Malware Analysis Report

2025-06-16 06:53

Sample ID 241104-c7jlbs1gmh
Target 2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
SHA256 a5d67b8afb9232fb83bc663391f1156bcb674e7af3654e9f394e64517256ee1a
Tags
discovery evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a5d67b8afb9232fb83bc663391f1156bcb674e7af3654e9f394e64517256ee1a

Threat Level: Known bad

The file 2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (83) files with added filename extension

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Deletes itself

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 02:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 02:42

Reported

2024-11-04 02:45

Platform

win7-20241010-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\ProgramData\deQcUYkA\oisAcQIo.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oisAcQIo.exe = "C:\\ProgramData\\deQcUYkA\\oisAcQIo.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuokMwQA.exe = "C:\\Users\\Admin\\uQwwYssY\\fuokMwQA.exe" C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oisAcQIo.exe = "C:\\ProgramData\\deQcUYkA\\oisAcQIo.exe" C:\ProgramData\deQcUYkA\oisAcQIo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuokMwQA.exe = "C:\\Users\\Admin\\uQwwYssY\\fuokMwQA.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\ProgramData\deQcUYkA\oisAcQIo.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A
N/A N/A C:\Users\Admin\uQwwYssY\fuokMwQA.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1064 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Users\Admin\uQwwYssY\fuokMwQA.exe
PID 1064 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Users\Admin\uQwwYssY\fuokMwQA.exe
PID 1064 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Users\Admin\uQwwYssY\fuokMwQA.exe
PID 1064 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Users\Admin\uQwwYssY\fuokMwQA.exe
PID 1064 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\ProgramData\deQcUYkA\oisAcQIo.exe
PID 1064 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\ProgramData\deQcUYkA\oisAcQIo.exe
PID 1064 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\ProgramData\deQcUYkA\oisAcQIo.exe
PID 1064 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\ProgramData\deQcUYkA\oisAcQIo.exe
PID 1064 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
PID 2752 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
PID 2752 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
PID 2752 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
PID 1064 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1064 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1064 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1064 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1064 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1064 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1064 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1064 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1064 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1064 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1064 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1064 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1064 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\system32\conhost.exe
PID 2848 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\system32\conhost.exe
PID 2848 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\system32\conhost.exe
PID 2848 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\system32\conhost.exe
PID 2704 wrote to memory of 580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2704 wrote to memory of 580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2704 wrote to memory of 580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2704 wrote to memory of 580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2848 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1672 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe
PID 1672 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe
PID 1672 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe
PID 1672 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe
PID 2848 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
PID 2660 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
PID 2660 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
PID 2660 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe"

C:\Users\Admin\uQwwYssY\fuokMwQA.exe

"C:\Users\Admin\uQwwYssY\fuokMwQA.exe"

C:\ProgramData\deQcUYkA\oisAcQIo.exe

"C:\ProgramData\deQcUYkA\oisAcQIo.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OMkMooow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uwQoUkcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DsoksYYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lMMoEIoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vCUsMIcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZMQYEUsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "14932728641467514138-205602193665570017100880403183119889-1087818994458105268"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HcUYUYsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BecUMMMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KEUcYQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-46939207-781411805-5892886841992105770880779440-1303059718-8382074891345423306"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AMcwcoQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "3971202406358612811987235153580885667-1643063989-17341747705642550391401975424"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mEIcoggo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MyksIIwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EGgAgQMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wyUckQIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xwUAksYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\twEMYgoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PaIcwgwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "8376044542079045834853452266-229110827-450551430-10742463618200623741957326616"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VwYIcMQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1161383528-8156688991013165193602941478-1856001242746601975397426929-1429237585"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GgMkUIYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wAAYocIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-206718582-264878898-10108525482092451512320189081-21225333941821590904704406212"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1497616011-964222482-186200841-4637779087904956576728394-512779111178608661"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YQwQgYoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AGgcgIoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eUkcIMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OCAggkIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TokEAYQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2138062487-594979514741608082-2045167221-1828202307969667455-85113900595818904"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nmIcMQUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HUEsAIcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1892992993608353935984647558116559069819924965601599973850708965727-1062792586"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tCkMwQss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "663879068-21282464842134430312165928234-340916011-1140032152-621497999-1311015630"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EokYwgAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "6550456621684173319-1760146177-1662639372-2001302591-338526274-1391919112-1888457555"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YikQwEMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KyAUYEok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WoccUskM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\icYkEsQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HGowwYIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xSQUYcog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XigAMogk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BAwIQMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1116302735-211548672-1185949739-2130050873408088059-51855742863523841254914278"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1884563626-18841445933064445771094941757148847083-1721701396-313700848-1644502807"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NwUswMgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EGAIMUMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CmMMQsgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cEYUksAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CEowEcQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-644079061487747681939689717-376655163-30566689-934334039-219493830-206943592"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wOcIQksk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "425069173-3460543-3467000241280253477297651352-1269683848-320898690-993661807"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "14984056051629135268-1672928652-1962855405-77218443-15129832091146416798-1655834774"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eQYkQsog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "689447349169734398918360982969742710341039908529-3690970893569461381708268302"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\liMIQscY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-110267257-153608372516050318352800643161813593764370372395647042973-1075351013"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fCwMoows.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "23592277-1250302504-1234454147-69192797-743755741-938854262-10088547661945209418"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2122355546600918189-1317105912-628978244379793604-19471131541035462602-2067019041"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rUEQYAcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-56860307474972008011748909183150226431541840684189500651625232815276624921"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NIoocQkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "514211914-18098096331083479821-1223115333-12242571616636087191760373197-1893099601"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RAkYUEwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-104845726571439053671974441520152046691732240263-20927652534705727641266793984"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1773588934-1558681291454770402199155448-610562062-5223091171863409987664989018"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "4142502421980395266478756476456202661-12963701181043026589-1000537349390899478"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-615448818507072026164472463014326813891743744566-667712911552163218330368993"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LsUMUQgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-9500418271085887660-1775164546463361654-237174030262245442-3047706601662520649"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\smcIUwAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "457263549374091603-7208204161339396844899552201955005842-11584013861491669943"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1913248762-18866840971253541629-391485089-1097371363357609349-94610987682991704"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UgcgkEIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1125176217-1094153383-2125835821403176223-1828515576218198532-1821562604-1211377842"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1360308085-87479593489714781874031601-12128506891060587139-1230637491164877871"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-24683528586493001412762247161583470932-72229534015939083794784049701022664419"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eIcIQsYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "156418717317642325481063039664316095959-2046945035-2267572011355193491-1954595420"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-628715301097148886183782572212555715104571420581302854284574709179304190614"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QkcAgkcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "38266161-84305008917298520801531726486-1634652320276960406689863611-113718903"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GGkMQgcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "910121990-2069797105-515476095201499283855225014-10823322841618152621-1990931675"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1335466991148491760-750226663-1868455466-21061802521323182097-4377189271183474765"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-275269675-532413763-1469180970-1465412325-21205732261418729802-9437590941154713205"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RqYUYscg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-285545042872627443-909840795-220551454-1900147695215807814-13145260381981016334"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xyMYMwAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "316794083-8741547142810736557798960582045965189941497871-2909633031990879622"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DuAMEcsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1361479000901570966-664725831254295130382697826122230220298227-1080720519"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1207021797-925968769-1808564689-135339600817208714941394564470-5614970881024316540"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BcQcgUgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "486789739-772399170932069889104841442817297543181290135647826578005-1096841921"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1189987254-1069628007-638560381782243700133960187619237659702080346988850083803"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1037945545-369270556-18049413441632895941-1938585924-30996188564975288-1118636117"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GMQwMEQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "112933710713779807691848564904-103515264918773367981169080449932544136-1221623819"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1860697473-672741707-1109361910-10074365328459188301518373350-6579947281549165338"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-4303399512125969815703093193-423970345-1980479884-126979375-31938368686947772"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kgwcYooA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1384047840-106762505067627851017258248471454876351-24069194821325263311918895655"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1158572039-7886065342123226846-683643367213690594120172886192503217622112837417"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-12987691968677158951730111183-15064461271234984230-1403453246-740033140-1421131818"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uKgkUMgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1856896256-720386260110454688617465596611877060800-9904259162124173321-1433903490"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1574403427-5039707861263048282609409467-56539802828499882-1945310371-583545492"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AocUkIcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1037010886-1264734187-2051397952193595001511792567-673573975291578180-2018862271"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "319479521-640374581-3776994711082313591189916725417721004621349743583-456415731"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sAgsUsAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1153301530-911629370-786928791-21148487231324994171-1730017171489028624-126098512"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "58669177815684471251216623518-1374631913-1479697605597111453-879916036569636513"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1980446602-384161830-1145887721-1869941310184873290443642416-1031550227-1319389887"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DUAIwwcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2068794933-17678083524041183261250917988-52096557-1640627128-2098785717-30774372"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-42826528790643151319516504181601499836-6809145701327625097-8279903302006532210"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "279638189898617946-14739616795552385931297659428163752463-1954573078-1504548547"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-7172791561772140108-12377828971821882257-11681368578956129521499466786-2093410695"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nWQMMsco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-97781832852621841-721239577-52035918848737397201185938312911486561353701300"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-957799321044692411-2070687950-312813279-1737265771620649613-670021931-2120062260"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2087829143-6708941481493180671-1985831564297889439-14233265961166633910-640387835"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LKoEsYgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1589394197-806860687-757864011-1563868739-207329825516036981971896590274912226621"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1356715650121020116-365322492331371893-998823964-1393218368-11700353262051984312"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-88579906-85446004-795402116-386031098-3139911238994733901807775626-903399128"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\toEIEMQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "98761951-308821219-94712715120440983481012900491-3268804911599859533-1866845183"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "163632982717068992112134981967-4682640121179656116-8656003799622315291871054670"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2108818958328431935266821204-1749441880461020131-235469678636663764-1796605979"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-18546615331440417288134585622614777961891564625253-1100105356-1003158099-767464704"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FeYwMUIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-130627116-1062631419-1141103772-1347883724563212597864819339-910452688145641465"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "889275646-1345310837-384717526-7714752311972633382138979403177430438-1087920471"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HuYsogcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1329441254-664809586-119073913-1402374593547508166-848021071658428042-1649769811"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "460779744-283931377721119335143326564-455111247208552997579508376-1947580701"

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.200.14:80 google.com tcp
GB 142.250.200.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/1064-0-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/1064-4-0x0000000000550000-0x000000000056D000-memory.dmp

\Users\Admin\uQwwYssY\fuokMwQA.exe

MD5 62a81d6ab77141cc33425f39f8fac0c4
SHA1 4dac31bc953fb52affb5f6f26ba7f286b006a8bf
SHA256 68ef338c0ef116615cf03d61b2d5d652ad78bb38b23d899615d2fec7c12a0e44
SHA512 8ff19da8bb52f13e52a20243dfedf07ae39a5eac709ca27218bee5388068c6f9e78e587215468861da3a2b96a5fa981ac07efc95540ec3e59cb304af9e97ec34

memory/1064-17-0x0000000000550000-0x000000000056C000-memory.dmp

\ProgramData\deQcUYkA\oisAcQIo.exe

MD5 fc264a4d530485f511b00187a847ddc5
SHA1 2c9875ebda59d890d35dd61f11f6aa7cf394e025
SHA256 f8e34101af94bc33d092ed99e7c447c0af4c4d70a3334ad9600d9c68d1a1b025
SHA512 2ded2d28d505bce9d4c4691a784744996a35ddc18e72c18e8c65d99840758e9fd09b3609bc11cd40d10fe52a0b2369202b494d431bd85f4dbb0678c4a941fab4

memory/1064-13-0x0000000000550000-0x000000000056D000-memory.dmp

memory/1748-14-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AKsUswIE.bat

MD5 bfd8ac3e0ace82417f21d8c6194a8366
SHA1 9ad4329cfc5f3d4b2bd3eb8ff92780ea6bed207a
SHA256 ed61c4b0796a2d5d4d5e819e5467939dad854c04fa97564424256abe8fb39430
SHA512 b9a4c7cc1bde06c45ed0e2060533e8022d6ac0dbedf35185d1a599640f364cf57273ccbd3408a48db9864407e35a1770e0685767d38aff59d33df1872088fb59

memory/2796-26-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1064-25-0x0000000000550000-0x000000000056C000-memory.dmp

memory/2752-34-0x0000000001F80000-0x000000000203F000-memory.dmp

memory/1064-42-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OMkMooow.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

MD5 28b1acb04d8fe32baff45c1c266cce72
SHA1 8ac9f90b7db799ac7e420fabc44dead1531167d5
SHA256 7fef8984fe1b6c4a82f5daa9754035f0d1843e726a7e03c1bd1cc7e2d3ef8dc7
SHA512 d02a70bc31d875e28d742388f56fc6e180e69bb69d463d9d02fa4e1db2529b6b4d194ef5bf75d66ae51bcb2915ae7cce4f2e0a9b7dae7ffe5fab560f6d1515e9

C:\Users\Admin\AppData\Local\Temp\uUcUwoAA.bat

MD5 2ad04a13fc7b7a0fcbbfbaad8d4845e8
SHA1 ba94b44dcf7806aa3a3d2c1b8bf01cd8c4367d44
SHA256 0f2627ff40e3fa83f6cf302492ff9e0924492bd8ee0b1d65a896fb3f1bded200
SHA512 4c1ebf757e944372522f78e275f5e248c4620f7175b575d13aefb3d07c4ba2509f0ab7edb4b7b6fcdaa328d00496ccb02727db9c2d05d8be036d1e2f01e9f4ad

memory/2660-55-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2848-63-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\SgkEkcAU.bat

MD5 5824ac67feb8405b1ad63bdd1d4d69da
SHA1 771d9a2e243da59417578198988130fdbac10c81
SHA256 e459b1ad8e23e25d3dba2dda89b361bcb84acd59ec4fcbbdd24847559b53d476
SHA512 4b389b9fd2c2ecd439abaa3681e7fcfa2a5302880dcabe6f4d0a6957538e90e81d230194803702888dc65bd3cf6cbb8e08e616c847347df8b570fb715180cede

memory/2136-76-0x0000000000160000-0x000000000021F000-memory.dmp

memory/812-84-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2660-85-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xgwgsQsM.bat

MD5 72ae49ca2803e078de2aeb3ebf00340f
SHA1 e2365830fcc12dd2d1cd124b26efa8d2a2f6e65a
SHA256 49ef56e1cef501c2fcdbfc5e891a6d4a96165e4398494c7c4ce1d27fe9b619a7
SHA512 8bbf0133200d43abddee4141ee0a47bc20afd3a178873e3ea2e9e04fd7d7c5999f93fb48bc473441a02f1fb171f6de2e59f0f782379d3742a301cfa76b6304c8

memory/812-108-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2140-99-0x0000000001F20000-0x0000000001FDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PGAswQAA.bat

MD5 c8cc03b6ddb9b97f80a421ab384a2954
SHA1 ec6f3549375f03a5bbe0d59e7321f5f1de6f7d82
SHA256 6c5d573eb076bbe3fa2d44d13e86a9436c36518f55c583bc19f126c5a8c3272d
SHA512 828dbc7f9ed2650b4501e1446a50aca822092ad02e3b812ef36878ec277dcfd4f8ffbb550bb815bfa603e9eba93c0b3a4202285093414d32a09ad353871cbad6

memory/3028-128-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xosccEgo.bat

MD5 cbffcde9c7e8894a2e3fd9184a9c7112
SHA1 84b365736bc5920cd2b5d66b525fd5520a387d2d
SHA256 7a91383cfd6375b570df0b442310f5249c40c225184ea1a72d0e2bcf37a45d40
SHA512 8dac1304f8043fd1e7e3ec6061767d324b34adedd61c54ced8bcb4710d7ab5632cf477d4f4fc17f98d906cd518b57fc2b4e90d14f1ac511dcf92b3d717c39fb4

memory/3028-149-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NmMEcEko.bat

MD5 407369666c92d59cae3ea95756de8bd1
SHA1 fae8f276a337ea62bfe98fd168c199628f185396
SHA256 b543d2227e02374c9f88004874d7cabaa6a6427d0093bbb03655dec2b6f9902d
SHA512 4a7072ff07f785b615e72af3056c0a84130d3a99bbc895451a0f0f2c56a1cb796fe8e6cf12085453574e899ed440170653e98fb9df9c593deee8b9b37483be1b

memory/2012-171-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JAQUAgUM.bat

MD5 e41b98f2937c837e981b142721daf0ba
SHA1 ec4330ab55c0abf47ddbc0474f4120a92f624833
SHA256 30d2414fe33bf73440bab26b93f103a9a7470d3b6e0a301323ecffe4c5d86d67
SHA512 75c0941ce86004cdbb7446e1b962040cf68472599d76f23b3048a532a7a79b994719b7c8565bf642b6986046be6837d8eec37dbabeadc668e83cd2f26716cfbc

memory/2600-194-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DwwIgMEE.bat

MD5 9a1cfae16800e1022b44d9d4ecf9d2be
SHA1 6097acce462559322cfc1ce2a6ebf207a45ddb15
SHA256 f2297c7a21a095d9dc617ee4dc5bb9412800033198fa0e0cd3cae499db966235
SHA512 bd69e7ab4520dbcd55c569696e7116922d2ca34bb66bd38e54b4ba0a02a892373d608bc6e858c1db64b9a80a1db2f05763287b35d16de3cd759e93c4c8d21130

memory/588-217-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2948-216-0x00000000004B0000-0x000000000056F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CygAIwQE.bat

MD5 1d80989b89c35f7b41bffdcf7679bc1d
SHA1 127f70d3278c5810e6430b21e9b463b2663da3f7
SHA256 1c150778239462c5076e354d5688c36b66df4604e8ef90dd6159116962c964ec
SHA512 47d2104eae4fc0765f13b644525ddcfdda9168b0b6abc91b690d89d3b32acb5835f143f365262f8d3d34c1f0e0edb6810ced9d06898420717b8b0bf53a81bb5f

memory/904-232-0x00000000020C0000-0x000000000217F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WOoMQEgE.bat

MD5 e90a4d1694ca69645e6dd0ee662f6c13
SHA1 fe9a255282c756f2cf7705d438cc9a155544ebb7
SHA256 6e90c51bdb9649afa0f7c1003214e66a3f9e3fc4a1943e75773b03ef2d6c8f2f
SHA512 5fe398a197aa7baa40bcb5c0645203add2532f335cd1d7c75ad2d6061f11f12d0af05a91d8bab7145a6701998cc10c4d9e7acfce8c0e405ae528fc5905389f5f

C:\Users\Admin\AppData\Local\Temp\AIQIUAwI.bat

MD5 234be9bc36b0e45387bcad4d139c76ca
SHA1 58f84978a17be6f8f651d622ec8a77fabf6307ab
SHA256 b481d02704522d75a47fbc47c6388dcc1c252921ab7995948531ee520465526e
SHA512 a436f7a06dc73066ec59228bc98bb7e55ed2b54831a50459566b894d21ce936498d928f291e2e57a9802bb1beb5e785917fbfd1895aabe61df02f1c7704eb95b

memory/2516-277-0x0000000001FE0000-0x000000000209F000-memory.dmp

memory/2324-286-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2324-311-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QOUsEYIc.bat

MD5 39d01243e9a5f0b2fa3252b7ebb20a87
SHA1 704c54bca5210689ee247a86aad319c367a6fea1
SHA256 fcc64625cedbec9f1e47731d780a6c5fc398c993fa49e75a70b3a4ce4c2f3bd8
SHA512 7536f9fe23ab587cd0970518d64ef45b123bb7a2469dd206cb657c93391bbc71ce2bed7667e803ebc799e1ee3b8b25b1010bca67dc5380c1b84ee5cf35b17e76

memory/2988-326-0x0000000000350000-0x000000000040F000-memory.dmp

memory/2988-325-0x0000000000350000-0x000000000040F000-memory.dmp

memory/2684-335-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2628-327-0x0000000000400000-0x00000000004BF000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

C:\Users\Admin\AppData\Local\Temp\QgIQ.exe

MD5 02963bb6f2570524399f29ba2b4fdf5a
SHA1 def95867445e20265410096b438ddc71b9af4c37
SHA256 40020f18ca614db1985018ada58457cfb2aeb2871b6998d5ea2f1eb4a1e8e79f
SHA512 0358d0f5cde2f6d77bb0f61531a7fb041d36eee09cc6b94d354e2a0a8cf3773102ed469f9b9c39ed452588fecbb91c895d617fef20fea249fb614edfe24b571c

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

memory/2628-371-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/1712-377-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FkkoQMkc.bat

MD5 e90914856ba97ef4a4f92a0c57777b90
SHA1 63ab6ffb7364a13381fbc26cbb817084838003fe
SHA256 ae10eb3e09bb4addacc22260e7fb1ca96e33ec443de018f8cdf057940062664f
SHA512 4049112cf5a5fac84c0d5eed0bcf5d71eeec48bc1c267baea96fa75fc188da56da85bb52f053e46c496e634efc16611b1402db45f2f7876dfd4a6585239bdaac

memory/3036-374-0x0000000001F80000-0x000000000203F000-memory.dmp

memory/2136-426-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iosK.exe

MD5 53ae6cf5fe84b3d791295f93f24ca421
SHA1 fed64c01a4960cbf31795b199ece5909da96e96a
SHA256 6cf7ac5370951d6f6a7c66787043980e65099632246d05e9f31038a7ad0e5e2a
SHA512 8f572c1d321e128cd53fcf7b586bd2a29ba68fb33f7a6c8ca2527b6147f698f1d41b98afdbaabd6779a4a1c56540867c841a71a96d5e20092e01301968c04f67

C:\Users\Admin\AppData\Local\Temp\EIUQ.exe

MD5 cbdff9d0b927a7249e38a8458e54c204
SHA1 73c37569282d5a737e2c31f291e6deeab89ffafb
SHA256 3fc474ed9543a84f1d08504b49a7297ef9820b4f52ff8856d3e2c1b58d25f7c9
SHA512 dde483c79d0e7b95f108ecd12888dd801bf27903ec8d1271863d5ec0c608aa112079ee33682050bb214486498bf2988afc727c16d69d4ebbd43627bb2e462ff4

C:\Users\Admin\AppData\Local\Temp\SgQW.exe

MD5 d54063b4318d4ff6a73093314fd35519
SHA1 979c03fe03448d54a1e9a2db5d64395a7920f029
SHA256 1d49eff2e271bc754ff96290fb06edab5ac63712d05df9190ab024a1cfca828b
SHA512 bb0dae62c7f6810422be9b83837e740ce85ab744bbad426fbc22f771de4455313e934a1704e67b70c67bc920b665b6968c7bf31358e5865c9933a66a884e4029

C:\Users\Admin\AppData\Local\Temp\PuUMMUgs.bat

MD5 cbc5ab48fbf0f5753b3d625e77ca3756
SHA1 0f5a120f420cff6a8895904266e639ef3bb9957f
SHA256 573930cee8f690202b23ab42cb3ad9a2b868ae88a1b75f80fdefa3e3be205500
SHA512 d9f9e778f66e672eec89d3144442bf74e332d39f1bf592e2618d008a8d7a74fd06cfcce0fa1bd82915114a0827bd5ef1adf78210a0242e3c27348a7cfc7a254c

memory/2596-492-0x0000000002070000-0x000000000212F000-memory.dmp

memory/2560-500-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2136-501-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XSMUooMk.bat

MD5 d4e152e40edfdf4fb4365d2f4d516d17
SHA1 e7fcd1ad3459960b739102c59d93cfab0ac299be
SHA256 59833446305cc6145d42ad3d4fb2e3f9a70c2fc6f33406e71cc994042e2dd5f4
SHA512 81ae1a730c56a2a0a754c8916c627b3cfeaba7c971e4cb39907c14893c0d4f52eb5ccf68f810f04228d7edd861eb83d3e0118d68a2102f002cce55015cadfe2b

C:\Users\Admin\AppData\Local\Temp\QcsI.exe

MD5 9fbc9dc0b72ea2a0f16fcd23adf2a84a
SHA1 2b6fc2ffc1bde00bf352a39b315716533b52453e
SHA256 e7adafffeef090b4eb65761db6ee7ecb3de8cb132d8b0d2d1634e77b8c6e4e53
SHA512 885829194c974f74bb6c23e62502304ca876397d35af8c71aff7c10f867cc10332638f19eab782fbba1a6f8ca1450077f5a08aa6dd7f58b5cf079d44a5b17d04

memory/2560-532-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QEYo.exe

MD5 c1d6a1e34ec000281c4c76e221efec2b
SHA1 f4d0f3dbb4ffe17ed05cad3e80970c41b0a238c5
SHA256 04533d3d11d74f1cc2fc6b43c914a11ab89edbbf1b6bca114daee41b0aadef4b
SHA512 beb118eeb6d958572b76f533eab3742e3e500c02aca52dc81f23ef4205750d05c19f23700fb68b36c8e4e4ae147e4624c86b4c720bd89c7b8efb07e7629c431b

C:\Users\Admin\AppData\Local\Temp\oGQgUQws.bat

MD5 988de9fb90acf73d1f03c628b7908260
SHA1 3521009f70f5dabc1e7891664b394754e7668cca
SHA256 b7a986df98bbb07711614341be22304d21871692f78b31ea450a9b702f98771f
SHA512 897a8d5f633c1664924fbb870de84f8088f7a46530f7cf95799963baf78df645e5e69a46587ebf2eba5f78381ef672315b85fa5612ae765037390a66a933dd8c

memory/236-601-0x0000000000510000-0x00000000005CF000-memory.dmp

memory/2064-621-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mcAw.exe

MD5 390ecf2f1adde62e1bd87119ce1c9136
SHA1 2b0c6026ac96c5e5205b133f5ee7027f0433fd14
SHA256 d440709570479fce9801cd6b15b710a3f9183763169f38155e00b776b2b7978d
SHA512 a951fd1d24efe9ce0d627028996bb0c21de1481c17f950d0767a94451c5a30e113e9b37601b5a47ed386878a89a6bc04eb782054a3771c3821bcabded4e714be

C:\Users\Admin\AppData\Local\Temp\aAgY.exe

MD5 ec38ed3d6e04b26f57f7c60d2307ccff
SHA1 f40fa51907715731fb33b25091ad8347aff44b5c
SHA256 7b8d4d05f6ed7c6f710e567da518a6cd7966eb3a42dc1f0087bed343cb876640
SHA512 a97517f440aeae0e5fc9e3d736e7efa1b5a8a30cbbb107c207f3f97392aec361d30efac4fbbac10f8f4cd68ce434f0bf34162c906612fdc7ac0add472c327f20

C:\Users\Admin\AppData\Local\Temp\IOAMIwwg.bat

MD5 f7cd3ca3f72d4dd8457bc97061640a3d
SHA1 5111852baf6a34cca655c065ca81248cf636f466
SHA256 5085f7cde68be73f7340e4623cafe707c3d02e10467102dba35da6491cbc8121
SHA512 51db719378602f355442081c7fd95980f0435647210865659b93fe0f64b6b94b1e8936d2f958b96a041f7614c2718a201ca3184ead28e0490efc7d4b3acca86c

C:\Users\Admin\AppData\Local\Temp\eUoC.exe

MD5 e0e51e413538a6e2dcc388fb9e496c85
SHA1 26b588120e1e02bdbb66912caf332deca9caf321
SHA256 d129d870aa577e314014666ac841b84cad2cdc0654816315d543265e709e16f5
SHA512 e872f8015af852cc04031abcfb8242f069aaab8db304204268e629792e46f769833551ec1657df738614ebc956270a3dd1553738bc06c8d4aa4dc56a2d6428bc

memory/1512-695-0x0000000000560000-0x000000000061F000-memory.dmp

memory/1512-696-0x0000000000560000-0x000000000061F000-memory.dmp

memory/1796-698-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KQEE.exe

MD5 8d6bb1fe84d39258cfc8c53d2fbe6544
SHA1 79f5598ad2b17c09db343a2270f6fb7f89a049b9
SHA256 3f3f776695eb2d2c062f1d7d89f8ec2e7bd33e676cc34327dbfe58b1354b144f
SHA512 3176549d2b1552647fc017a1a6f632765ea1ae8850ab9924cb9d1a766677eb9c7d2c13377c7f30152e8cf1db0bbedc367dfc81bda8c0fb83a55dc04a96aed8b2

C:\Users\Admin\AppData\Local\Temp\IQkG.exe

MD5 64371e81b1b83b54372f63e46be993c3
SHA1 218b5420cb6d277834b9f26765152662dcf502f3
SHA256 c1fb2df708b343a6bdff80c8362091c71adf52ee6a77af1cde011b1ddc829975
SHA512 63945c7e044b21b5fab7a20e26ccf82cc45ab2ecdb93f941fd9102fd2c9c5cc36725e5915a5e5e044f2b177bea45829f1944495cf5c5922fdf489a5be4e2194c

memory/1572-748-0x0000000000410000-0x00000000004CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MMsg.exe

MD5 7e2a374af7573d9cbd9aadbfcdcc251e
SHA1 7df1be0036b346036b057404176bc0876106c930
SHA256 1ed1886b42218a3eb87cafab20e8cdc33e545b56766ee7ece7cfbad87a86c106
SHA512 e22eea474df57baa8a8bc1c3a3b17e53d46536338baa1aed6091b753a307d886586f831fbe4aedebeb3c0f7966156d4ce9fbf0d6e94b480e1688aa513f43becb

C:\Users\Admin\AppData\Local\Temp\ceQkQIcQ.bat

MD5 2db86e1c46070ca1d1014b718d6fbbf7
SHA1 b34bc522c266295362149c4aa1c53bbca9e167d3
SHA256 335a92ff8034b2e43759de793f58c73bcc2fb7cf7a6f068747525160a483c36e
SHA512 53a0286486a24daccf0bd42fc638488d922c1965adaf9603e15b5fe7cfaa2e737db24cc16448ca9db998123306d5cd866355da07e1646c6ce90ed2b8711d33b1

C:\Users\Admin\AppData\Local\Temp\WUII.exe

MD5 58d36935febf1bcc3df6f1f35393f4fd
SHA1 fdaf5e21eb3df414732f9d9dac96c054514aaec5
SHA256 15406ccebda288e32740dce38603bce028366d78f6d65017bed80ef49b47cc52
SHA512 4ee73a04e2ecce81abd1fb06a66502a213da2d605b663daf65a343f570f26a280a8c04d0adff247475a545be8f51431172b7837f8def62821567724bc99d4112

memory/2936-815-0x0000000002020000-0x00000000020DF000-memory.dmp

memory/2332-814-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Aoci.exe

MD5 8102499110b348ba18a146ac19bb1fab
SHA1 7c9f0b62354a8ff83e82aace1168d093ae3728ed
SHA256 b696835a7c8e0e289d62c7dd62a39af9e09c5c987788594350a7c40699cffd86
SHA512 7d59fd057afad1ea75630c62f2592bd7689281be785e0a249cc93fdd07ebbd289742fad65c8e3e2c965c0f8f0fb10dcdbc3f06d7fe755268e2d71f20ac7ca157

C:\Users\Admin\AppData\Local\Temp\SAsy.exe

MD5 bae93ea37a0dddcba5ee5eebe6d6a399
SHA1 90cae388d898cf3a48b08f31188d4d480963aa8b
SHA256 7472a9d4d5d8415b1b0ebf9aafbe22fe627a99fed3f4e3aaf02ed2bb057fd845
SHA512 0aef6ed9a0ec40c33b70221e2a763b5d4b0cd460b81a3b450ab7f12e2e19c44c0a6eb15bfd6d315c459d8a9655cd0d66816542c7bd25cc8e3c8e130648ecbbb6

C:\Users\Admin\AppData\Local\Temp\YAIMkcoI.bat

MD5 3297aaac74a64909c6f5ada4e6888a93
SHA1 fce36beafa38120efcda2b5aa6d34baad0328ecc
SHA256 5e092fbd125ad7bc83edb82bd634a9dc8df19bc50e69993f0efed56347109b14
SHA512 69f9b861e30fce8baa56cb594fa0fdb5339978fa1af5f736f16914f41ecbe0b47888cb352cc2ce0a02bff0b33dcc20988f0233dee0eea4a72069b508d69304f9

C:\Users\Admin\AppData\Local\Temp\uQQg.exe

MD5 9ce4444a40584cf6dc7209b5ac0ec687
SHA1 3801332a3e21909167267f7af813fe1be203e02f
SHA256 22c8dceaedca3ae85766324fd6d09ef5d673fadc74682124596a19cdd53f6e74
SHA512 ef51c7628b6d8edb6dd9a46555d20d4bfc95646d9b581a052ceaa1b0c367910df697221166e5d72deebbfac296caee1a3c81adb2ff490506baaf523361085de6

memory/1472-887-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ycok.exe

MD5 21df10e4f8412a83c7dfde9fb656ac01
SHA1 facd0dfead0b3134fcd2a7f28932e65adf5908d4
SHA256 df144b6c1d504c20bbb7a3e9fbc869fed61820ae66f269c3bc77d8fcd56a181b
SHA512 436f5f517340b41017a9d91b65cc324b7cfd848d29e0470707ea2ac6cbad73f8558e5050a8b0ae0800e82df2d664a62fa1bd8f8ee53bf9d1913d854a70decb55

C:\Users\Admin\AppData\Local\Temp\KYYs.exe

MD5 4b40a2a366ae87298ce1b8dfe49eac9d
SHA1 1f2730f159ca7bdb9aa8cac1da9ab9f3021ead5d
SHA256 50f8dc01badc04cc29b1762797968a9fcc3275824a3f0d8943ef00a305715377
SHA512 099491834d21664da8590210d65160050e9225ffee891616c33af24d1ea80364da093291954e26776bc51dc9d17419a3b774451c70acb9ac781430ce0973fd33

memory/1252-960-0x00000000020A0000-0x000000000215F000-memory.dmp

memory/1764-974-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WkMW.exe

MD5 0a987cafd8fb53be0d652986fa284201
SHA1 4954ad66130dd49731e1dfb97e0abb682ba9d0df
SHA256 bafebfefb2ba27b9786802fc4a6ea23a982339e5aa7752c44b1b749aa15b5874
SHA512 c5cdb6b2df45cca88d34ec85816c567a42142ce77e575c290506135a145e1d8580f8ddb6ae59e5232062eb434b750e144aebfa66a0a19055db143f3da60723c8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 35c7965050fb511876495fb11d01f217
SHA1 50e0104ab2e2de705c6dd6f1ce92dca908182086
SHA256 8dbc48de5393c3efab914fdc5128360f46f2fbd6d0b954074fb2004bac16a223
SHA512 324255c5057c78c2bf08da1a46ed7ad88486e8f260cad35eb3ba71d66206cdcbae7b3dae12fb10b7fe324692e4b85517c8ee8751f0212e4085b0d418ea3a7230

C:\Users\Admin\AppData\Local\Temp\wsQO.exe

MD5 7d2b525662bd7590fb680a0202d2b725
SHA1 b6c4d96b637d2241052ffea0e493a0698818fb32
SHA256 b2f58f17bfa802d7b6f5a30b381539ca3af6ac33cb4f7a757c1738ec0823d6f2
SHA512 ffcf439d8c9f5bbd9a66c44090efc1a49b1fef3d7dde95ff55ffedc64207a3cda1866d0dd8899c6293ff5dd184d9402dca74442730976dddce739b30cb2d8ea7

C:\Users\Admin\AppData\Local\Temp\OYEI.exe

MD5 29ad08747177e01e2bb83851443b706d
SHA1 491390b2d264c8df56ce2666b41d98784640443e
SHA256 ec122ee054f7edbb4c5e45bfa6a73fa321e1332166e961b0cf274154eae495a6
SHA512 f7d294e7d71d386cb9ec0725ce9268ae54bb3bcaa2e501456216ad1477b56dc7a66bc23ead2b7c5706bee87b8103c07408af38899d1e31e9343522c3f13851fa

C:\Users\Admin\AppData\Local\Temp\EcMi.exe

MD5 384ddef37a9a84a61773afd62afbef39
SHA1 304c4aa61a96593771cc0913de19b9829e9306cd
SHA256 ba91cff781bf0865f492082f8b69068695e337fb3b106c7edaad51eb87a8e957
SHA512 9d9b902cb695915c755a1ab3430351858d5c05f07aa45a872bc9e0fbca9a27e542ffa1128e2d6e62e099f5ebb875a4daf7e274f61a9dec7ea0a01b9b790c8429

C:\Users\Admin\AppData\Local\Temp\EkEY.exe

MD5 8f268d07ca38d5db7e622b3006f9d59b
SHA1 785c11aca8891593fcfd7ac11db8dbf6037a0e28
SHA256 a119b485536d087dff3d2fcf050b389c6ae19dd6b1932be4e36d3231c82c3774
SHA512 128558d1a1b970133a93e892a785f25e5e707011243d06ee5278c029b8db88b6941109d660d686408a515b710cf649fe04626842c7d9d0953fd28ea7c8febcf8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 fb8afc201adc5175a79b2ab2429a4a5c
SHA1 d4b482644928caab796d5bd99e89feb571fa7466
SHA256 9051d0986e059fc2b4a2a732e17309b303006fb679e68bd3bcbbb6036c296a21
SHA512 ef7ac289bf99c355f51e83afdd43b4b0bbf87995f0702c748ec681fce0bd42e1d91baf719a325f9d67ea603c9a1267225a14e42b7ad0acb0c5ed894f58fccb2e

C:\Users\Admin\AppData\Local\Temp\lkAcQosI.bat

MD5 44c059c7e567e98570d1042c5ecb9f77
SHA1 6cbbff5b07e8e056f201473577a9056a60df0072
SHA256 9df34b319911f458b991155fd579bd6d12d8173a83b6f11ed2a7e344d5c1ec3a
SHA512 c0f078f2aeabbbc6bac14f530aad55ba6b9216658299c3bc1e61fad4e8448ff2d071395e21f86d2b19a43778343c79be232bfbbde4f1e8e2f1ee364aa246507c

C:\Users\Admin\AppData\Local\Temp\eQYe.exe

MD5 771d16969754a51e37b44f0cbccae625
SHA1 ac6c6adc8902c87443532a58ac70f87a11248aea
SHA256 d13b4f852b89bf47f9ef69d0ee16ab6dd6b021e6335d8f95cd4c512d768e2e8a
SHA512 bcd58fbcf1dd568f51755917f624ea3ac0d1130aaa585edbdef6f4b2099cfc1d7bf682f2932b2508ed180896ff99a553bfea172973f721de01ccae86a2f0bc01

C:\Users\Admin\AppData\Local\Temp\UYsw.exe

MD5 14e593e9f5da7d7b25c349053040f158
SHA1 0ee0fd97f7d264bfae1d268d2d1fd96382d3abdc
SHA256 519ce29f5a9dfdd975ba06d90a465acd9c5be0e28870407f10f08d49f16ca5b3
SHA512 2368e0f6543b7728554816bae17723042fab4e73356994072a63fa88136ed96cf03a7fc1566477ef02494cafbe710d684b1b4ecc2c360aaab01d0ea38bbf7993

C:\Users\Admin\AppData\Local\Temp\lOMEgQoI.bat

MD5 4d5024977bb64a9ca4889fd1617f280a
SHA1 077802cd09de19dc55e8f1cac884a1e87e606ffd
SHA256 ab22ac607160bd78674c92664a523263234c693cf4d7e277a8e3a46df0f41238
SHA512 3547ae238daf0fb486b0a76fd3967f40f0e78fe4c507e2556fc4bd6892a889d8ee82925f02ca0fc4ce89d02c046eade4a4662ac082f27d03df45c85474288c1f

C:\Users\Admin\AppData\Local\Temp\ysEo.exe

MD5 a33e6d067dfa59187858db8b69e49fee
SHA1 f2d3422dcd05598c120c951f544ce87260bba835
SHA256 872f2f15b3934285c37af7d210c2fb8d7b58ffba4ebe15fdece17ce22d8b396c
SHA512 56ed5f2e359c29beb668735a93d8fe97d071b80723171d39028dcc96b87f96d397ac7fe0b436cf60c46ff199d1ae951153bd3e548b19cc53861b611054e199bb

memory/1980-1235-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aEou.exe

MD5 d9a40aa35202f0eb733190d78052f385
SHA1 e58b14560996dd449f0484878ff515230f35e5ef
SHA256 1667367ce4cd9d5b7b699884b84c3cb3a7a9f8905da06a723cccf651a18d7da3
SHA512 e5d3b5c0d35d515857c5ae2cb001b15e1af183b3c7422904ca2bd6cbe9106d87527e07b647bbb63159e97d458e565ef290a4bfadfc2b545c0d768f9126815e81

memory/2672-1284-0x0000000001FC0000-0x000000000207F000-memory.dmp

memory/2008-1298-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CQQoIQYQ.bat

MD5 3e7f33e430dabd3e5fd6f273166efc25
SHA1 5fe6fc336813a3d69f2c003c025a75782e50b37b
SHA256 056a2dda010f14b10fe105a0c35c922639b52481cab7f5cccdc67bd78079fe27
SHA512 bd9cc625a4348e92831d09e8cba795bae30a58e7de4f25742cf4b3816ca0aee529917146c8b9afa6ee22e64495df15b3d98c4fe307e9abafbe92829a29dab693

memory/2132-1307-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2008-1328-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qAIwsAkc.bat

MD5 69491eb63f0daa5a09f5b15267de9cde
SHA1 be490ddb18d3c7a1e5ce8e3e4562cc0339f01f6f
SHA256 a3bd8db1f6b4f352e4f36b808b1389f2c518470ff8c3f99102ed3eea69332817
SHA512 c995772bc7608220bce58ef63d654cc7b083380027f5d096cc4ba801a825e7a61d551b0043d827fb1c56f47f7d49dd0cde1b4996dd4c41add046859ca303e800

C:\Users\Admin\AppData\Local\Temp\yAso.exe

MD5 247cac4045119748035b41b5f2dbde83
SHA1 bea73a6a882c907aa74ad13b1a16226c92bace01
SHA256 43a76e6e9c4b5966a6efe54c21cdb28858d6d68f2e8600aea46589137c09214d
SHA512 9099873c56dbd51d3111a9794dc02e0ac06ba931a0cf183ab66118719e38efdd2cd6c3fca0c85e0ed505d5597532077e7952239ae9ba843a13f8c59331ff6a9d

memory/2692-1385-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mAkM.exe

MD5 f40cba207a1a3d420fb73d86876221df
SHA1 b30c8a937dbcd48924b08a7ad4b7b008eedcc9f4
SHA256 e7effba846785e31d119508186a53c63fc3669896915f21993246396a00304d2
SHA512 524e21e26dc6b1c458c30f44c5e34dc1987f1c1aa740bd8ee1dd3d031e9e9c8e06573c95707a7ceae8ebab657246399682895f7a475580934b8f73f0a93f07fc

memory/780-1386-0x00000000004F0000-0x00000000005AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Uswk.exe

MD5 4e955d3abf9cece39d3288b04634c6d5
SHA1 804405167ffd23e59f46cca6d015bd75b55ddafc
SHA256 f61fe0d06f4cc882833b480b9fe2a7d5edca439a05fc3fe1c2aa67923c7cd6bf
SHA512 3c7dce99486ee05f977ea89cdb47909e6eaba2887985eb6b08b93ac691e00a4bc5e977d68cbc15dab241988667b9f33fb00ee005fc85bee0b00c1ab2777619c9

C:\Users\Admin\AppData\Local\Temp\mEQG.exe

MD5 1751f28d2f0c621ddd953a0fef5b7750
SHA1 091a7eefeb01b75dd7d8852577dca8bd3be35b21
SHA256 dc8528fc6f6a7aa8727c27d6d5d01eceaa3c2acc2175c22804ae0e0f61410eca
SHA512 8c12e82f24a6e9cc4cd704fe7e08e9e8b04131eade8ea36385f32d07d38a25b957b200947f01d90d02b5de6030bcb90c4ece229f9cfc1c141ab7dfa7dd1df050

C:\Users\Admin\AppData\Local\Temp\oskMswgU.bat

MD5 6536a70b45816f6c6743329ed6b255f0
SHA1 15f245edbce617420d66286fc17ccdd032d69d53
SHA256 ab2501c3087b7a2fca71f643236150f05092abe206c19cd403b39d778bbb9aec
SHA512 3ab27186fc4b4c4e7d372768443eed0b9a942611ebbfbb714ff46d9da41263972b92903ff6408db14dc58516d93118d661dd3ff9fbb28a091cbc654a0b8769f2

C:\Users\Admin\AppData\Local\Temp\CEsq.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\QgEA.exe

MD5 304ba699818323c4a324713335b1ff25
SHA1 30219efda43d348ebd27b5fe62044ef2e2ccf228
SHA256 bd5fffee9cbaf59b91db2ce7572714f0a57717b5ea7da0046f112738f617589e
SHA512 245a3b5f5b1d5e820b4394c1356eba41f5a2346c9a41cc41a304dc1b3edbefddbefba439a13d4a5750fc902442c1434641508e531f19545ed16f53c3adbcfd77

C:\Users\Admin\AppData\Local\Temp\eEoUIMQI.bat

MD5 e58a877b2ae9e65d90dc558622cb9ca1
SHA1 440efb785526d0dc6dc6ba408d0f86a4541c19b7
SHA256 b07e87bf35d2ca7bbc90aaa48f9766e218a8a4adbf65b7874a3a9d401da02a36
SHA512 1276628a503c52027d7a9545aa3968202b3f11e82e0e7406f8c116f5a6359c104f08f59b4b88ac811fd2dafeea989d1b8533b7b35ecb73884ac221562b9a3370

C:\Users\Admin\AppData\Local\Temp\oskG.exe

MD5 d2d30bd247a603719dcd0f759e3e6fef
SHA1 325da3978ba4b7b061bb0fbd4fdd66162888e8d3
SHA256 00086c49fa4a40fd9ee7253da08cc7c4b0823e610cfc3fab7d9b0dfcec5b946f
SHA512 6893cb9f66fce4a40bd0c5e963409d5ad11de3be61d2d722a37cd56566185ca9bf092bcae27a87e603c24fa66e964213e5408358581c59fe9c199fc2579314c9

C:\Users\Admin\AppData\Local\Temp\EsES.exe

MD5 d23c95e8adda30e62dc87e821aaa026b
SHA1 1db315a300ddfd06a00fcf36e4dfb5dcff28c22b
SHA256 49d006cd1c560374290320fae06dab4826faf7925c39952ab910e03dd449c314
SHA512 bdccf1a97901fb7415a20751209e05592550b8ef816485bad5e9adb8fcf11963bc51421731803ece95c93c25f12a174171f8c47deb4d42297602699b20a31676

C:\Users\Admin\AppData\Local\Temp\wYcC.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\wQoU.exe

MD5 282bf79f2f27ef88972517329e40ea0e
SHA1 9287ab15ab273b8c88b496b9b415f1bf8832781a
SHA256 c931fa3a80b1b1c79678250d8a177d0c3e3513d7c0817ec37ddcb0b7315f42c3
SHA512 654e249ecee27c75550c781b83e7ce3f6e974b864d9a57e74caa4a80e99e1ea1ba4bf0b370ee21105d9633f929367b2d879fa49cbec27ffb1bd8259f430643cd

C:\Users\Admin\AppData\Local\Temp\BeoEsYsI.bat

MD5 022a646517f776667949810f5ad8bcaf
SHA1 e0e20b7b5513bcca053f20727bc7902636a750c3
SHA256 75e0f0fdbb1424cc2d6d289fa76894db306ab1dc41061595fb13e8339fbcad31
SHA512 cc94c29ca0ccd6cb911396c7dddb78e9a2152420e51a279999c2dbed4d733bfcc521c835bd0fc6714797267bd8c9516366f33d975b2c3d375d95afc900c31be8

C:\Users\Admin\Pictures\RemoveRestore.png.exe

MD5 d98f64cc1a7e870d9e7ae47192462199
SHA1 932c7ee1cd4aed6904525f0ca26e875568736b2e
SHA256 a0aac6c61c1502a457e7774f88660f18d6bd275c07b72de4bd92634a1c503c46
SHA512 ad018cc7da1e66b208b319d60b716ed0d2241d316f96f2c3043b3521070aa699d397def343bedca40c1d8285549d73529f03510483cf4b7f9f1872d96fac7b39

C:\Users\Admin\AppData\Local\Temp\GYEW.exe

MD5 762c4d5ed9148fe3e215cfc3783a5b1e
SHA1 33bab554f84aaa73c2c46c3dc3e3b9aec220550b
SHA256 dd84940b8b36310d41af47c8ce32f99dc8f4c68c1ab913f2b1671ded7459dcf0
SHA512 78b228e217a0b7b6a6e36d3df976f153f4e247b8ee8c5772b0dae8fbed23743125900a41ac06a0805fc3794b51822b0176f4ca46326bc9e7bf9f68f737a0e3ce

C:\Users\Admin\AppData\Local\Temp\GEgI.exe

MD5 170cc13a6ba5272a1c09a50370c5b28d
SHA1 7d4123868b9d877151e2c7f95c69dd4438f95271
SHA256 cc8f1a4f75d009ed8ae21bc4d6277118eaa26907b67abadbfd41b7cb0598e613
SHA512 a7d75837df9b96dcc86a85f78fc5b959f78f87d7faa35969340624025da8af89706243467370cb2e34c0e3867eee46589d3f16b5c00d0f20bf9240791787408f

C:\Users\Admin\AppData\Local\Temp\ugYI.exe

MD5 7affab2a230438a7135ee819604ea228
SHA1 74500f21897633e0962b85fb9e8d7663dc05c2c1
SHA256 ed90248807f84656154f1a05a451b43b73b54522156511745dd6c976796d2739
SHA512 649c0d497dc7c1f227bded69d88f5fd06417be57b13a3dbf933f31cc94e1e393f233cf50b2550e708b9bffc165980bbf85f97ab818331398b68edc08e7fe1b8f

C:\Users\Admin\AppData\Local\Temp\gQoS.exe

MD5 6a01595beae6903b9e8397a45606a9db
SHA1 bd5b0ea0c629d06de0a646916d341f0d8b027aa6
SHA256 38269de60123ecec704dc7fb169d4dc0f413106979f6894c23be09e6e634bf83
SHA512 afb7be51612bc73e8f1e363ae050ee4f77a85437e51f6a6f8bc50f95a1e0d2c99cd2686dc1fa7bb3f1c4846da963d404b498306d9bb57ef066e14d46bfb435f0

C:\Users\Admin\AppData\Local\Temp\gQUa.exe

MD5 8babe74df3664eeb58c3cf91304117ea
SHA1 34c94d8b082f8468970de7015883df40ca745957
SHA256 3919fb34b564bf88f83efc4df3edbb4f17e3d643891e704f63ba62c2c88d5864
SHA512 fbc4cf0a9fc0f8c9c01fab2d400588f803330b57db3dfe473dbca676e9dd426c891f6352ff14abf81e78c50cf149272be1982daf697bd4863c2e6fa787eefd0e

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 26b1a2c50ec60021022f854d962e05f7
SHA1 f041fac8535ad44813d1969744411d305e2a165a
SHA256 e754aa5e057a57c6cf510c3f6a04333cb6e5e763c8694ca1008cb414cb7324e2
SHA512 edf94866ed3de311d47d812d0bec43b3087bfa36a49dfbd81830db18a494012cf717d1f817e66dd077be98199cfcbe02bb2f97d9d8a82eadfa6356058ad9d19c

C:\Users\Admin\AppData\Local\Temp\nuUkQgYw.bat

MD5 cd0a623501c4052b82ee978b5224a676
SHA1 050988986a08b4ba28251fe6804153135557b2a9
SHA256 ba8cce1c003867c14052ebb55579c50d0aea49b03ec9425c51c59909e279332c
SHA512 e1aa2b888d3cc7ce664c629e1c6e9be5e6d66d4f9242abf32feadf15b5c267cefd74e83d3512e4c7660fbbd0d28f0385ae36d10bdb76bd257f56e0ac47f9a762

C:\Users\Admin\AppData\Local\Temp\IgYM.exe

MD5 93da75b5b95fad00054dbd59fd6aac80
SHA1 248e451a1ff5ed2f5df087fb727ab345a5a4948f
SHA256 e952cd6bcbe654870a6b4db8d972e1d265a023b50f24ce5b147edc9a3d1f0482
SHA512 5a937fc9f14f49c5351ec709f37238fc1ae1e7f30e9e1c437bcf9eaef176189110f9b5330f9e459a5361919a15b2242023060724b969c2ae79a0e83da2368407

C:\Users\Admin\AppData\Local\Temp\QAUc.exe

MD5 5831cfeb596bfac067493c9edec66579
SHA1 5b9453f322b259654614f00029aa95256d9251ad
SHA256 c95f001088bf04544c66ddace72d018669901675dfc907df5f2276c1cfbbf5e5
SHA512 b856a0c2b07bcff3e671edf15f4fa7f9fb4862c85398ac6224e4be864e8c9310bf82561b8f415e6d117b45e87a8de08e746d8bc4cf504fffd83f299440df24e3

C:\Users\Admin\AppData\Local\Temp\GUIU.exe

MD5 814be91ae7590aaf0e89b97dcf79d0fe
SHA1 d5893cf1582f36be0947f247de5989dff93f56e3
SHA256 f8a21d2a5f9879358824f7cb7efd6c6435846a4a16d9dbcad112af5c965cac63
SHA512 ed57b8f5187daff23588608ffccebc4a06772a8addc6ad38f2912b74309d83c20a828b01ebf95a78ceeb849a5385c44defbb7ddab7ffd35ade51978919c57ab8

C:\Users\Admin\AppData\Local\Temp\OKIIUAIk.bat

MD5 24199532609eae3c45603be720d140a4
SHA1 5bb1aae93bd52b967f18151b7871ad0760698190
SHA256 a44868af91a71d91d781a85148c1734bd0fdb4ba5d98970b8cfee64cc17a667e
SHA512 d1656e3aaaca62ed2f972cbaffa186d636addd462019fed1bbfb85c11ee429f863bd73b2dc870e51de359ea4f379a77d84bad966425dd3f8f66bcd611682738e

C:\Users\Admin\AppData\Local\Temp\QEgQ.exe

MD5 6631a94ce157b3755562e370240f8310
SHA1 c7f2b0f1541facfa74aee6b33acdab1069fb3839
SHA256 e3abbd288a3d2034386454e433c311dd4ea9e6bcaad577559782300deaab6e63
SHA512 7495bcd8da7ec763d060ead452336edf181a365505e4bdb48c38de3bbfcf8a108c16319d6a041d3e15b1819d0cba0690b69c4c3d2ed52f28a6bf0a1e789e5520

C:\Users\Admin\AppData\Local\Temp\UkEk.exe

MD5 8f622d2af7560f91b3f27418b7533c68
SHA1 1875ab5eabceaa62b47a1b96f7e4200ce2c94b73
SHA256 190afd8e4b291322dda364102c5348320212a7ffb007defd5bc2b5e5a556ba16
SHA512 e633eb6f20d0c1c00712f3ec43d5e3d1ffdc5fc3e4ffc4dcb59400f68922fe680a7027fc7bd62cb495ad8567b1771bac8acba4a9d4bcdfd1222841399b74593f

C:\Users\Admin\AppData\Local\Temp\SussAoAM.bat

MD5 b27f40e9e27bec9845be17345ffb05bf
SHA1 240dfa3764d1e009a2d3ef8054347d782cc5166b
SHA256 399943711bc525257d5175a27681a81a49b7c7d0cff2f292b7c747be3fb9d491
SHA512 fe3fa63e69761b4191919fda853b0c17fe57647757189baccfd2977714279728a5bb4f8a44f64c54cbb38e3eebbea37359da863f85c2c8f6b0131c2076af3f11

C:\Users\Admin\AppData\Local\Temp\IsYm.exe

MD5 401e801d1553dfd20e2bbcb48f7d7d43
SHA1 3c4b00a6d6ec3ff02444ef98331fba2834168df3
SHA256 2a6aea1e626f7a3fe1e49b1528bf322d591b14d83f83c2b27779cb5fdd30ed57
SHA512 c1027eba9f1089b4c7e070b874e6bb641bab04da04903f74a2c02b90e1f87a5d4529dac43322189e366b905718809d2cc1e6827dc6b88de890f83bc284c41049

C:\Users\Admin\AppData\Local\Temp\aswU.exe

MD5 2647ebc23b7b0c5067d558b8fb423ac0
SHA1 90371a6537f253db9181218f53d2c2537c4b7350
SHA256 d8255ee3fad6daace03442a250b2832c8a1aaf3bc0f8ccc68f1d560b35bd948b
SHA512 436ae49676c6d2a789d5c8bad4395788f028934f1f6e2ae3e08ef7b5d2fa119f937d314ac968d123ffffbc600d746e86daf7462332de6fbb7c1158f40f1e3b7c

C:\Users\Admin\AppData\Local\Temp\QQkA.exe

MD5 143d364b0bde168c2292dfcbbd7b26f9
SHA1 f036d5f3f355b29759ad860666bba57b4fe8af15
SHA256 842b779bff0bcb2912796f9bed2ff144d56826dcd1534e9470975bd1d6fefaa5
SHA512 30bc0696d70e27c2336d7cb355ea64310a1a451b305e033801d7c00b20a7cd3093e40e0d1b373190f39f106b386cbceac23631ea5ab4cdf4191ed5e483ce8a27

C:\Users\Admin\AppData\Local\Temp\gewUcwIo.bat

MD5 c582e4c18ad4d2a29c26d1cd99331144
SHA1 6583458dabdc94be8148f80d520164f07e99e772
SHA256 9473884972b9a510af97a1a096c7505dd8e7208db7e61189fa7cc1e590818834
SHA512 2d07e190f1282a92c51bf5b67da13f01bf9ac7ccfb6c37b41e81779a870255ba3dbb3bf23ea60632d7de441bc0eabd8138e10954bb3efe390a138df0058031e1

C:\Users\Admin\AppData\Local\Temp\AUAo.exe

MD5 3492f02854403fd776baf7b32aa624e5
SHA1 e17fa59a0e5489730210b544f83456be71481f71
SHA256 071da2846102388c02b27c2a0ada2669f993ba9dc786a793892ecf0ceb5f9658
SHA512 e9ba4f2452c785c226c53cc3c8fb07d158ac6a8c7a6339ff0282ded12acd57257468d2052118e26f10359760a66d509f0b473c6f992a3f9f4092a693e6b631f8

C:\Users\Admin\AppData\Local\Temp\WwIy.exe

MD5 52da6ebcc7b909fdd3a42bf8e1a64a9e
SHA1 61dba66d65cf797b2e87324e6d8dee076322f61a
SHA256 a1d3ace319a952caedac95e6380732fc18aab1d7c9301301b5458bfa1a4640d4
SHA512 848273ed3fb57de7e8806627e0ad864241d1293a7b077578eaa105c8f3f0e6a81589f20bf001fb683366f27404ba4194293ecda13bbc590e0038c808b019b1f9

C:\Users\Admin\AppData\Local\Temp\LcowkQcc.bat

MD5 d63736c598cd7f307a4df56a46fb5297
SHA1 1833f42bfefd5ddccae5409be444923b93fcf5ba
SHA256 788cb780eb34e0882bd04791f3484060620c90e46304d476513abb9b3030e4c3
SHA512 a61673af6ecf628d00b1e1ff01e8372fc05998036c4acf05769f5189b13c1866f814043f30aad006cf918a426f9bb22bbfb408289b90c8abf9668d35d5d0076f

C:\Users\Admin\AppData\Local\Temp\SoUQ.exe

MD5 887aec48172ffe527284078781419ba1
SHA1 3e7aa8d982392f31d2ff989d94273e612c92cabf
SHA256 305388a6603b7cb401b163af6feffce3d9c5c16e406d8840db57715a4d7a58f6
SHA512 ef5c6e27a7b46130cf90a1a7c3612c3e80e9832bc81218aacf3589cb9e2d5640f52aad3ad9098de0ae2365864eed3c9bc9534e1203aa1ea170fc4350dcd89520

C:\Users\Admin\Pictures\RestoreFormat.bmp.exe

MD5 5a211a9593336633d34de1bbce279e0d
SHA1 729fa3d97e55e35de87eb089583781da378ec570
SHA256 b0dd0f30cd003f14bbf359002081d79f939ac4f9a8ccae1a9c5f44c04ffd6918
SHA512 1ff98f7c5ec2de394b5e7b0f5309f4437728238674ab57c8ed1d4a49408412273cff0cf77c0a18dba5ef9cbf18224e974a99407a1ab7b8cc80998f3cd24407cb

C:\Users\Admin\AppData\Local\Temp\lgEUAgcQ.bat

MD5 1ad52f73a436ab46a5b5fa92820c097f
SHA1 b1904181c29a33d6cbd2b006d39beaa182b60ca4
SHA256 6f0b5b6c583767da6ed810ebcda8ff32cb2f67c01c13dbbcfe065f7226f2728b
SHA512 cf7d3ccb6ca302bed16bd44d4e4d2c622aa4ad9b521b60e3ec670f601b29bc89680e71c057c3e16715cb609e6cb6de45f8c994390c49978a8b4e4673e86ee551

C:\Users\Admin\AppData\Local\Temp\MQQw.exe

MD5 a4494d568cc1ced8b9370e533fe7f868
SHA1 1a1a983a2d54ac0176e499cfcac0698c05bdd56d
SHA256 2dedbe46716bf0c4c401b2367fb46da8785f4b26487c6e31e73f0d4d2432d5e7
SHA512 4f11102725f0cfad122a498db848b1c0ae54a1a96a3fefd20e7f7f83fe92d44fd8e2c08287baafdc58e52542c05f0ba1569e3fdfa6b2ae3221a0aff67cc22dfd

C:\Users\Admin\AppData\Local\Temp\FqAMYEMU.bat

MD5 d1f23638695668ebb9d2477fae2113c7
SHA1 4c8731599188d06b248b008e9e5f359063adbc03
SHA256 10cdd5c80c625865d4983917a9166997d8bdc8e6726da7a2e4a6eda844394b5b
SHA512 6091726a50afc4afdcc0975451065aeea1c2878daa2e4478b43a6f842f9e8cf51bbebfa25221138a47bc99440a95d1940d779bb21729b465c978c696702d9423

C:\Users\Admin\AppData\Local\Temp\cAAi.exe

MD5 26fb28d6d13753fd2c4a1235b1785487
SHA1 8053e2328743f4feaf37e651576d87926767e557
SHA256 cfd7ea1046877da03fac1de47746b6a0666c38763b0dad376c085a0a6fb71fc2
SHA512 289eb34fdb7261bb032eaaebdd1802f7dc69b6c28544a4b7e69e5fa0689f47cb837b1661f28e05095051066887d782927a13b63629e64f00d3ca702fdd276ce6

C:\Users\Admin\AppData\Local\Temp\UoAi.exe

MD5 a7b7228767a64670ab8b0c1be1592393
SHA1 9c5b740248916cb793bf65f6f1561a29266e9125
SHA256 c6669830795b709f8324bc3297349238f57f78a40ac315a3804ba19237269bad
SHA512 b0c26e20bd9759702f8c00fb816935b60d30aa81fd7b5b9e684fe7a29bd2c55d2a7fab639729c1e8ef856b534572dfee7633920111628b830860ecabb944e9b0

C:\Users\Admin\AppData\Local\Temp\kUAI.exe

MD5 56375fd667b5bee0136c898857f79212
SHA1 dabf565384e240b9019708e40efd0a7039765061
SHA256 56098e9c58add88dca2d404d114be2cc01da8141d5734ee1fe5ab2cb17bf5abf
SHA512 50dd7484543ac53418ab139d6733424eec74320e99e990f6b87617fedff892a7039250b2e6e2c6832cfe8fe9fbe03c6b5a5d2115ff37f2d9df92626d5aedf231

C:\Users\Admin\AppData\Local\Temp\sAkM.exe

MD5 44437e0c354a970980c41de582c8cda3
SHA1 a335dafbcfcd260d98facaabac0160fabc3d59de
SHA256 7132519d041c38fffdb0776dd2c0ac36c6e4624dce005016fe7e09d8ca5ce39f
SHA512 79363531ab79f9abf461a7ca7631acfb77b476896c596f6d460e37ceece0ca344d79da578333d1d84f203e7866fc641665cf37ab5687efa0d24ff20fbedc090f

C:\Users\Admin\AppData\Local\Temp\AsYo.exe

MD5 197af17750166a55b7a8b072d4ada957
SHA1 4ce15df462745f99dcee0930e00261ce416a9363
SHA256 bb44998d753fda0cfe6762cde0e812dccb7e9fa3ef65e9483eeeaed4fcf9a8e9
SHA512 78613b25dc4301d10137b9ca8e35cf4928ee2e118842030395fcb6fe781fb21dd03e4674e37180a850a6fdd1499cf4dd31696e7e28ebbb72376de19943229fe7

C:\Users\Admin\AppData\Local\Temp\YEYG.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\SQwy.exe

MD5 e339b6265d6611711aa2f313f7ec998e
SHA1 0a356dcfbaaed40887d62e6ae1b33a523ab46537
SHA256 502d4470962386405823ed59182afde04a568fb7644fb3b6e5de4b63077c7f88
SHA512 98b63b5bd56dab4d00b74da1b6a9d948e4806d53b9851b52a8408eaa672b39d60789f11192be17d32ea8250706b9bbbfefb7a4069c9cf712a2ad58a0879170bc

C:\Users\Admin\AppData\Local\Temp\qMgG.exe

MD5 809e9e72fd81180a9d4b7774f9a817b1
SHA1 0edc84e9a496d6d0ebb05c3bfc4c21bd3303b800
SHA256 6b14f51b623535edbf5286cbbab83bc3334bf513b0b5afc0b08b0265b6b421bf
SHA512 c688bf394057c8040d3a6f21f21b029fe47021103b9e9ff87c7373f8cd1678f95561f022c1cac5440d829e2dc3028cbe79e51453279a756b8643ccf6c2c42a6a

memory/2472-1318-0x0000000000420000-0x00000000004DF000-memory.dmp

memory/2472-1317-0x0000000000420000-0x00000000004DF000-memory.dmp

memory/2692-1320-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EoMq.exe

MD5 169c649785628fb1fe3d8ff0ecacad04
SHA1 aeca3a5f493bcbd1a97bf42a4b6b0155b80a2833
SHA256 38a3a8fa08ed0291131113752bdaeb20e50bd9e9556dd25bcd225d53ce2e2a3e
SHA512 f5a9e639b72ad3023793b32f0932d1ae80b8e40d305332ea71f3c17164b1a90b7386504b1ad48cde4c49ea251bcd02d7cf80e07c131083490667800f553d803d

memory/2672-1289-0x0000000001FC0000-0x000000000207F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mwkO.exe

MD5 7e7ead55f71ce2f846101119984c8d9b
SHA1 bb73db93dd7cb94ec69cb085e14cd263275d172e
SHA256 263efb1a495face0d0f192a7967ee36e042d3b4598f0ef8edc94dc27d20241c0
SHA512 64718e8f527f205438e6158b8d1a1eb00b0309a2391b55558b5d59277768e874cf177ea99b572a3c1e14255dae11a1bef84c40228946a04350d02f3b16094a70

C:\Users\Admin\AppData\Local\Temp\VGQUoMos.bat

MD5 9246a04acf0fa3c62348213487c598b3
SHA1 a1abdddcb72a6a6d40608d0ccbe76eb0de138f00
SHA256 2cfe615d7092084898fc7572b2285ef34b673e8e21702ff99d9d5704bfdb01c2
SHA512 a8c8c5119b316b8f61fb6015733dabc9f02ae7050fe3d82af1297f1c9e204efd3b0483d5ac450b6da0472442bc0a977a46338582c53be25b8cf382054cfd5022

C:\Users\Admin\AppData\Local\Temp\IsYW.exe

MD5 21f0adddeafdf0c41e6833b1c0395162
SHA1 e5b08e612698b0d5de82062a3ee6fcd8585e5e0a
SHA256 0a83056a8542820258a20c4825f4a09658e8930d74809a530cf11ee8c00cd27f
SHA512 c00cba390438994944b4f75d581ea5d61af7d24cfcbd9ccd0e961a9002019d57a5e98474c86a895a4dd4a4bde19fa6c540de2b4f90fe351e99c510469bd22616

C:\Users\Admin\AppData\Local\Temp\uEoi.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\MIEA.exe

MD5 b5ddc3cfb8aa9ae5e19664fe09468975
SHA1 ed241efae83ce6271301980d9eac3f5b5358558f
SHA256 695c3ff47fa6128892279c4d4becc5eecb3009a98c47d3c280bb1bcfd6df258d
SHA512 838c11c2c1cf97e19dc0d9b8a675680e8b8a3360f152c491252ea7bd27c9ff1609120bbd4ba7b437368c260be987f89c70b3ccc360230eff7491b867f2dd465f

memory/1980-1164-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2164-1163-0x0000000000120000-0x00000000001DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sgMs.exe

MD5 05803054c9a22931855480f53ea8f9fa
SHA1 07dc71e13040b6611cd5ca857f5a582536223699
SHA256 6e286274775c9a7b3f165288935b7ce5b7945e1a68b9338c5fbbd2dc8e07632f
SHA512 b2214e565eb0e9a6adff89da6525a0f096c3f0aedefe04a20cccd94650d084b541a6f407eba8e2d4055ecba1fbaf95a87130c5dfffc9135737abe236ba6a113b

memory/2816-1149-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ikog.exe

MD5 1b1c3dcb444270765f213a1722a43d33
SHA1 e953dfe2b1d3c4d4c2df782109ad0a82b555e39e
SHA256 62159b23efa227fa023add5b0d766b8d5605485dc902b2a6d1e87dbe7b84f461
SHA512 0a38a35b7cc39ac55fccab4637ee11c31732428c96c96345469e60f0206cfea2a3473096ec6786f5e196e1dc54661a40764440d66005354b6107d65d6f042e91

memory/2044-1106-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cEAO.exe

MD5 12cb9e1f1c4651c75eb807d1571a830c
SHA1 de7c67846e67074c0deb4ddb87ab8e7209e452f3
SHA256 cad9a180afe8bd1edf3b42dbdd3a64cace508e8c98265218bb1a5470b86a75dd
SHA512 3e849fa850e522daf897a5520f4f52dc6e6950066736d58a3138a3582abf0b999c66f7ec4f2eb1f88097a33bce3d643217b925ab49c99644172b2d700a38ea6a

C:\Users\Admin\AppData\Local\Temp\YKQsAIUs.bat

MD5 746625c66cfd170674b96c51e196f66b
SHA1 b8fed6dc47bc2494d204cf121f98cbee945a4eb7
SHA256 000e796ab6c3d862d9bbc93e7c0cc583caa7f9989a37d0df4b595ff40b20feda
SHA512 c60c1b4fa5af36f3ff5035fc0cce456c3081814fc2d6802255d303fef936dd0740a57ee33dab1407c27fa0cc3efe8456443efeaabe34531d198897519b98d0af

memory/2816-1097-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/1604-1096-0x0000000001FD0000-0x000000000208F000-memory.dmp

memory/1604-1095-0x0000000001FD0000-0x000000000208F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CIsO.exe

MD5 ee66c982add1b971328d7c37251d86a3
SHA1 c9872e876cdcbb9bc3c5013b7b5236b1ecc65269
SHA256 b6949daad4fd78a1569cae344e88ce925001db8f4d8d5c3713be6e9fb2cc146d
SHA512 e3d01c2c644c997603929c55edb2fc87014958f5833d2017555ef40a91ae70e1a12f7c5525c547083b3305201f382019605dcc18a77d71597a240d78db5e8c4b

C:\Users\Admin\AppData\Local\Temp\dUQowUws.bat

MD5 286813bcd001d71629220d87c103bf8c
SHA1 ea211c70c52dfd4add03185a265e0945707067fc
SHA256 0da6ce26ed1bfcfd9be0bdd9c815a898b685dce33be53f5069cff55885cd6b9c
SHA512 6185a9f27f8ddc057d6d200a7e87eac037884b6ef36c4026edd8df698bb1d523e8e23fbef4f5a63b62efb3e6b443f547d07a42dffedef495dd0b15c8bdd305cf

memory/1764-1058-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/1572-1050-0x0000000001FC0000-0x000000000207F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mUMa.exe

MD5 f3a59d61fe018ee9a46dda066021832a
SHA1 dd7e2e8246754844ab162c754210e9bd55328910
SHA256 eb3dfd061989c6d32d09a2a658619bfb9d62426c5dd6411ea5ac184cf5bf7f35
SHA512 6ea22000c2f1ef9c15ea288549c72bff9ebf000ba1987e1bc702cec7d84b365f9ffc7416a24a7ed437dc9dcf090ed0cf68bef79ac79084c63ccfd0bcc19f4270

C:\Users\Admin\AppData\Local\Temp\JUswYIsw.bat

MD5 3f4cda226c7ae7470fb137b58afe8c26
SHA1 9a95bd92417705da78a422a7112603ef9819a8c2
SHA256 1cd0448e84812e012407829317134afc0a321f6fe3b10a775ff27806e99112f0
SHA512 81f0d9fffc1e6a891f52c05e3e3dbe458de9ca405cb740bccebf53308989bbea691c12afa55a04d58460ae2c8a0c292d2c585bc4d5f6bcb705d0a78ca1be6332

memory/1472-959-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uogi.exe

MD5 0f6b65746a08b05a5f75fd3e7cb8debd
SHA1 5b469df88ffdd3e369581bc8ddc772e57eb72728
SHA256 2717db09fe4d0889a2cf060f7f2e2693f1a895d077ddb2efedd24c6aa953f022
SHA512 bfb9e5110f8307db9e6c3a42b49b3e0f955eae44f1c9831c189d2649385df17946e7485229ea42293b06ab03f72687ea68268792cddadb816703859bada876c9

C:\Users\Admin\AppData\Local\Temp\GooEYgMM.bat

MD5 a343ad5902303a96ce9bc305c8f98212
SHA1 12f9c7952def1edeb45561a7d32fa947c6e37f5a
SHA256 1f272ce9f451c5976ccb01f2f3551dc6d4b195a1a80122946d67186d371f9027
SHA512 f95eba81a0812088e95afdc1e5644aecf23c9fd657fd2c295b7f4a9371d5c560ad7d9a51dd507b215d6e5fb2bed6b1bd21a084f17e3c50d302309864df181d89

C:\Users\Admin\AppData\Local\Temp\mUws.exe

MD5 efbcf1b7b19e98dfbf234ed1965ea23e
SHA1 b070a59d76b3df107a3c9a0b94a219adf358bf61
SHA256 bb14cb904c68e3c0e952da0713b3f0340ddf55d50bc2daab5674478d018827e7
SHA512 fe4bc5349e56f4111c2313813e86850275fa4a3b7dd4d765a144b9bf464f91c12e666e2d4c4b77329b5bf3347599b6526a4084ad52b49b1c8ff1681aae43f27f

memory/2840-886-0x0000000002010000-0x00000000020CF000-memory.dmp

memory/3020-885-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WAAQ.exe

MD5 d3304e14268101bd5654f293a22ce4f6
SHA1 649acb108e1c3c6fc3de96ff4fd869d70600ba90
SHA256 37b60ec98dd7556fa301440ee984c0812d4b962a590e4c2b56df46b3cbf1546b
SHA512 da94b31beea24bf01bd5aba09b38e3e605c2238fbacf49beaa30e20f50e906561e62741d03262f3347e6803c473b8d69a2e9d3fc8d95d3ba6a9aa612e703e4ae

C:\Users\Admin\AppData\Local\Temp\iYkk.exe

MD5 099844682cd6bbe9ee874bbf4667f0fa
SHA1 3e238d8039986783b9378bcdc4bdb4dbd3933089
SHA256 4a14e4e8237915dcc85ae5017ebffcff35cce477089c2a8d74f2dcd1575a7af4
SHA512 605aace76c4cc3b1a0f14d07cf63274bc4a82b61a46fd2111a5540650ab5cd6a31298e2c0d80d2f2bf019f607873d4261f2d50b342d54d47e5b2e31a980195d4

memory/1796-770-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sowe.exe

MD5 5d0bcea31bf9a3d026fc826c4bc4c112
SHA1 5cfa474829c2d4f67c865ba8d1cff8d23e6d4d7a
SHA256 da40fe07034afd99fcc68d317a868a74035ca8d2755956c2a9187f65ba44c247
SHA512 91c5f96b5276a9046637f7070115da673dfa2200209089dc8ca980560b5da84c205d6afcd68dbd0f4260976449195c2eeaecefc4b0a037347f342b73143fcd24

memory/2332-749-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/1572-746-0x0000000000410000-0x00000000004CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OYMwkAkk.bat

MD5 bab2017b1d26c7466fcf1e35e250c099
SHA1 d5f57ac6d54f7daa536138e4298478ea9e6aaed1
SHA256 1f231015a01c1839bda321bf4abb6873c254b9dff4ce10b1742323bbb0d2b92c
SHA512 60830633742548bde33e467a2ac60a87eae06e9e2b6b1749903af523c6dd9c27bc2eae894f045d9c611db8c75b7a88d6fd37dbf590cd521a1b648609d13f28a8

C:\Users\Admin\AppData\Local\Temp\okAm.exe

MD5 a8613dda6b77fa30183a2800a8b2f8b7
SHA1 62c4749260dd026b046b768cd788a4abf9845f03
SHA256 f8e74615928e02dd32a1ab428e4e4192c139542775f5ecd082c4e4adc82e3dfe
SHA512 36630fef699321784ff839c5d8ad2cc6b90a3e562ad6c1e03c88530b4f207dac50d0cbb90cd878b54e63ceb6bd708c7a51d724498813ecafd285e2aac8dd9c50

memory/2064-694-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YoQa.exe

MD5 ae9d6fcf77c4a8c2e76f00c3ce74c565
SHA1 01da840be7242bb6f285fcfb6129c55f65878a68
SHA256 a78a11ea76731421bf185c05f2f23da8c23c32d920ffe277fa9c9e268482aa9b
SHA512 fa9362dd36771eed5d9da58f1663650c33ce8191d92889ab6af5ed8e59373ae0e28bc5d95708c789154643c1e11cf73e2aac174b23e42390fa62726331c0472e

C:\Users\Admin\AppData\Local\Temp\EMQm.exe

MD5 b0ab8eb6fc7c866b2d881ff922d81a58
SHA1 c9ddc555ec256062a8aaa3dc95644be13cc729d4
SHA256 318368dd6b3a26a5ade6e13ab3fae00e97608ccec0124d09a2061ea015ebb74e
SHA512 5492eaef4454e418de94e161822079de6c98f3af4cf1c4d4b8e455e93053b64fc9450123148e5a0d0851f6ecd167eee239664e80fd916750c14ad7cf289a89d0

memory/1276-624-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mkMy.exe

MD5 406704d81e69027d4c9de2ebeddf4f8c
SHA1 8d2ef79169ffb51be4d77d5f7fbd3135bbced6a0
SHA256 285d1438e34612361e962de2642f31e68b7a22b24874e174f3650763dfb46027
SHA512 ff66a3396a31a14426fe0dc90db7377e4b022c8cfa7ff53b0c869397551c31bc85ccf29e5a8d986f9f5e57c94a9a769cbca19c7ad971f9497ddc42856de10615

C:\Users\Admin\AppData\Local\Temp\IIoA.exe

MD5 6f399f60154743b60fc132522dadfc29
SHA1 46df8029b2a66a615dfa44e5d3f9eaa4f48aad48
SHA256 7afdbd504280c7a7c77e357f52bd3ffdaceff281376ca8457f1398c264fb47d6
SHA512 b31a2099d27e1d102a35a9e79261ce5c840619ea6293531926654c1cba8c98c7dd3caa4d1f42bf2cef462c04c0cb92f231d2c561f19a54099964ece0a170d6ac

C:\Users\Admin\AppData\Local\Temp\aEgI.exe

MD5 142b5c95f6a2a0156e4548326e794093
SHA1 b0d5b0978e558cb58c14046ebaefd7494101aafe
SHA256 22c5b851a777759096de1a57e7292d7ba2023689805114bf08c432f47648344f
SHA512 64c93fb6256a5373e4b6b1054e0b9c22220b105fa5e907b8b9db8588302b236d53a976e8567dc89ba6dc685174c1ded26d3a9a86a047257eeb8a595af2e78edb

C:\Users\Admin\AppData\Local\Temp\uYYc.exe

MD5 7def6c4ad65cc3db7939e937ea621b58
SHA1 5ca4a777201c5d71942d6113dea3446cf98f3ffb
SHA256 b96c6821a7d950cd04c39965498aa74dcafb1d3fa311e9e2fbea7e5e67c0fac2
SHA512 c67f71bec9b0025898096729d9735fe7a5dba4d04202cf00a9a8d5a5be91276f76139cbedd0efdd186158443aba5fea4c2162d1a465dc7f6546f4fdbb02a46bc

C:\Users\Admin\AppData\Local\Temp\QUgi.exe

MD5 ea5f41defa2636e12a7e139773ba8d9c
SHA1 79efdb9ff4b7b84615691fe46c2abe517a6512ac
SHA256 d4c6d7be8efc854f6d297d7e0eb362a15b726a93383d6893d62c56557e10f4aa
SHA512 dd5ec85039508ab0e50b1e0f0272dfde436e25766dc5234726f4fd414d58b25ba8ab7e744c79b9c75a2b9367b0bdbd56d8be0812d82a134ba4f9ded0124550c9

C:\Users\Admin\AppData\Local\Temp\aQUE.exe

MD5 6f4787a6f387e909059e1de1ac88105f
SHA1 20db53e1d42ac429b33ba75e5c9a6ac83f00167b
SHA256 3ea9eb5a7fa38fa35b45fab4418433a7d64523be4db71d7227d6093ed6fe6c07
SHA512 0abd91af5e00d96361c7d7d85298d1eb659f47af26ec1de11dadadda7c44d4194926682e5ec5405b1aa15d00d95232236a4505a6801066067a35557a4099dec5

memory/2472-421-0x0000000002040000-0x00000000020FF000-memory.dmp

memory/2472-412-0x0000000002040000-0x00000000020FF000-memory.dmp

memory/1712-411-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mMsm.exe

MD5 9844ee9fe272b64768b3ba7fff0bc870
SHA1 76fc3e81c89c37950ae928b6c24dbc7e67f6b2fc
SHA256 be29bce9b6597d0e2911cfa8e579c606c43a511d805cccd7d60d15ff7f74838b
SHA512 12524d8f2ee3e0eae500ac4a1d6132fdc66b6040ad1cbcd5e1170505c15d61763f8e6e9cdccd0754942e90e9684d6a7427a339c934ebb82ae639e1c7695957cb

C:\Users\Admin\AppData\Local\Temp\McsY.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\pwwQcQEw.bat

MD5 13894ed12bb20fed617a78cfedacc584
SHA1 24be6ba6812c4cee262b4f0800e905d8d6f9ecef
SHA256 60b05e9892214dbc787d8e01fe2e662a03e983774fb722c7e88e6f0c95fe44e3
SHA512 70b4e16ed7611b2cb6fed332e9b6af89b705793cc07e074c183269d8a04cc8f969b6cf25b63db9419a35c16c8838417ffa4b2de499735eb85e3aad3c1b525b46

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

memory/2684-310-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2884-309-0x0000000001F70000-0x000000000202F000-memory.dmp

memory/2884-308-0x0000000001F70000-0x000000000202F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wcAU.exe

MD5 056d3ce342072e4ce85811c46390a0ac
SHA1 555bb55edfb3d8e4c9fcb6cf9cf70c0cab37fc19
SHA256 fcc4988d05a1a5b0805dfcd2ddd43b1881e35ec9abe2c6efe7d9418830cf7840
SHA512 012b8988207c88db7b93325c3f2ebebc58c2b7a3938a9297e829f673086010b4d31f621f250013b9dd94345b4ae973a021f2f21989d32abc7f8fa74f2bcf1fb4

C:\Users\Admin\AppData\Local\Temp\wckMQokg.bat

MD5 00d1a443dc4ac3d42f47d4d909de0c4a
SHA1 057cb7d0741ac7ade5d5275b9897f58a4ec01277
SHA256 40dac5a7ef87c6ac11c012e2ae4c1fca293fecb6bf1c5eaab0a45473b980b1f9
SHA512 6111e7fba6e8ac2876a62be5620797527c099e3a5dbfa73a5d803dea26102347e38518e2d4bd3d69270a744bebce693752e959fe610a04f3c7c04f041ae72f55

memory/1504-287-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2516-278-0x0000000001FE0000-0x000000000209F000-memory.dmp

memory/2040-263-0x0000000000210000-0x00000000002CF000-memory.dmp

memory/2040-262-0x0000000000210000-0x00000000002CF000-memory.dmp

memory/2044-261-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/588-240-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/904-231-0x00000000020C0000-0x000000000217F000-memory.dmp

memory/648-215-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KIwQEYwg.bat

MD5 de0ed508b1744d3e7511acfaae5712f2
SHA1 2853d6ce6dec3ad396b23c7820605e6978b8d724
SHA256 03e5aa055604d4e00fa014e867fea5315ebddfd4a45c045ad682db6350135ddb
SHA512 1bde2f2b1a52cd5b4a2e43f30fc51a5401764f03ceb1dd4dd1d21b198146cbe0ebe9e023b946a8d84cdbaee30a09a986ffdb61d6929cd3ffe7215c7bdde6c849

memory/648-186-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/1296-184-0x0000000000260000-0x000000000031F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kAcE.exe

MD5 01f095fa0c92a80760b6be69120cd1d7
SHA1 b1aff18c15a9e4ceb6b9ef42930619cbadb0c82d
SHA256 598eba58ab67ede305b14cb6ef7719d220068627f43f540c0c12cd97557e281f
SHA512 cfc5a27469cfb9858c5e1c01349a94ee831b9a6c88beb233862b2e0b2f0c3d4dc181f937d9d2eaa6c86e8639c98ef812907ae17d84db7f2e8053e4eaf636045d

memory/2600-162-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/1636-129-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/1636-100-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EEQA.exe

MD5 0212a0fe538b8cdfce7b314f496a83bd
SHA1 65920a4b9d98697b77693b98fcc3e63e27607bf8
SHA256 5d057842bb56a5eff4e193997ccfd7bbeb11a9e1b396e9b18a2fa4c176436acd
SHA512 5e09c0e6c0d58e36c3de05945deed6e634f02052e2531eaef813eeb89140e252821b7d02f4ba9954ce636d387a1a0c272d405014f7eaa3243fcddfc2a93c039b

C:\Users\Admin\AppData\Local\Temp\uQIO.exe

MD5 4f477bc1bdb0c462c458ba63bfdb20d2
SHA1 0a395c4f03bed8a0cbd269025aa2f4136f9b45b0
SHA256 5bb552bae81ab3fb3225be442397ad0edcd78cf8c3367172d606d54f9d4c732c
SHA512 fb450ceed04a945e2f744854926161fac64195a4492f532caf6dda6d670102710bfaa2260e47c0f1f9c9486e2bf40ba3a3a4be87b78fca893a7d7a012a4fc996

C:\Users\Admin\AppData\Local\Temp\cWMkIksI.bat

MD5 8a699e9ed8795591e4a686d67d5428d3
SHA1 c4553a2058b91086eee337bf22efed7cc1b17757
SHA256 8657c885accd863513b926a2ffa9bf5361533e887e72f39e4526a37312da24e7
SHA512 5a6921c013a5ade9803104b1ec1491b04549a8d92ee98fbe20ec6b2f9677e2bc68b7a9c473f3933838ad7200348c40f4d2124bc6dc3a2baefc0fdf5af4e9b347

C:\Users\Admin\AppData\Local\Temp\wcoY.exe

MD5 0d0688f9a395a1a3efccc3a2165d77ab
SHA1 f03a8e15f6974f8e3b4b43a9754f4f7d9be59e28
SHA256 dc99ed5f2b5bde87ea30b820c9975f042a7ab1d772d5c03ce493bf94d5854d69
SHA512 f86fea33b3279c72606c9211d73188aab1e5b4e5f9f71a067b11023d91cdb924920663561f01244de16d73868a8902c39491b866edcd3cd99eb504c9a18b08ab

C:\Users\Admin\AppData\Local\Temp\mMgw.exe

MD5 284653c1ee3b1443139757aac532a582
SHA1 328478e8b8a26993df1a6755896777356556f955
SHA256 a7480244d540841c98a48d09daea58fd3ff6edffd59892caf02e489c56a33469
SHA512 988eee104cb17fc41cfeb4caa2960986e76e31cb40972dd44b87a03dd2fbce2f24c5776bbb82dadb34f203e3039a85028ff4d7d9f6d6828712b998be1c7632ed

C:\Users\Admin\AppData\Local\Temp\qyoYsUEc.bat

MD5 748251753194699d1d1991368da0a592
SHA1 57b89faf87767bd0f70c1f69ab7b973393a0a33e
SHA256 44641568e6c984c25e1fc25fbdf9a077f27569713cc2af8ccccb265cbe9befed
SHA512 919e320a409eb84c96bfdced6413af500936dc1543217df7494b49920ec3422c5610c92bcf62ea9da6d38238924f727f9bed748f11673dda2cc48ba6b6d80577

C:\Users\Admin\AppData\Local\Temp\asoo.exe

MD5 0e401242c7b10f799762dac38f4611c6
SHA1 fd2eb671990ef7557d6e19f1482dca683488014d
SHA256 4adbefc495994b66df146fcc0bc12bd5338c06ec32e283ea4b7ec9d29ef44e77
SHA512 16232eb3705a2324aca4e70afce3bcf61f1199f45d346a09c8f8a2c9bd08ceaef7721a8d8fb892c23422c4c2c9c20aa4dbfb77823f0e37a5c8cee9a66bcf49bf

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 6c0e83e5bae56c1215244bd9521a92a9
SHA1 3627493b5ef1aa9a145e63b62e9f0eb6cbccfaab
SHA256 b0e3531e41c2b2dd40fe2a2003712613ec470a2d640d6f1356f4d24f1194cc3d
SHA512 1942184a81c01ce983468d4376767bd98a02ba5692dca92099505b2cdada3215ba32f0f7f2c7c90a5cbd8614671e8cf4de0f93b627ddf46fc71aeb0173bdfaed

C:\Users\Admin\AppData\Local\Temp\QUoa.exe

MD5 90c3e0685e6a78968424e90475f589e8
SHA1 a0372bab3a5827ef5b4a295132b2a05f1ff26d29
SHA256 846fe7fe4cc822efa329b50d6d8a9c3e33a4da8ea68dec16be4e59b02c7b2b3e
SHA512 7de341e71d776da44a50352f2606b03702228503e7bf02ddfdf6422452b34a96f1ab888548a1c7ed77e58f673f358432aa0c9039621925c3d36234a0a104ffe1

C:\Users\Admin\AppData\Local\Temp\RQQEcMIM.bat

MD5 7c7af988847247ffe739a4947e7ba033
SHA1 fd44a8d48d4d31b3587160e41fe5785cf6412c8e
SHA256 67e3d846766de86222d05c7d91462578ceebfd4157ce381a6495e403a639ba3c
SHA512 67af3f43e81aaf3c3663bd2781422a34b9c3c28d23c6c669397954b9395b863404d726c7796ffb3b4143cf5389e7052081e6f2e1a8e591fc3db0e67df1a556a3

C:\Users\Admin\AppData\Local\Temp\mwgg.exe

MD5 7e1668381afdcf11db8993beb355b031
SHA1 e09e3f0295f06341262b552dae8fe20147ecc732
SHA256 7cba6d0508873a17aa8f54f8d7bd9bde7f2941e0543249a8e680a0cba35f6386
SHA512 5f56c30ea8118e944560f43d48d24013f465262c44560f83efd23e4816499b79326e37254fc422954969212339495fdecc7c0d20ca31eecd3a244a735b00b667

C:\Users\Admin\AppData\Local\Temp\uEow.exe

MD5 4244c52872ae889fe57547ffafcb9a79
SHA1 093c2f928b61ef434cc1c364f78d67c5a9251b15
SHA256 ec9fdde7911e486e43ad21559ae37304f96eda9e6bbf509def6a63974428672b
SHA512 cf4d65eb3c0b0b75cf548483d3293ee86cbc7c31c21c08041e461ec8d889fc00521fc702ca95c7315a49eb35deff81089acdeaa466b8d8613895f71907f8aeef

C:\Users\Admin\AppData\Local\Temp\OkoE.exe

MD5 00667d55c0e5d11694da8c06d89e2513
SHA1 ff3f95397cbd36dfa75746e1febf04e049eea6ed
SHA256 7cdd3672849307d108c2da6cb6285236e38106c582b792cdd6e82358ee905ef2
SHA512 10d989f8c7854d67bfb24a118077d18fe395bc4bc1e644474511ccc403279d1864375348b46774e21ee9775fb3eeca2903f47f07479dfc358bc93708662a7df5

C:\Users\Admin\AppData\Local\Temp\pEwIUwkE.bat

MD5 55ee243ee3d45790bd1d4d680f281357
SHA1 cd6b7d4701db0b1ed8a8494d9abe52d9571637fd
SHA256 e4703da3ec9efd8e19be01e9811b1a397cfd61d46ec0dd51284d4ccdd22f34a6
SHA512 f1bda06442c455606b0b5cd1765a0571e9c87bccda3ab978a2acfe9373022e09e3c01e593a62130544f28c39e85c361b3657591129228e42abd3852013bde4dd

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 535e96b56d59f60986fe3b09886b82ac
SHA1 86987d61efc3178a015cadbc205e4c9db2a7954e
SHA256 6261853059ec71865a356602ee0126f3ef91a323627441ce556d8297b0cac566
SHA512 4b57a3f6e5037a80fb4e3763248d5a3923d3d63fabd74f2d0a88c31af8db5df425ad1e7ea2e71c7f772ce3c6d94ca8d3a97d97e5b39e170bfd87cb448336b1a2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 686af73893586c574618d8967170505f
SHA1 bc0f82203ab0087c0379917dd3370b739024f8b2
SHA256 425618d8035cedcba34acbc87f2b22421f357e9e4dd952087fbad2b01df50bc0
SHA512 30c39720de32eb783a0803e11ccf8222313b4a5a792d489f12ace55de4b83a3ecdd874b3badf61a9f4072c0c991a56085086fb9e2d4896060f5a5ba8620dc183

C:\Users\Admin\AppData\Local\Temp\SMgI.exe

MD5 3fc51d3a764ff3426482bef600a3dc28
SHA1 390f9b8c7c8980db5660ff1a07cfcb9d69a36264
SHA256 1616c02e9d7dd456a113d53bbec14c76397aef6225323d0fbcdb755e57e5e5fc
SHA512 9ccef2569bcd7b849cffd6291a1a5b3e27cdd42393cc5c53e263422f88f810f035496e5941926b388cc444cfb224b98653ae21dbfe58dd0675c790ce3e1fe3e3

C:\Users\Admin\AppData\Local\Temp\FogMskQE.bat

MD5 0fa16c5172ee87160eaa8a79330c4acb
SHA1 79f0a161ece867b5414bdca420da179d7d6d2d8e
SHA256 06363001066222d87147e30b46ac97631d341c5a4553023eb2c38e59f7a855e6
SHA512 292047ea2b4d3f70b2bd9d8c0a680a22972dc7e52489a2d254cbc6f349e2451a70a5fa0284f368a3cbf4d475ec9014a02bb4c81126ddf7851434eeda52552c7b

C:\Users\Admin\AppData\Local\Temp\EckO.exe

MD5 3c1698eda053a985d97b8d3cd894f0cd
SHA1 cdb0c56fda0966a7843c8ae042b365b7b9e5098b
SHA256 f87ac0f944e707122e43ce8f3fd02c53ab3abe6310189f8d9e33eb54e6839a30
SHA512 cc812ee88d7028904952cf2ac9d3282e7dfb41f83d5c865459d8517677249a8b85a371e1893eeeb0e6c7d90190e35be302cfa862f3f7385a7b510413f5131745

C:\Users\Admin\AppData\Local\Temp\ogQY.exe

MD5 396bc819661f7dfcad198b2b31b6bd3b
SHA1 5cb8e90ef0bf44d99ed2529e010e24df00f7f147
SHA256 53e336774b4bb588261c740e2d4e7b26cc04b3d4552cbe1147f4cddcfe33f2a4
SHA512 e8aa31312838933c7ec9bb282cfb3ec776f166a5cf1fdccf64a6b1e67c4beda379daa2ded5921d069a946e2af8a25fe41aed61b8ef96afd5af7e1842725a6206

C:\Users\Admin\AppData\Local\Temp\XqkwUAkM.bat

MD5 f9a3d5e9ddd0775f5ac228c63dbffad1
SHA1 36834714dafa534db2ceb8598e8b87b5d5bcf0f4
SHA256 784af9f05c0e00ffd1a58d675c7ebc9c73d1a50d2d7d8ec712628912c159d763
SHA512 a72a94f7ea1d829c92e4a90a4c80e26be6884d6cd8f6e6e92346779609e0ec06e23837386067382468e3c10b09f5e95d279e5c4865f31091c8a4e464b134207f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 57b0df69304e8bd958478819a1c9f4d5
SHA1 f4a1461fb858a19bf8903f5e7d75d52cbd4b1130
SHA256 ad93b1dcacbaa37572e953857ec1bad07e3c3f167505d32a8fcedd6fbaec0158
SHA512 f02ca072e04d6bb21d985430e1ea2fc06c7cb7417afa3a762c28a2ebe4e3761bcb7b107f1888c09b0ed779cd741d1d6ee1195a8a2a7c0d352e11b83d81c98167

C:\Users\Admin\AppData\Local\Temp\KwEa.exe

MD5 44971cb3ed05945909985bed96be9138
SHA1 5d067bf613df1e2e715c340ec62ece7cd043db0d
SHA256 e20ec7440a0c1e46990822794182099186c0a51e06545b48bcddbd746f9fdf0f
SHA512 d050fea401035129617caec6f303b057099fffaab155a8bf4b83c9dcc5c7726070ee6514fd3a39d63d58d9a030e0c03b2fff701302a661a4d6a14e26e2c8197a

C:\Users\Admin\AppData\Local\Temp\GowK.exe

MD5 eaaff65c32cfe4f0e35092fd980af6e3
SHA1 e7818378fbe325fcd17c476f10f0fe7210d66015
SHA256 944fc51c46e9a120532d40802b08f695979fa8633fde2f5d76af445d4aeac6f0
SHA512 43ad9537b2b241d004c91af1df23083c79e2337507d07b2fa50ddd4bc9be18d31f8a0b30cecc0f6c9595450a3008829d20356dfd35c2591c7ffc0a8ddda0163c

C:\Users\Admin\AppData\Local\Temp\zKcIAgAM.bat

MD5 0933e5dc022243b8a07fc6b2a34c0612
SHA1 f6c4e1ca21fc775b82958f745bd172cb89686df8
SHA256 cfdb2fe767d53877f66f5a37b4154ea597c8244496ad48d224d5f4b7a31dbba3
SHA512 2b353b84ccda4e348dfd8c06ec2ed1fc395f84888a16ed64b968d2ce1be6fe97a38f0d38fd50ef73db7750a80276e029240cccd5ae01ec536e99ec63a3203e29

C:\Users\Admin\AppData\Local\Temp\osUe.exe

MD5 898941a56bad3e324e4cb1324ee2cb17
SHA1 04a09def5ad66dfb55bcbb38fe4822f8ae68f469
SHA256 1af865d25adc90b06eb6ac2cfb4333df9985f3e095e69dbf65a757b46e8b9375
SHA512 426828bbfa8679bbcb950a0ff7da213dd555f60c6c278d0cf571392fbef1ebc6c3b51199c761d0e0cf4b1515dd69de6efac3577cfc29780ad7d12f9f72210df7

C:\Users\Admin\AppData\Local\Temp\kYwU.exe

MD5 be3933fd59b42f2bd72d2514ddb5d010
SHA1 2fa21a48e7c104b150807a2d355c64662f8ab673
SHA256 a7ab168425f5e7d3ae0eb6314243deb914381ae3e3f5b1dc681874e880ad1e3c
SHA512 5a15d1d377c37cdbbe432b215b3858ebec50a507561e98a9d91a8f0ac30dd19217077e25c4487f037b1a9852c29dff4d243346bcdc9dcf95c55ca5a988306099

C:\Users\Admin\AppData\Local\Temp\vWUMQgsM.bat

MD5 626268cef0865bfce17ff2fccff267a9
SHA1 4d7e2b5614e7d40a60f1669dc23fdd0a96a52d19
SHA256 c31a487afe4e4941e82e1d56a79ec861b17d70a1fa8d086b3908d203d94c70fa
SHA512 1b2cb48130735645c92471f27542eba365b6bb5627c7d7308b749514b26f6d6ebd7ba8cf3abcb385ab8e2b8bdaa7757a47639fdbe37eba5ea3b990d2c90e8975

C:\Users\Admin\AppData\Local\Temp\gAIs.exe

MD5 6e23a4a239b38a8e7cc1dad932ede76c
SHA1 c61f5f94f9aba42f4e2d6ae6da085fb38f2babad
SHA256 4894ab2fb5d0c85b7e051fd936b082f54eb5fb1cf49d44b0842fdb5b6bc382dd
SHA512 b1916305bd0147e0c8f4bc28d7ffcfc92ff147d8d0385e5d5df24f592948f4c3dc13c30338122536ce1b9006d657da19accee240153906e0ed63c8d25a84d70b

C:\Users\Admin\AppData\Local\Temp\UUEO.exe

MD5 f10f858ba7091cf803f271d371cbe796
SHA1 8f4d631360fcabdb811740f4a704e2b3d6b49109
SHA256 f745559c50644b5b33bf37b28888129f63bfaa870e4b4f53645e7a4b85b757ff
SHA512 aec6413bbd40387fb877af368204475a93c94caa924b9305448e818ec341a6140aba0723a62c0c9be738f27815e10e73f27e538417951d65c06ed7cc5eae20c9

C:\Users\Admin\AppData\Local\Temp\QQQo.exe

MD5 5cb58fdb9a9535fecd05da44abda3ecb
SHA1 64741b6ee0238f8a22f2f840efee74c4cdd233e4
SHA256 73319a42c5fc5a6ce12ee9039d8471df03df7cee5fbb2358177634b5db509b4b
SHA512 511940dda9cc7f4108530063c40109d4116ab31d447e9fec4ca70e106fe0eb1864f592e69fb552f80b8be461d8f4746c11714a7490a4fbbc5b2b20d2002b199a

C:\Users\Admin\AppData\Local\Temp\YmsYcUsw.bat

MD5 f0ce7c4622d2eaebca202d9708736946
SHA1 ac92f9ba503b2e4a026a13d5313928f673463973
SHA256 72eae5261d3ee619e690d26cdb86b8b089ad1de871292061fd1c0d2cbdb60328
SHA512 05c2a11c888557ddc9bddce5d60eede23715793ee91ea274c409685fd5001783e8d530558948ba4568c1d3472a2315774a065daf8d272ad7f1fd04c3d50785fc

C:\Users\Admin\AppData\Local\Temp\oYYsgkIg.bat

MD5 5982982c5d077c960d1859f397cf4f71
SHA1 cf34d73ca8004210924e33783be7b5977c8865ea
SHA256 c107b96b32f9e4d0b3cfef66237539978cf181d961ebeabadcdaead347c0558d
SHA512 519d2791c72a3f1d12bc48fd7e3cbc808c155fe8f6ef9db671bebd9c74c144b821da98a573888a41cd7ab0c8f08044589486ad0fd1c0d2fc6ac61ea359bf258f

C:\Users\Admin\AppData\Local\Temp\GkcS.exe

MD5 6b681186095c5832365f171d1d22088a
SHA1 62826f5dc306f66b8b800a6b16ac4e7e9369eb2a
SHA256 3eaa4de005f9a02b7929822489734faad72363770a2bdb16d5e68b1c6186676c
SHA512 05c3240dc6c71aa7bc4ef480e8531ef086f45df67915a0a5a76e6ef8c1fe3851955592d5543d800e359daa5cdd0d56c06ff0769eb9808ce609d7e93b8376571b

C:\Users\Admin\AppData\Local\Temp\YuQAgkgg.bat

MD5 c0c862e331b6173a4dcce4a8df181100
SHA1 386d8686c37e458964b55b07c69fc4c3a8fcfe13
SHA256 d2370c2c7563b053e44666e01bf878e685fb6b87f346c37fea2685001e59ae0b
SHA512 1a0f666a86753d1a4808839d65379733194bc7f0d43c1b913f4703aa8b24201c02a13657b8559bf66cda859b1c039ee145a192a6e36b27f11fa50065510ec931

C:\Users\Admin\AppData\Local\Temp\AoIs.exe

MD5 80930f5fe3caeeb6a355e9aaabdc9507
SHA1 20fa874f236e09db384d3ecb833c69d0ed6c8190
SHA256 c0df93efc57f142c7713cfb6befb025322ad916441efb6c4cda770b8679a946c
SHA512 03f1953f5c1d2f6fdc2a7ff06c078c2f77fece7264641f011deb242ceefb7478d64e720de656a3c043dd3389e339df596cbc8580d8e19c446bbaeca662e90afb

C:\Users\Admin\AppData\Local\Temp\AcIg.exe

MD5 b52b1cc31e3e181d6394cd42bfa2f9eb
SHA1 8ef26ba4ec78fa5f32a1e92d83378334941ce794
SHA256 f2216294c6e7ee4aa08dce03b16485e5e732e6248d3fe534eb2367817ffa6434
SHA512 1f438a60c69bcb5ba465fbc4a81f79cb755cfec4083d86d865c827b9c014b45d4e20b820941fd1c05174e7dbd53b865b3b975d019bd1081c47838e6eada1cd40

C:\Users\Admin\AppData\Local\Temp\McYkYcsE.bat

MD5 188d654b34dd410c1e05edd322e70295
SHA1 2c819f05468f9bd6df611493d690e96ed55b073f
SHA256 f9f8744de1ffb14c5559666084f2510b8e99cfb26d06248cc734f4b5d097170c
SHA512 ca3faefdc4dfec3bcb1d4006231147818528a27c8796b0ddf24cc99d6c7cc36893118f2cf4d1dbb127c5deba2d4e72350e3b48fffc00968296dd4f9cf9ea663c

C:\Users\Admin\AppData\Local\Temp\mUgq.exe

MD5 aa633bbf5f4abf4acab6b5123080ca6b
SHA1 634110a945c66c607bd79025fe89dd54f2cc77c9
SHA256 df0adecf22aed76cca7bc6dcf4b41b3965059b5487688e5c6a77fe8e80528578
SHA512 e64562f5ac16f76fb4a03d2fad02fb4b1ea3b12ad3bce3082e5d222832e29dc313486de52bfbb6ea505e74f58a98ca2d7338fa37412657ced8261ccc33145cbf

C:\Users\Admin\AppData\Local\Temp\mIgc.exe

MD5 c5b493ce281d0d2a62b7c191ab9a398e
SHA1 1e9fe0768d847c8fddbbd4b3880b0db83eccacee
SHA256 821b5ad22d884d282003d02be0ad334488a39d436f0936f5c6332faaa0781bd1
SHA512 37671330cfbab93d0d847c53f2da28bffcf4801f4a03368c2aa5845aeb59f166eaa503911e548f8e9e4df43230e5e769fa0537190ce4330be4ea2386afdcaed5

C:\Users\Admin\AppData\Local\Temp\kYgk.exe

MD5 65c46bd3c219af42c0e61dbe34e26554
SHA1 0777f590b7842d834fe4edf18e8ff8d1129ff52c
SHA256 edb409146e3488491e0e42b4cc5f45b5ff2ae0272a0fc9de5259c5f6bc06f718
SHA512 73cb1f2cab5816be07f759153ee19d761cd2c7f8e16b193009d368825d4971cca0120bb330329447868bb7b7485adacce4965aa8786474c49b1eae0998220150

C:\Users\Admin\AppData\Local\Temp\PAkEkwAg.bat

MD5 9349575a66d4a65723e28f19ffbae75a
SHA1 db7b6549c6052aeaa8c67c4b9114e2cb69e027da
SHA256 98e33da9e0f39cbf63161422ef22a23db97f1ded54d98a5a61be470edeac8d3d
SHA512 da0b49b55051f7549d9e3066849d61f37234fc9699324ef7bbbcd3d7dc9b3eb4ebb04c4f9a78909b1b65e6e7e31771507decc56fd9a1ec9f26414c35b30c82aa

C:\Users\Admin\AppData\Local\Temp\eokm.exe

MD5 09aaeae69ba39239c892e6e5c89793b3
SHA1 f270ccc83c0bb125b9456a72910490bd9a43c323
SHA256 90dc4092f8696d521ca5890d2995a0a89efe6a3ecba9c527573ff6202b88f51d
SHA512 72170bca6fc7adfdcb5f03e99f4a91619203a6f1f8af3d788ad536caab760ce96c90096a36cad08556f2df0d7c73a570f9559ba88e6f9ebf121b4b037f6aab62

C:\Users\Admin\AppData\Local\Temp\MckA.exe

MD5 7200478e4e0ee2d1a65674ea3a2715bf
SHA1 1f5addea1b737a1d1b1c9656ccb7f90873295ea3
SHA256 86bc61c822f0ff8c4268aacfaa6427d572cc16d2007fabdf69a052b4550ea278
SHA512 37ccb5148137a3047cbf4de9ca5509ef3b91b02725712701b0aaae19c7139b73d1144afe049644872e59e3ece3aecafb416f7f93f1c373704e702b2c27cf302a

C:\Users\Admin\AppData\Local\Temp\CwEY.exe

MD5 0d0c0b9f3e153c325065131030009103
SHA1 84cecabcb9c68b43e81c36cecd7cf27efff3ac0f
SHA256 a2c19855a4cbd3c47413d0924508268166ae34b0a1eed4a564505a05fd51c536
SHA512 09e054de5d3c8c0b1e468cfe277dedfd5429200ab02d47703c220c0b49da6492d2e283bdd63e72486107dcdc6e83d2df5a8508a614290262f86a15f457e6138a

C:\Users\Admin\AppData\Local\Temp\zicYMwog.bat

MD5 6217ce7b2ed5cbd3134c4872b4621a5a
SHA1 785137df5a44243633d4c5c40e14878ef01e9061
SHA256 4203c83db4622af617cbb98249b02fa9b3b6cbfd230b66f815705641957c0153
SHA512 1a8d7537e8e07d26a2f836d828fa293ff75402373837ade752ff760ead14aaf48e6d98b083283340aa9eabf6f96de38c8c3cc420fc4274bcd12f18e62ed82454

C:\Users\Admin\AppData\Local\Temp\owkY.exe

MD5 a7d0c81de7c901a94179b0d1750d8f96
SHA1 096a830391052cabf256974aad26a55ed6e2fe05
SHA256 c42986a29946670396456eb80fd60916ea8dbe7a55f02963eb57eb56adcbec7d
SHA512 35d0da719878b32414cb3af5707753667a76f61392cf656797404229b0eb2f826b93676b1789909efe202a150ae66fd818674d2113e7d2271270d412a7b61419

C:\Users\Admin\AppData\Local\Temp\aAwQ.exe

MD5 a741938e62b692454ade62ad92b276cb
SHA1 a8479fa9ba3fa82fd9b80372c84321a27fe21f83
SHA256 ff9aa46c487d74e00f458bbfa061062da11fd22d3a77e683271013c1900decc4
SHA512 2e9710c3dfd7fc74b0289a95f6b46ab2c7081593bb27a3b3441af3a42bd80a4b8ff793650753a7dc0affcdaac401348a6cedc8323a2d33bc6ed1e89f3360e2a6

C:\Users\Admin\AppData\Local\Temp\BQMwMgMM.bat

MD5 fa29952c04e6da348d85e3dc45153306
SHA1 57ffaf3c561f3987b7a785a67bd7f4da42dd238b
SHA256 d7a1954df3d3ca1c28deea261ebe8ad43d6c4e981cef3f72682a941d3942f4ce
SHA512 051a07d0c66c3f09a1c86a5af8656d5b2bf4ef52f09f7bab70fc39401f5fc1bde52f87b9e1d1d71a205c57b1059e46212b4c536716ed5b637f65a371b1919574

C:\Users\Admin\AppData\Local\Temp\TEwgskMs.bat

MD5 dfed37c96d94ac40aecb86019d53daa1
SHA1 327f76139caa2a8f91dd9b43d5b7b349000af1aa
SHA256 781c88848319e3b4d0c7dd87fad87975eb66f2e07fc51a09afba512ac00e27c0
SHA512 84dd7853926415179f906077fd0a889e52c53734d952f638149c3c1878ee0ef7f6275925bf7a2e2afc8dd3d16e743266291131ba7864fadda6ad7d99bf386fc5

C:\Users\Admin\AppData\Local\Temp\AQUAUsMo.bat

MD5 136690883ecab2ec4d5ec54d0d11b873
SHA1 1eff4dcb23029bdd781e817d596ef69f8446176c
SHA256 0dc24292c50f616e6e6300d5635e18711ba22c8a550b70ac6c58686edcecb9e4
SHA512 400d49a215d9c1274478071012140bfb7a12a6bd34bea93aa77e0dc768492bb7bdd8b0cb11899e6aaef8cc3a7e0c38721d0b5e8544b3b7580d9ff15f7b1de28c

C:\Users\Admin\AppData\Local\Temp\CIIAwIwE.bat

MD5 f3570010c6e8db4fef2e8b52864815e3
SHA1 d385b1075177bd63a2acd5b6a2ee23c4087b6d57
SHA256 25f5e445d9a5928c67d9b8623dc146d726da8d3d50457976ac15dcf915c2082c
SHA512 714d81e65ec08ab364976d7ee14beb166672e808420e7d9284693c92b63b9382fdffbf794aeac8ffe767617d821094ca197ebe279794774aa58fceffabd236ea

C:\Users\Admin\AppData\Local\Temp\SyQcsMYk.bat

MD5 b86cde700fdff09e0147b66bb488fb8e
SHA1 cf06b0d972a247ef997518ed8ada32de4d163636
SHA256 1c1b7e284531260abdf8f522e998af83249ce487a70a610568b51931c9138041
SHA512 583346ab077da3888230a1a916d703dc08e86d3b852a02b6bd4dca3471fc9151c4ed25b96ba08a2d4ad621e0d7ba2d8d9be00d6ccae76c1e464b92680e1e2bfe

C:\Users\Admin\AppData\Local\Temp\suEsgMgA.bat

MD5 7eaa0594290252259c36650d51428e73
SHA1 f67b66dfe4d3636c3556112aade7183146a466b6
SHA256 36029946f40497d0b910f7298a22645cfda26ff1f1b2f18426b1aed24cce89fa
SHA512 ef19c40585aa298b00c8421a1a1734c247d3785d087ae08902225b761c4559b51d8aafb40cabb24dcb7bee8905875604cad8ff71b76bb29e737b2dc691e820e1

C:\Users\Admin\AppData\Local\Temp\kEsUUkIg.bat

MD5 86bfecc93406f3c1b0f1d4003b3fc1e4
SHA1 bb6d0ce8da06bb8156d7d7b9d0c7bfac84bc2183
SHA256 54f4c9b63a7008fba64e982aa92fad52d673da423702b24147b34ad00feef205
SHA512 c7270c10f546dec8fdcac7d5bd263101a3708b65b7cc65b6c07891709cfdaad863357af8728c9417779e6e379a6e81fb16dba9059a148065bee1737da582f652

C:\Users\Admin\AppData\Local\Temp\PsUUEAwk.bat

MD5 dd6162040f4a404f1f1a05c56084fbfd
SHA1 90bffe2d4010f5c3df37f2870c0fa69af539d957
SHA256 873e83449d84b55afc7541e6c8006632cb0c9ceb26ef93f254be82642b5d16b9
SHA512 e573801b6617ec60ba03398323a4612d0a7925355144ed6fd6d275b1361145eaadd238845aa242be22f4620e76c9c4f5a54b12002deb54b97c34bdebc95dd5f1

C:\Users\Admin\AppData\Local\Temp\TOwkcMAE.bat

MD5 1145c31a202bb89aa34b2ec334c22485
SHA1 7330868aa661dd12ec30e27f57ad750c5cfef123
SHA256 75f87518f675451aef751214008731f119e3c269c840953e6cdf8a41cc65c847
SHA512 5c36d34e51c10e7c3cbfca7fc810cc5533eb6f379ef234fbce749beea1009195c0e5a79fa0e60df60842c65ef3f5287493e40cf5ae1dbc4bda8c01d8902f24ca

C:\Users\Admin\AppData\Local\Temp\PKcIcIgs.bat

MD5 1165129435f25eab6c4b2475352f5367
SHA1 aa7e90c0e285e1d34ac9ef60a5ce9d2d06de08c0
SHA256 651abab6dc3a3c662248641a57108f2805b39c69981ca94e9d0928a60a787af5
SHA512 1ab553943a4b7e9bb5e8092c8c3959548da05e76db256e14eb0487c971cf47037f6e0c3f14070eaa61b64eb20f84034eca46b71ee11269c08ff973d05ea18df9

C:\Users\Admin\AppData\Local\Temp\TukIQosY.bat

MD5 a6d1456677b35157bd4d64171ed6a821
SHA1 50e7e80d19d80eb5d0016c38a772ca8b20e4f4fc
SHA256 f9652c32a7ca1553e066e96fa3c66f6539666df3a6cedb4deacc390fc1469fec
SHA512 ad215912fe2bf3fdf3ef791a4f34edb4f326912c009315c04e86bc4e8117a43d217486e1dbb8788b351efb755673fdcd562608577a8fe390397e2dc5be2b0785

C:\Users\Admin\AppData\Local\Temp\NaIYMoMg.bat

MD5 59736fdb6cf080a20a97420060626296
SHA1 4f01f873691354025f9a85ff0d8bfdfae08201ef
SHA256 de2b5e0c520a6fa7a4aba3b162165ae198c28f3f3faa602f0d27fa02f2128f39
SHA512 c273b95504adbe427cff5b1c914c7be7ef649dd6f89d2991aff1915a31369a4e4ab9931d0b51714c88459143f3491e319e90832d01e16ea4db44a59fd6f0b975

C:\Users\Admin\AppData\Local\Temp\HKEYsUwQ.bat

MD5 19edf7d06211d91e0257dd06e157b21d
SHA1 8a62310d9f9283fd8fa6380ec446bd6f54f73354
SHA256 97640cffc8b10dc93ac3cfcb8122ad97d497620d126ab77a2be76f354d27c2e6
SHA512 505d96b018e56edb8da991f0a7fd604d6c19fd67760af12d91773120f8af01a29db4587ec762005261d2861c2839ea7a1879ad861ee644d2074a7433b7e45743

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 02:42

Reported

2024-11-04 02:46

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (83) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\ProgramData\nYQIAsEQ\XcMkkkMY.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DGsYccYQ.exe = "C:\\Users\\Admin\\zeYsUwQc\\DGsYccYQ.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XcMkkkMY.exe = "C:\\ProgramData\\nYQIAsEQ\\XcMkkkMY.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DGsYccYQ.exe = "C:\\Users\\Admin\\zeYsUwQc\\DGsYccYQ.exe" C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XcMkkkMY.exe = "C:\\ProgramData\\nYQIAsEQ\\XcMkkkMY.exe" C:\ProgramData\nYQIAsEQ\XcMkkkMY.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\nYQIAsEQ\XcMkkkMY.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A
N/A N/A C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4160 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe
PID 4160 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe
PID 4160 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe
PID 4160 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\ProgramData\nYQIAsEQ\XcMkkkMY.exe
PID 4160 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\ProgramData\nYQIAsEQ\XcMkkkMY.exe
PID 4160 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\ProgramData\nYQIAsEQ\XcMkkkMY.exe
PID 4160 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4160 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4160 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4160 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4160 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4160 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4160 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4160 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4160 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4160 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4880 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
PID 4880 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
PID 4880 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
PID 1272 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1272 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1272 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5096 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5096 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5096 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5096 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5096 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5096 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5096 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5096 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5096 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5096 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1388 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1388 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1388 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2988 wrote to memory of 4628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
PID 2988 wrote to memory of 4628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
PID 2988 wrote to memory of 4628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
PID 4628 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4628 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4628 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4628 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4628 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4628 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4628 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4628 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4628 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4628 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4628 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4628 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4628 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4628 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4628 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 636 wrote to memory of 1328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe"

C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe

"C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe"

C:\ProgramData\nYQIAsEQ\XcMkkkMY.exe

"C:\ProgramData\nYQIAsEQ\XcMkkkMY.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsQgwMYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EckYAsYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqsEUgoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgEAIUgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqcwYIoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuAscUUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAsAkgYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQkgwMkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIcUsgME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqcksYEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 142.250.200.14:80 google.com tcp
GB 142.250.200.14:80 google.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/4160-0-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\zeYsUwQc\DGsYccYQ.exe

MD5 dd386712b24ae972bd54f02a9b897c98
SHA1 24b563087199eec069aaee9bccdf7ec2845b1aaa
SHA256 dee247c60887a0999d0fe1331112d4f5c8f0b77d7fd88156e2853175c24aaa87
SHA512 e59148187dab8732d2682fc807e25b019e794e124991a340a95e54d0a48dd14a6814d50f1c818314e2cd02e1da6263a5408a8acaf5b4634e02203dc1db2b26bc

memory/4824-6-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3744-14-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\nYQIAsEQ\XcMkkkMY.exe

MD5 ae501a5cdb2c5c84f93ad659033ba911
SHA1 456849f9993cc050f6cde2b52862ec367d659e1f
SHA256 c4bf48d47b1780f578c184a78610bc37ddd6e2985a026f8b948160b4c8106989
SHA512 8679651efd2577e20a0d062aec62f7c71fd2abe45dc2c6399f66c54b2b45341de4b6bd688408b177527b1a804a3f38ceb5c7a3fbadaf765521441325c9bc5052

memory/4160-19-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/5096-20-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GsQgwMYA.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

MD5 28b1acb04d8fe32baff45c1c266cce72
SHA1 8ac9f90b7db799ac7e420fabc44dead1531167d5
SHA256 7fef8984fe1b6c4a82f5daa9754035f0d1843e726a7e03c1bd1cc7e2d3ef8dc7
SHA512 d02a70bc31d875e28d742388f56fc6e180e69bb69d463d9d02fa4e1db2529b6b4d194ef5bf75d66ae51bcb2915ae7cce4f2e0a9b7dae7ffe5fab560f6d1515e9

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/5096-31-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/4628-34-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/4628-43-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2152-46-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2152-55-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/1496-66-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2036-67-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2036-78-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/3676-89-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/4628-99-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/4928-101-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/4928-112-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/4384-123-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mkYQ.exe

MD5 94fd346f25c04ee78ac68df072fc808d
SHA1 7ab339ecdb5dd4f61708de85dd8ca824d63c6b31
SHA256 89f35588b12451718857eae26a68ab5cbe8e3b3a1c94518d687481aba247deb9
SHA512 9e4a8755d74a46b2041fe317842f0e96359738e29a0b280ec00764dad0536f039ffd30ddeddc38b2107025c7f6c168d25d88f3bb0a1fe835e27dc914bc2094ad

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 6d96b7223e8451989dcb4925cdb1d7fe
SHA1 0d4a1e16294305e4809a9176b731e443e4f51f04
SHA256 037dfb4a2655c7fa6fee52511c6c1db855228652cd05dca53fbe116e6f1b9453
SHA512 a4cf5194f0c1d637ab877a23ccc5fc5594cb511f492c092e82f9fbb12e9dcb07b0aa08f20857e90f970fc79299735e16790bf8b8dc97844886368e059b4303dd

C:\Users\Admin\AppData\Local\Temp\YcUG.exe

MD5 db3ead72b8b1c33e29716e5eb6377db5
SHA1 45bbd0daf5d0c2adf86d86eb6a0ae2560fb11501
SHA256 6a1793dd1798a11b9e9b8417997627f23a93e00510f48b5699c4ca4dc055d57f
SHA512 efa869a0c6ee8ed9dd8a57b39333b551e9068a493e42e2a1ec9e0bdb9ca3c772ec2efa7608aa5542347c7ed5dacf14d62919178095c8f6209c3f969a7d53fcd2

C:\Users\Admin\AppData\Local\Temp\aQUA.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\SUkK.exe

MD5 6456016024a68091d00b309c0a9baba5
SHA1 0a28506ad200ac92df00d39a78851278297f89fc
SHA256 5a5af73b14321eb6239f4b82261331bdd36035730ba9cbf5651406ed13eca96a
SHA512 57a9e652d9260bab33d4e6245e2175c02e2454d80aacffd4d58d1231d1eecf2c9e5de564c3e057841a4740241431374824af242447d21ebeea1b4d1114f953ac

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 be861d24667041b95a0527ac565a0c34
SHA1 b968ec108c9ef43d96dfd76cd852b9785bf0fbd7
SHA256 85beab556ee7090bf1c983f986f642c7cdd3911ce0be8d91d41dc946c58b8956
SHA512 90cf3c5e218e2295c56a842f710eb8933d3c78b53193905ee333f13822d9c1c5de3381cfb94f87efec4dd698d44334fafea8023f36a986d714ded47a3b489cbf

C:\Users\Admin\AppData\Local\Temp\CEQe.exe

MD5 c05632654f3a1cb0253749346af00eb3
SHA1 9edae2607509ddf7af64dc4f5221393c91961fd9
SHA256 0b8599a0951ec50d302b205f2effdd0b4725b2c6f4e205697627c4aa1d343ab4
SHA512 7e63a6cfae41c96ca9738d18a6c58535c6ed9c2e984d78e289d9aa1ba62212aae97154a326bdec927485aac0750a2271f7aed03a4da735edefb4c333611b906a

C:\Users\Admin\AppData\Local\Temp\SgYS.exe

MD5 a6ba59009ea504a1c936039eff16344d
SHA1 a6a4ed074de8449eb584cf375100590052f938a5
SHA256 e784b6b1b0550816bedde0d2c334ac8de3822d9eaf0b15e4c9a50b2d92856466
SHA512 4a399ecc99acce85d74af1167f8a790b2f146a922cd79751b57088eb766a119b30dd1bd5e869a5a4741db58ae77201bc663f2bfa15832b3e06fbe41f8c7307a7

C:\Users\Admin\AppData\Local\Temp\SscC.exe

MD5 96fcb6d785185ba50cdbb62b4690f13f
SHA1 756fd171efa7d0c62cdd8bf62ab2f1609d04b698
SHA256 f007e08c9ca26b8a49a702862d4116a97ed7c44edab9855a636291a493645448
SHA512 062dfd559996c0ebfeb8a8037cbad214844e2ec602b01000723332a344c093a7b60b6f07d530117441479287e5c50a4485b5e3fe5c494dd0f28b75f45534eb5e

C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe

MD5 339face22697640b84e614d65ac17caa
SHA1 5d223025f6325428a5dfd875239d57e812c20622
SHA256 0499415b11a4cac8fae2a0f9dbf687654bd4b0266b62324f1df3d99934884c20
SHA512 2811f707790e1c17a89aca52053f65eb97d0208ec703bc49bc67bed0d0fe22112aec4049c0a52319c1a77624a66b5a2da52a5918e122f4b84e3dafbfc92544ba

C:\Users\Admin\AppData\Local\Temp\MUoW.exe

MD5 b04dc2055cefc5f9d02a67301cb9eaee
SHA1 a099355945b614b96a3d37200d5364783bc84fcf
SHA256 3c1832d7f5fe0115bfdb9d927e83069c2d3bbbeeec2423f3a398e7b17f2ca82b
SHA512 288b0c20e52857827966eef6d133b9b9a902cd056ef021f9c62d61cde59fc739bbd81cc1f7c93fecb99e75d2e4826537c592102060260476ed7714f6460f1e17

C:\ProgramData\Microsoft\User Account Pictures\user-32.png.exe

MD5 7cbdab42e6bc8168595c4547279703ab
SHA1 2143e63d4c1d141baef73a9a9c6de37e5b24f26f
SHA256 04d9573bde90286f7330d732275122d6b726fd1d1b4ff5109e4308bcba53ccc8
SHA512 a6ccef6a2a05cb828bc7b1f7d08bcde19158e6bf58cb076f5aec2b526aa6b27faa6ea8fc5d4e0ee13f38e4da8b8ab5ed2a60a11e61b25aa1148d39a8d69398f5

C:\ProgramData\Microsoft\User Account Pictures\user-40.png.exe

MD5 19392f343fa5fde373a3ba952dc524df
SHA1 26e8d3fff08fa822fd2c6ddc1fbbe333bbc367d7
SHA256 5f7206483d332e951d92de3418eeb161e6f11b0108f26fa8e95635fecc171aba
SHA512 024865e657ffc202953283bbd7021e161aae399a34a0f601fd68456de21ee0128c0c6cb3ab74b2e34d96ff843aec2d41d4e3e94fb85cb50e7da03e06bf5f6a7e

C:\ProgramData\Microsoft\User Account Pictures\user-48.png.exe

MD5 929070e27e21e4a76eb24bf8b9c2ad3f
SHA1 dae2d338d715a66336014d32e14a2ad34713c15a
SHA256 59ff169ac8ab5eab343a3a12301c29407bdbe61d62e5e841c48e8d30a3f377d9
SHA512 9d14808b201a4364474c0e581ef2ea76ec6d680ce56abcdb3b1f66e1a3882b1fc117fcb24290d6745facd5bca8d59fd62c02bc69022189b27e1df30d0c215e60

C:\Users\Admin\AppData\Local\Temp\wQEa.exe

MD5 e62f5b01cc4b03ca833c2f4909086337
SHA1 0c9b5358d12dab2ef6edf562e9574734c46e132e
SHA256 8bceacd979b1a7c01003fce41386d2e60ddb772406859b1dd26fff1fa3e1f77a
SHA512 45ef42cd465486e2e039f9d4c7ca32d0ff14a8d348b9ce57f3b2d23348c4e8ef77667e29b238d26fc5194f115e7cda201c5c3521f21860912c90dddd2deeb6cc

C:\Users\Admin\AppData\Local\Temp\UcAa.exe

MD5 a2bba11a27c047bd990979dd7772f866
SHA1 caeb298d7c1bc9398a4929d8bfda16da2f57d7ab
SHA256 5d6f39a542333a08278d6e04363e8d8acba44254c67bcb6cefe482b685702106
SHA512 33316133bcec0f7a088d0f356880b83f019e8170862a3cb4245845bf4f463624583d36463484efe3972141f59770d4c481ea53a30b3079d2eb922c463c2f5fa1

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 4ece2664dcc830d53830d0183afb0e50
SHA1 c3af73e8ec52c2fe76cb9e4a998a2255d3fa8b33
SHA256 fb9124cce0e33adbfb7b51e0547ab95f77907476aeddfecf724d750d50f940b8
SHA512 4111659cdaca7a04f9816fb09eb2605f265e5531ad214cdf8fba204ff6d6a045782ff002844a2149d6283b435a97d205eabbec259a5ec69067cd386ed1228d0d

C:\Users\Admin\AppData\Local\Temp\yYYM.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 b98d81d273a4489a97c00a151d0263d2
SHA1 08fbf2bb90d2431d13b248364df17f58ed6dc7d4
SHA256 27c81573469247fc04176fe6e887d5cefe9271e253cb882432efaa1e500452ae
SHA512 f4933f6c11a4d2db2a1524df2d7377806fbf00cf2e529c1619186efb31558bde36466fe26752437c3aecf4c0f1bb3e60ce4d25b4989129abb377d2cb4d44ddcc

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 634bed1a75694c6157ec22ec8c06fd13
SHA1 76ca7f6dc80250ba3ce6690f74cb06def54a820b
SHA256 133c569dff73fb8635f0771f0880535cfc9025983c84edf72a15353a3bcb90c2
SHA512 b96e41aa59364aae9f3c9fb8b51487c5fa6b1265cf218f12dd488b4ff460b21137d0e41222b36af17a29474b4b6389420bbcb452b5db4f1834168525c9118f7c

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 83e455f5a67090bab3aa4297ffbbcc9b
SHA1 fbcab7ca33a1ffddea5e8a42a03f77dfea959b2c
SHA256 08719c230f702515a5e0283d502896c74211bd170b86ad5a6f2857d38ab24b3e
SHA512 1d67bddd41b2d6a5f924fccdda9410e841d8f1752a72e202566827328243ea0f8f6e1d26fbb98c3dfd5f1110713c22a7624ae777f36283008f9b6aaa9a7d6441

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 2267396646bd0cc74902f99128f12829
SHA1 22998de6ec72ceff83f957a9ab36413f016b2422
SHA256 73a8b040e264736af70b2f366fad58db8ff01e2fb0e53a675e2dc303d17d2cdb
SHA512 453744ecac0d5901a290ff99eae826d6f6901acc80099d5fc3505905bb6f12cc105fc8b74318afe58f7beede232271d65764b86fb597062eee6f46540b9da20d

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 d355f1504d21386cf4915773fb54345c
SHA1 d522027ade5196372b0bdf406c724797eeb5375e
SHA256 e4596f4cc7cca88d794424a889d3df4a3ee1df4b26ad25396c3cd4500414e19a
SHA512 a7d98d627a9328dadefea203e8cb65c019562515dac3b0b93d29728f64e2b89b09dbb9870c0088b9f4a98002b58501a986c44ca0e3276f493abb0c9c86e2c04a

C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe

MD5 ad7a0d5d8384cd713a725ed783eeb660
SHA1 5285799b7c97a17df1ec7c699a1fa2e5c76b5062
SHA256 ea31c52462340a68883db4143b2c3a835032e13c4078c4cad1ab8952c89334e1
SHA512 e52cdb6aa26b248b486c2e8def9e2ec5f0ccd2836338a91b465d4e9e7255dee8b46ba3eaf967d94cbd40ef00d1bb6d668291770b136f1165299a6d2f44d6ff5d

C:\Users\Admin\AppData\Local\Temp\mwAe.exe

MD5 3a9454c5f9a27d3bfcc03ac8d5f23044
SHA1 a7f6078c430f9ba74c256643c5a1bada12ea01ed
SHA256 00bfa4d43697ec80e2e70ff778719ebebe1f681beded17db0789ad5423099dfc
SHA512 e4803ac34625a96cafdda646aac7483238c576d3e97637e0d2f94feeed8168389278ffeebf56ad2efcaa3196f66d6ffc5c6c10b6eec3e90981e32cad050edb92

C:\Users\Admin\AppData\Local\Temp\Qowa.exe

MD5 bbbadb4c200ea0b859541fa6e6a55f15
SHA1 8183176c4a264393fa7aa2fea07eac5a15e14122
SHA256 6d3e072d1863e2d988f2d4377170fae8c8b1b63fcb57ff47b34ccedcf5570101
SHA512 4e96685ed75fd8e79b9f33ff5001c606ce3d139d6b4d4b5f31786211a4c84b063282227af7e66734742fe31ba0972eeafd86c62b56b01d6d2f8bf70b3a234465

C:\Users\Admin\AppData\Local\Temp\IEoq.exe

MD5 df9a20ea7ca96a9d5dd6800e478e846e
SHA1 91f27cffbca75d983341db78b47597504b4ecc08
SHA256 ad0f97961cbaa2f694b6f0012b106821567a0117e04d952cb432e49a67970bb6
SHA512 02751d5772a713044d78cb01d3f5063e94b80c81f5be4e1681bbd3422e6204211030453be31591849b8779505f48154e0f99e239b7b56476ca6c4df53d147917

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png.exe

MD5 e5f34fd66a2eb0b869add0735dff51a0
SHA1 2bb7752a5aa23fa295548200cf06555518ca9b5c
SHA256 f5cc01bc223295ae1bb78658e9be8dbe03bcc9b30654007944ee8d35e03aca02
SHA512 236e11e222864f3a31618ebb70e73984bc88cf312ce9e7d86d23d0125bb644e9bb869ebc488ab1a0984e555adb4f89b969522ed5cd6354526dfbb52a984ee489

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

MD5 fcb45568227d2b7104201b67112e285f
SHA1 85bf464c8b31001b05713d7399c8ba8f287604df
SHA256 1a3d59d4bb172c471a05c2c4c0cb2fcbd54fa168f8794da3b87ec67c8d46ed85
SHA512 b123bc923d0b76abe71a7be47bfc982cb5cd3095bcff9657eaa8111fa701bb25944bd49ce87106885884383cbc3cc11b51301040514ce8c2749c9f6dfdd19ea6

C:\Users\Admin\AppData\Local\Temp\usEK.exe

MD5 4197f8dd05003c860e083466d7a76c67
SHA1 d436f108d33443ef6faaae558d6fa79625630326
SHA256 2c75433da1641206ddfb7754d53bd3897973f762b47359329221f3832a28ce56
SHA512 cd8bca4ef8842f2a295c65cc79cb84220acc2743d760f39f6d1b468535c2dcc204cc28d1a753f1ff2f5735f860c95527abbbe7806bbc3e05c77b5771ab000eb2

C:\Users\Admin\AppData\Local\Temp\oUQy.exe

MD5 0840dcd8078fac5db04bdc4655666101
SHA1 49950963126c25dfa31cfdb2e2b30405c1642ab2
SHA256 4712c8f960afde5fcbc6702d75d5c493a705025d2e5b7725973374ee734ebb66
SHA512 06810f4d18e8d83338ad56c5943c8a74dc9ace6cd918e67002a7839e0ef029ccaa2cc172f999d5c99a219d2283bd0a978576329a24a77f8974950c762419e4a4

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

MD5 fef84f23504e3fe8ffab34ffafa22c02
SHA1 9888f194aa4e97514c1e3be73e4ebc1796e432c1
SHA256 651206af5c38af0124d487372f65a23bc0485f3c446bd1e0e24ff5fc85dd5664
SHA512 0ebc5dd42989ff5b507d62068f438883eebc67569c612a5f93adbf65febe702769a31f62a93fcba00104afb287642a43dab7e79950e63f98ae0df9fcde049a53

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

MD5 593032c8367ec3c7a147d4397512eab8
SHA1 1c8a0c31c96761e68c1df2ea301d303f4f552700
SHA256 84b046806309934ab5962aaacf7d5f1c068affb35c176acc04c9626d1f1c7d39
SHA512 3df05689c0927e278992451ecdad13646973d73b2222573e1517aa6ee49830aeb4511035fc1213b7ed02fea7cbc0ef4d44f1a3883b62be65bb8d3b0be0ed706e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

MD5 2660bb9295814e97dacc3543ea03ce72
SHA1 f5b6775d76d522f85c7cfaf7eae88a372c6090f4
SHA256 b93551a885b311438265b22d9022251c96e6b33d8c4d539bfa1b30dee59dd81d
SHA512 4b788785079a4ffd3e6ecab08a0677de384213b74651c6327a7b31f430d77683271699b6bdea2af87ac955dbb9535226bd52b4015dd3240a1b266f03a08e0d2b

C:\Users\Admin\AppData\Local\Temp\YcsK.exe

MD5 bdbffa46352bedf553c6aae9ca3631e0
SHA1 4b0d70679d388f96813d70abd0b6053aad8e491f
SHA256 e32dc4ed36deddeadb8a22dc61e64e84f3f311265846cd67cb31f4d7b5aa53e6
SHA512 07259e852add608c3fd4544306d179dcce1a62f7efb1da1711f16e7aa53a2148a67f69f96c0da6c1d44f6e48ac3f8c41afb56e30aadfdd40060a5428360fcc11

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

MD5 3673146555baaeea74b65d967e829162
SHA1 711827764f6598d2318322279c04400c814745db
SHA256 ab0ca322ad3504eda62c2b1eabb81490f5bfeb6a6ffd9d948dd0932e177fc49a
SHA512 0c99720035e5387fe5cb97b718107e3f6a034eb24c4d231344e163c039e2ba5e2265cdc60f65f20eb7054ba88df94406e3e127dd558e7b2e307025e9d39ad6ab

C:\Users\Admin\AppData\Local\Temp\wcgg.exe

MD5 91fee87a31068655d02a4b57b12906b6
SHA1 98df40975b90bfdf69e0dfa1da57c552c710d6b8
SHA256 cd3f3843090e89efa126ba50b6a5e800b298f4a2e5b1e2e7d40acfa5e1b72a74
SHA512 90831ceb3d3b18e163389817dbc478e074cf99c79cbd0fc9cfaa50909496502d525e94d5e192b374590a321492b33e08157f72872e781fa5a02ec3bdde55d539

C:\Users\Admin\AppData\Local\Temp\QMIy.exe

MD5 8f64cb0deedf3a37a5eaf80bd2b95100
SHA1 7876b79653404dc323bf4e68ffebaa59cad99641
SHA256 dea9c65558e364fe0c97ba7a091972c31ac48e7a9e9756f5332d5e298b10a747
SHA512 b78ccb6664844709a403626d70ec4412e31915fb84a2c2de8b638b68e97866cbf83445f82ced2c678fb714e9a93cf6dc2b930a43553fbf9382ef29eefd78cbec

C:\Users\Admin\AppData\Local\Temp\scEo.exe

MD5 9aea4bb46bc96d5a6c274254fca823d3
SHA1 257bd9d7f3ed3a77fc29c8a2061c6318eb225cef
SHA256 9fa3c5412a97beb8a72ddc4de1ddc5498fd120d18a72df02c72bbd6b46f39317
SHA512 80dab3808bb172aa63e98fb7192ef3f20f0b835f045ed21a6e576cdf12e126db2f4e53b68dfb11f63c221244d4e9494b05feb31cc9352be44f68af4f0570b4f1

C:\Users\Admin\AppData\Local\Temp\AEEG.exe

MD5 90e41da9612feba4805e99a87b2d167a
SHA1 541a366a44513773d158f0ad8814af5f9a545efb
SHA256 2cab9a3de9f38e8b8783bf13b2f9fa8647212bc779b40dd3fe86dcf1e2e3b207
SHA512 e92ffec003b0003b16545e1c817a8939e36640ad9835320ff951e4bea16ac120373b37ecabd91239f58db05c68f114d51d7741ebc8796ada6f8d29fbd24cfc71

C:\Users\Admin\AppData\Local\Temp\wYEu.exe

MD5 5ac53bdf6c373580ad7f2361832d1dcb
SHA1 fa4a50b527aef9f23644e2cdc9875daf94cf61f2
SHA256 81b52dcdb2fc04476a1b08ac63cb50e9e7811effe67174f9407ae731042c8fe2
SHA512 43c4b992348a35aefd001fa7b8cbd9bd259064f727f7d5bc500620b434bf7e35d01271b800655a52aeab4fe209cdaa5e51444d59163632f201fd49b6ed5ba1a0

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

MD5 05a7f9c92a806e69928576fc9a4c6ffa
SHA1 7188702a7ddcdf51122fd7f2c2d58573d9715cbb
SHA256 e949368c8918e4f91e2d281658d68512aa730f0a0e4198b2523617cdf2976eb2
SHA512 e6b8efcfef01c2503deb3db10ab9930e0f56cea532f27eeabe2e25754cf1a37edbc4d54ee2f3bfe726de3da4631f889224058346db4374a13faf3de4f6b28db4

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

MD5 967631c1f6fd15e11e02961501eac389
SHA1 57f57d1964939c56dd5d4a1147a331fa0b59dfa8
SHA256 1f6f2c715973621f6f78b2c43210b2acbf99d28b6aba6cce7ee65108431a1733
SHA512 3073796416adae5c9ba3ce859515a17c8476b89c29cc72baee94c07ae39ac038358659e3dc31db95cd99a40c9ada9f2eb69394eaf89522dbaa05483ea16b549f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

MD5 d7363ea95e5aaf40d4925f142a34b81e
SHA1 78449d5f71f8e53d945271970a676790e98afd17
SHA256 0383fabbc8567a8ab613fc2c7b4f0172047afc408a070c5d79ec464826915b59
SHA512 db83bd5e5be5f936e2b579db478ab8bea620e0bad97c9dd9f7a17ba72beb29a8b9f3f3c78db1fc96cb0d9d11ebb2250934eeb276186347caf6228ced42506f4c

C:\Users\Admin\AppData\Local\Temp\iAQI.exe

MD5 cf267aa2ebebde677fc5c75d3a91a381
SHA1 7acc41ab0e9293802a6d2d28a17c66ef45dad3b6
SHA256 bde43772878f0f1ebd69ef04efe4aa8d7706b5c51c17e92953355a42c5c7bdfb
SHA512 97405babb94f691a0869711879a0b95d69baf7bf7b5a3431bc28702ca47a89af92e32ec68764d28e7378734e51961823eed1021b2f323979f673a3245cd4be42

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

MD5 59b05ff8746393a97c02891150f8e19b
SHA1 80b83bc874f2b9b07c33b1dce9056cf3713d90ce
SHA256 59acabe9b7ed2fa5c3d9106e86d472aedde366ed4bc3520ea546b96ef491d02f
SHA512 617f7945bb705be31453f85777ea06f6678db60227de44de925a951e3f613b414ba2a0bebf664e7bd3d38d9f8141821c94f6825d4cedf851cf1e8951435a0029

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

MD5 ca464e4b509e36ff7d0d1932c046ef52
SHA1 37a5a983dd5027e626ce6ceccf26a42200d11dd3
SHA256 da7f8a343229cf677247c338d545a18d8f74d7a2449933889d7dffd1addd636b
SHA512 28f4e8540bd17fca426afbad88fdabdae96d72de1f7e3bf61123c625e29df31bf80713d00a4f7d7b63f9dda83bb24cae910c6382d2f023f844479ab7317c1a88

C:\Users\Admin\AppData\Local\Temp\eAYG.exe

MD5 850fb74cc1a6779939cfcca1d0e030cd
SHA1 e17897cc90cc750b874a133b02637f5b17eedda7
SHA256 889a9da88b2d9a5846ec85d1cca225683ca5fb05e76c4cd9356cd3e67894ecab
SHA512 c17c8e49eaa95189bf88294f9d4557dff1c6d178bf636e6bc0879c894976fcfc78f82d59883bdf0c38eefc0c9c5a75514fb755612d41fb74f5085a50530bda0b

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png.exe

MD5 0391fabe6017df3b589d4ff207827b8a
SHA1 c1626e35b55ee00f5d1e14362e5bdf45271b7d56
SHA256 1340a45440865c1665fbcb382c6655c0dd5bcedca530e55156c5dccd4d868998
SHA512 33309a9ac6ee964346565148d776ba90615f085de6b249396829b304e3274b1e483a56296e7c84a2bcac7a38e51cfa17b16aa223ad3f829d97862eccacf3834c

C:\Users\Admin\AppData\Local\Temp\MYEI.exe

MD5 53eef7658abffa1fe73c2a5088fd32ce
SHA1 2529c5d16df2d092920b02f2e4a9d74ed2e8c89b
SHA256 25e8d3d02cba23bb96c7b69d8bf7b529d7dc9d263076c1a32506d4914d95d8df
SHA512 e026e02d713ed1a2c52d95ccf9c5b5ff766c1540de137a70bff260ad0f583092945e1d683a7cb1bc6b4e46e49a96eff54e252f8ec61e59f36c9825c77345e60d

C:\Users\Admin\AppData\Local\Temp\CQsg.exe

MD5 60fb96826fff1d466f294a0362627fbf
SHA1 dc134e0f7877e46450d35480fd0f5524b8993fcb
SHA256 7101ca46487d51ff0217b1dbe96b19f447e1f69aadb4241c2994a666d691a24f
SHA512 bd64f57ff675b1bedbb1bd2a0b50e7129b0dde417262716e6799281f6ab80f97819e6bf955945e7d586e6d03e5fe964aac155ef755ee152d9cb05799c907a327

C:\Users\Admin\AppData\Local\Temp\wIIC.exe

MD5 bf1e7e3383758ac3ee02e6feaac0c132
SHA1 bdf5a5e7ea98d8ec4cb98231220453184a0610a6
SHA256 43812821699bc3eecc2fa0b6992a3ae77a6fd5a1cb9606f423d9d680d0bd7130
SHA512 1033924b12f3639711e211fb4484d59a6dff859d9b3eeeb0fede6b0ff24a83e4432b5e057d21c561ed483a1f9fe08d7d90fa976d489c700a826eb19566cfce7a

C:\Users\Admin\AppData\Local\Temp\yMog.exe

MD5 e1fc7b2f5f7f138d6480cc3acd2b0c7f
SHA1 85a52404f55a97b4a2354901c94b7b211fd14abf
SHA256 bcdb37689421c31f85f7e7b02212de383eb1abaf1a74cd8b058bf5eaec2fe7ae
SHA512 1a98daf6c1c50ea9d59ff06929eae01c8cd274d6e419427364e7846380c7a3f6ca6962753840521cce1d8a08b783ebd35af61df1613fd1b9b3736d13ec32c75b

C:\Users\Admin\AppData\Local\Temp\gkQa.exe

MD5 449ddaa70938322ac9e6defb5eebea4e
SHA1 7e70890d173dbcbb5c0b08bc991f3de20b48e0bb
SHA256 a0612ea892ef322cd58aa9601a240c61e09780d6cd89e9ce9651af002d481d35
SHA512 5bcfe76f6badcb7354bfd81689354997ee3fb4d0659e363359d41b04dd6a319bf9a4e12100ae0a2281c83d883a46da75755a31dec645fdb2f819df788c8ac567

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png.exe

MD5 f3a2c45d061c1d0354f0216452618fa4
SHA1 9e3a5f191682ea4b7e8316ef95a5a44eed9ff6c9
SHA256 7f53d394f8f1ad297752896e0ea0e39fbf397c3c4f87040f0b6f3f63438e8440
SHA512 09b88c3286acf81eeedc9d57fb9e846113788cfade8ca68178f96fb04d8e7e6b99fc7f97ef3d22f34ab6ce8e7f58a897b5b562484ec476f50ea71896ed112a36

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png.exe

MD5 f5c72980c7acd0fef75b3be6877dfcef
SHA1 107eb00bd21ad40fda4dc154b04eb478eb994c8f
SHA256 b55e2961648d799411388dbd090092592430d8a52c1d43e82ea37a26d8ea0a84
SHA512 3f23587cf4cf5ff5f1788da7d15fa7df24250c53907dc28c9d62c72fde0afa3eca6deab96a5877e368a9baca8139888746df952ccf64fc9700ae53576f888298

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

MD5 9784eed61a6c719c017876e25aea8b9e
SHA1 f9737da66a41ecf2ae8db9274b0783aa1bde6ae6
SHA256 0218ab4160453e07558669e5234d07e5d0b0558af920a137d273a1bb6d557614
SHA512 ff386086bc692c6bd202956cfabfc922c217e3b1dd2e4225d52b382e8a4fa63d24032e89c670479a26cece7099d7e184b0fbb8ed95895ef3c7d96ec2c0c925c8

C:\Users\Admin\AppData\Local\Temp\MAIq.exe

MD5 d9c93e716611fe86feadb61bfda2d27c
SHA1 dfb2251b8b25e41249cbdfd3a105bee74a1b09ea
SHA256 1451228dcb561aa3276b0e79725b345a7961871a8880a12ca724fcd3059603a5
SHA512 8ff6aacaea4c861861a90166fb48d94eef58271eff6e67d961197b90cb6e6b770fd238a866f2527c3bf016b3472eb453108835684b95e6f6e945bd9f7430c311

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-125.png.exe

MD5 31ee5359a7829869b4c19fcecafb6022
SHA1 70cb2643028a7ffd4b82e39f8b98c153bc622fee
SHA256 23108d7713cc0d6466c1eeff558891033dd7fc7e1457edac3b164d86fb824376
SHA512 5ee383b064e6ad8ae476da76e5795f5305809c1edb445e5ec10c593142b21680239f8b147495ba18c12a940fc581d2ee0cdb6e8843719784cb9ea07f30b0ff2c

C:\Users\Admin\AppData\Local\Temp\oUUE.exe

MD5 59e173744543bee5cb53d815b9dc269f
SHA1 a6f09f7a6d7fbaed940e24433c7582db5dd84908
SHA256 6e65c31eba6321642a106eef7cfefc71f556fd2237df4c5f0f32f5efd088ed59
SHA512 3f0ff21843de512c1ff6fcadc7b3b1dee5334f592beed4c84077726a5018beb0c3fd4ea551839004e33572f090ab3d1fc3e4ef1539f7542d6b547a577b58d72e

C:\Users\Admin\AppData\Local\Temp\EQYs.exe

MD5 e1d0ec870cb3dd31512a20cdb272f99b
SHA1 ee66bc87c0331e522dc90c4140360f96b0bef49b
SHA256 85382a21d98766aed83c64f081e7d282e640e9279801664193c304f73af3764e
SHA512 760ca6f986bf5cd054c58f17ef1684c64f75b66cb5cd2425522cd8d784bb196eea0571f02229e599cb72993bcfa0918e20fdf511b423eb34138c24bff14d92e6

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 aee576e9182fcc0f0adf9cc3d58d6f0a
SHA1 0e2b7b1e2ecde349b4c1addfd29d10a8c0d54b77
SHA256 bf463c71bdb4e5e99b89795ee94bf30e98c4699dbd0648f6a908658ddeaa35a4
SHA512 c2dfc9853b3f0aad0467a610aac4a396ebc75e7cc0fb79997ab381a363f892815e296aad3dc87bff329110697c53070d2841916a89c006583e2f70d558ffe8db

C:\Users\Admin\AppData\Local\Temp\uQkK.exe

MD5 b6bfa1f6931347c38b48f056df808ed6
SHA1 b01d2906cecf378211a29a5482293fdf6612d907
SHA256 42b36819397a12a1559bee0f392216da228d0e90e79eae4d43d94274f8f0ab90
SHA512 16e34cde72fb66ec5aa42f05e206b3bf4ce84369546be5f418ffee4f3acb736c36b2ba1ed934a9ac2b11b0134b607f5003144b7433bf4d8cd88616381dca63c3

C:\Users\Admin\AppData\Local\Temp\gwkG.exe

MD5 28d88b6cf8c5e579cf84ae8e30c0af6f
SHA1 5e58e6f0138abbdf88a32ffe639ad8a809248344
SHA256 8dc359e0c02ebde95233f14f7bd1ec2cb12ddf931698bb9a058e06f1abacb540
SHA512 de690d83b1a9c109a0807de0fd9ad962ff4b1c911c6668e9ff2bfdf77d7ce1c969bcc5781c8d7caaef0d8cb2427b90a241f3c34dd7dcde4ab94dfe7c136cf084

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png.exe

MD5 69336dfa5b42e076d46f6310aaf37f71
SHA1 76de6a38dff61635f2cb288ed5dfb6f0e7c3e944
SHA256 74695aed70dd1103702b65e88b18ea5974b591e6600804cc39b45f049bf161e0
SHA512 2dc0f91dbaff412e7bb27d70aaa1fe1ff0a7990389337ae11448dcd0a25f592a9add1d354a9b565e0ef768b31e861af60d29d4e3cf00ed6da24e8970292cbb19

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png.exe

MD5 d7f8a2aea43e6ccae6a21c679c44b740
SHA1 696c97dc838ae22b4b05fa0ca3bc29410f948e35
SHA256 b3d05791ca61a00fa652b9f3a943ad8acd5c87cdbf5014546d86dfe99be1dd33
SHA512 c08b7d67483e40063dbc85acddb18957a2a6b6845e9e63b42d0ce6a0672ddcb1b4541e0330f35c5a08d341fe431f85ad1b0ac23a2ae6bc9de1d6e2459c2b41b2

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

MD5 b5abdbe36eb57d50f1e595ae73b69988
SHA1 bb4e92ac88281e30dfc96b53c207b5f663d79702
SHA256 8e3b60fa1a5374e7997e2bba7ada919e1baa2c255969381fd6cb2c7dc24fd758
SHA512 a086b68c76945a967d46ee44f357d125b5668fbc194d4acbabe6f8a005350bc5556933a1209809cfb8f0a17f1f9668988f80ff1f28f37d1a8183ca1a4406bc5f

C:\Users\Admin\AppData\Local\Temp\QQkK.exe

MD5 21513978dba0b0c86a116baae64384c0
SHA1 cac9ace4ac38f26c2e4a8bbae49c97f2dfb2f8e8
SHA256 05cab3c289dd11b50e4319b548df5d204421d8c0e4f5d8316b65855cb87c45fd
SHA512 b073860dbbffdf982b38ade7387d1a2bcff4d962144c279ec17c0e5eb44dc15a453cf74cafe05d9dd8df9456eb653993eb08c03c513a6fb05e3681e76e20e9d5

C:\Users\Admin\AppData\Local\Temp\qwEO.exe

MD5 07a89fd3c73a10f4e558e5d5b4790554
SHA1 ca74f99abb7a217546deb73313516d96ccd663df
SHA256 9704b799beaa07d15803c156d24d7b20cdee466fb58e3bf265a6568a23bd91d2
SHA512 69af2994e6ee681ceb7a75daf5b99213874bbae5fa2a94be6b00f133f9e202bf74818ee2bd2f6d2d4c64de1d1600e69da122dbe334af6000f5404d942fbdc9b9

C:\Users\Admin\AppData\Local\Temp\KoMm.exe

MD5 82c09fa7db66a90a20a5701bb049fd9f
SHA1 47c529abc370a2fd617dcfd75ccb9c7ae0a4cd89
SHA256 5f0588addc736a1161ab050d4ae3a4318d51ca2b5a25b6af14e9419d6e6e2290
SHA512 35700c97277dd7d553b4741640300ef3b9af4a41c0557a82454cb466f149e02e6d8d2c74f983cefa37391236a6d637ec2dd3aa24d5ab06b8249176ca099eb427

C:\Users\Admin\AppData\Local\Temp\UgME.exe

MD5 702c9c1eb31ce9905796fff199d91039
SHA1 b3156bec3b3eeb7a608c7cd8cee0788f858ec6f3
SHA256 021ca5f0e09eee0746c15c6d765fa0051902dd3faa7332fb1ca40bdd05978731
SHA512 0ed51b9276b0c911d6a205fa820deb06a96b7a55ec3a5dbf634e5744d4fb00e55430ed6eec75fe059fa5f08e7bb9720f5834515d42b65a0eeccaa72fb533f3e6

C:\Users\Admin\AppData\Local\Temp\mwkG.exe

MD5 feff665167901eb7651b6701c75b6dea
SHA1 4456adb7c3e9b813853cd139515845b36c755617
SHA256 7c2d33813435f3be127104cd94f9e2a8ee9b9956ed67616a4aa1bf3a5750a269
SHA512 d3ef38a892f551b18e916c59159472d8b2fdf405bc2eeeb327121847b600f0ef6d2e51f600379dee83d26c44abbe1b815ed75af8e78a49a2923e155493c60b86

C:\Users\Admin\AppData\Local\Temp\uAwq.exe

MD5 33771e29176038d787a534fef79091e8
SHA1 f09931d22b95c97ddb8febf838eecb58a237ae48
SHA256 8cd50a0d040bf5a7b8b27eccd0b8dcb5cb7dadf63e58dcc394b349442e28e21b
SHA512 c120e4160f24d84173ba2a243e985725fde0b61271947114842ae69bf03eaa96f9abd6e57e3f2e7cb303226ac218a62e4d90990a8c1133cb138dd20cbae5dc0a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe

MD5 70937c55bbec65199148f297c1bbb8d4
SHA1 21d52357808e941c0093e2e49740eaf0fceab281
SHA256 b030709111e3479df2aab1ecdb0ac96e02873386649bb89def7c87b312ab96a7
SHA512 4d0f969eee115a4acc038bf48f2d37628c03e655908bfeb3c699ccda1276970983513610ea0b8c450c9bff864dd8288f42a228ab9f31700d65a23f28fe2bcd87

C:\Users\Admin\AppData\Local\Temp\aoAK.exe

MD5 630677f3cb7eaa56c40e4fa53fb17136
SHA1 a214530d7957ab50d89ca03a32f8328682db8e0e
SHA256 327e3d9903c40fca7f060149f3b0493ca57948c532ad7a86278fe565d8bc1419
SHA512 89740da428610fc666f43ddff9de07a2f426c35e1affbe9a9a90625d18e1b66ecd7bf1dbdb4fc7e1852c61f10083357e43357f8b088bca59079e46bb27cb6d4f

C:\Users\Admin\AppData\Local\Temp\qgYY.exe

MD5 062cba23f30454ee51efc2ba26071442
SHA1 cf3067ccae9a0202bb6444487e489d5b15e44021
SHA256 8db93cbc3dd0a33a9d5392bc00563e0c0aefb2b854fb00860dc45fe603f96a26
SHA512 7b54daf69c55937bc5a8fd95af915309290829e9edec7bc1ffbde7cf4010ed320ea430e2d961cad1bf9a8962320fecf4f3b515706efc75203f9ad4cbb56fe44c

C:\Users\Admin\AppData\Local\Temp\Mcwe.exe

MD5 23e70b55bf48e41bba32bc822fd9b5f1
SHA1 31b88f0c68ce7925e14f01f37450fe81896bac2a
SHA256 90f33af67160eae8733c0f29cf02b8566d5e99da628fcb2eb775ea5c6303268f
SHA512 ed4a84fb954d0248cbb9cf0aa183c2f94a6ec3ffa5e619f0ddf6f13726ea423cb29642e8a4fb272c2672485ba9c50a19a1c95471af1aeebd56b9929595c8b7d2

C:\Users\Admin\AppData\Local\Temp\cMoG.exe

MD5 8d93daffa229c19b640820ff28505b9f
SHA1 61535613100523e0adc3e9a610702ea6480e63e4
SHA256 e56190f27ee2189c9f7df828bc2d65ec7eb47e80a71b31f389a79b52d0c75b94
SHA512 bcedc223199177206e8ad59b49a8d788c037f3af0b7830065bda15ba86cefb268eebe891fe22fab47ea6bf584bdc4d644edbb89a396bd307e97d44c7b5217664

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

MD5 b379c008d57b4821dd7b1deb4e3c635d
SHA1 cdabcdbca1f25938f515ce7b021fbe4a4c0e7e43
SHA256 dfdccbde81fbb789bc005c541a86c4a4f6a4602c64ea4e6c231437ffc5f3c2c6
SHA512 e85669e08e2da724ee88225d4680c86d1c5b772629c448e650724b1906a331318fd28c6eaf07396e9dbbea1730b89907c29ba052613f40f3c9685be3904cd739

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

MD5 5070e20ba4db536bd50b1789b2ac6400
SHA1 6ec2bb83827f2915f114434cc176b30d07f1da19
SHA256 16d3fe1c057776152a53f52e7f0581badc8e2d98505f0349317a73c14e7406d2
SHA512 b2ea5dceb13b0da60eb585faffff1e1c1de2013cf74789f3abcb42620bbde2840b3e7343a8dac00df805b2fe47535c1948a9486e51ddf63bf30eb4d891656963

C:\Users\Admin\AppData\Local\Temp\ywEa.exe

MD5 5e13335ad83547474346723c2e57225f
SHA1 18e611b0466a9e9023ce30209a21eedd824f0163
SHA256 b7cc2f203ca10e3c73b313f62ae60672f4070f8f5cef4db70a9e4a5580c5e310
SHA512 e2feffa92a615e9f83b528be919d530db871c0c10ad5080c94bd3d8e1a3f30e707e16ab4baf20547d2f784bc217953314a0992cdfb49a0ae97eeab6e1a6f5754

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

MD5 a223774708f1cc2430e4a000c37d07de
SHA1 9661f91f0e0dddd3f5663c648bfb88b75f78f290
SHA256 eeabb053ca0e9cfadf76606aacdef804d574b9306d9e7dfe1f96b9ea2ebefb5f
SHA512 dd8e3dabb27bb9db5302111e32243acc8269d879e97d54c558d120f313d8f72b77f4c494d470bf1a02a325ce0c341714389cf2fedeaaa163ad28fc4d50e072c3

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

MD5 6ce7874d4741ee69a49648d04d82fde6
SHA1 d9a69c5f3af79fe162d659139a76149036dfbe49
SHA256 873b0578c1024fd6a714efe0d5f2ae7e615ac13c73dd81d9aa681abecef0d76b
SHA512 69ca2c2a15cd1775ae1dfbe6bedaae04327d635323c4ef1bfc7209ae992f959b7b90ae791b9ae350dfdb11241c0cee9d82108b20fd8a537c1787beb38d2ec962

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png.exe

MD5 cab4332d9eacf71cdea711d4f639f5d3
SHA1 2e987b60cdc66ebd1a41598eacdbd661013fbf03
SHA256 2132d270a48444f6446a8d5cb70a9046378c3e3d0f4b269eb5c836c2b66dc02f
SHA512 59ee2afcb6b1253dae085efd95d128298c4d1b0caa969edc673ae584d53d5043291e643cf5c6c39c554bd5130c4aeb8494cf1bfaca7ce1b06905260d59aa3aa0

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png.exe

MD5 4162c399611cd28afb5ae57cdd53e60e
SHA1 693efb9f7ed83140895b52e56e284d5a2bb207e3
SHA256 7c4afcd62c90de9364dabf9c6b342e6eac2ac8152c708796c56b63314a5badbf
SHA512 57e64dcdd79e683c837723e190327ff4c8ae386b7b05258c2447783638c271a51e544d0d1b473717154c60283bcb8d859487355c438e68832f906cfd8bbc20e3

C:\Users\Admin\AppData\Local\Temp\yEsO.exe

MD5 e616cac348ea5dd9c24eaeba0a34d5f8
SHA1 d7981af4c2a0f9cfa4b909c2ebc9436395875e42
SHA256 c1c1854b369fae76f6bf6b69c9640d958c5dbe64f8fd6381427e2f268687dd13
SHA512 daf70c9470cfd43f295a4ade45849c383c12d97bad8cde12b4916fb2b7d5229496dcbcc16bfbf907b3a0533faa7daf3e3af4c864a483c75b374ff35a65aac9b3

C:\Users\Admin\AppData\Local\Temp\SYkE.exe

MD5 d3c93a7fda64aac56738e74d3b42ec96
SHA1 14c2d9149c6debb5b1d05628be316f542a0c7595
SHA256 8756d96ee1fb47a2ba9cb99eb8190530b7f54adb15c7bd2bc510c28e0f918672
SHA512 db589e2f2cabbce876a2622324500b3c04c8cd999d26cd8d505cd43e11032654481c97abb1079829a1749953c6f7d71405ab153e9b3602af0bf033a85c11f444

C:\Users\Admin\AppData\Roaming\LimitDeny.zip.exe

MD5 548a2eeae5d11a47f8f8687576d7ec80
SHA1 d20024158c0e69e970ab64e6cfecdf196d4d10b7
SHA256 d00ecd9fc61dfd40470f03ffebcf3f3a5f507db2e428944d04b759805de5ecc4
SHA512 ef1b602244f2f684538d43f183a2fe6d873b0e0e556203e1567ca4415e2d6cdb3150074a2a1382149c2cbb2c41b940fdc8184dfe61d6413bc772485f32e95f23

C:\Users\Admin\AppData\Local\Temp\osoa.exe

MD5 fac6c81a827d9be3c06ae63542266f8c
SHA1 a905fb985a01520116da03d724da7eefe24e7c5b
SHA256 9ac0decf9b801ef2085b81f6f07786fa367d60f813ed10d680c90a9cc9a9c040
SHA512 e54e9eee1e926a0159ec095db58439aa65bc1612de9aff694322622bfeb15afa0d31e6a9c88e94f8159f970c736d1165be21f1b125ecfa3eeacbbb732ab51c49

C:\Users\Admin\AppData\Local\Temp\qEII.exe

MD5 86f71b6acaf6cd2754fc07352631c4fb
SHA1 89c38af7b82deac282e22e7bc048413684457dbc
SHA256 e5d0761f1403c2113cf7ea1fc56b647d7a38aa1dd5b85ab69c2fa1a31db12a84
SHA512 9e45fd7decede4633f37fbea1db5c718e0040fca38ec1cf4096a0e7681a5bac1bf186c72947d55071035bd57227914f4bc396e81cd8199c6c01a21123e3a7234

C:\Users\Admin\AppData\Local\Temp\GgUo.exe

MD5 8be7f6651c533a36571d833977ca84c2
SHA1 cd2bcd0f21860f696d0c099132ecf937eb7ad877
SHA256 d19aa506e8fa35efabe87322af9099fc3b1ab68e765790beb83b974023af9b98
SHA512 3f3851ac350f4c329acad86a0db089995ae0315a6ca33659a341c89adb4d6114d9390b0cb7b2c3672b26ba7cfdb910553a74ae7f91c70ba9e8b4d69d3745c24a

C:\Users\Admin\AppData\Local\Temp\usEW.exe

MD5 efc9c1c7237171e7ffa0387541efc695
SHA1 60b41acf238ccefdc97e99d1c2884a0b145d8a5e
SHA256 1710d7f7020e0734afb3ed65c8365417e557f6b42d0802cf61326f5219d0571f
SHA512 1e178877bf4e0bd343a2aa2cfffa27b23358a42661103005edb0fd7ca39a60d7a54e7ac83df194c4698459a121f85208b8b7207572f0a7df98d941683b6af6a3

C:\Users\Admin\Downloads\ConnectBlock.xls.exe

MD5 1ad35e9c978edb97f297e26b93ad65dd
SHA1 be41971b6091da9d3960fc680b717fae06ecd999
SHA256 8e90353be0e9d6e0fec161a5119eb10d56084059bd3b7dfba9b7667d4dc03fdb
SHA512 a36bbde7a9b8db7dd1f5ce7e594497b0742198fe5caf4de7e117786c1a34821c271d179e159f2143db6d0d10891810ad56c9ed6de7d5f24ee4c444e187c7ee7d

C:\Users\Admin\Downloads\GrantGroup.mpg.exe

MD5 185276164f30a49709582430eeae0e75
SHA1 0942b55d9d43467c72a605f1f598be91faf1ecdc
SHA256 d7c5e16fe14a6c94d137e2298140bdf7acc2855892d1dd14d3a6090ab4f318f3
SHA512 4a1541ea96b49d218a89867c6b5ab86581709fb3a349f8272e1a47a53eacdc769777f5d6211814bd0cb4471eaf02ebbc72f09136175b5009fe838e399a9db86b

C:\Users\Admin\Downloads\UnblockRequest.jpg.exe

MD5 6da70d500584fee8267bd3a6508b706a
SHA1 b0b4f5c366031596feb408d5a9cb7dba470f1dee
SHA256 02c7c6819a043cd1cb93a9dec203215939435a513851a8f5db459e087ced0a63
SHA512 276cbcb88868b180378a87524bafa28e89f29c4ed2aebb11c520ae7fa31fbdfbbc7ecd5e94e21c8a9daf586d137de06b3a8b343293e5d83f7e15c3dc96245e24

C:\Users\Admin\AppData\Local\Temp\KUUe.exe

MD5 46bf5084ead3fc63e4b19c49d7abcf74
SHA1 069f1e12e9596958f85f69ae85a7dca35bda94d2
SHA256 f6c9b127310fd58ceb31441f8a4c862f51fd2dd3bcca4f9600a3bbfc70a85dfa
SHA512 8028836834a6465b7ab892466cd719d04b4c79487a894eb8c625d22ea955716ace8e43bbcd0a7dbf7fcdf146077c9713fb0441b4ca725fecd61d23126530acc5

C:\Users\Admin\AppData\Local\Temp\YcIm.exe

MD5 d0e79822a7a5b7df92bbacafd3752762
SHA1 f49c8b0108a286cc27dfd2d831ca2fa04d53ee34
SHA256 3004905876523b382016d89be33e5c0dfc5f0d899a773cc259e9e5fae206276e
SHA512 f7443bc8729f5270c2af18f7d046463fea79a038c069aaec31b5da21d187cc3f99287fdd7eb6dbeeed63a50c6ffb973fcbe92dd383283485db684cb5dd25767e

C:\Users\Admin\AppData\Local\Temp\EkYY.exe

MD5 11cb94e49dc5a0d4f6bb5daf95e45d16
SHA1 bc1f8e5e7574c77c154dc090df97640f362bfe5a
SHA256 d30ae32f63efb7f73483d0426836fa9dff223963ebe416c73e48627a29e52f68
SHA512 80dc267ee6f8ec01f197707deaf7c64ee60cce3a51677f782f8b29ba3e3b1b4a0618162f2228c56e8a1dba441d166da3050d19a6b9060163f04062f052f08016

C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

MD5 08b4b0ca0e26482577caeb5779100d10
SHA1 61dc8eef5fde100c9e56c176392c2d6759e7d789
SHA256 2e7d460e3e7e4b51995f2035a44e58c869ffd40393c14e8621adc9bbcea0a776
SHA512 9169b42ec592def74a08416429b9c4832464f8f3a7b9a3865035e903f69e3c5691bffcef74e0c85338dcea0f0f9916142fac9ecc9ad983c5da77581773862984

C:\Users\Admin\AppData\Local\Temp\OcQK.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\sQoG.exe

MD5 a7a86feba30712464b71230ebe9839f2
SHA1 8dbcd342fa467e6324b6e1bc5d9875c785b14324
SHA256 6e06d1e83d00fe487694b2b467e6f284a625f640f975bd73d0101357d175efa7
SHA512 67ccd9fbaa7d5a9eeefb938cdd4b3ae98df8494a69f4a742a5677426fb8e84d6b9df0b9444bf67a5f41e15f9f970c209762446d9db90d4660705af828a2676a0

C:\Users\Admin\AppData\Local\Temp\KQsu.exe

MD5 04e7e0c18bff94069080d85ea7a6be71
SHA1 64d8eeedc14e778d9c41fea6f60e17ed744a2ac8
SHA256 aba50d5ed639d5a36a0c8f817090f6503e82d23903748483be0b0ab15abd2504
SHA512 1af08df743f7156c907e7637178e50b691c3dc601df33f8f512baeea3ef31fde2eb3fa46de7c37383cd93cbdb296e74b4f0b9c8093fd8959ff4de25fdc8572f4

C:\Users\Admin\AppData\Local\Temp\mAEm.exe

MD5 16e39f2e923b9a472a405f7d617ca203
SHA1 38f77bf58bc5f39545547ed747913498acb60737
SHA256 968be72a14f57a97980b7ceabe841f338c88a34befa3f299c1547d2fe7fd8bc1
SHA512 55b9921a8f743644162b5c11b5f0e01e13430a9581ef3cd49b918c3563d89d518c9ee2d95488720152d3927c3f87603be3629eeaa42b32d3b7a23a6a9e3633b3

C:\Users\Admin\AppData\Local\Temp\MIoU.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\Pictures\WaitConnect.jpg.exe

MD5 3e464b843f493903923ffa0bd466ef0b
SHA1 d46821e6505d30501a8268c3a726af6381ffd886
SHA256 e5cf7ca69c527cab89a0601008120f209cd06c63badac999ef223362888da08a
SHA512 411a452af0495a362631b5798a4ded7f4e01ee7fa111cc5bbbd579ff82503b5570b8f59014bbae7c80095dd5a0a6724a9e5d1f05ef82e3e53e0adf52d114cdd8

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 4f17ff0778cbd445e64b20521c5dcc05
SHA1 117269d7e28771edaf3f8dd1c46ebeb2e1c86111
SHA256 bf15b54ba8f03eabde06f8f6ba02c5cbc32dd8dc070c5122e17bc186924a830b
SHA512 59af32a3a372ab7acd82b879fbd24e8790ee28d05635944b4603eb6414ecc2f7067d34ec11ee5170f6f33bd43895d2264eeb58d77a58772524dca91f0c2f065e

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 91f48e93ff81db58ea1b6ff6267a52d5
SHA1 f7110d2828cd79d6785d023c4d51ed94d81b9653
SHA256 c93170b2bc4157d0ee5fdc400cb99d68c05b7113eeb805e3da9ca870af747c9a
SHA512 0ca6c25d6f5519e8f3de881abb995173c01d27ecfca35e25e8e373198a60a5748275440faca921ce71fcc7e3ef35eda15fd564f29ab79dde2543150be12d679e

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 386b49d4d1500cc7d1c2aed53ca96d54
SHA1 06737215b553b3d18e04d31de6a8750b25fab906
SHA256 75c6b0c182ad3ea166a91edbac467cc6b283c50682f569f609eb1984dfc97c88
SHA512 a81ac2037330c04851283d3569c33a8c904e71dee610c3dab777d155f34245a5bd439fb2f6b8116d2986a6472d3b2bd56c06b7c60f4f96cf79cbcb78021947fa

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 8c674e7b1f44e81ed436a58a0c76b68f
SHA1 6ee6a9df9ed4a67776ac84846fc4ffe0bfeef735
SHA256 28f80d1f62896c3eecf744ca07ca1a17b13df08e429f0d7745f5b5fad776d236
SHA512 cae2aed39aa2331964b5e89cdd11d929b3f3eac30a571449d1ee5255c2d5717c97267c9b2ca76cc4db77656a0b94668123c804f25dc09ef3a59106f429e128be

C:\Users\Admin\AppData\Local\Temp\gYQW.exe

MD5 b23448df8c6dfa9b7280142efa4fd44e
SHA1 6eb24bdec9882ed8573ae1c9ad73d77d36a15c40
SHA256 268c10311114a842610615c4e6480dc741cb04d6d4ddd6a4e87f1d1b9b3e4851
SHA512 01e466b711dac3013c4ce53ca66a69488798fc63bbad9942e09072d9407428f5e3dc71eefac56303564ff5aa0118bb69616e91d7d62c56d61dc0123e62e817cf

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 1b76d5bdbf0b633b5df3d923e06f01fd
SHA1 8ec4362e518d9f508dc4dce751ec4116be369807
SHA256 aa617f2d771725c3c1cae636a29e72529406c1df3cb65a27bbaaa5328a8fea20
SHA512 6e46812ab9ebf1bcabac476e6ee4a3d019facaf636a1f61c0f64c3a86bfb5a09139115a456d77def5de29778354e5a89944fa103a88f2e10051168e1f191c28b

memory/4824-1660-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3744-1661-0x0000000000400000-0x000000000041D000-memory.dmp