be1f5e1515ecf1e1eacd6d08a288dba581d01470e4c1a4884adabb0425682288f5cd0

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 600e02fcd7062d432746bd6d0386f569
SHA1 07174c636c62f6354c12bc8ee60af343e8d6db71
SHA256 6984c180d60eb2829804abcc7440b2397d3df4c98d36669a4ba598b09bee0cf7
SHA512 de88d66a0dd853af45115f13ebbe094bbe3a9caab55d3bec776e0e8cd5f97429d8036fc7bcae8a4f01598ee28a3c044a38a495743ff99ea2ff726a094c8dd25b

C:\Users\Admin\AppData\Local\Temp\OkAE.exe

MD5 c8cd5eb6a8aa636cb0cd38c60077775d
SHA1 f50511f64efe1a450b1586acabd9be6af4d3a38e
SHA256 7652551398e69221d62774c1416a464524c6d27e8d8fa0b1b2be314650caaa97
SHA512 1b4a2743c5924f43b0d3664cafcfb85f196bf90328a48041f6f4d4d1866f6a998d9c827b4bc5b8f667eb54882478f715979552268c8e36c05404b2c35585a3e2

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 3dd02bd5ca3b8815dbf9afd35deb65c4
SHA1 5b9ad13b05ae210521d0e525fda619b95b887202
SHA256 eb864301393f095e39eb3a91c92b139fc31f46e345f28491a67e1cdc8e579416
SHA512 5f8ed72474bdbe885cde09ebe38229b21ed4c976d745305371c8ac6ac481a60e90d62e67bb4ca92f4fec7dc66fa3404ca0057f1f9355ae8dd468c642104301fc

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 dacb0179c9e9e0c86be350d7b2ec9641
SHA1 705c795154dc6d3092257e9abc25e4ee55e38dd5
SHA256 c57c2f6824ea4756ea621653e9fbc0db1db946e924639778821fe164c56f3f14
SHA512 a50da2f499630c32c544e27e8bc6bd63e4c40559102aaf1d6496351bfa04bbc1b54800b995b66e83490d832ba8be537329c4e365d357a70f400b99a452912964

C:\Users\Admin\AppData\Local\Temp\Mgww.exe

MD5 d620e4c9b7f7f13452421acb0073f59c
SHA1 d03018d0e16d30f99f79cc10d130029531e1bb92
SHA256 f55108c7f7fd2d09ce5dc63f443bf1a6e3a7aba85d77d509a2b22e0f5eba2287
SHA512 a08a211bed5fade4c0dfde7f4682e375822464fc119f406837e38d0da309c29232d0402755a10a3c02945ac9e2b903588e4ddb8a7f28c023a58f7475cb6711da

C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\windowsdesktop-runtime-7.0.16-win-x64.exe

MD5 9c624ce0e942efed69b144aece8da37c
SHA1 198ea07920a44b49ca1c4ce722eaad777c7b21c8
SHA256 2aa8792f22cbe45c194b831823e72c318a8196e6a5efaf4eb8264e4a81197d0f
SHA512 285983f2ce8c6c38f2ba1bea3895ece6b3d77fd81ba44b8ad96c51dec1c4bc6d540166f7cdfd72d7d70363fa8a669525cdb309758e609295ef0b3be3a382c1a9

C:\Users\Admin\AppData\Local\Temp\Ckck.exe

MD5 88371bc3d72a8caf2363974aace97d34
SHA1 2aff4df0d278ad340dd9503e13d616c02525c2f8
SHA256 f81e87e8fc84be0a8ff45d64115db6aa9b203a9d609cf2ba2db8c668759e1a53
SHA512 ed6661bcfa8463160c2e3e47799e4865bf4c9b477b79d82b9665aa0dc9e03d426fc7cb019f5b85ef3f07827e595ef4d0ed60c25d88f8dd627187ea3132b64f15

C:\Users\Admin\AppData\Local\Temp\Kcgk.exe

MD5 c06d2c9d6994587f1d09cfd23227ad41
SHA1 9a9f61c599788be00cd03e6b0a8442f360acea4c
SHA256 26e8dd639229fc838f3fc85ef8ef31848196414c2fa7913b7bfe7d6cd6b6e7cf
SHA512 0c15200d65b9ee540c6c1fbf9f0c02dce9b220b3b211921a2d496f2f21890f93f462f6736ed5c8372636f2bd62a4a2bbcc10c36515ef159e22026ad26b9864c4

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png.exe

MD5 8ff51a87f23bae22e1722eda8ffa1d0d
SHA1 54a017f1377ff26e4efa636921ceef8b09c7f7c0
SHA256 a49f397816a0aa07213d3b25fa0987479cd2686bf5ab77781207db2c64069bd4
SHA512 b26aef14b0716cee8f619acd40e021854ed6309d070c719e85c03ba95cebde503bcf3027a9d1ab9de91fc43128e8739400b90de296a1610ed7c1f50e79d659dc

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

MD5 2fad85597d5097fba1892f78494d1a51
SHA1 40391956ccf57b6942efc337f8b98e842467d392
SHA256 db0a1ec2040b764e20edf2e55427bba8e3c7fe6f2becc5f2577544fb9c9639e1
SHA512 e5904a83dca7608349b7c7ec1ab3350019950833091370d3eddf0eb9a15959df9157ae74957efc040f9f4bbf666c87737eee404db36823da7dc114c00069a1af

C:\Users\Admin\AppData\Local\Temp\aYIW.exe

MD5 9bfe1ea0615cc1e49dda32967bf7ae37
SHA1 6d53a31bc2d84da39242a64aa5daf636365284fe
SHA256 9b376b1f81a5d8ef78a4199c8111b11cd8557399f0f1a0d5bde9289f80595319
SHA512 43b124e257a7ebfacc199f2b9d5c43023b104a5dd87ce51792db31f9b3c383150ea3266751630218443fcf93648124ecb709fb7468668153f8c305a0f64c3daf

C:\Users\Admin\AppData\Local\Temp\oAIy.exe

MD5 5bdfa6466d061662bbc0ac9de72fa122
SHA1 3c99584f33de15da884ba2b31fd2380713f8aabb
SHA256 7fddf9cc3f314273bb06ef69fca7c0404c7c38ea949451743395340ceee88109
SHA512 265d1f178229df091b9df8960fec19e0d7ab522305bd091c4f03f96e3f208bf603b76de70a2fbb78515b308eadadd9a1fd1a49ddda42e0236441b33ce5ec4569

C:\Users\Admin\AppData\Local\Temp\wAkQ.exe

MD5 a1b5ee718996f8526b27171ce09814c9
SHA1 68428e98a5278530ead538027ad92dfc2b219e4e
SHA256 5a556c75ae55276cd1dea7d0f5d59266df615f2357137aff2881c0a66c213f89
SHA512 93325267ace9414758a8d1b3e3a36c4ccce3a1e2f33ae08e3d9dcbf3e399aa2e52d0fe24cde5d6d072bfeb28e04b149f61927aee286df9be3a583fdc4ac704f3

C:\Users\Admin\AppData\Local\Temp\ccAW.exe

MD5 0a22c75846f9b833e232349dd733060c
SHA1 6b994c20cc2d9f3f04cd352c4ff2ef4eb8e658d2
SHA256 4c7b5b101c8ee13d530d1afd9d26c937faf3ebeb95a4c93cf333748eff96cdd0
SHA512 fe5e896d7fe8ac9bd8d90b2c733763d07aa762ccbd3567b98a3da89f2fcf163f6d12bde6c3a217857ee7512639491d33aae450d05afdcbefba32196d131d3340

C:\Users\Admin\AppData\Local\Temp\QEgu.exe

MD5 aaffb3d4cfce4f8ab30588d6ef7ad9a4
SHA1 e7184ae28252e792d39453394b658ed21adb849f
SHA256 01b6625db4ba0fc59eae3e19c60e040c6d047dc64fffdc1e17c96443b092fa79
SHA512 c62f8c185f82e3e396ebd6b01bdb249d02da9e42cc10d6411b75f827c96de60de51de339f2b933086b20341ac53c37fb30a5c038e78c2bfd298c2682fcd95ba8

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

MD5 85c9f4f0673140413ad4cba9f9c95b29

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-19 22:56

Reported

2024-10-19 22:59

Platform

win7-20240729-en

Max time kernel

150s

Max time network

66s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation C:\Users\Admin\ZcgckEUw\QEwQkgUo.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\ZcgckEUw\QEwQkgUo.exe N/A
N/A N/A C:\ProgramData\bSAoAYkA\rYEAAgIo.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\QEwQkgUo.exe = "C:\\Users\\Admin\\ZcgckEUw\\QEwQkgUo.exe" C:\Users\Admin\ZcgckEUw\QEwQkgUo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rYEAAgIo.exe = "C:\\ProgramData\\bSAoAYkA\\rYEAAgIo.exe" C:\ProgramData\bSAoAYkA\rYEAAgIo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\QEwQkgUo.exe = "C:\\Users\\Admin\\ZcgckEUw\\QEwQkgUo.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rYEAAgIo.exe = "C:\\ProgramData\\bSAoAYkA\\rYEAAgIo.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\ZcgckEUw\QEwQkgUo.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\bSAoAYkA\rYEAAgIo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\ZcgckEUw\QEwQkgUo.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\ZcgckEUw\QEwQkgUo.exe N/A (64 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Users\Admin\ZcgckEUw\QEwQkgUo.exe (4 identical rows)
PID 2128 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\ProgramData\bSAoAYkA\rYEAAgIo.exe (4 identical rows)
PID 2128 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 2852 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe (4 identical rows)
PID 2128 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe (4 identical rows)
PID 2128 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe (4 identical rows)
PID 2128 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe (4 identical rows)
PID 2128 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 2740 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 2708 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe (4 identical rows)
PID 2892 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe (4 identical rows)
PID 2740 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe (4 identical rows)
PID 2740 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe (4 identical rows)
PID 2740 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe (4 identical rows)
PID 2740 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 2096 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe"

C:\Users\Admin\ZcgckEUw\QEwQkgUo.exe

"C:\Users\Admin\ZcgckEUw\QEwQkgUo.exe"

C:\ProgramData\bSAoAYkA\rYEAAgIo.exe

"C:\ProgramData\bSAoAYkA\rYEAAgIo.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eWgIAMAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KoIUIoUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\biYgQEAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VekIAIos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rYQMIQIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FecUEcEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AOgkYUEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iUAYsoIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gWEYMwEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\agsQAIUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vuIgQMMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xegkUAMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fWYAQows.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TsMUIAcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aWgQQAEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QwAkQEAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IakIAAYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\msEIgwAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nWgYAsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LMoEcMMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\faQsYYUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2142798588-742214994-1041628400-178525294824747307-512404587-427112398283715557"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LEIgEQcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZIEgsUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-175585495911241790791001869426-11847992532006072403-735964963-9354805041313287291"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1605574485551995664-1190363826111783974648428136218287254111143956071-2005223885"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wwwMAcgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "17683077745175121251222166198-1903013520-1115877458-149539996-72970670997904325"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WuIkkgAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aQsooYkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EiEAsEAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SeMMQMEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1317947074-1205223475-1277017956520367825179241219-1305627367-1532661791442765459"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LaQIIsQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\diwokQUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-37008820916076748021481098640-2173799254346217451917861323-937030434-651829471"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vWsIggwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-824757964294839476481135724-1660521328-767769304-2184264322101862805-911660474"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LaMoUIwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1093410326-19633638131562876725883541381-1553610930466285602-12474628851205131257"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AaQUMkgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1645498553-831565046-606897295-405073779-2168431194568403421666412179566885596"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "28188857514579814978550754711664452973-1412279672864425464-395579844-204766248"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\scQkMYkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-738912037-1461205798-115572172-712717383-456022758406462611418529733-640456863"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-636102730-1245831502493801256-1163043987-186270039011409779767658671791086700950"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qsEgAMQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MSswcUos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-3466015021132984152-634961921233674480-4559678818849454161469805050101788802"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FywsIIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "702776342-941252554-850154930323325321180186393211711503551235289012-1483599909"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1552129013-1145455650298187682-705085785-841025427700560664-15049341271900324025"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lGEUkoQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-185184961777067219467387760-9345831851413368020-14920938111507715155-658583558"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1385870120-14473373901788827637-536423670-914666461-137544531919074206991434410664"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NSAMowgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "790243010-723070175-1505544942-178086948613813064891254867516-1359250038320171387"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VGMIgwAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "612704633-116170484-149061229-1646252775-14786683802531270114329594021179996904"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1258029792-2101761607-936696833-5314210521888056906-1253599375-1776994950-1045939421"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GiIIUccc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-216782515116358242-69641085-2043682677-355311285-1800614129-547305200384037039"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-15731242911688780050-1452170745-1759548631-1057282018909067394-1154443443218306111"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "180693792965328163951241536-591553648387371462317550217145920936-306817234"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kGIYcQkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MikIQMsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "677563969979111747-379424564-18946049082447125129674328417289318532143283373"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CQMcccsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-16525815019461499961808575255752449308-21398981501970900912-10186046071738118418"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1010460311220028641-69523268-5554862182146388238627092062-1202928080-566081173"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zgsAYsQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nuAwcUUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1900474616-890944911-212533305112601522291485413393378848591-10908013461859849075"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1700827071-11300481574163847661564775997-99440627585111802-18942771582045281300"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\teokUIMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-499596126-2023613440-8692062738577140531094187497-854412661-1318766825-1579104885"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HGQoIQME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oWMkIkUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1934658811-11414877351953805538-1753790130-1789998841810686014-554301801121309121"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-450188763-2060245287-1422358219-50144672288619834961881064-1046711319-776271458"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aIoYwIQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1379887391-229299821-1345363664996513573-13678850891932364217-956843376-1102327577"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IwYcsUsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZMYIkwMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2052274495266844458-749412281170092566714489904811797906242-6260242571113053843"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1453586402-1856811980-571853799-191760428372553058415944711181159907160835293074"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TiwosQEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1590850030901252949-9044723135610672104467350118007347801850987123-1435461437"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\juAMkQEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1268067241-981625089-5464893522042164250836516220103680292179114606797743363"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "11577234841614264503-253089630112665234943878649970990753-1652065243684777106"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YEwgAQww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-12101441911764657273-227840104-16600359186335588031465971788-1937249387-1431184471"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wCYYEQMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1595200390-8677079372147242048-49262042377157843-140179028281819216056308033"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1632186869-287061216-1816553377-1203030862-1996593355682984004-1321936520-805209325"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QWcQcUMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1240762533-20362082061753240361412658474-1575335757-1086155734-2130077394-1669122115"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MSEQksIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-8464635541459669489-117175291-819416421396108679-86384967272512122535090594"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1881338174-96903362928745196-2795785841101200343-30293367613792003071903263419"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "14925960091027187587705696242-11336394671787572155-2755848521347427905-1426124435"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bggYUQEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1044125841-461403815207130442-68073979212148866661324785896-15565874871729499873"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XuUkMwkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "725166449231987969-4713393569434751531846947493502300104-1090932918-269079024"

Network

Country  Destination            Domain      Proto
BO       200.87.164.69:9999                 tcp
BO       200.87.164.69:9999                 tcp
US       8.8.8.8:53             google.com  udp
US       8.8.8.8:53             google.com  udp
GB       216.58.204.78:80       google.com  tcp
GB       172.217.169.14:80      google.com  tcp
BO       200.119.204.12:9999                tcp
BO       200.119.204.12:9999                tcp
BO       190.186.45.170:9999                tcp
BO       190.186.45.170:9999                tcp

Files

memory/2128-0-0x0000000000400000-0x00000000004A8000-memory.dmp

\Users\Admin\ZcgckEUw\QEwQkgUo.exe

MD5 9efadb56a5b3dc835654974c0372d618
SHA1 40f10775471e994a6ef941c572a1fc34b07a3470
SHA256 fbc018ba620b2e70f24beb633c4d76692a277cbcb34c1752fd8b02ca65e75364
SHA512 9105f20eac34f835ec56b79b4d5c07ed106ed61615eae3e9fc9b470807b0c4402a648d4dfb86b060febe28966afe8fa1bc92accd435efb9c4491ab2010d361c7

memory/2128-10-0x00000000003E0000-0x00000000003FC000-memory.dmp

memory/2128-17-0x00000000003E0000-0x00000000003FC000-memory.dmp

memory/740-16-0x0000000000400000-0x000000000041C000-memory.dmp

\ProgramData\bSAoAYkA\rYEAAgIo.exe

MD5 5ccb14a59f261a1dc7f5110dad630ec8
SHA1 55cc3cf2274ed6a03914c5c2c4f2c1759d7f27b8
SHA256 0c0777f0cad05ee1f16890aa0cf5e454b4d526eaaec22d4860b78ddb4c3da589
SHA512 9fcabe7ed0075d294a7917f1054dbb4e69dd5c60f0ed1ef0c87b32cb7d282d9c3bed74d6d5bbfa1891033559f23d0eb67bc74ce370bfd77f00e644edc554e38e

memory/2128-9-0x00000000003E0000-0x00000000003FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ISYsEQQk.bat

MD5 ae66dc695b6dc6c34ca1bb467d8381a6
SHA1 22452f3c4d6738b174a607ad69344731398f5f54
SHA256 71aa3fef529a0e7d7d215edf6e26f0eee3e7623bf0ff30541c36aeb280a4cb2f
SHA512 c9a4799efbb26e0dff8546a88ec69b24c1696546fbaa704d5e998b9e882841064c0197b719d2c52ff6dcae49be7b6f2a4d3926fa1a2216514327acf9843256f7

memory/2740-33-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2852-32-0x0000000002360000-0x0000000002408000-memory.dmp

memory/2852-31-0x0000000002360000-0x0000000002408000-memory.dmp

memory/2128-42-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eWgIAMAE.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

MD5 8969288f4245120e7c3870287cce0ff3
SHA1 1b4605b0e20ceccf91aa278d10e81fad64e24e27
SHA256 ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73
SHA512 9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

C:\Users\Admin\AppData\Local\Temp\csMIksQI.bat

MD5 881b21fa930a66e0eb35ab7b3d1a6c8a
SHA1 530335fed6f9e1aec6ac62a6ef4dd8bd5a0de4d9
SHA256 bb408a9f9ebd44f6e4581a3ecfecb1581b01f931944d775c1335fcb72f5eb302
SHA512 8dd10176d392f1fab841c99e72c060ca2a87233342319327ef6f06c3ff8cb1adee0240210115fc293f184e7bbe95072146341670f526c6f8e374f54416ff2615

memory/2740-62-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\jMEMQYww.bat

MD5 47c6cf70c1f35e20b0130a60f7c8a9bd
SHA1 40b9428c76c0eaecef4757f3a57521032e736d19
SHA256 e79a4a40f1166f57678491fbe6d252fea881b6b833f8b0dda4aee81052f1f43c
SHA512 242fd00086c1760cb84142d92ddb532e7b9a615e6ea5b16c2499a394373ef2c2f901708029b2af46dda3d709fb7bf029e63ed5dcd3ee72ed45a256b4ee748102

memory/2688-76-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2428-85-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pSUwgoIw.bat

MD5 0fa2965e35c053d350a0119b74b4b41c
SHA1 5fffc3e30c9ff08afead14e020b823e1f99fd514
SHA256 a421eb0e0ada654d4929a3fe436bbf2d706707266d29588f3875934c89e92ecc
SHA512 3b8d8e6f77266f686f74b89d14406f3ad302685ffacee611db7cc943bda8658c9816419e91e0072635d6a508103f16f8ccfda32d2a0f135cbcb9de918a494ebc

memory/2688-108-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1512-109-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2568-107-0x00000000022D0000-0x0000000002378000-memory.dmp

memory/2568-105-0x00000000022D0000-0x0000000002378000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HeQMYMoQ.bat

MD5 a640420476b248dc650b0443f9027381
SHA1 259aca92ff1ec1e28d827d8a86086dbd1199c567
SHA256 e694414b5d6795305b33c66ea4739fe83f1c00110c3ade4ac2ba1fd8e6ed4885
SHA512 741ebf46aa7f4aedaad89354968f7308e1c541c968b05c23e38fa8c727bbd966b477d650d56eeaa6028fbd0c29643f838705bd94608eec93ed708b3264dd482a

memory/1512-131-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1200-123-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pCcUYcYU.bat

MD5 19d0c027e953163ce809f4eb6bd53f15
SHA1 63fcded7f4737188642475a6816a327e61185629
SHA256 2148ff3daae4d63ed7553829afe19d463599bc29774741341af0366c10e41c19
SHA512 af24d2a9051f1a0642726ed00435f946c5a1048f2d1436a443a5620072c6c33282fce42646593b881582f7a1ae3afcf8a25059d766ad6be967f9e07e53afc230

memory/1200-152-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GYQgEAAs.bat

MD5 8fbe651299332285d7bd425b9fa3c053
SHA1 9a3112b5d64be17c056cca8b56294b6a45e98297
SHA256 0a821e4cbb09d72518ae24247c956bccf5578c99ad1e8674e5765405a2f163c7
SHA512 aa1652268a2dc07a464cee8cc36a3a5fbe48739c3dfa2374adcb4af7f9ba9bcfe52a7c0ee1b365cab20eaf05abf8684c2daf61e771c82a5d08c7a7aa6dbe2d5a

memory/2624-165-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2288-174-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GCEgcQcs.bat

MD5 d16ac84ceb029cca2fd744e656a96d1c
SHA1 8e1d0a99e4f22a2796393e479dd2ba3fa58e8e0c
SHA256 ec1656fb7e95b6dc201c4300395b874f4cc08979d084894f7e09a9dc391fdb67
SHA512 a7e49fabd382b61872eba0dcdcb00ebef0c5eebc0530028d3a1def1c693d0830b1bf54e39fa6333c0bd47b7000f71ad79ef144da5a38fbbbe7ee4549c08f0674

memory/2624-197-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1496-188-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1064-187-0x00000000007C0000-0x0000000000868000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QgEMcUAQ.bat

MD5 2f49706a0ae97374e81ef3768f5bd4d8
SHA1 c0d50ad14c6b9f2779a9dd2999151e6a09bba0ca
SHA256 c11d501ec694d5873d7af1ef75b198572efc2d6bf62273950ec752b88e723300
SHA512 9e37fe0eeac3f964b13c569b07efd4ce52338013984b40cb059b4c8eb151daab2821b7dcf57e0395f3b61aa310b6bb993a36be2ef29461660f334c077f9e79e5

memory/2936-211-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3060-210-0x0000000000260000-0x0000000000308000-memory.dmp

memory/1496-220-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wOQAswwM.bat

MD5 3d631703fa14bafc43fd8e3ff6af2044
SHA1 b1a9ac877d8d1eb06bcaf8f2fd7024f1837a2a38
SHA256 4d773b04ad56174474c76ec7ce71e76ed46873581cfb9c7ef4ab3dbec6f05105
SHA512 6604f6100a440b0d52e8d706d9811ed12836044ee6a40e2d0c5fc50d1324a86560aa5318d23d349c50f657c54121d5e23670fbf227fe1168c4ee43359383ac72

memory/2936-242-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2552-233-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zGUQIwgU.bat

MD5 38caac4b006bdab6dd9fbee6dc4128a9
SHA1 a69975418dad65b1acc7d5435f4f2c3b671a0184
SHA256 cafa95eab87473e8137d4bc5a6c654fd8f01db74437741629b5814f976b42f7d
SHA512 ebca344959203294e864f674b3ed5b51f44d80acb9d2bb6b651ba362c1875fbd4964ec0bec84d6c56653a2f1c4d23485ac52f5e080a947a15ccfa8d95c163778

memory/1996-255-0x0000000000390000-0x0000000000438000-memory.dmp

memory/2552-265-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1980-257-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fsUMYokg.bat

MD5 b483a1fafc55239e22a33de46facf98c
SHA1 81ed13d3083d99f2aac7811b97d36a4470d8462a
SHA256 f5219d40f640f8eb87b5d7314603e7f388a26059e983cf75fa87be61f932ff18
SHA512 e2cb114c9f9f959658d0e3d9e713152f0cf0edd65b1b44a500099d9045cb73d24ca44cbf0bf512153732a45eede2a56200f18a0fe62a57d73b7afc252a04e5e4

memory/2680-278-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2188-279-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1980-288-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PIMcoccg.bat

MD5 d3509e693a34ec8049d413853ea5cdff
SHA1 cfe0866b6b978bdd0faefddc66bc5debb5807a0b
SHA256 37eb340b79224de0abe3657978a0d2b7c94bbe7320ee6e35467a1bf06a5eecec
SHA512 a1c5acebb47c99619c3c0910a6eaf8cd169524cae0ed9b6beaa3c57001288c5f9f85f96e9d57f8616f4391772fab49ff2a7ee2ed9cd785a5b88afeb5a3a5e834

memory/2752-302-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/664-301-0x00000000002F0000-0x0000000000398000-memory.dmp

memory/2188-311-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fAwMccEk.bat

MD5 288d8e11a56bc2d8bd8feafe4cd1a72c
SHA1 d44d92cdf654a5563c910f7d9c695e7c9eaffb69
SHA256 ae160ac14d2b1e4908dae4e60a2b78c1a7e7c5f165c877c85099ec7692234f72
SHA512 728dd49ef516b22ad82ca02df98bdf9ce188046814bd8740aa24a48343533ad57483b5290f6661b365f45e79921af65d6ec6aa38926fa6d23175d242820d6496

memory/2636-324-0x0000000002340000-0x00000000023E8000-memory.dmp

memory/2648-325-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2752-334-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EEEUwkwE.bat

MD5 822bfb4c249bca7246115ec47cc7c12f
SHA1 21de59583a26708237fa8e37dce54ed4f386d182
SHA256 3e32f04f6954add56ea8e2318af3daa1bfa27688f1d118f9b327ee62ab7375c6
SHA512 00629073ce94df7c9301a30fec4fdac880df5da38f04f4d1f6207f68ce11145248e0603cbbbf3de8e427e186e3729145fe8e4724d5e1e180140fe49061470732

memory/1852-349-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2648-358-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1704-348-0x0000000000270000-0x0000000000318000-memory.dmp

memory/1704-347-0x0000000000270000-0x0000000000318000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\amUgcIcs.bat

MD5 b181ba79c873b14a1b1d68980f8c1edd
SHA1 be6cbb1b1c19b51f2ec5492f266c240d6d34d568
SHA256 d06f66ddfaad6d31478e1d4ad069a448b0618b4360420e63c1250d4802b993f5
SHA512 0378e2f79cfe4bb41608854668265b943bd0d1d202bd144b9bfa0a1a502bfeb7d067f2d5f2b69f9b25310a95f34ab3d377b72248cce0a2cc3044164d10306647

memory/1852-380-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/560-372-0x00000000002C0000-0x0000000000368000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WCookEQA.bat

MD5 164e343b9c409606a49b240b46c2bbb3
SHA1 3ef8431e923c53869e803b9c6d0678743c25ecc6
SHA256 a2dde6819c73bab6ccebc2cf2c96642c8c85a8e7f90ff5d7ecc305247be80632
SHA512 aa7d798eaf831f9d58bcd3dc524e8619945b4dd538fcc95e27dd1fede102d5927b78babb310b4401bbdf2d1a1adf40738fd7ab9eab2f3f405fad9a1f1f61de07

memory/1540-393-0x00000000022F0000-0x0000000002398000-memory.dmp

memory/1752-394-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2480-403-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aIYoMgwY.bat

MD5 a07012acb1675e5252dbe9762c376f17
SHA1 8bb7c387fa7551b448b13abaff8baf0d9b3363cd
SHA256 7c526fb5980cbb3c6a297f8db12988ab123d9f12636db2737b83c9ed1e3a64b3
SHA512 654f2644b1ab92060b125f4fc068cde3c81f6e78c8a7682a721c7d92c934df7ef9a293c429277d90bc3d41437e1d33fdfdd86f6cabf26064e42461ae618a014b

memory/1052-416-0x0000000000150000-0x00000000001F8000-memory.dmp

memory/2812-418-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1052-417-0x0000000000150000-0x00000000001F8000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\Users\Admin\AppData\Local\Temp\qAwi.exe

MD5 dee15573b6650b6ffcff4a527fa131f4
SHA1 3e87484b2af02e3c415c3672553507b0196731b5
SHA256 06f2f3108ea7af4dd069a9f0b870b9334096952f328eba0ab4c2bcfc1ba82ebf
SHA512 7326d2439e79628964dd8e6c475adf115a48f834a96ac7e5677f18f1703f6d4489a82fc31de6695bcbc07be4cf827641331636f487fc743187a8aaa66e00a95b

memory/1752-443-0x0000000000400000-0x00000000004A8000-memory.dmp

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\Users\Admin\AppData\Local\Temp\XygEsAgg.bat

MD5 4e8298583c11bbcc4c8bbba3cc96a9ea
SHA1 7ea973d4d3eed85635112faf7b45403c928862a8
SHA256 c64f00a6f04ab44c64258cdb2befdd8bbaa043e8ad988125770c4d0d7daff024
SHA512 67dcdfd4aad7d30156febd7e9bf08862a2e92e2abff02cc07b11ed263cd56e1a9f9125f6da7fcac9e2f06b29e7a36a44487468aed835ab97ee7f7e71bbcf2062

memory/2608-456-0x0000000002260000-0x0000000002308000-memory.dmp

memory/2608-457-0x0000000002260000-0x0000000002308000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vmgkkgkk.bat

MD5 e4d1c635c09f6be36a2f231cd306a749
SHA1 b1f4c579551e26a435182f3d6a74d3e4b76fa178
SHA256 cfa6a3d50e2f59d1fae61791c82864d6eca95e2546a646d7e4e58195aa508496
SHA512 21e1fe7723a084e5fbfc8304ab9459407a14a0cc2211bc7c5a1767842f62b098ea5604d1b1f053c9dfd6487eca544236a0d6c3dc812559f98d368caeeb6863a7

memory/2812-467-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2968-479-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2436-478-0x0000000000160000-0x0000000000208000-memory.dmp

memory/1632-458-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1632-488-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CEIe.exe

MD5 47cbe7b3e2c227dd8d2650e487ecdc4f
SHA1 022390908a82bf6eedab9480b7b7a704ddd5a065
SHA256 65bf951ad7699242d1d968746b2924a7ad2d2df87726a9e5b623c3431848d438
SHA512 51a8c30e2cec81e7b222854b94767d9c586bab997a81820dc806d6a9de23df40a3674be714319732d81acd4bd1a49b20d8c9e170f17aee34f0b9cf3ac93c0432

C:\Users\Admin\AppData\Local\Temp\VAkEQcoU.bat

MD5 f83605ae4673641cf9b5cb116e8b2b85
SHA1 775b1d6356eaf5d0f5b68897f469df1536345098
SHA256 cfcdfa61cc40b5cd18bbfcc91642483f69756a779b114cd49f2f968706aa9c4c
SHA512 bd1ea05a301eb9795b77e5ac43aa07f0a2c0e39b339c29acae05c8c69b6dde9f1744fb178aca1b145efb28072f8e3726b91c7c39ce25516eb1fd7707e53c4dbf

memory/2060-524-0x0000000002350000-0x00000000023F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wkIq.exe

MD5 361aa9754172f49d3dc958bedfb97c77
SHA1 0127f7db389930e75a3c506117709d6340447962
SHA256 7e37afc1e147b0f3215dcdbb944da14aea70fae4d55fc2a6c6ce07554236cc09
SHA512 5024fe9356a01726d2f7bcf465f40c946ace095936dd5e379069aafff90c4e32305a745060ca98ad19943ec69bcfe05d1f2e3cf46b9d07d84d2917db2bf2e211

memory/2968-533-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SYUS.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\moYK.exe

MD5 c4e64077dd5fcc9ca75ccd0bd8093d4f
SHA1 3a31f30be594e6cb871756e975972f2404c6c9ef
SHA256 500f4198b16e75bd31497c86d9028b9e519bdb42e44c9b0af966ef567092c7c2
SHA512 9d4bceda6badcec4e5bae5b42cfdc44795198c836218ce75c0780ad21d85c3353b3548c2fb73db2556d935b3e164bad238c490e35e09c06ff2666d06b1d423ff

C:\Users\Admin\AppData\Local\Temp\YIQo.exe

MD5 5d9fc3d5fdb43384796e1fc85162c7a1
SHA512 597e1d5b035bb05c3fe0cd86fdafde71d6a091f8c9276c4c1b7f10ef68fe0aa7f0661023eaa47ba69fc6612b7e01c06c5263ef72a73e2c668a16f3f53ac32c3a

C:\Users\Admin\AppData\Local\Temp\EsEE.exe

MD5 de8754f8c9e0c69d44582d9f8386501b
SHA1 c337ca0ed8fd8c00cdec979411600b50d697aa70
SHA256 3bbda15ab6c9ce3604950fd383877e4ee7c8d90be290b6f4b3a902d312d0d508
SHA512 391f0a7204bdec33b61f991b07df0ff53949d19b41d6e6904c98e474ed597d2de7be68c7cf504f2d65d99d8dc26d9da780c630b8f79221a5ee08e40bb5d13636

C:\Users\Admin\AppData\Local\Temp\CYoq.exe

MD5 d704827b0a36fc98bdbf57aee8ef486a
SHA1 2a3086b232e0cae808ab2fa01c468ef38fd797e6
SHA256 6ac8f1b1ac8e2dfb20b16bcf093e019c6a19aae81b49e09f918cea9ecc0e8967
SHA512 1b23e085459e9df56bd38326f468b05a633f042a083345ff762089472b0c775c08f1e0cce9589a275c038b0fc33932cad49c2fb367da0644381f18616b4e5928

C:\Users\Admin\AppData\Local\Temp\XuwsEAks.bat

MD5 5ae3981c40b696c03538d652526a48c7
SHA1 dded64ecb3c60e5e23d7376a4f27246f672a0e3b
SHA256 c2f7e5f9525da7880595008f65f5b7e75552da33f52093e338468e26fad0a863
SHA512 6546dd24bdf2e814a32614acac324538e75fbf4eff1477f8d3586d08dcf36ab51b48acd7f175b7636ba0cacd6623412a5ea3b479fbbc9469e7e3fb804d1150e7

C:\Users\Admin\AppData\Local\Temp\AEcS.exe

MD5 c6d5969690964ec85a496e53e0941cad
SHA1 420399752b525e75d1566a3646ad131bdf256574
SHA256 82ae789dae356eb2fe8d9be8da8fc5a18863c7481d0a8d679c7d3c6baf9a9a71
SHA512 7ee54eaa2f452fe95b9a6d3c7562ba659eed07a07fe20348158da36b5f34c2b1075abb9d860d3d232cbf5731ae3b53bb22481328549a25fa8a5eb10dfbd749f9

C:\Users\Admin\AppData\Local\Temp\KAIw.exe

MD5 0f641bdf280777c580a9f95569f7d8d3
SHA1 9f4023528841bea2a0f2bb176064e65c19c339e0
SHA256 2ab7d9df407173c1bc8246acf177579dddbccc0d22958503696a6003fddce7a8
SHA512 e2cc22c4754720efc6a7fbe60ad6dc27ebe8e0d5108c34ca83b5b92745c409f6a2277253f8387b1ce36daa7a529126ad200e37bd713a34105e745847b1028314

C:\Users\Admin\AppData\Local\Temp\mQsM.exe

MD5 da324425a687ddfae4a828623535c11b
SHA1 9da3928049fc7c7cc0c4eedb8832b7bd15009b3b
SHA256 c860485326c285fe68848d283b3fecaea1f63239877e4517e27d1be6af80f484
SHA512 f739871463d659492f5940080147c112b03163c58e64ddb72fdb2dc9ad246b816839b4bd019a9feda984d2cdfbcf3e463297c4443ba27abe69d4b31147acfc32

C:\Users\Admin\AppData\Local\Temp\qQoA.exe

MD5 026b275b9593cb2a62a96332ce720e08
SHA1 e3f91d37361c6acf0456e83842bcaf1055173c38
SHA256 4fbb7ed46994a31eb9d15b2366d4c4cb1e13ca8528c4da89892d9aefef8f7869
SHA512 16350b9f0390d9d133146424bff7b5f2ffe2388c6f2652f076d43961dfc2c976e4644837ecf3382b38141342919bf6914f5037e8f853397c9efe2e2b02aa4b38

C:\Users\Admin\AppData\Local\Temp\qYUYIgoU.bat

MD5 dbd6a0cf11f2e7b60dbde6ee9456c0d3
SHA1 4dc1a079c97ed0ad1dd7e5036f7b23e4ac45f3f6
SHA256 25af3ec2c522df740874ffafb10028ebf8bbe72e6e1a93fc9412ffad5cdf0be3
SHA512 47daa0d17eff30c888c1968503bd0a75211d6607cdfa39cb349b48a7131de05da20d00c9e8bb6bac4e5b4f651e8faf029c1d0d07408a3173013fa3a114444a67

C:\Users\Admin\AppData\Local\Temp\SYEk.exe

MD5 729dc741754b414b8b9f8f6154afd4b4
SHA1 d25861df24a4c028bd832a80a800d1d4e1f959fc
SHA256 9228d01a616586adc654dacae4bb25cd09cc546b16b14c5c045b9663493ae13c
SHA512 06d804000c61aaef1b8935aec433f84f02d225de9e81cdb6bdfa1186d5df6a0c454ee1bbf57abdb7b043e7652d07fbb78fd86630387785331549fb74b3537100

C:\Users\Admin\AppData\Local\Temp\qQse.exe

MD5 1983fdd6a15724f304ed05e5b997b39e
SHA1 d456286b7ba236eac3bf388ca1cc835ca27c0f5c
SHA256 07cc7b47d29e55830f7b635426e57ab471c323ca5324a11524f8bb976229a17d
SHA512 204061cd7e8bbed8080e4a3bccd86202b69bb441e0f7cd7ee6b8a32aac511de6b67552d4c0ef1b6145d11c70a0e9512120a4f943daaad7df5a3fd6f82ce80682

C:\Users\Admin\AppData\Local\Temp\IssS.exe

MD5 83ff3a2e309a36be9527a285b353c96b
SHA1 6eeece7a9c61b2c2e66a717b09620365bef735af
SHA256 41647185b275406287909d363309e7df52dca8b46c7c0030fa279f0b13f5a8cd
SHA512 f81d0158028b6cc2c45067c060e66c0d11eecd05b777c98123fed05d881061f5ecda10a2b2926b8fad4550081cc5d70447415a6220802b31390f375abb4f9a4b

C:\Users\Admin\AppData\Local\Temp\oGkYIgUw.bat

MD5 f83b8c955b14a37c6c56f7195d1a3af1
SHA1 4e7b91e477b5d4a32c7349f40208c7c6b6ec2a37
SHA256 eafcca2b578893d9113e1f4b0c419395e9273647e0800d981798d7380e558056
SHA512 7fe1465ecd1ea366349a788ef63674bb135d3fa35a3a69bdac53c8431f29dd29181214e3979158aadc9007976073eeb332b0ff0fd5b3bc017a1c0c278cfb9b3b

C:\Users\Admin\AppData\Local\Temp\cgEi.exe

MD5 d0263af5c15236422e0e3a03e898f05d
SHA1 ea7ce2bce79227f7f64aa4056fd2cf7e39babcb6
SHA256 39bdc3988cdeb5b1f3fc51ea7aa1dbc523da263316fa0cb0f3a59298726fa3ac
SHA512 3ad166e3dca89ed519e7470fd0a31e5a308a698bd65dffd5f690f9313a4446ae4182dbcdf1c495f51cebb651dfc7593a3fd2760dbba982bd964f556bbe02257a

C:\Users\Admin\AppData\Local\Temp\QMAo.exe

MD5 af20ff7738dfe2eecbf77d93148b0838
SHA1 881838914f244f55e6cc717ba34f758e75603a11
SHA256 dd5fb916c6f4f50a56c016e479e00a58990dadea01e98713a7a5c17d8d7bef42
SHA512 30b72a2fc61cf12e0f05dd81eb75d6e87b25a33fecf9556298689324ddf9396799f868f21da8636f7b1b5e40f2007e71fa43b87b8d3bf383ddd41c1acbbdee31

C:\Users\Admin\AppData\Local\Temp\IoQE.exe

MD5 46f2268bb97598805b61cfdf8fa50508
SHA1 b628ccc291e61dcd0a53e33fe4afe00221815219
SHA256 1d96321e403f66582b1c47e7c3220d67f2284118fd917df8ee9f7993ca267096
SHA512 d1e5b390b68f6e62491be5d75000c7a545c66e347792f06d47a6cfb25e717249862b143914fb985bf49b9c2ae53679f32cbecdef21f050b39e2dfeabeba462b4

C:\Users\Admin\AppData\Local\Temp\QocK.exe

MD5 6321513f48a8dd037f9517e33b92a64f
SHA1 9b4d5978fac00a43e66f146652d88f9faa4e261c
SHA256 92588819b5f19261b61464ad99df4962ee3ae8df5113219dbb45262810f8a9ec
SHA512 4039dd5cc7ca6f6e1f35673857c22bc41d728c2b1cb4567e340203c0f1a46a1ad328f9ac33ee841d148c71de8bcb8f680d01c1d3bf7f910e345eca7f09ac878d

C:\Users\Admin\AppData\Local\Temp\kuwsIUwc.bat

MD5 93b3e192eed699f86a155a4d96211aa7
SHA1 65732a1aa2edd4be8dde8bfdafa5313379611d30
SHA256 56f7e3d4f3ca14aeb874f61670b0c849f35a693891395e29f093b1c7638bed32
SHA512 44f7a830af851596da684ae3980197d6aca50218877bafacbb925bb7217a4039cb2ded1b2086cb88c9768caaeb78c45c7b7e56440d1bc99b97ac34d90284150f

C:\Users\Admin\AppData\Local\Temp\KUwe.exe

MD5 0b29b4b6f49e29af302e2b9fb0fea7fb
SHA1 5adf000c42dedaf6e9aeb9bfc441589080c6207f
SHA256 1f213faed6c1e95e0cbc6867be918eb4c69eab4a0cf146627d1a2e574a1faf64
SHA512 0a8a06f2d869943a40526c57bcc41371e4b8d3eb56df26e65c3b4a048c629a9c5983d88061c4c3a5250cc8ac347a080ecb600d83f4e0a9215af25946f2bdda27

C:\Users\Admin\AppData\Local\Temp\UIEA.exe

MD5 17fde31fc02a385400a6cfa19d3d6c01
SHA1 e8a9696c28559a386ad25e95b2d32e9b9979a4e7
SHA256 051bd333f9f10b2538a9b9ed5045e347389989b10bf4b8e2909742254107122a
SHA512 50f060bea65e499c76eaad53159207845225a3cb4b423fd575502d8fa07bda76dce8e9f400c1c49373c93c5bd11ba0098981d5d2dae50d1340deaef86ed93c75

C:\Users\Admin\AppData\Local\Temp\Kgcq.exe

MD5 579cfa7378512fd326370917e593f3c0
SHA1 191f71b8188c852966b93aa95d389ff13f960f31
SHA256 532f6e6c309a74544e840f928eab4afb398ca0afdf62323b7e8959bf18f76334
SHA512 6f4410df062fadfc49909267ed8fe7eb5b7f2d226aef0ed57c5f985b78f6ac50c92f59d4b9e6c741140687baf9cc677632e1659188500d3988dd48a8c4907c08

C:\Users\Admin\AppData\Local\Temp\CUgI.exe

MD5 b016dbb68c3bffb48dc7ec6d95d7a99f
SHA1 9894cd78ea30046d6e76a1f0b900ba74d91d0c8b
SHA256 f476f2aef03de6add377554bc8576969e7fc1022468498484bac9cb113bbd10b
SHA512 39b140c6335d847f71624d03d48fcb449214b6c1551e2ae7e33a565e9d45309721c616f251f61987535471eb1591727ccf141504e1ea657a917ef85f4c290645

C:\Users\Admin\AppData\Local\Temp\kugwsAoU.bat

MD5 2a754d685464f479bad13ca10a61dd30
SHA1 ae7f9e82ff1f6fa232e3ffcb2459a944d01b5cff
SHA256 4e76a32e76173384b99ece2930847aaed68ee30099ecd2c640527b5d3cabf67d
SHA512 05e4a834745c15bb3bc2b30a99ab70d3d814829d3cc8619dc110e4667994e356a44258cac3d4b2b0fa92d2f08f2ea999048c84463fd23631394e11d33c3305da

C:\Users\Admin\AppData\Local\Temp\UQQy.exe

MD5 ae3859f7ca1eceb445531120d5767b89
SHA1 0f6a0430c0eda447284fac5a984bc3e03659ec2b
SHA256 2c9ac7766b8bc259bf6daadd2e9e968c26801ec6fc78d6e2029efb775b904967
SHA512 6c258147c5ea7705d59edcf61257a9e036760028fab9d0dcaeedaff1198374c6aaa0a4429c59a3dc7a77dd8508afd54265f9172239fc4b6116ed56d06cf7b2bb

C:\Users\Admin\AppData\Local\Temp\yUgE.exe

MD5 a929d34be61406b1024dee8c5f3d4d30
SHA1 9608e1d6aa546ac43b22ced972f6ec51c407b1b6
SHA256 2cd14db885f1f27601daa6ab4c8fb085d4f5e9a39e88f551ceac8015de6026b4
SHA512 633a9ba45c5fe1d8ccc651f253f852e0f56d83c9d1785953010279441322be237ca4680f49bbc75f4fd5ace888c729f66360dc21e2cb2edf5fe06b9a2b0dab36

C:\Users\Admin\AppData\Local\Temp\veUQocgM.bat

MD5 9c4ef170cd06f5c5f2e7f691252e5a39
SHA1 185181b90e4eb1621bf83eaa768fa52d3cf2595f
SHA256 af10d7449bdd7582408f8acc8e0b91683852e0d4c1210e5420b507aaa056ca71
SHA512 f967a214c8826a77074e60284196f59db2b8bc16dcf19b8f4aaa50e9ac45772d62230d9107770d6ffa1a243d88dcc871b85fc65a8597d0ffc22ccdf56a85a235

C:\Users\Admin\AppData\Local\Temp\EUUc.exe

MD5 38cec4888dd80784112a158d09baa189
SHA1 c971e6f5c798a47db4be82070ed3fc422c12c189
SHA256 9d732366961bf9d658ac8efa52660d6ba0faa5c0057887ed98300e23812cd9f6
SHA512 c3faa6a67aaac248624ae55ca61a19ac4a9d9c3b743503ab6925a4fc8bfba2208eab552adedcc8980d6d56faf66a3fe4e73e894f5b4855483a8c3ff8c3caeeb9

C:\Users\Admin\AppData\Local\Temp\gAgo.exe

MD5 154ff772ab3dfa98c871ea5baab8c362
SHA1 5394c5c0a74bd0860f6933fc6a705867520aba44
SHA256 f3afee40a177601c81d1772153acc09e5734458718e5e7a70747e77a388ed2d5
SHA512 5abb95e3a3e9073ca43240ed872938175c9750936a768c2239b5f58cd31d0a0324db3f2bc4bbcc5af4914afd98a46954bdf2395b438b2188e047789c70e7d265

C:\Users\Admin\AppData\Local\Temp\mAwg.exe

MD5 b8f7651f3a09a1b3a933747b02890d39
SHA1 5c90951c42d0ea9a519553eef5bfc5549d938510
SHA256 9eb3ae54768d53b3c390dc763a71b725a1bbd077fc85071ef784354fea3ef3b7
SHA512 197b6d9a5674b5f5c4a14c9c5138231cd178b72828950d0f537c00b31e085092ce94abe3f9f9b4644247176e4e6fd478c5fb1c77320f0b093f84d7eea614f2a5

C:\Users\Admin\AppData\Local\Temp\JCsgMEYU.bat

MD5 ad3d7ab8dd64c35038816f241cd6a9c5
SHA1 36f632168c76ebaf3e00a189c11bc1199497057e
SHA256 b4b9cbc7863a835b6efff58e4b1399395c360202847fdf99b8a22e35d39343f7
SHA512 271a09a38f3c633d5931fd121ee92e9e7d8aebceff98edc21c6fbd94bebab14b3142db77d5e5c932a57066560495af0d8d721be96bedffbf8f175bdb0dfcdd20

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 12da0a91abaed979e89700966ab01a94
SHA1 2b819bc1abb09a8d4d67019204e19befec75f489
SHA256 106ce666ebf436c452780a958aa122faa183b61bbdf941d175fb22525bc511ef
SHA512 2b5dad746b9425b1655f7415c8443587eaba8856e8b947c64ead714b1b4337c79c301ed0e837411aa7fb82d0947efdb26d47bada83486e83973031f5c332fd0f

C:\Users\Admin\AppData\Local\Temp\kQsC.exe

MD5 3984380b41a0a415306a837408e4fb0b
SHA1 ab081f7a8910d55d6febd62409320e64d24b52ee
SHA256 62a38725eb4e291dca0777f0054b90d3db1a1ba776a23b4d2891adeb3cf45509
SHA512 31d20e4d7270884953992b6710a588ac119c8e831e14b2f0290403c08f033c321d36039df169fcd87062c14e7e8b90f8b51745efec01af25cd02d0ba77d6f245

C:\Users\Admin\AppData\Local\Temp\McwK.exe

MD5 327320fbc62d190d7b3e2da25cfaa2dd
SHA1 148005a9fd7c3d2e8a4a20ea59174bf183cd581e
SHA256 d7ea21671aa347b6705bf0d16caaae4efa5e9f0b65b3545a86a1dd96ca1ffa84
SHA512 66be38aff3511c387533c2d4b2b402a022600c85fca6f81d1744b57a21dbd5cd462ef7def14431d4ef25f5303d7aa83e8186af8fb99f44ad9ea722ae4179843b

C:\Users\Admin\AppData\Local\Temp\yAga.exe

MD5 f1dbfe3a1e9df118813c88ffcbb89eb8
SHA1 d89b23fd0a5905c8396ed1f376f957381ffc73f6
SHA256 514e7659f4fb0036712815f095a2cc21b5302b987c3495be19afdf16277fdd74
SHA512 171758f97b4f488cee7e78f90809b3490e8ea0b2db714afdac50e9d8c93e7584da35f122656abf99d0a42c07400c5e0f6b1013e916298d9c9c1eaed82014e656

C:\Users\Admin\AppData\Local\Temp\faMUkUIQ.bat

MD5 4e4286164e80a9a933b22a52e10bb35d
SHA1 5a6717cb0501dc3b41aa3b22e97d0d49eaf2000d
SHA256 6e08e7d9e7a7618b62dc9c3f4f0b50c59281877e196b7977282bc391aaa8f191
SHA512 fbad1585364e8b8a9357ece70966b45963022c7cc41e473097e41dd25f74de5110fddfbe2591cb4b9b336d719a36dd8862b4aefea27c6a9c4f5aa426fd34fff3

C:\Users\Admin\AppData\Local\Temp\MogG.exe

MD5 0d809c42f1950d904eba08dca5f2b0a0
SHA1 aaa9cd7e3cec6c06ee84785ba5195512d798bb32
SHA256 350449a177aa5f4a4772dab97bb1956385e9a65b0fca8923f7de811e5e5a8db7
SHA512 2dd2988f9ef74fc03bee57ccec0f1dd856361c369c9408133674cc3e8770715e7d9e30d40e5aa2d9c85a275ea27b4a68d2d36147b948df2f37ffa6a1443ad1a6

C:\Users\Admin\AppData\Local\Temp\XkcsIYgs.bat

MD5 ae669ae215b018733dbd993842554b2a
SHA1 cc7ca91f44334f13afda9a1c90dea0e625034197
SHA256 53f7ebb169c89f92e1d40fd914d3a418aa8baf1703fc51f13967c7edcb357746
SHA512 1a3aaf43cf87d572bc44a01e43a671c26d4df22f388da50f21de1f2ded532079935bd7eb371880fbeba2af216d8a90de2471734a58e238c470788e33272135e8

C:\Users\Admin\AppData\Local\Temp\YQwE.exe

MD5 24a918cf3bab925f6d4b72f8a640229e
SHA1 953d44dc746e459fe15a4a95660ba554b6f9c616
SHA256 00949f95461e79ecb9c9937c1c4c27c8fe6d8ab2fe11b81cfce6260c12532b5e
SHA512 9aca76ad8a1e0548d0e5cc982d8ef0026fde9bb720da6ff1816097a4fa59aa455f81e0dc3a47b667fd796213165fc2c81a14d567390d2efe0e5aee503f8fca6c

C:\Users\Admin\AppData\Local\Temp\UkMc.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\gckw.exe

MD5 82a032d5a5bd8f83471fdbc629a435a8
SHA1 8fdbb9a66558d331a98c3869e8890e74f1e8f921
SHA256 f3fe00c16618845d427f00d89b789e918ab5b68cf2461e3700bd841ad73d7266
SHA512 60c7b5fd267ccb56bf5d5d827ee1abc1f224bac2e988e52d2794193fc6ed7c3a4ab9dab8b4faa523e757ee13f4ddbe32a0bd63999113df9dadced73268291d32

C:\Users\Admin\AppData\Local\Temp\wiAYIsQE.bat

MD5 1482741bfcd526c1d057ed001c6137ff
SHA1 0597209d339fd6030d4fe47184106eee23ce938a
SHA256 18e86af993505ce9f4e13b8d5c945d9fe364f614269c51fbda3359013a063015
SHA512 6b1aa9a9df8c17a04d0a5e0c381844690ef4344c04ff677645f1cf5105371739ee1c3dfd851e5da932c838b9e1e2a544d6f353294eb273ba1c85489cfb4a3fb4

C:\Users\Admin\AppData\Local\Temp\uIUY.exe

MD5 f2531ebdb9470c53d3f753c5921a930b
SHA1 2748ce0f66a435e713d7276e37db3e44b287a6b3
SHA256 f556a1383eeedccf8f3774a783bcea233c496924e26c17d8c807a20f835ccde9
SHA512 7ded4500adf2ba8e2da5bd0b5e5b5a06670e41dd1d1627cf32f48dd8ded0a93003db0cdc94a957d08e1f372abcc8de54b47481a5cf19de13ef7cef9f2c3c0367

C:\Users\Admin\AppData\Local\Temp\AgYk.exe

MD5 68d18df8e8b6a320f9d1d011d4fc38bf
SHA1 4138590be31110488ed0487e4fe7edf3ae49dcc8
SHA256 f9557bba0426ffe1bd2cc4d00eb1033a86355b43bae4816af1ae302243833bd6
SHA512 831bd0b2d445db581e2d4e0c658bb00fa7e24ba8b3fc406543012c62f4e59f795189e8fc0b0e0e9908143133f0906f7013517dbd41218686177a7c6b3cc1ba1b

C:\Users\Admin\AppData\Local\Temp\IocO.exe

MD5 cdd058b7d569fa2787326d2b1f7025f9
SHA1 2f4de810039bb5e2f1642a5b58f43fdd4977f65f
SHA256 a57305732ef07802f9baf3bd4e3c252c5ee92c93b28e1bf95cebe8f012a1fd41
SHA512 69777cb786ca6bbbaeb71f7c5be8b1434de2bf06305950729d03036c2e41f2f639de4a09bfea261a725001817d87fd976c1bd8b065b908a1855b01dc98ceb432

C:\Users\Admin\AppData\Local\Temp\cssM.exe

MD5 c2f93b22acd957a1fb094ecb10b7b8cc
SHA1 0deffa2ffa7ba2d8f661f6fa78feda007ca0627c
SHA256 6dd077136b1d21dd96f309fdfff95ba7e72c6b6099a1d4acf2caeedd1213ae20
SHA512 998883e7901690236f34e504dc7a827360b0a675c2beec2b3337c5266b85c41a6a9d0ea30d9751d6eca1f8411e53f516794104902469005a6cbb022cb9a63ee9

C:\Users\Admin\AppData\Local\Temp\ggwQIsMc.bat

MD5 ad2b70ceb47c86fdc9f97f7d7d749ea2
SHA1 16b18691f32c03e32b97373d3be68df6e58aa7fb
SHA256 ca9fe5362a280120ada17fbd8bdbcdb66e031bd2b3c94429672add0c532692e4
SHA512 7a05fd990a29591ab8d8e1cef3f7bdaa8192346a6fb34b426fe73d274a8fa51028437af29296f905c04001c6f8664982843c539a6e7544b5d6e5ec9b4e108ad5

C:\Users\Admin\AppData\Local\Temp\AUgM.exe

MD5 03535b24d04d3529f27f64ea34b8f91a
SHA1 d56d5b4ac28f230045389deb97519d7653be5456
SHA256 16aa56265614d3dfb623882ba992a706fde708901abdd72482023f133fe139c6
SHA512 39fa96fc058311d2c58f5a8236b87ed3b91aa2b4fd6d609c9c252debbec6092a6b165545c59a22cc01fdf0323876a30fd6ada1416a731f96ad3c7bc95628e1e8

C:\Users\Admin\AppData\Local\Temp\IIUE.exe

MD5 058d7426dbfaa0f125f46f267726f359
SHA1 933e69a51b7639a6af9b18740fd9f0f3001766ad
SHA256 cc2613516c9f3805ccd6535b166d6ab458fd228a8d5c0b25153a326558e69138
SHA512 ef456c2b8446fefcac48e32597b0e3c62ab0c8258f5ea98721058e373986bf6b7125c8e52d61cfdfba8f18a74a0a7b4db9eca5ae28be9a6503e352137f4f6b07

C:\Users\Admin\AppData\Local\Temp\acYK.exe

MD5 a544dcefe42663b5e3b82156b09b11a4
SHA1 97b50b025c9d7dc6b31f7bbc57b6c9a0937aef98
SHA256 4c0494a3268980ee9a2aa09e0bb5b28deff69892994fc8111eb5a8d0b696053e
SHA512 8561fc0d020f3f4e001e129b3076aa8e9896321ad5019434ccd3dcfa2d131b662e4c52eb316a5d194048906bef56b4495fce699493c40cb657057011d5f7217a

C:\Users\Admin\AppData\Local\Temp\eUUy.exe

MD5 e616ff98b92991f5c1f5281763fce8f1
SHA1 90e4d7d0e6428046fed3e67906cef89720f6be61
SHA256 81eee545012751de4eb9392dd55ac8aef5780be560f658b948d43decfbfecc4d
SHA512 5e71dce6200306ba50206a3f339c1e7797e54b8e7143d0349e0be9a7fda78dd514cec568e9a8f97ed4c74629e6579a1bd38235b4693fd87ef492f51ab37f7d98

C:\Users\Admin\AppData\Local\Temp\UeYgskcI.bat

MD5 343efba6349cc12713449c5ef744dadc
SHA1 47460b736c378bc9b9a370718fdc1bb4bc8d8731
SHA256 f0a2e91a10fa1743e262d490deaa68e3400e9152d18453e800a6babf4a479dc8
SHA512 d2e459b4c8e9562aaf0f6cb6891ae8b03e9710b05c5c847441e44b04390e337518aac728a85a5155652ff37ecfac7f647a8e20b9ac217087b0870ec6db4ee95c

C:\Users\Admin\AppData\Local\Temp\eswkwUQA.bat

MD5 7afaa7cce64600e4a55265ee053c5f31
SHA1 754aac4dd6e85fe33a72ac5f8e819f0cc240d317
SHA256 80105d111d0476ffc7d92923b29f7ff623054383a40f81318caf2c61ede76040
SHA512 cef3df9c94694de9a531d8479c0ebc80a3febe4ccc38e7990cd86809859931863b4426644835c18cbe0bd53f17e69eecbb91e691b93183e056c40e77bc4669c4

C:\Users\Admin\AppData\Local\Temp\LekQwUMM.bat

MD5 e741afbc4d965a7aeb1513702eeb93d3
SHA1 992e5c57832636f74a811f6c7141902dfe0bebc2
SHA256 3e5d2b5f406b475103fc8f39f4ef8956281539f8852858cc618a0ea2b754cdcf
SHA512 67b3a858812b928021ca99f7c7a4c4d4f9cc428a829730f0ed8f7d15704742fd9f91a222abab2010e1efc9c535e6151cd1212da4b547636fb625ada772a03f19

C:\Users\Admin\AppData\Local\Temp\foYUYYIs.bat

MD5 a3d45ab4398bff9f78c02030f0e53457
SHA1 0633a90aa7c3f493fe4143d528b6a50143ec9efc
SHA256 0492c3a47fa36b1cfb7d4fa955fe2b9b6c3b99a3a9146b9be1b47eb13575b215
SHA512 886e29fdac39b46e3b76f14c3839c77bf02ef0a4a390ea74264c10eb9ca94bc2c497426766859beaadb3c82ea8ea1995675acf4bf2cd099a9bd7922a542d9e31

C:\Users\Admin\AppData\Local\Temp\DGQQUwME.bat

MD5 a187862e20177330e732a29d39d999a1
SHA1 ffd4382a08847bd4631fe0bca2c441fb14c6e4a4
SHA256 6666298a36d6444a7eeda6cdc58a0623dcd150e7b0e97d57e9fd247ba95ad8a5
SHA512 c87be767fe2c15d9d3a5ecc35363e073a3b7bdde1860df9ad3737530f6a0acc251d7e65f43ce8f1c9ff0ead2b8028136dc4c9754890652b9fea5e0628348d157

C:\Users\Admin\AppData\Local\Temp\qOwAwUIs.bat

MD5 2ebec76ba0d56d4e75e641716d5a6720
SHA1 9184ecc604b0f92219919dda9e4b7d72d35d9bca
SHA256 22aa83a6b3536fd49a6fccff23db085ce8a798e18d9b3cc75d0e1ff7e76fad97
SHA512 5dc0b9035832add0e41b325c56e7333cb6b59b3d0fa03bd9a5c62e265e65155376f4bfd2d0cf7007798e547b4d80e63e7cea01e43b7f557d22ff2510d25a3c4d

C:\Users\Admin\AppData\Local\Temp\UOcsQgYY.bat

MD5 ca8a9b0dcfd6187fd697f1047791b2a1
SHA1 50ad3ac14c143a730f78ce3757610d5b45ca6b27
SHA256 e09520e6a54c914e16c3c5dad84d721fdaed895ab71cde947fb126ea95717ebe
SHA512 7110d47e2485fa2de09ccc6d345b387db65c9fa853d5b5e2128a49f463e8f50d15f4c48ff8a6952b8e71ef498af4a3041f684cd7fda1ca76dbdd2606027c9b26

C:\Users\Admin\AppData\Local\Temp\oaIkgQAo.bat

MD5 d7729145a91ccfa811204e146b11c9c6
SHA1 42a409afc3f44519a27d88ef94b0274bafb8894c
SHA256 f4110f4016765e0721647c6ea5773c9c74c592576e77d6a32cb4fc07ade1df2b
SHA512 9c45087a204705e0ae4e4e838e9b40f14dfa7d3a6945ddd75d9896753dfd783498a60863d0d562482f872292eb1b932b62dbb0dee9fffef0fdc776634299deb5

C:\Users\Admin\AppData\Local\Temp\bCkwIkwc.bat

MD5 d62c2880b7d7b12e7e02eecd032f26cf
SHA1 ac0c94c48a900f981f39d3ab8ad972d3db14e782
SHA256 81f834bfda6a27bbe77d32054efac38f55c067d2eeb9f78aa0953972cbdc9094
SHA512 38665721777d8336502d6e6ec3b221745b360853aec280bc0b60cc61df97539e6ad21bda2dd607cdd3e162c22151c8d5740a11f9ef1938d2e81ee60e685ec7eb

C:\Users\Admin\AppData\Local\Temp\nAEEIokw.bat

MD5 a568851cd9275b707a0eb182448bf0e9
SHA1 2d2ed5b8bd2c90e5b474bf348a0c3c72907d70f6
SHA256 88e1ac5c23d1cb532cbf3235f2b8a8936c36f4b4cef6d93812b4e7154e42a228
SHA512 313e512e900db0959b56ffd8d29ca1ebf84a06fe94ad3f25cd5714c203d7f3492364248d4e3c685d9e388a76644bb0150e5c99b2da873ef3a0e28264fc34adf9
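The dropped-file listing above is long enough that it is better processed mechanically than by eye. The Python below is an added example, not part of the sandbox report or its tooling: it parses an excerpt of this exact listing (paths and digests copied from the entries above), refuses to put any entry with a truncated or missing digest into a blocklist, and flags the Virlock-style infected host files, the ones that keep their original extension and gain a trailing `.exe` (usertile14.bmp.exe and usertile40.bmp.exe under ProgramData). The `Constructed.exe` entry with a short SHA256 is constructed to exercise the validator, and the double-extension heuristic is an assumption of this example rather than a rule stated by the report.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Excerpt of the dropped-file section of this report. The first five entries are
# copied from the report; the last one (Constructed.exe) is constructed with a
# truncated SHA256 and no SHA512 so the validator has something to reject.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\VcAUwkow.bat

MD5 0aec67e00794649e7c108c73ba12e721
SHA1 bb44b604fc909bc0f015309ea6fc4d6013628207
SHA256 54087cdeef39e58a39710db92404786080a40f7a205e0512ad1a939e69537b1c
SHA512 e591d10da12332f52f2c769c90285df9e74cf452301d02661b4e395bbabed83114fbf2a9d0f8cf4d247c69437f134fbfe3bd5f26d091343719a80d81e45f777f

C:\Users\Admin\AppData\Local\Temp\CIoe.exe

MD5 da4ee494ce8368788f4ca3e68a3b725f
SHA1 78a4650b6da7bb3ef6a2f82225eeab7c3af32fd0
SHA256 04725d03c573c4e4e3dc555f70225e6ab369fbb1116e6db364d3102e3f7570a7
SHA512 f65d91fad53f0b46a18d180a1b7dbe9ec1e8b438ca3c4b777b8f7d4253bf9875b4a8ad2d6148ce9b20620ee994c8a0c141720333f2ab41f5c10740443fdd5545

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 349a3f3751e538fe519b1aba4d930f98
SHA1 c78cae88ed9fe91fa7c47b370437e9437f981a0b
SHA256 035080d2b113c9468623c72a4d4fc2050cf62ffbe627e50209a932b7ef8e934e
SHA512 bd4394c3a2c704a03f673874b72afaddaa931093d7c79ef61e32e1a2244266da2fb9966d96246e288e49cf522c821f476b8cf8e9d5fcd2cab5de0d46d4245da9

C:\Users\Admin\AppData\Local\Temp\UkMc.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 12da0a91abaed979e89700966ab01a94
SHA1 2b819bc1abb09a8d4d67019204e19befec75f489
SHA256 106ce666ebf436c452780a958aa122faa183b61bbdf941d175fb22525bc511ef
SHA512 2b5dad746b9425b1655f7415c8443587eaba8856e8b947c64ead714b1b4337c79c301ed0e837411aa7fb82d0947efdb26d47bada83486e83973031f5c332fd0f

C:\Users\Admin\AppData\Local\Temp\Constructed.exe

MD5 00112233445566778899aabbccddeeff
SHA1 0123456789abcdef0123456789abcdef01234567
SHA256 deadbeef
"""

# Hex length each digest must have; anything else is truncated or mangled.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)\s*$")

# Assumed heuristic for a Virlock-style infected host file: the original
# extension survives and ".exe" is appended (usertile14.bmp.exe). A plain
# "x.exe" or "x.exe.exe" does not match.
DOUBLE_EXT = re.compile(r"\.(?!exe\.)[a-z0-9]{2,5}\.exe$", re.IGNORECASE)


@dataclass
class DroppedFile:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)


def parse_dropped_files(text: str) -> List[DroppedFile]:
    """Turn the report's 'path / blank / digest lines' layout into records."""
    records: List[DroppedFile] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m is None:
            current = DroppedFile(path=line)   # any non-digest line starts a new entry
            records.append(current)
        elif current is not None:
            current.hashes[m.group(1).upper()] = m.group(2).lower()
    return records


def validate_hashes(records: List[DroppedFile]) -> Dict[str, List[str]]:
    """Map each path with a missing or wrong-length digest to its problems."""
    problems: Dict[str, List[str]] = {}
    for rec in records:
        msgs = []
        for algo, want in HASH_LENGTHS.items():
            got = rec.hashes.get(algo)
            if got is None:
                msgs.append(f"missing {algo}")
            elif len(got) != want:
                msgs.append(f"{algo} has {len(got)} hex chars, expected {want}")
        if msgs:
            problems[rec.path] = msgs
    return problems


def infected_files(records: List[DroppedFile]) -> List[str]:
    """Paths whose file name carries the double-extension infection pattern."""
    return [r.path for r in records
            if DOUBLE_EXT.search(re.split(r"[\\/]", r.path)[-1])]


def blocklist(records: List[DroppedFile], algo: str = "SHA256") -> List[str]:
    """Sorted digests of every entry that passed validation."""
    rejected = validate_hashes(records)
    return sorted({r.hashes[algo] for r in records if r.path not in rejected})


if __name__ == "__main__":
    recs = parse_dropped_files(REPORT_EXCERPT)
    print(f"{len(recs)} dropped files parsed")
    for p in infected_files(recs):
        print("Virlock-style infected host file:", p)
    for p, msgs in validate_hashes(recs).items():
        print("rejected from blocklist:", p, "->", "; ".join(msgs))
    for h in blocklist(recs):
        print("sha256:", h)
```

Feed the whole "Files" section of the report to `parse_dropped_files` to get the full list; the validator matters because a digest copied with a missing character will silently never match anything on an EDR blocklist, and the double-extension check is the quickest way to separate Virlock's dropped loaders in Temp from the legitimate files it has infected elsewhere on disk.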