Malware Analysis Report

2024-10-23 21:13

Sample ID 240125-v5damsbgd8
Target 2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
SHA256 084c98843a6c5ef5db7af05b162b448a91d3eeb441936a40c60bf59eab1ab4d3
Tags
evasion persistence spyware stealer trojan kinsing loader ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

084c98843a6c5ef5db7af05b162b448a91d3eeb441936a40c60bf59eab1ab4d3

Threat Level: Known bad

The file 2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan kinsing loader ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Kinsing

Renames multiple (79) files with added filename extension

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:33

Reported

2024-01-25 17:36

Platform

win7-20231215-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\Geo\Nation C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\ProgramData\BuAQUkwY\OosEUwIo.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\HAEwYIsA.exe = "C:\\Users\\Admin\\HUwYcIEU\\HAEwYIsA.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OosEUwIo.exe = "C:\\ProgramData\\BuAQUkwY\\OosEUwIo.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OosEUwIo.exe = "C:\\ProgramData\\BuAQUkwY\\OosEUwIo.exe" C:\ProgramData\BuAQUkwY\OosEUwIo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\HAEwYIsA.exe = "C:\\Users\\Admin\\HUwYcIEU\\HAEwYIsA.exe" C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A
N/A N/A C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1516 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe
PID 1516 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe
PID 1516 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe
PID 1516 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe
PID 1516 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\ProgramData\BuAQUkwY\OosEUwIo.exe
PID 1516 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\ProgramData\BuAQUkwY\OosEUwIo.exe
PID 1516 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\ProgramData\BuAQUkwY\OosEUwIo.exe
PID 1516 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\ProgramData\BuAQUkwY\OosEUwIo.exe
PID 1516 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 2988 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 2988 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 2988 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 1516 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1516 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1516 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1516 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1516 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1516 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1516 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1516 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1516 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1516 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1516 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1516 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1516 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2696 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2696 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2696 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2676 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 2972 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 2972 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 2972 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 2676 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2676 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2676 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2676 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2676 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2676 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2676 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2676 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2676 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2676 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2676 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2676 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2676 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2472 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2472 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2472 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe"

C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe

"C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe"

C:\ProgramData\BuAQUkwY\OosEUwIo.exe

"C:\ProgramData\BuAQUkwY\OosEUwIo.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QsUckAwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YgckwYgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KmsogMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mIMQkAUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nIcEEkMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pCUcsYYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIsYkIAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WeQMEEQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wooUccIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aCEsgEYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-353244242-1744012757106025348-1625494322-10385515811652748658-988705570-636352235"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nkgEYcII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1349613181-841877315-1277220944-1333856059-2005113749-1755170603618604873-282216291"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-8875860701928475797-61429440617214076341324177983-7090304859226358551514074669"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pMkkcYYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WWUsEUgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1771182617-1881230425-623200348864601729-2953190809930272571098524121159037496"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wkowkcwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IowYgYEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-13928120530493563035644372495208193-560662062-14933154721811983663414449869"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-524612276-363998402440726673881364667-1023987969744105659963633086581005848"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWwIMEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "122264360-1366193312-600552946-838043970-1041616110-11422827303427599551805744411"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DiAYIMUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-533620160-506401918-256471106-1257081341-427636153-2063402529115621984-348039752"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "947290260229499435-14176965706745709391530729378-1153375320-1186743126-1817063729"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iWMskgUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "562587348-1539446232-17840727182113939467-15875894491183653779-1635384101927714641"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "90418386420614888421169302896-3559046781413343845-690092182-14451443096821390"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZeYQwIUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IicIAMUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "13009444071064602786-13883614151334419420-6658459151986657429-11623857491678372212"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oqYsoYwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KUYgosII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-458758607-2027079746-1393635150-1874617797-6135432431949349128-1863265535-27483599"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tigMEUoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2121489088405314280-155059888436146926-1395891480-8278370162048935767937883108"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "193209556981685459-4282879281855177165-838432609-598907160-2072217580-356277877"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pqQcsEss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xSEkMAEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tkAwYAIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19352650194486431291155569596-1489018424358159540498488785-16013908471514114994"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YukgoYEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aiYYoMMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DKAgAswI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NsowogsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qucMsoUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "569202192-5117149082037880541412561915-1184803791863977228-14187674951141743876"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DqAIQcMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BgQIcAEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1541128780-12160056827039084438159914318892204071987288768-1285754548-726450431"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "3389196441860904722-2137157300-1556532119-935749575435308401-9387653161258503326"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CqwUAIAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WMkkYYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2129936639-134181024-83658136143679745-1286825293-23290141318274218941706850744"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ykIcogkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ESsMQYwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-6148600264681983711029367931-1255032716-971865797-280406056216337519-1934131517"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PAEUAsoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PugkIEYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "672203567168987435617844038031987039924-1110373817-2064401106-507656311838818142"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fkgsYAQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DgsoEQQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-513019131160254219228553312613180063651469262898861016373-1314242093-106404839"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "374274566201045415-1053514142-1525860014345467621-1053310823927132356-230074555"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZiEwwUco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AIoYcMUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1714408165-6162313221423784340-998639939150687782-1219560549-1087325775681983907"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HSsQskQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-16374947311014360797-19128870111046754246-582420316-1502372500-1473093910-1614418736"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "125211929710825904461366911950964911104-20201851366487375461031540759794519694"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gWkskQok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZuQckswg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1906013451277406859-64186376-1229466240-6675988731258062179-64498251-328220857"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-13098750611922060507113519156-1097896932174278274-14735730431658836321564889762"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YKMIoggE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YooMcMEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-18053404421955464692-364026364-8439369152865805251331991975-197072869163580516"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1838979230973673206-99224212-181860789644888589682239662717468117792113701045"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bKgEgIgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gKUUgUoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nYEEowok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2802777031029621700-63600172425214259-2071018508-2111487504-602937571314595700"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "3749753309589203931146728743153265730018516806291705302608-1104361965-91911931"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "148884796-43807240204316638113091759803184374901581617721635529597-1570090969"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pQkcMcUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-604684747-1956694566-1093676358-55086529415353595311684890002-7288137801454446397"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SUEUMUUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vEggkcoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UmMkkcEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hMoIkIoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ywUkgsgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jKUcgUUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JcwQgYww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZgoQMIQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-17153640926895226141341039068-1820438032201392061434765221-966067272225550269"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jKAUwkYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-520976641174260772032462089-1359229793-3727195201815762041900033798161328883"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "18760511661297585201557771736251935313-1222565157518872245-1319257595-1187584140"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bsAcsoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwkccEEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nMEEoIAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "266355883-1258459473899364686-104804043-1174165305-44530329-558158182-978953550"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dUkkcocY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1721255906-1050252722-1451179709-11350566542001756857508700239-1450393276-528158740"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-130472431113884410601438710808613387553-1564196890652123831-1230118407469488948"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SAwwIsMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-578680939426898156-18567183781150697183-1333021117-1349958957-19433541981247394505"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hMEkswYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FesUwkwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1088875028-277936776-48786848-97986900910428392-89750442614837494561182678723"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "956536178-770438135753815317-538528754963939759-14801278381104702821476311828"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yUAcQIYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LMkIkIsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OsUoMoEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bAIcUoYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1912217564-93298138051286292516025841941775431430-508397209-41041578-1883404585"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uiQwUkkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-357446631-1144146657-163124268-83847333217575134131960471043-1723590847472924784"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xMwcEIso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "12451716411114862942-1851341601150665943040910544283380667-19335686971982197430"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RuQMQQkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SOcYEsIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\usUEUYMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1743070173-1362421953-209941535375103364-1951963291313590938-29104030-1782856266"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FyokEEAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1530265457-747358867-5045265512059136563-1770022096-1200158922-1073765695-725311039"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DMQcgQUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ecIkAUYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FOAQMoYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-355852296-1558200945162263634010048459181800030016-68457808655925007679973121"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qsAksMcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1793011641463658317-14415421351423540708-1882254842663894761578544109-688867901"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZUkMAokk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-45178228213577748491721759259-957169968-810135404-108502438711286572411289119548"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YIQkQQEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fqwwMgow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1824189282504126605-485696629-1126408210-11528415721003679732-898492982180923442"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2066273151-2008936985-36854029217223992801627007287-14467467273524610051447022610"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1886829692831988728-1752093085-1823247217-1249136142-1316005120-350043229-1707722950"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "19295884781493789585-13592948191831061000-6175711991755923228-81266717-661366394"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jqEoEYgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2511438591843941946-405906990-141678221997712415-1181008544-375811662-1396727994"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1652169789538918664-1624352279160244123711659560-1358805658340725539381633827"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-504648447395882401451979682246628462-1333191950-15464207661679943318-1551159911"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-15404256571455709267-153855723-257350779493426123-147680552910107309041768056472"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1889704807-18663021131704681946-473068166-1892781913-1525488456-187773878-1903987309"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-148832615514106977251371306128-5529230531469520344-186898761375972789911055457"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RkEMAEMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-403393577552092300-75276788021146591861211756124-461911451-1251988736-1520949178"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DSkAAYsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "9587630521062818331590532992-20953847891055594488-97066599311207552001399782659"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-106025875914652338391640142525-1589659994-6926230361970912943423955651970935890"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QAQUkows.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1555854563529315552-1803920439-468600466890192571-800905372-16133782541566462907"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FUIYEIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2028873816-6434327521283002940-1763206791-143162264918809594881906604257678941641"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-464425853-15967231-853278997-1401174870-1278608598-1359225182-2043513529814028178"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-464806121353552534-1347601327-91743262-8504609-2003799619-20647009621566688990"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jGwQEAko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-601344317-43219034-1629335898-8863594556229616912014525210-372450579228843951"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nAsEMgwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "19369546211516796140-2063443542-995457069-483663974-893011775625844637-1769177506"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "8935808421440540674170386298611081872281593302556-1367615448-1175301010484883828"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-10975552551467897000-14051784031935126585-596768224-15999856691499757609-1925535781"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "527984949-55059275114998269971804450089-552481484-1717791154564868490-321778431"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1430054074-14241915311659494715-313876129-346866562-20116583114497442914099427"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "262695510-1703421951-191319316529394314-734031544-920638641935112164-780487585"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1753367108-1736224082-182577252011932050461689784604-903049445-1346468855-386798706"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\taMsUAEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1601711644-90654588-85361876-1436799206512704365-3685946301448840084-695165611"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "189040340912517585971906042286-1464470383-1377029764-68976615815133427201324095989"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1127849551-2023134817-542902113178528853816871499771403071044806551224-363348188"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1690647574-797603802-1866322860-19878664969488587861118898275-282496578-779858564"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1665057618202957975712440564501016810991-259987215-210151785-2018399550506152890"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-299538794-21282070311746752519-17928552797413551261619908663-19018387801253279883"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1342496315133980027789315043-2096226733-142263537212171006521548102426-1311939289"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JGEwUksM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "74162340-1655671914214947832-1807470904-37019366-1748865266504073784197922239"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SascMIgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-124792650-2346381831303024325-2124328127-1903909086-7816099081030375984795088274"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "625582424301041080-4463449231269117564-190730232-57309219924904624-1705642098"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-206293929471972647199379787545843205111244607803338515178629553151020887709"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VeIUUEkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kiYMEMUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "95997552-1601734230-17524086751206716916197977992237147798431723501-1890342520"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1984124301-52382806-1318896408-1444160998-1683790267801332143-547226820-1346158395"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NcoQIMUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5545463825448860898674057011277629564-1321099462-479175221-215972594-2043814024"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IoksUQck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5920500661697699481-738397276-12969618797307036342006699637-367281308-917282500"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\buosMogI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "4114726201480181959788323785189846193718885334101742660184-656277031-1891790023"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "13870267071777664433130556271970537528820744737651185529884-1146275110-2093962297"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-559209373-1163039228830748629-1621165902-701627263-8581232313231764461692166400"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-10022757271282429697-2039351294-627405502273532079188652189414560513312117385742"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HQAoMMQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2032401482-2126225660-17118459131084735157-2112959983895786475-20010390081578193861"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YWQUssoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "465792622578571172941759558-53986045-2002306381964393953-434511705881464296"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "16661235131183162601-874035771-1095742547-1617722746219427207-651409117-1079654119"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vqEIIkAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "9349013671080081525446010888-354940635-1468505333-685484273-1150335775-1678326698"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ssEMgYgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-16865515872126359439381181524-20503095191365828954-1862658802-45114420-1615516263"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19929247201620292895-1896110580-1053344207-1285321406-428486524-1585070915-48672995"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1463896534-1615022981-161606020307729083-5130746482028967513111120866523164616"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ECwAAocA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1649392957387010310-1957527137-3661016202012595028-40627694329816778-820098754"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MuMYkIkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1258355776-155049099618639771084286419161860519280-1378134714-187285915112664114"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AQoccQko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1444730406-1989791516-2047897426143293763-465722772-19195597691917373668-934243057"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ecckooko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "722740502-431197265-2864980641845999695-1216286986-2027654627946158779-1184882070"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "569804569905116160-637502054-1805642385-350030658-11789643971178497748-1057729154"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XIMMYcEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19593358402000349518308583698-8434485431499885370-1849032900-8775947461462037375"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "16061719481149331865-18695125661964026201-6100721882682857381750968790-1882591446"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-107929920980685403115627974039251840592079941511312003732-1546165860486184067"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gkoQMYgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zQwEkIgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "17691168215485469491681400651-20744577121130594489-1911794990934080068-1116573049"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-711731950-4979691531079486153-1579701798-580091781049251444-1301153103-1977558864"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "8433840314276112521478086059785928990-1990847429-149862333-687390903-2102675067"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-14745852603949671238262689821024324790768835280-16613894031685025943-1707564404"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kakkwksU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1177294507-1807291293-1633333257-1819892886-568197744-2135633165-1569696023280411446"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-53483290014919402321788542561-765020681440324996-3347064331865370610-1791425357"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "7478525172103851822-495043839-236853026-774687306654190466-1687291935385055301"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-207989420582773698812515399851937436859-653183967-446727707421778811299466898"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oIYEwEUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-689551754163403790-13539848771521639161-1622483032490964701-19798572979043998"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pQYwUEUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-549916037-1374742676-321748142-2043696211-186252493-2107612724681969133-309742069"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "803301689-762333325-199726710-1860543890864788332-12711953181550621411610663666"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "806956413-1553847781463499187-1726647774-59036887140348744150122140551098199"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1057435370-227383650-1453750852312058362-1728758560-502708210-515342081640454575"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "18687541582011723964-201435861738943353-1998044908570987511-349140434-1929957359"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.180.14:80 google.com tcp
GB 142.250.180.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/1516-0-0x0000000000400000-0x0000000000437000-memory.dmp

\Users\Admin\HUwYcIEU\HAEwYIsA.exe

MD5 1f899e1d3f15caef4b3d5d0968803ebb
SHA1 b1a05e88f2b6dd88974cc0f131ec41c104e8a95d
SHA256 b178efaf0beec362a949e2593c8839d2504f93790dcbc09d4595620cf66db316
SHA512 5102654881438cf2f8568ffc368c5310d5c15bfa911cc1555b34de4894c57e1ca007789dad1636a57ab5b6db233176d780776c13b29d39e08c1c9a9f7753d24c

memory/1516-4-0x00000000004B0000-0x00000000004E0000-memory.dmp

C:\ProgramData\BuAQUkwY\OosEUwIo.exe

MD5 efe06f447b52838231f82ad11d23805f
SHA1 c5a40524c207401b154e8695a0ee4ff085abe02f
SHA256 c5113cf9c2e609adac2d07240860d5c544d6ae1da44a3a07f1896afc6f7eb0ed
SHA512 3ab1f1fc2753f107db32cecfd52609c99135ac2b88a9a0fa9f7f198ad4149c269fea91373db23ff707a4c497a2cc3592513865c0cf881edce55b45e6e30951ae

memory/1516-27-0x00000000004B0000-0x00000000004E3000-memory.dmp

memory/2704-29-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KiIMkUYs.bat

MD5 42a508277ec5285e70847cfdca59cc48
SHA1 d21c361c3600a3bee607450414ff51b11613a2bd
SHA256 3bc54638cf7f59056a13bb27589b04ff181369547fdc04a1e112649325ad8da2
SHA512 74921d541279190dc5f6ac178857c00e2de390c048e646d620285c84c610ab53ad6fad83773d85f673972c95957b8fc1a21423b9c6400ceb7883a86bbd6b3e87

memory/2676-41-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1516-39-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2988-40-0x00000000001D0000-0x0000000000207000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QsUckAwU.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/2988-31-0x00000000001D0000-0x0000000000207000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VikkwAow.bat

MD5 b7b0714f236bc834a6bd11d24ca346d9
SHA1 25dfb0a7f2c962980c453012d48c0ec0df1a21b2
SHA256 c0d4c2d1e3296a000871141d84a9cf53ac6436d0861fd1f8ac8486eaf6784c5f
SHA512 77487a426cd209e31145d1f68ff7b22d4040b847bc1189a89f99f3568f38ae779f948cdd7bea5ba09077ba0aaa5f93218aa3377fea99afdc8969b1cbf7383b68

memory/2924-57-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2972-56-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CMEcwoIE.bat

MD5 26650fabaa12bb4f92bd7631e74772d1
SHA1 b0a54b505655cbbd2b9b2f7d877c45d096848d82
SHA256 27429a24e32a05d3aad1bd21c58a78eec76a14517a9b3cb8ee342a951d660613
SHA512 eabaa86f43c72084ec86902d23053b2fd2dc299d3db2ac6a4451994b6cb2ad3b3ca5a52dff5a4f28945320820e37b8bab242342ac6b8eb163578631d24311bb3

memory/1468-82-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2924-90-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TywMogoQ.bat

MD5 178582097469d14fcfb95eef3618f6d4
SHA1 852189c22160c85f6243804526a92d498b0ef663
SHA256 40777b08e71b9360f386c9fce99bd9ccc03c3564793d28032e15b0b62188cbc3
SHA512 7c4bc0fdb78e13c4b66d8b9e6b99158f9f4bbf996a39b608dbbc68f49272e2d464dcdfcdb64fb4377d28a992fec0389221da44f1bfeee74dead53b6e2ec389c4

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

MD5 b1d0a5c199d9edc1a273e408124ed491
SHA1 82dbeb87395618e9292b9dd7a414086ae43cf412
SHA256 512c67620d9906aa3db4ebc6839e4a74c832e750d4805c77d6de0e6a76740d77
SHA512 3c3eefcf3679d578fe6d4891071ee4bf2d6e7ae9366affee4838f7a161005035a390aaedbce5527f55fdbd622bcfc47a86b094feeb7f7f454bc71bcdbfd746d5

memory/436-80-0x00000000001E0000-0x0000000000217000-memory.dmp

memory/436-79-0x00000000001E0000-0x0000000000217000-memory.dmp

memory/2676-66-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2492-105-0x0000000000160000-0x0000000000197000-memory.dmp

memory/1468-114-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2316-106-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2492-103-0x0000000000160000-0x0000000000197000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dysEUEYI.bat

MD5 92110dca474e853fbb0871cb1b38856e
SHA1 e9c6d3491c3480415b475ec50d54af07ad373ce3
SHA256 c71f88ffc581c939b29a0fea125eafff7227bd05831d6dd5f7d6c1e282ea6182
SHA512 581bc4f40f87b0e796d56252f1816d226dfcecc94857a881b74c3733a9461cadd9e86b30f2b70c8a349f03e0280e801a431c4f25f2a37d033377ed98514c246b

memory/1660-127-0x00000000002F0000-0x0000000000327000-memory.dmp

memory/1932-128-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2316-137-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yqEEAMQE.bat

MD5 900867d23a81a0968816270d843c7f7b
SHA1 bcfe33a36b2ce96dd4299ea29d5c0517f22c0f35
SHA256 115df1518113a924198f85808c3af68d6c67310f2dea5f8fd3c08640e122db83
SHA512 21811f40dfbc3df22bb2c626e12ce9c56181a2591ea6aa6b80508946adb75777bb69fb3912a2979798bc481a5c2b80d02e3237434ab40e45ba0eef24868ecd61

memory/1932-160-0x0000000000400000-0x0000000000437000-memory.dmp

memory/796-161-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1908-163-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UwcMAwwE.bat

MD5 242383e91e09334b95b8e594a70accde
SHA1 a06dc4fd8d859cd14e5c59ef68f70526afa42586
SHA256 42e8dc5b2bbd3ca48f7c720cde151d0bd6abeb231f889c683c1718a51c9d6fcd
SHA512 2767f000d1b036aaacec27a3ddb6335154aee3c62745a587179c9f09d64cbc8eeb44b440cf9d6d95aa2cba979016ce1d55ae2abe237ce166bff2d2f0f86a7a43

memory/2712-184-0x0000000000180000-0x00000000001B7000-memory.dmp

memory/2712-185-0x0000000000180000-0x00000000001B7000-memory.dmp

memory/1908-183-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2816-186-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pqcIEYoA.bat

MD5 dd90a67f0ef7955ada1eae0997bfaa67
SHA1 1241da15cc6d2141aaf1f48812c91e5dbbd7e653
SHA256 b1d6ec0b5a9c63fd9fc4c78f58bdda123077495bba2f9e71c5024645134965b7
SHA512 bcd90d001f122a5762de72e2d67a2d7674252eff5f00cf4e751b295f02bfd1cfb77b3a9acda0d4a5ed639ea95e90d73199680028cc6cc69dc760e40e8c828ed1

memory/2184-211-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3064-210-0x00000000001B0000-0x00000000001E7000-memory.dmp

memory/2816-209-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JCskcQwY.bat

MD5 3fedb4d6167c8b99abed58631c0a2fb1
SHA1 4518a8ec67d1367304784864a60fde7d8acb1c79
SHA256 53d7bf9cb8786be5286d1f4307c86b12fa2c5341bdde9fecc2049613b93ab2b5
SHA512 f2b7713f57c91ec80b53e371bcdc10608302a1b18b056a2fa4e04534ee1bfa4ee7cafc936c667b7691242332c8b8ca05dd5a5444a1822e2efda5f4db207ea7ff

memory/2184-233-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2972-234-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2808-225-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aUYkIAos.bat

MD5 37705a4cf19b8d92ce9520169dec90d4
SHA1 158519e4a83bb68f0b67eebe2a9dc04180aa0c47
SHA256 0635f07c3bcf2b6037866a57c3d6367c5e7042b60d57fd4d4d1f26a686059ad1
SHA512 b9698d7f1ce4532545b6e9c33f1a1903cf5904665ab4b2308341786a19befd67d9c3672847770678dc882df68ead6015d2cfdf8852ca5022c50e5961e9f29317

memory/1552-249-0x0000000000400000-0x0000000000437000-memory.dmp

memory/436-257-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2972-258-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1552-248-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zAgIMoEk.bat

MD5 5e7e2905e8d2765b86486c757ffe4a4d
SHA1 ca51780e07d80fd17a0026684b48f05824084f10
SHA256 9b669b080b77547bf6d13a31a4e8317fd2ef29612ad392f925b3ae73695d686a
SHA512 998413083d13bd48d29fb1f46a414953b19389998ea1db4d80a5e3b920aa604a1252d40638058cb9ac4380ebf173eefd4ac3ac6c5a9ca43c8c073a6d33a74392

memory/1840-273-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1624-274-0x0000000000400000-0x0000000000437000-memory.dmp

memory/436-283-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ckwswwkw.bat

MD5 291e0f22ef2cd6840099f4ba9eba911a
SHA1 7a0451527eef5a655e015a02b6a3dc2f3382c4dd
SHA256 644b1af36ba2710ead4e1217c4299d630b9737f4c8b9df4499deb9106112db98
SHA512 8d4a263eee2ff55f5e6e9f29d6fa15fe10705633e8a6722cfb802e116003e70a83363bad2b83d1e13a8fb6aea51ab2e5c90d08b71c1d9b059694f6815390f599

memory/2076-296-0x0000000000290000-0x00000000002C7000-memory.dmp

memory/1624-306-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1984-307-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2076-304-0x0000000000290000-0x00000000002C7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uosMccgk.bat

MD5 7f5b48b96b2ab6b0fe066caa27c0d2ea
SHA1 5dfb4697d5b088892669939cc9af60ededd83b6c
SHA256 83e29e26c3b07c8385bd2685535f919d88e3c4fe0547bfc354335d74924fcc4a
SHA512 0ae51266f6237514a03c866b0c32ca1ad583a30f157b73f925601c7f756fc0a37c9d2fd155fea6391781de309d54da4e8f116b5c080075a8db71f07a05241dd3

memory/776-329-0x0000000000120000-0x0000000000157000-memory.dmp

memory/776-330-0x0000000000120000-0x0000000000157000-memory.dmp

memory/1984-328-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2872-331-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kmoQMIsQ.bat

MD5 e036d44066cc261cd3dcdc628951186f
SHA1 d1b1a4b78ad7b64304ca6122d79decf925f766be
SHA256 8410785d8fd724ded1af4ea07b1efcf5ffcfacbb721c2e0f50c5b2484055a2df
SHA512 1264e43b207540771579529c84923fb31d50a6698afdb5a0c949c89be386bf979d6bb8f10716e89e3d15fa1b015b5e336e92107e0506ddec95303595137f5500

memory/2872-352-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1880-353-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qQsIsUAc.bat

MD5 e41a440e1dbef995ea6ce8b313e18a28
SHA1 8fd3032c6d693286c8a0966a7686a08d6641101a
SHA256 d47bb461de4eef9612afc193fe9119e5dfbee63ac562fca874c140fafa5a24c5
SHA512 14b2620a19211c62646b5a32de502863e8a60e951aa1f1a42fb4a0c9d53c2b4c70b31da4738e2f5df40ca62ec9f9e83d3a0b303f3b61be608227ac1992845013

memory/2364-369-0x0000000000120000-0x0000000000157000-memory.dmp

memory/1880-377-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YqcYsUAs.bat

MD5 cd508e685c7c81250b78a2eadb52e654
SHA1 931cc41eb6dc21c8c7ee91cc805f4ce73ce57329
SHA256 579698fafaa52f5ac54df869048946bcd4bee5772413117d23aece19e5b5d09f
SHA512 731245007e946309988b76edc1abeb0f9179f446c196afc8d75e4da898712966ee3cb6e2e7ff8ae8ac52716ac0aedd3c3700896d9ec9e63dc4fff36d8539c6f5

memory/1988-390-0x0000000000220000-0x0000000000257000-memory.dmp

memory/768-401-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2756-400-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1988-392-0x0000000000220000-0x0000000000257000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bAQgIokg.bat

MD5 5237435e8c07206a2a53b36008508fa9
SHA1 14dccfb7ce6f24e36b6409c35a2db440d8181553
SHA256 e8994c2aff321b1c6d5caa17ef9b69358ad68fff6123211ceacd36c667a615dd
SHA512 ecf9899ebc99d14d31cf69d422da9712ceb61b60e576b3402678e01dd4c6b01a3b02253f968b02e718f5ecd9e37d0936b3a96ea2610fae0cdaf79f2bcdd7ddcd

C:\ProgramData\BuAQUkwY\OosEUwIo.inf

MD5 9a34109f6900c2df0489fa6956f96f1e
SHA1 a92e31c97631a37c6e3a61089a202c77ed3ff578
SHA256 db7f1bfb5362a69213d5f42c86e95a8be1e9a46c98520408cbb9a38fa3033828
SHA512 fadf1ac1fc8e5c9d1283ab0cca7316ea25a176635305c2fb37981e8703120e10086f70581b0a01885c9f198fae5b23fa0dd6bcd9e8c844e6cc87883785f2173a

memory/768-424-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2292-425-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KmYIMgYI.bat

MD5 76b68ae7b03bf7d8f4ca81e5095a9e07
SHA1 5ab93e89f86e1bf3b3ce042de3068cb1b94f50bc
SHA256 4d54aea3ede030e5a950c684b4b79bb3da0ea9df54eea9a1285670ef735df275
SHA512 c6c0e52f6505ebf92a46ad9d07a741f44aca88a3a891ba82bb1ff368f0dc6bff5eab37adf84fdcb39c7df35a1d240ae82b8d87ce8be76303c22323e3056ef3fe

memory/1544-450-0x0000000000280000-0x00000000002B7000-memory.dmp

memory/900-451-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2292-449-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1544-441-0x0000000000280000-0x00000000002B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iQcQkAsQ.bat

MD5 a25c1e187ac28c34d5164ecd3652ebc8
SHA1 d501f66256edd9af36d15cde2e5e973bfd81ca3f
SHA256 43bfc976640fc494b99fbf945c44bfe78dcebf70ac450a0343f610564a91b47f
SHA512 b89628fdffb90274e3864f5adce4c789b920f6b4b224fbc70b59fe464f3e4e9a99bd10d1cb09c758150cf1c5e8569c35f007c756b94971c54e9392530f5b9a09

C:\Users\Admin\AppData\Local\Temp\JqUwwgMk.bat

MD5 b053528d9cd8c260e162eb79d6b0ed03
SHA1 871e9a31d5042bb17dcfa78a6244a1b814844927
SHA256 73e49d3f47ca7049888926ab881b9e197dde71af247ed657b35834ddede9a6e5
SHA512 54b41392bfdf6e00a1f58c3749d6b3ac576be6bb55bbcbcbb8618d40caa6c03c9efed7e897f80f217632ffa098fea8c49b15d26173e3ade1e1fcc898e944f7cc

C:\Users\Admin\AppData\Local\Temp\aegksQoI.bat

MD5 89670ce427c9de1b3c7233f32e375fdb
SHA1 cae08a1ebe1a54d1822b6e19497b7fcc1687faf0
SHA256 b640b4eff45db3f62c264595e58e506be9b5cb7ff28aca3fe5feaf38dc8e898e
SHA512 141634a24b3f90e18107be29633423d98b1e9ddcf8cda5c5f4288ff34b93e23087a5e4c0015fb7656a4c1eb600071b0059f5be53cdc59b1de448de2e42770d55

C:\Users\Admin\AppData\Local\Temp\bqIIwQwY.bat

MD5 fbab88a1388cc76eca4068dea3661e46
SHA1 4c69036fcdc66becabf590f506d549208bc62abf
SHA256 a0861dd000fd8cf60823f6b617095ad3232c05d082994cc94f02f613b2e82a47
SHA512 5450db55c527ed06d614329b404fe8543387cdd35c46e4235ec4b67e49e11767b65f90251c49cd776e59bbe0894d1dd06bc8d80b2c43efa6c759e58e548e1427

C:\Users\Admin\AppData\Local\Temp\vacwgosI.bat

MD5 5f4afe494657162c8605038199012ba0
SHA1 1c53e1431c1a990635c4fe575f65f7976ab16471
SHA256 bcb7afa24c047fd8d9cd790c3f0ccd5f5f648888794d052a3b73e9a28c962a2c
SHA512 52b21d0c81748ebc54b90cac2f11f348bec2a7a58fb3d9dd9ab0e4ade86c9f19bcdf1625fb7064b63bd30372a75470722076aef12794b4a2592792b337930f1d

C:\Users\Admin\AppData\Local\Temp\hMAwMgAk.bat

MD5 9f0e6519d6f3c08604c38b542d397c1b
SHA1 406c502dd2bb7c3dfde9c98519af6f431bb8ab9a
SHA256 6c584b815e4f645934630df6e91a8202e381c47c34461d0d29ce8d2cf6f92e49
SHA512 f94d71c46315c3fa7b050f443abdb4c01bbcab8254901fd96c1c6a55826b78891e4c0c0a20213ddb0c9bf69ad3043830bfcf1514b22b1d2b9a35256f4ac74db6

C:\Users\Admin\AppData\Local\Temp\uQcgEssg.bat

MD5 5fdbbc8525c81a0ef12b0f42e2e354ef
SHA1 1856ce296980e4e22f38197edbdd749a072698e9
SHA256 1d9ad474370d58d6c85105d06704b450f9264c8083a437f4b7c109065ea3aee8
SHA512 b4d68abeb61b5ad5dffe8b1bba2d7385c0ee4b3565795ed394e95b18d20631d85d06b29b70782abde28acc7f6f99692c0a0b62aa0730651f961a578dd1368bec

C:\Users\Admin\AppData\Local\Temp\ckce.exe

MD5 348c288f199f1c3d88a1ddd53dfe8105
SHA1 06101150af4570cd6bf687d759eb93f476f172fe
SHA256 bc8ff6f4f7e9be5c99e2accdcd92ccfe4ab6e3ef4c247488f7a34fb038c2e2e2
SHA512 dde14d36e71d3a23f744d4b8b5f6d0ba042a03b948632da5b8b45f3724e7133b620b27ae6d33fb3297d433498d596a5ee3da158018a4f1b72c71e89c13c468a1

C:\Users\Admin\AppData\Local\Temp\WOUcAUYc.bat

MD5 03d6d1a579c1d46aa36a087ae5c7f6d3
SHA1 5b31a9109e061bb502f745adaf16fd44fb3257e2
SHA256 8217eb0693384b9d25f40679316b65b3e6d9b644deda7d1d1672c9d015d7ca16
SHA512 248fa921cca47c89c448ccc738b1a9a6078fb34bd88ba03494249db97ed441c0278fe836a9df53ab636773389f9f911a0233453fe8569f5c8474d71a71667f6e

C:\Users\Admin\AppData\Local\Temp\lOYssgIk.bat

MD5 9a7b82f51e50f6f65ebe67ec5e5b746b
SHA1 de3d1dace0770db743312f8f076da0388817e8b0
SHA256 b139f82a6f19d9e591a32499ca8d6d5c5f1926d2acc5dc388c41f0c561fd20fe
SHA512 8502cfd442731d2bbec4ff7fb52cdbd83a1dee080647aa5dd4cff1e392693d26e4e225ca6de019e2e494255e7adc5fa0bfeecd455c6cf2aa5f36e6f6def7784a

C:\Users\Admin\AppData\Local\Temp\AWAcEssY.bat

MD5 d41e213ebb3284e75adbf3a999444412
SHA1 ce81755b8bc8a47d4b54b887e7ea05d05abdfadf
SHA256 d96e0806e476a2eb85c0fb16855a8633985c8ad53acab24da2f44aedfe8e7fa7
SHA512 ac3b11f4fa8311793fd01bb1d66ac91fc05c98fdb4649393fc06be467e3eddad1d50de81d13915db9809fd3ac9aed9fc74e08cecbe0509de0a3f69ff8e1a59c6

C:\Users\Admin\AppData\Local\Temp\KuIYAUwA.bat

MD5 973b0d9eec9436a1b009280dffa53ed5
SHA1 cf417cbb4e009d6c3f50693db887a6cc6dd8a67f
SHA256 6b0d3c640fe9c35fb90181991cb8c7b24d25a30fbccd7f7a5018c6aba1a9819a
SHA512 5ee1e86915b317b8b629745c8d34449c4d8a8ca50f51f9114276a87bdde5fcf2336517bee09b1b12b833219b1c9eb9e9099064ea23132b1ea8e7ba8bd0c236ba

C:\Users\Admin\AppData\Local\Temp\rSwAcYck.bat

MD5 88bc7d7c02e40af35d8544f9ce02c781
SHA1 f0e71935c7af1424cc2a5f5befc6d8c185c444bb
SHA256 5fc3ec64a8a1033f46fde50f86a6d0acb7c5b7914947f1bb1eb877ff29d4e9c2
SHA512 9331e2f6dacfd0f78cda30c2af7530c70aa942cd6cce2df97dd9736dd70f569cfccbf3d7ff3f7e13e3b2279f40eb82d08bd4d6064a76188457f5726922ecc99a

C:\Users\Admin\AppData\Local\Temp\BIIkUccM.bat

MD5 dc3fd90a5a57dc0ed7c91ae28653e264
SHA1 f7150dbc490d9e605300710b8e2e2f684241dd81
SHA256 1a70ce1523a4891c5a4e3f9e4e4ed20853cd54f023d193a5534988cc6229b6b9
SHA512 929f088ac4002d99846b02ca4dc5b6a2517c6ed52924a40caeaae29869340f5ac3b7a6799653402e58d84bfdd9a37eb5887adf20d5e990083188832aa8cf829b

C:\Users\Admin\AppData\Local\Temp\OgAokEcQ.bat

MD5 4ea35e135bfaf7f5025985ceb90e8296
SHA1 39985c4cbf5a7f2c8313a0ce54b6cf3ac0693e96
SHA256 00042142914b9710111dfa6bb84e989ccb5b022ca9399d9cc589cf37601e2888
SHA512 86ddaf9e22d4627bfbd0d7f69d13d67b315df417cbcee79360e2b85141018e4f5a7beb7f795d603c3aaba6957a441add724027d8dc4b1adeb3cd934dc29352e5

C:\Users\Admin\AppData\Local\Temp\dMAIIEAQ.bat

MD5 b58d9f46a4e90dd2fe313fc097aef74a
SHA1 fb82647c4547715e706727ad37dc5b11ce5326f7
SHA256 7bc5237b7e0b1bad04e1df9b21012b944b52a85cacdd2ab2f9a092869c828f63
SHA512 d28bce43b335530ace8ebf96610b0fbf4b51a22ee54b55d89e9f3d4b94e5028e57a751d4c83104e9f8cffcbe321aed6bbc3134164686de17e1020db3861e89c5

C:\Users\Admin\AppData\Local\Temp\BccMwIoE.bat

MD5 d86d6370d8844f954bb74a99a2b5daee
SHA1 741a3670a1cddaffad857e7a01fb2ff3e23e81d7
SHA256 c862afa1668fb626542e5e8324e958569c39b6ba90a86a300c284b0569d53012
SHA512 d6b2e7a0026c3fa4c4d54010aa02d55b0f4d3cd8eebc320c9018861468a281b0907cf6cc97f94bbbf219681c286b5704cae55159a78322d37e96c98f31f7c09b

C:\Users\Admin\AppData\Local\Temp\RockscEg.bat

MD5 4cfbb125e9878528bab91d12421134d8
SHA1 468d79c2e0229e3ef8a5592b4df3e148050fb828
SHA256 f302f0ea1db5df02bef4e6520435b493640eff8cf840ac709d6b5e5f746b3f76
SHA512 456f758725f611b3f01c1e5c0a87681d7d16606f92d54bd27e556665304487af14c4e4d05c88523d621c4a176be07d3ca45873be776ced94dc845f73a388253d

C:\Users\Admin\AppData\Local\Temp\qSAkogAk.bat

MD5 799d2ee926df508b0a1e96613951e39b
SHA1 3077c4f1fd2bd38335ff907a1553c93544520ea5
SHA256 81891b46d64d2b78e0bd05938ef8b000d2364a1c236677e0378a5ae0d0afcd1c
SHA512 0eae0691e63be09be30836bab5df7e79e43a03a2f356c3fd37a53a66583c9aee5a5e21a1ce5b39622c87655710ad354c0dee0db6e7b682e11b78b954e7d4fb7f

C:\Users\Admin\AppData\Local\Temp\VMIQMgkY.bat

MD5 abfdab3df1736a1d3cae5cb4a86d5a5d
SHA1 e63de6d38e75109159b1b0c992e12f6f18afbe58
SHA256 ee67f1a08e8b791fe7be63d4bdfa701fdbbd1b69305effb1ebed0e96ae2b09c6
SHA512 7c874d276a2a6f150abeccd177da95b5e31692f1816a87fd343bf7b6e7ba123dd2fa6d88d6e14d33d16fd6b4bf970bb7478abc62250112a43072ba742fc75789

C:\Users\Admin\AppData\Local\Temp\vosAkswI.bat

MD5 01714ad9e435768874cfccdeaa3d94a6
SHA1 2cb9dc17806b65b4cce1e3a44df30187c2dad327
SHA256 59eaf94febb838c12d68e2c53a6429d42c02cd020eac34399e3a3c212628776b
SHA512 ac3a22db8bb2fe950173aac705cd10853a22cfcdcd82f352b515ef14351298966b4cfbad6510b8cc1206498ec5597dd90f798a7454dbd1fbfb4dfcd27836afdb

C:\Users\Admin\AppData\Local\Temp\SOskMQck.bat

MD5 92f1dd300039f401cbb06d661aa2cd10
SHA1 42efa866bb7b9d0f934bc6b98891e68c22a3f1b9
SHA256 51ddd3255e8733891bf871a663c9373076e646adaa8b627674171e04883865b6
SHA512 304c7812a0a41eaa7c8c8ea8fb36bae903813c6442f7705118d597c5bae0fa652298302ec81129a664461742dbeaee5f1b4ea09712fa1c27eb7fefdea3381a8b

C:\Users\Admin\AppData\Local\Temp\XikAEMQM.bat

MD5 a762bb21ebae91ce5aa570d1c65661da
SHA1 fc526cab23676f424fa4be6c81613d3759cf2e5f
SHA256 64c60dff7bfa67afc0c215e5c5d16c93a801617aa9ece2678ce03b9e9fe43979
SHA512 d1385215b268fb20eebfa962910d09333ce0cd6762e292ca1912b933bb477a05d95b8c8af6f8aab5206edbc8576484c7079ce23567f14e9bbe4ff21a883c46f6

C:\Users\Admin\AppData\Local\Temp\wiAUYowc.bat

MD5 55a0e7fef30396aedc43e76c762fed54
SHA1 fc960f2606c07e48345504924605539b51f300f2
SHA256 d6b676654e293f7172838b4ee4736c515df3b99fef089f35c1fa38582a3b861a
SHA512 91d1f4308237215e1a0faec01435407d0cd7f5bda8f4ddf123766374f49de7abb2018ae58eb5fb2a4782f89ec158bc5509ee63d73a67cfd719abf1701c6722b3

C:\Users\Admin\AppData\Local\Temp\gCIYYgcU.bat

MD5 c6690ad255f100696c4cc36842e4294a
SHA1 5cc51f9ff0fc9dfc42720bdaa90fc474886f9bc0
SHA256 f120c13d83a735bfcdf312bf5cfed3e076e41b904549b682d9d18786596ff812
SHA512 26d0604615da9999d492374a7f4d971febd8f1a2e5b80160cac577943ae533e2096a5bb8f3a53e883d8e4971e8f0d7a3d4f021d9f9abd35aae068af13c27d58f

C:\Users\Admin\AppData\Local\Temp\feQIIMAk.bat

MD5 e919f454eb7dc052c306916c2133b480
SHA1 64f265f4b95649796313e028b7959f5c3a609137
SHA256 968af8771c3ef2908c8164c14c6e9de9e46d847190bc56a975c64463c9304182
SHA512 c300b4148ae6233555a2a7582e4b9da6785a3ee72a1a101581777ed826d5acbbd2097a09b85e06ad9085fad48b16cfa5abf5513d52c5077bd9c73e810dcb568a

C:\Users\Admin\AppData\Local\Temp\jwoe.exe

MD5 71f523331acf6c8046d874a626da2fea
SHA1 190898ee51a9febd8b22ade4e043346ba2b5d371
SHA256 d8a9fe835ae125cbc4bfa94d70f65a9e10bd271ab0f65d62499787286c424ad3
SHA512 795948d4ed22e8560015f2eca307e5e0a44dd8f7aa688d292978ebfadc7b5291c8d3f0fe0d1acc0dc6d96d7ccefc97b19a226ea6c294a749a0c9eca6792038cf

C:\Users\Admin\AppData\Local\Temp\Usca.exe

MD5 975d70f59d1d534a68cf81e4e181cadb
SHA1 05b0ce3fb05eb9c2ba0441d5ba2b41998de3230b
SHA256 b796478b386185ed8a1f3043031903e1eeedb6c2ba31808ce9c643e8fa864c94
SHA512 6f8907d20b7c1b0a608b8e0778ffa67087f26592d2f69aa6ccb0b112953d00050b0491eb40737440554bdc7ae9e73651f4dfebbe643fbc311ac7c7a32606596b

C:\Users\Admin\AppData\Local\Temp\ncwg.exe

MD5 0a42694f457a2520aa7d57331f75f309
SHA1 16687fdd85d2e548bff180a84abe59453cd90251
SHA256 1300e2e2cd9d0aeff5335b0bc2830619cfbefbb494af04f54039a263c801b0d8
SHA512 2e07b845090766e7609d35434c8c9b3cd66a0fec3d31c5d3de469e481301d98eeb0143ed755846a330442ed985bc34581d4037e3f16fc6d3bfcdbcc2692e83c1

C:\Users\Admin\AppData\Local\Temp\YIoogEUU.bat

MD5 9102a06cf02a3df65284c0fc3131fac6
SHA1 4365494bf283a940ef27d79bcd17138418fa13e0
SHA256 b0ecb88f30ead30ed0a035fc6e2894a90db86c2b8354606a25a07d614b022c7a
SHA512 d870826c412153e197459d3d16663c6da8af70bfad30ce7b3f0c94428b33224b903d21a4fff2d021be15c6ee3e92228b80b5b0c96fca539858a5a7cb637c643b

C:\Users\Admin\AppData\Local\Temp\TQQw.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\rQwa.exe

MD5 b11e94d939bc015267a188e3ce3f8a53
SHA1 ca71e70143e2396adfd7892ea2b50642f615107d
SHA256 f1638f15c4458976be62d089d7996300b664b79d51fdfa051d687a3900a9d73a
SHA512 db26206c4a8a0f86b91756be2600651da238616036c9f8209b199564636a42c2a10ffc968bcc6aa4fec906912d813706bb032e0b15a32ed34ab74edb3501c990

C:\Users\Admin\AppData\Local\Temp\WMMO.exe

MD5 6cef5819c84b42d0f85c2f177ca55047
SHA1 0e503a48d72f8c5d8b340e40191f259afcbd082f
SHA256 e4ffc17174502220345460cdf4267efc1a3a1a94a76e2e232829a921e26b8992
SHA512 4fcd189a9418c05176855e85aa458515d768eedb818d9232ab423de492dc5ab7736de900dabaff37a62f7f4d8f2db09e71dcf3897121a764532817bc8f401f22

C:\Users\Admin\AppData\Local\Temp\gwsm.exe

MD5 777e814f968a83b540c540dd57465c24
SHA1 5fd863c565f1e45829326b67771a4da38bf25e14
SHA256 5656fe40a9aa4dc45dded15c76ba6d2d7bb4da1e6b7b2c7889ebdc1778c034a3
SHA512 fefbfc30b97ba88f81c395ca9accaf5bcef04ce9b0f21a50bd9b3615128fcf75eaa74a66e0530d5371f95501d7507f05b12f7b1287e5998f41c7afec1b84fdb8

C:\Users\Admin\AppData\Local\Temp\wqoMAIkM.bat

MD5 cf26c302dbedd6d6772acfc763f8211e
SHA1 5aae7641138c240e40a20054c3d5a8e14766fb3a
SHA256 b2e7780d8f94f6c159570991e83d4e5595d52b9af221bf5c0aeba458db3f0512
SHA512 2a45f46fbb52bc0bce759c4016a15a145b9aea5689685b9e0ec6993ff72b477e82b2eef3c08fa70d37a005502f44bc45a117eb1ef41982e5685192cd0013ea76

C:\Users\Admin\AppData\Local\Temp\NEwU.exe

MD5 e8bf304b8e055f0fc91673549d41ce06
SHA1 66a5909bbffea05742293e91e0b6d72f32556efc
SHA256 dfa4d5ba03139e80dc7d9c2777725b36faaefea79c8824a90c8d3649cbc9a80a
SHA512 31c13c422de592852e91f322601f861820dd2ea7ac5b075e7363561688fbfc121b4dfc8c17091798a1c0303f0f133e43b5d58e18508da1c230e241b76653f27e

C:\Users\Admin\AppData\Local\Temp\bEoQ.exe

MD5 52eb2faff39b3e6e1d60a66b68f62b48
SHA1 50e87a42260b33c1fb7b70ce10472d94344c7fc2
SHA256 be0cf7970e27941b57d4746307b4d757382e091121e7455eb65966c65dfde87d
SHA512 0d3e026876069074fa3f03cdec0a92982b274c5e4658e7208cc3d93264a483a306de2408b66cc05de010147e4782f1b0c92216c89ee91921edbd2b28235b7406

C:\Users\Admin\AppData\Local\Temp\BMQq.exe

MD5 fed3874dd4a65945e6aff6d1ca080f33
SHA1 3eb1acb8e0e0561701bece13c0c1705edba31ff1
SHA256 30f45b028fe99dd552ad537d4ed2c7bbea1d0dcedee22be4086dd8a334a2250b
SHA512 240fec11b0829814959b88f08b31c2ffbca943fa00343e7f5e723c1784dc60ea7af8eae63b0539d2c52a6dbf73061118d34cb1645dc3ac61713707db7047867f

C:\Users\Admin\AppData\Local\Temp\juwcIQME.bat

MD5 54c5958f53538afb13d276470ba02715
SHA1 1b702ed7969c475747ff1d6be9041fcadd77d36f
SHA256 46a2dd68f4f362c84300a6091a28619d079c5aaf0898b6918ce68134e1dd9241
SHA512 9cd3f90f2263c6d15b1856bfe0c7e8d5242984c5070c984e2d4a540ef368bd919124e07fa407de9c5b733dcab54d0300221a81eb79d75f10ba55afd422a6d0e4

C:\Users\Admin\AppData\Local\Temp\Lggw.exe

MD5 9ec4b3be3b42f6d9d1509ccbe05b369b
SHA1 75bd618e0278c59e11673a8d33846ceed6b77940
SHA256 1942c772c71e75fd9b3528b519fbdf2b83f380aae571e3563f7c77c104fc6c08
SHA512 f07780c4054df7033a307b2158a73d0ed79b9226784557a0657ebb842a6464d08495f4056682402b7719bfb7c1a4440261352e532532bd1f9286f25ae3845c64

C:\Users\Admin\AppData\Local\Temp\gEEC.exe

MD5 2bcd23232f0c3970244afb541afe7ec1
SHA1 72fe2e18e44b88840408d6b3ed85641820c785e4
SHA256 cdc26011977cb133dda409fe3b8abd23ce918f1d392f74b7cc6483f550433641
SHA512 e9787c8019823a56a42b129bbe852dc9a1fbee5ba37148e78d6383eaf825ff9823738f8a8cc55d13e8cb440cef7a2d3f41a646bfe545199bd76839adf7432d89

C:\Users\Admin\AppData\Local\Temp\gwYY.exe

MD5 e47a9e0b23eeaee14cd33d62a22f4f16
SHA1 891873a9fcf1774b8e2e8adf5a5a6b8d9455cd92
SHA256 d77ae37f19ed22989d77e6488d38b7eea128e5ae1ddf27661e21f764a74e6d6b
SHA512 d08c285c0017d05153a7cbc67e71a8e289211995b82a914858a93752bc798c2715e34ddd9b08127f6b242e028b1f9da13e4726b1b7c6b5176ab173a8c70b76b3

C:\Users\Admin\AppData\Local\Temp\PAIQ.exe

MD5 9e944d0acaa7ff2f7b1b25cf574f5509
SHA1 1793bdb0bd913955adc3b3990173543afd7d3239
SHA256 3e103423b597616d1addfcc7846f6a5175709eda60a9abd9e98ef586ac61e786
SHA512 be492694f60cb5554b9688dcb5e98ec97b1659634b597206178192c8b236fe957ed9506e399c1d31ff6699be0fa35a90771d548ddd7e70a8bdb71552453be4af

C:\Users\Admin\AppData\Local\Temp\gQMm.exe

MD5 26a37242bd4d6cbf18ae3bacac4ef716
SHA1 8f8d55da0f6cee5232b437735269fa6cc8a0522f
SHA256 cea677b9a972399cb2bf7899960e818565e8770768206fba813cb91eefda9366
SHA512 2adf56be358351343f21056842a0dd99a709c2064d5129714fcf793879ccbdb99837270949ffea3d55e0a03259ce4f3e77e3ebe367a247201c51757ed1e052b3

C:\Users\Admin\AppData\Local\Temp\hmQEQwQY.bat

MD5 376f8ba8a03dcdfe1267579cb6bed9c3
SHA1 aea3b86090c6744b63bf2d8cc08687e79fa44f28
SHA256 467137a6e5dd5fed25d579f42fd37a2b01306e042275eaa76de2609d37362e70
SHA512 f0ebc056c57385ca91889cad0c619b889e9627dcce5c63062df868b5997ad55e4f10c32fb6a9fa3a6e5d0f98a51e70fd3bc4c2506211e454c59b4826159c6b6d

C:\Users\Admin\AppData\Local\Temp\gIIG.exe

MD5 abf6f9c48fc6a0a82c60dd6772485537
SHA1 bf251b0eed58ff5a081653ea89ffa6784880fc3a
SHA256 974a732a1e3180b5fc428c177c8a60ba63cfdda32ae1aea28e49f5c23cef671b
SHA512 45c51996120373e919a86c0b6b09ef7e235f433f2c1fb2d131561fe2b967a287be4bb32b8e7f74ae82c51348ed7621da708d391bb97149195e89d4aab159a464

C:\Users\Admin\AppData\Local\Temp\SMok.exe

MD5 67b73b232c670a6a0e4762d7b14e966b
SHA1 72871681db50cba5af82b2cbde28c843f174b27c
SHA256 a123de88f707a8b0de3bd78c71eb019f0236450da74b12dbd49f04f8563179cb
SHA512 47aea5cb152c6c0be4a9f724f27773905b13a7264282eafdc46509e207d6e892263c6c19025d2373fe941b86c89fcd32919994b9aab56121219a9931692c5fe5

C:\Users\Admin\AppData\Local\Temp\vwgC.exe

MD5 1ffdd399fc4b9966c2a9449528cb45cb
SHA1 5c9f7262b8331f399331350378babb1358f0f371
SHA256 cd6ba2d0881a03051d3b5cba9a7ce2a2b26175e6d9cf1af67d697f65d3910c00
SHA512 7969a2b9e32a50595f3411e8bc0315f09b29904cb9fc3cd44803f7a80cd242fc643cdd384df0306255d9e7b6c17e0da323fca24028c2fb9157e78edc6c99bc65

C:\Users\Admin\AppData\Local\Temp\vEUg.exe

MD5 37bc669b270ab2f73cfc14d4d2032221
SHA1 4ed20c7a04039f63c9b209c65ab2cc0ad6513072
SHA256 6bfbe3d4a90635a2ca4e9d1d3520b8e05f0bd5f3bce9c2daade6569293582def
SHA512 5bcf7bd4bd9e1fd42931db2d06da16d21c5cff48110382a0b1f0fc2811ac56be8302003cbb9cdabf44ee905a21ed1b51fb42a78992db931d2a6d2a01bee05ee8

C:\Users\Admin\AppData\Local\Temp\ukgO.exe

MD5 c7cb035ce461ed5f4de45d474061b7e6
SHA1 7aeb74b92647d0c7d57517542ad342c23531d862
SHA256 e0d1752082a30eee5c4b32d78e4fca107702f54865f4759445db3c794a8edc93
SHA512 b6b23f78fc9ff37b2fb4635b5378e78fcb07b458f1187acb03f1c312f65c612e0909776216e9c289ff5b4b23cfa524e784350127d7956415d32468e8f2e2d069

C:\Users\Admin\AppData\Local\Temp\zUMg.exe

MD5 ea36fbef9e49b1d9059e7347b0f586c6
SHA1 8389156dfe8a4b836ce985f79e1fc360f2c2f1c3
SHA256 3c02e9665bda9310713e7ceabc772dac7a0d35319c2772aa22213701c59642ad
SHA512 1562ec455b389a330b7c95c86e17e4cd11868e60edec32aa91608acf38a945b1fdd2d6d74c1fe27993b36888a40ce43cf3d5075de3a9487ebc4f3bb462c812af

C:\Users\Admin\AppData\Local\Temp\bMgi.exe

MD5 a9fb258263c060d3e877a8474a93b0a3
SHA1 db31f2dd421a1a337deb94aa081b613965354fa7
SHA256 cc0180342d87bcf8bb3284c8bbdc76b2fbcd7464d61476192adfb8e66261b429
SHA512 03508a20a497230df0877cd351abacd8a5cde3a6512987df4bcb167cb16a3c365d9eb9b82fac4fd1867905c04fdbf67ead2434de15f32d2943f73099bb1b2552

C:\Users\Admin\AppData\Local\Temp\TWYQwAEo.bat

MD5 6247fcb0b8d56e22edc5caf6bc1d0a8b
SHA1 7f0a5ea021aea7e55377433f953f9f81a97a0556
SHA256 5be4645906d637b4f7311212c91851b64a34f83d48e87e18689a33a940e76c30
SHA512 57101d1b02efac060f2130ee12263a98a79a7a12e4b453d351a8ab2b0ec151053b88a0ea16b0e87399d6778a083fea4e189784d6c68d8e06b505802d72b9bfeb

C:\Users\Admin\AppData\Local\Temp\UUgK.exe

MD5 f5e98c22857dc98f1ca5144cf55715b3
SHA1 b1e96a63b57117862b8dfecb226746c27c02283d
SHA256 e0a0afdc47c5d637174234bcef1b11bc812d02929a16a168257685d6034f7aae
SHA512 5428120dc0558734faebd448900dd480f9efc39874820d6b0ab0404d5c3fbcb6037cdc6c8924b55d4c9e34a4c3a6ebc3b0b8f5775f21efd419e24885b7054c45

C:\Users\Admin\AppData\Local\Temp\YgYe.exe

MD5 604a251999ec2e1a689440f61fc18f43
SHA1 6fe634eaf772c61d0f9f283700ac33ca4829ecd5
SHA256 f0220bf942d57415e7454e6118ad7aa469295f667500d288362f7ebdf97f2974
SHA512 7fcfd3cf2415a099d2d538b069e92090bed66554aad88f9073ad1cb98be4cda1a1fa2b8bc9819689fc627ee18883ca5972a42c70d32042be5bcfaa8ffff0ffbb

C:\Users\Admin\AppData\Local\Temp\VEsI.exe

MD5 003a5adcd66dcdc7a4ac1c5d7d36e618
SHA1 58298b32051d339f7015f61a283d1fd87aedeebe
SHA256 5ab726606593cdc0db8e0f06867dd49518f185ff5cc7a011f4edb530d71010f0
SHA512 2fca8565427c955bc604507433fbb72cc2707656e073373ce7060a5adbe8d59c1dd5413c739625f4fcb38341a40c22dd4b65cfe36e348cdf23b30ec584923cc8

C:\Users\Admin\AppData\Local\Temp\zCAUcAII.bat

MD5 15b35992705d77c8fe2805469c2b45e9
SHA1 0d029d47696fa5f52c8f06db117f9ebbeae7b441
SHA256 dd27bc56727ac530db9045aa58c99785fc31752855a688e37aecce2c8286ab42
SHA512 f9082400f8401db93ab1fe0389f7744fcd70f091974620fc730d0f339fee3c92d5eb737377e6b546c85a97fb461241ebdadfc83335c26a9b92a2e14808862675

C:\Users\Admin\AppData\Local\Temp\wAwk.exe

MD5 c682edc93ced68a9ff78c805a03aa2ae
SHA1 c5c5094bcff6461b7193836b7c3afb17135f6671
SHA256 0ecc84cf21ed4ed92ccdf2d42ef8bfa1962bced66a7c54420f69a03c49dd83c8
SHA512 59c868f475d0d989aa614a5e81ae63076109e70968a5402542a0b64ca478d460be37961294a1ce5d20cd4d4569543d7c1bd042023f2d15bada9a64bce0a23c22

C:\Users\Admin\AppData\Local\Temp\oAYw.exe

MD5 6009cc8a4d57b0790bd976b7b5e57ef3
SHA1 e522dcd99acdd8475987a8d1eb3a4b16f7f24d4b
SHA256 4d769de1be6a79761c810060dda75cf94ecdc7e37c8b91be6dcec1444a7fbd9c
SHA512 80424f7414007c30af4744d82439902af4ed9368be08e10b3080441b2e23cbd6caad18dc096e294592fd64018d246e9b7dfaac3368f205ca6a7a721f273d613e

C:\Users\Admin\AppData\Local\Temp\BUki.exe

MD5 5ea2495f2c99295fe9011621c2903e4c
SHA1 53fc04e36395d09eb1ad401fcb3465e4f896982a
SHA256 4007539aec30815bdada4b07fbc3c97cce564df1be17c815831f5d3de5d7a80b
SHA512 a98b3bcd8589138c7c6f5cdd389c62c79d250150c5ba00eba493e703fe36330b556a9b326e6450473b1622b05237d64c1979e99b2c79e73759936c31af668f45

C:\Users\Admin\AppData\Local\Temp\GCwoowMk.bat

MD5 ad76b47365aa0b420e0332389832e013
SHA1 0254e0cd14a3c4c5a163e8321a02d3d3d5162332
SHA256 1d0d2dbeb12e696117abf7801f262a9fd9c0d804d71ceae991042bec24a165ff
SHA512 e93d788c75d8e15fd569319aabbe7ea9f2952680db55b46b539ecfffce25c06e15e75c2fef5a4b012b7279bcaebcd5f86a3aa45148c2b43a5fb10618220f9a0d

C:\Users\Admin\AppData\Local\Temp\tsMg.exe

MD5 d2d87ed0d75b1914d51cca2631107c32
SHA1 ab90553acd78ef4622ed1b7a7049d82075efce48
SHA256 4a9ec5bd8c82290c03327f09cc696bc0b543bf06cbaad6b4b2bf89cf4fe0e5aa
SHA512 7ccfe9b10fdae85a508ed0b48ac99e0d62dbc8486a38b596d052dd189032c2896caa43dd9dc422689fa36e84ec1f62e7b92cc5b29548a3d5adc3476063ef0247

C:\Users\Admin\AppData\Local\Temp\nsYI.exe

MD5 ad4d1f4db79e96afae91c1ca36d9f8d8
SHA1 82887d0d070785930e49077e48269dc2b5770ecf
SHA256 77c0095109edb184ebe8b9c39806b89a22ea04b4dee122fd3267aa59af8d2b52
SHA512 8791ceef8ddbe954a03bc2c3c912b0dfcfb8de5a59ea451c7f4e4b48b3d75263144ceebef51278431fc535f4f0f83012414bf8cff0808c0adbf14d940fbb70ce

C:\Users\Admin\AppData\Local\Temp\pUUA.exe

MD5 fcc2b788c16488d247049838a7bceb15
SHA1 f0e03b755297b00cd1ecdb8b376577d6af2d28f6
SHA256 711968145fdd7879838f2cb2031a1493f20bc49be00a846d251a5eda4239b267
SHA512 b3d449ea22f1c4c6c429d63a98cc04a8b57dfba9947619f527306ef90101ed2e8a3affec7c96698fba956b2496d322b21623eb997036fd1a85d1feed73983bfe

C:\Users\Admin\AppData\Local\Temp\jcYE.exe

MD5 8e1ac0383909829d43baf0e51c060a74
SHA1 726e099c26cea7f9da6499416994b2054fea1fec
SHA256 55ee05412aa29772073b860167e88ad8d3a05dd8777174336b73ab0b4760e1f5
SHA512 17532e3ffe45fa4198e3171dad8921fb0fb7c9dd6107437af42e4380504900f8ef3c1b5da9ce5582d7b4ecf9b7943ae5cb542cd3a430e5244b8398a950c2d003

C:\Users\Admin\AppData\Local\Temp\qkQm.exe

MD5 b57cedbafe5a6d3fd2c2dc7ff3448fc7
SHA1 d465158c0c4ab7491b91f17189b8830a133f75e1
SHA256 b263f4508a82aca27929f782affbff42e950b5543e15a5e51488fbc83f29953d
SHA512 a69781397254ef88bb3acf273dc0586988df778826b33cfd783b53fb2cd4c5afa53ebdac19ee715751a1351528b7d2f32634325c8cb31c8f6c92534542481be6

C:\Users\Admin\AppData\Local\Temp\msQssQAU.bat

MD5 58ed8948792603f3bc9d50b372d21042
SHA1 2dd93795a0a5c1114121f6a0e0081fc9fa0ae970
SHA256 35dc0bf824982beb3145a6a9fea22b397a3fa8d1c49eb3b6e843fe958256ae99
SHA512 2c62de2b17c04c9346f0385f42f4b7cd14bbb967a6568e8bc7b914f30fbe8c0dfb1da258b5dace215809028004561f0e5423a2bb022591404eb0ed668ffe5083

C:\Users\Admin\AppData\Local\Temp\uEMK.exe

MD5 82bfee64a445435c9e0c10b7723e734d
SHA1 841f9718ea0e82b04cdaba2c47d1aba059573882
SHA256 14c8ae02291c0786425e1a952de8064bac27184c4a1946cd1546453536e3a747
SHA512 ac35e8e88960f10fcde73853282fe7f57ad86c3569d8f72197675ba76e14b4a16a6f0b6c68b33ad8c3f30272dc8a0f88c71f70f72ed7ed5e991bf1e454acaf55

C:\Users\Admin\AppData\Local\Temp\Rsoe.exe

MD5 7ba6fbd54ced11ea5bf9668d08497998
SHA1 4b2d2744319b28eb9140093cbf81e2c9d4001bec
SHA256 7de07427ec3d9b2f9f04e06a5a347761d4c8982a77cfdd023a2e128bca7354c6
SHA512 e34768a2783d31f933eb382d8f23546dcf81dec73365dca04688e0f04dd6038f9d2d324e4b7462f9e48e39e94837f2be9253e63760e80e732c0b96ee8ee4fe58

C:\Users\Admin\AppData\Local\Temp\VoUk.exe

MD5 c89025fdac032136a4650d0ddb5e2320
SHA1 82f46154cc86e62487bf8c51caa69fb4fb3e7ff4
SHA256 ea24ae82af6592a6e3316fba9e5c99b23311ff2b8ca2fd3c8251c484d69d45f4
SHA512 a6f7917ebabd0edd2cc7af58235dbdfbbc5bb89a00667f83004a54356e480e857c7c942dab615dde3d09c1acfdc1850d659b686759afc2d88d042019ffebfb60

C:\Users\Admin\AppData\Local\Temp\XsEs.exe

MD5 514548d92b7d28cf0498c2bc8cc50b96
SHA1 dff8957fc19c46df15939485da5d3ef2bbaefdf7
SHA256 3e4a8d7715729d6602bc4de1a97e752bdc4b202eea0d10061bea3606a4284953
SHA512 24d8dc633b4ed0dd5ba3a234c4e55bd73d9b0fb7112136c00d23701da4c91c75ec2ba58bbb4c69930d7b1ed57b6c155c1332f4f97a91873cf6336de11c32185f

C:\Users\Admin\AppData\Local\Temp\bQkW.exe

MD5 07aa0df2f57df45f769133e7150122fa
SHA1 0587d1d17785b9679e6702842d37fea5e8d29152
SHA256 8f1584cc0ea8a2088059e0cc0ab4b8c89270f8979d2aff05870cc787716ebf89
SHA512 deab52ecd9119b8f19f5a0a087faa0fed36a43924e9c3058f090bbfa7d4650ff64ff1a88cb13ab1df550b6f6a2e81fc3c80e0c771e26bf61738626945467259c

C:\Users\Admin\AppData\Local\Temp\yAwswgYE.bat

MD5 04103d0cbaa7354285c54cfad39387d1
SHA1 f5d691e07082dfc6cdc8357d5a01226efd552f1d
SHA256 7c47207a1f32a967a45461db78c3a2710ca1052b9cb1f3b3750626a824dd0566
SHA512 1dfafb2c744385a35c626aa9159b3cc49f69c541e4f4b5c782edb835122dc8ea598414a083509a455a01168bb25372a8af0401998993c41fe12eef5eb46a29fb

C:\Users\Admin\AppData\Local\Temp\xoom.exe

MD5 bb53beffc00bd2e13957b6636a0f68a7
SHA1 eac8bbfa0658cf3c467e8ffd03f04e340e411719
SHA256 244b789f1d88671e8d126c2e279589505a0ee4fb9fb3f1b266bd6394af6b1495
SHA512 775b3c62836b76389bccca0b5fdb183b208b11609e78e8169ca86cf5f0e07ac075b1e3bcb81666a063bfa3a7e536306991089d951e3064ccc769400487211ea6

C:\Users\Admin\AppData\Local\Temp\bEwi.exe

MD5 4d5d33897b5a62d4e3759700d4596976
SHA1 9dc8f5e8ac7954c427d2a907d3e4ef154df9d730
SHA256 f70d5068c39f03da05c2b4853051f13b190ab004e48ad724f9fea1ebb37ced74
SHA512 155469737c7abf10aa0139058880d5063b36620d9c2b4f3dcc840391a45ea4a795c77c5875941027d1b0fe8285347faffdf48b67db1913b4451cc0efb845ced7

C:\Users\Admin\AppData\Local\Temp\nYIY.exe

MD5 486ce7efb07a92da851e52ee4cc5e9b4
SHA1 6b7b82a24991bdc05ff32ed6f05fe7d17d4a2bfa
SHA256 353b5c3a89199f58946ce972d1ce31943a33d3e777111b2cacd7c8a50a1f967e
SHA512 81d86ef1fb93b0f33507eb6ab1c32669c7fd4b787a23a382903353b777905272fef466063677aedd28814164385ca4df708cd5cc558918c2cd6e419dc9238630

C:\Users\Admin\AppData\Local\Temp\NYYi.exe

MD5 50ef45a5e9ab578d93e7aafe81e3b0f4
SHA1 55444cf278fc103dcf4a711559b85644b0a1ea0c
SHA256 58ac90752580f02c9e78579911650533341796a43966d3b1ea3103940d0f77ab
SHA512 663f58665a54796ecb059d40323afadc85882c9e9ac6cdb3d68287272f9e81297ead6f36f31de5499fc482185daa1480ac59cc029eea386f49e0b2213e90c2fb

C:\Users\Admin\AppData\Local\Temp\ooka.exe

MD5 d4ad0218593d4c23260883b5f21c31bc
SHA1 1cff349a0404c0c490edce006027dcb6b070173f
SHA256 5ae6f1b184d3837ab5f43621584515f7cc9bbeedd71566953190cdec5ed18761
SHA512 4965b72121fea2382f193d520e78ba688d3a5491d9876e8446a0b65ec82582e6ef0e574616c4aa0c77957a96c28e56c17ffad1f295f90a2bde5ab1b938b57c4f

C:\Users\Admin\AppData\Local\Temp\gEcq.exe

MD5 30e052eef4f6022efc09901e7756ed4b
SHA1 f0d49c06e98726626ab3791b97a3e21577ee46f4
SHA256 082f4d778606786f13a00593721a42ac74816a308c21b4bb1ff8281563cc6445
SHA512 e9880a7ecac49092d5a92553305b97b853e8db0536b7c6ccc453da518c1828e37172b2b9af6c9e74a979cd8a3b420c1d4b22d8c033ff417d3aa3a1136812979a

C:\Users\Admin\AppData\Local\Temp\isosAcAc.bat

MD5 e357ead5e75584a6fbec2262ad13e711
SHA1 012943e95f94148f6ced273b843d88bbff7426f5
SHA256 5a206f7ee76570f26d5d1392a5567f1c91b98c23f7f986d3bbce37bfb08a7880
SHA512 a5303c98a5a2521e648086a8f1d13555136a6d172bb4198ca1244000313fe93254528c310858203f6df7707e11f4bc0484ca572e142e76469bbbd7f6151c0942

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 9b9ca11d35036652eba08a3f6bf00070
SHA1 20dd7e22fddee0468114dfd062019b1165b1215b
SHA256 63cd9a2716ace4e9ebef121c1e648c5c2c0382993f979b0eb137d6da0d163abb
SHA512 89ccb54e8c015113782a86e476f2ba506532afe4bbb49425e9dc36ae0979c937b8fb25edeb6f70f126df17b7e805dec8f27e858b646e6db3d41d8614135fe54c

C:\Users\Admin\AppData\Local\Temp\FUcM.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\YQsY.exe

MD5 7d80d65c20ea0c657fc77e261b91c481
SHA1 ec9a79e1c84ee207d2c35e5c1137ed069a97a6ce
SHA256 345d1ea6ef37a157577c5fbefdf3cc0ed49300d856875b034770a07a92155814
SHA512 b9dd22454a124ed72538d347d72409e59bc227bd32ceed72229a929e377a11652ed6be889a59ef04f6099b5477710e61b1dbd2b9ec38bca5416fe3af0e8a9e03

C:\Users\Admin\AppData\Local\Temp\lAIO.exe

MD5 f84584d9d98b6e41ff6c4b9bb6b4754e
SHA1 df76635dffd3177043a665305ad325a45d1ce1cb
SHA256 3cae80c74173b255760e48e76653144f7fd7e1cdfd7773a14b20e0f85d00b44f
SHA512 90d755c0d12aa0e885c7516aaeff9308500a7653679fd8a87a3ce3c4ceecdb9299b9456766e29600e44e0ea35210da15d58f009fe39d8214e4dd70abc6ddecec

C:\Users\Admin\AppData\Local\Temp\gIUYAUAI.bat

MD5 c2539c8f8eb81cb1a6567d64e5423288
SHA1 a42d48fa84f920e20bf2b9ed036efeab8de24d2c
SHA256 ee82af746251773678245414978b942429a01a01abb9c067e639750b113854ae
SHA512 76e4f94dca994f11b3e8972c53c7a8821abf8c6d95bdf34dbab43dee4978b8507248a84f9fc61906b571e7371c9fbd4a02731913b6a51679fae81e748e27e92f

C:\Users\Admin\AppData\Local\Temp\qgcM.exe

MD5 e7ceca2c2ca8bcb758f99f097841602d
SHA1 203c8748968b1503c36d0439e391344c402567cc
SHA256 322dcae89c75902c9e7539ac37e7edc164d98b9cbeca366e9f27866c61ff945b
SHA512 698f6f2c65c5d402cf9baf505f7eab083e827128e9c9357b2303b4d5abf61837e04c9e59e3aac37448712d721cd2b17da4ef41acbacd1ffa459a9360cad57864

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 fff7a231c3daaa0d037d9d0ac82960c4
SHA1 744030d5fac6e0e89c48f7135cfefdf41e2a0c09
SHA256 70c4102215f79b2695c98adfcb87f8da4d87ea677dead5c00af164f8c4bbc115
SHA512 d0094ec36243513e9033a7d0d1100e1c8b5c2ac446dbaac122d1d21d25a442cffba170686b00b49200dcd34a031e5dd0cb362b1387b491cdf4fffd1c3ac44878

C:\Users\Admin\AppData\Local\Temp\vgYsUkcM.bat

MD5 2f8ad166d4892b4ec0c6d19eba72fcac
SHA1 44979a8acde52add6d482054dfea0b0f2feaac80
SHA256 da25679554cbc9573f4e75dfea96294aa8df1a48f3a103454bab66a2963ddb50
SHA512 07700f5bca35e937490282bef0c3b0f04fabe0ec9574be06a1ad3640df3e1b69e01f2ab8f538c3fc6a3c93814d94b1f307538fa40d057d053a9cf97333ebeea0

C:\Users\Admin\AppData\Local\Temp\boowEwUY.bat

MD5 2dc0a77cabc23996964538c30c686d21
SHA1 6973dbdf5e2eb2713f9eaf516d01aa243ffe860a
SHA256 caf8ff9f03e8392753b966f9a2016ea175a276381566c4d27b1a54b40086a9a0
SHA512 8f5a98be3bc0b70bf40edaf4464a1859e1fbbcae32d0d16aef25828b75bff8d85ecca6b8715aa486a7880e5e32bf5cabf55a45ef2b1697d9a8f4f8ee33502261

C:\Users\Admin\AppData\Local\Temp\NYQAggEU.bat

MD5 1513465d9dfd384e1c573b0399aca593
SHA1 0ec166520eb7e05b96b2099b26ff6dac3c85b42c
SHA256 08d86a32900c8f88abac7c3ccdc4ecf9af3962a484c44f870b7b1312cf3e9ced
SHA512 128b7b06114a9569b0544ddf7028411a037ebe436178dd2dcc72387b19450a697746485075a07d76fe1fa0fe111146d065068e8cba0fc7d4ad1269a77035d1ca

C:\Users\Admin\AppData\Local\Temp\yyUEkQcY.bat

MD5 ded72e4e6bc182905b9fc149847d497a
SHA1 bc7cfb705c3e47b140abac9cadb78188354a4dfb
SHA256 b0fea18ca3043aef2ef914e25ccee6cbae437280520a91d3c27565e2b4674463
SHA512 70e09ab03cc45736471c1c32d545133fb8cdb2456c5e5c759c94f1b56da5fbae408e915f238136578d776193c434489dea9fbc273fafabb46e866ec22e9a457a

C:\Users\Admin\AppData\Local\Temp\bkwcoIsw.bat

MD5 80da9117ef1cc552e96f4af2b9ecbe92
SHA1 4798b6871cb1613d4eddd946b9e13c320f2e1583
SHA256 ac53263d8a20786b110e149717ee11c2c085ab7ffe9d2c727d63d979ec4dcd9f
SHA512 83358d31f6f49b52527c9d6fe60eebbc95c6644a0c22f871066723b932803d65e3d5a74ebba43bb6ae69dd39c3592a090ab84bdb841cba6ebd74ddf1563ce31c

C:\Users\Admin\AppData\Local\Temp\YGsYcUgA.bat

MD5 ca67e4efcb82bf33d2d6637cf3fb8e08
SHA1 2d165a802c4693e07c7512e19ef08ef9a154a339
SHA256 5d6f1d7ed052a7a46823dcc0dec8983fdea2dbf48569d6c90233aaff779e9885
SHA512 4dde1fec7f6f61376b9b1265fcd893fafc76ecd0762a945c20a42eacd6cbfba712507cd218356d2ed02e8ab434dec66296b071a71005c0953cdaabc5a702d9ad

C:\Users\Admin\AppData\Local\Temp\EykEEkEE.bat

MD5 982b87e62087acb8b9348858b69b754f
SHA1 e80ccd0c63929543c11c0c8781169d6f3042ff96
SHA256 8cccbd2d9c2100b16a44fd59c2492874354169ec679325e67204153dbc1874a6
SHA512 0569e79c95d4040326cc224ef3bbcd6e03790ab3b11209f798cd0f86df35c6447a913c7ab5b95bf5b8592ad36a6a35e1855a41cdee6e0c8b86285a57045e84f0

C:\Users\Admin\AppData\Local\Temp\VwgwgkwI.bat

MD5 e52a2a1eac00ce98e9df1e0e5e112b58
SHA1 2e21dc0778e0b9160f38676dac5097663284f33e
SHA256 2e5afa5e2cb4e4d744113d6d506a32e96a7125d946a9f6b94fc690f214055912
SHA512 ebdff1bfa1cd3a09e6eb1ba420159ad20009a206467b183bba751a1a2f9b8a7291da87a8ab9194f18253adf320b24720cbd02117cffc7742b9b224da97d85e92

C:\Users\Admin\AppData\Local\Temp\VEMYQEEo.bat

MD5 92979eda28f674b03fa8ec8e84224f98
SHA1 33a62ef9b2490fdd0ac32a437f0aa0196c03d01c
SHA256 a8da4138937fb39ebb3f216b56d37b8e9b3fd19bdeffaec1a234d0572a788646
SHA512 d7cb8624f3c870a9f329db5dee4c1e82095c5bd38a067b0477c75dd502c3660d120c16f86adf5febec1430d7a5f1df9bceddd045d7f4d689867aa99d5e983e72

C:\Users\Admin\AppData\Local\Temp\AcUAMcIk.bat

MD5 7fd1018afd9b07eab0be8190d152230f
SHA1 dcf91927b5e41b48c2ce6ebc098e5f1f13a7340e
SHA256 18fe6a22444641495ec6b7df5db460d870c7dc1b2769d9aea4f4fc60242e1177
SHA512 7692831f89e5c5a6e4fd2ad7ce67680a0ab0744da1dda5a2789ea4fc2fbda78ef70687f8561075b66fd1bd019aea68c69d4170764fb32d1122b2122f0d0315e4

C:\Users\Admin\AppData\Local\Temp\PCgsAQAE.bat

MD5 30bb58af4a57a4846cff4fa9ef265757
SHA1 dc52df0c5eedf9b75bd7500b01207f04feb1ac68
SHA256 90aad943019a44b1e6212a2033145f262f6d2f24790c099f6c9e62789338e445
SHA512 301271b7970a85e305080ef634c865514b6f4e8b7448eb85e6302f4710a7f5a58fbaac5503eb6bb04efe743a15cc93799465eef191c746b822b84795ee8608a0

C:\Users\Admin\AppData\Local\Temp\XkIW.exe

MD5 0d1a7daa8f3b5604e4a1378893ebad49
SHA1 6e8aace8f78037265f7df6b826b726e5e30fe7b2
SHA256 9a7579bfb77857896c8aebbcda73f1fc6cb7aa092bc503e708e07aeee0908ddb
SHA512 77dc6bf64e8eb4368bb7b962f869cfaec589cd5919a9f2f61447f2494c4ee4f24aab442750cee9b1a7c7c6d81ec2ed7b69be9c6f67809c9f79fd123aa3e19c44

C:\Users\Admin\AppData\Local\Temp\lwgm.exe

MD5 10bb701686ee5de02f5eb50e63af5af0
SHA1 ae9a9e8b4d24429e7b6330c868c9d26855f3d732
SHA256 d6fb51fee1fbb9a55a74d4157dd3ccdb7aa018d071e3102b39e9535b118754b8
SHA512 be7151334297ffd77209a1ec570d98af25b543dcca07dcfcc85eb9d3fcba331e31514ac53980ec95adabee5d23e72f588ecee7ef95a76cbccdba486986151cf2

C:\Users\Admin\AppData\Local\Temp\McMW.exe

MD5 f27eeb8a868a1539a9db1a14de49b71f
SHA1 b27ccf3292b436ba777eafb55b16b66d0e36891b
SHA256 17ee693c5a33b96e3dfd02b1965318f12004ce799ec3b02cdc883bc32e940977
SHA512 85422d5564c0a22c5b43331b0a5f4d41234fd46da4118962b660b8ead6d63a20331dc275b68ee4b73c7988ab39ede2fd606b661782635d0fe2af61ca67c4bc54

C:\Users\Admin\AppData\Local\Temp\fokG.exe

MD5 27e82c67d1bf086371553d87e5e0b302
SHA1 415b13b9316e374ac52ab67fad5bc30b1dd709af
SHA256 27255ede96dc46925fdfb645fa37418ada38d9aef747fe7ffc99468685d3323f
SHA512 2a14fb3b51b5308ece7b24bd61486b03bc0c2fdfb273c6418d3c9e52a35e21fd794050cd17a95acb2f3f5777d4f4bf9dfe877bc70c638a866e17831263c9b766

C:\Users\Admin\AppData\Local\Temp\eUEoYkoQ.bat

MD5 ddb8cfa158b63090e1d87c11c70fe2cf
SHA1 f7011ff6adf6ab823ac3846730ecf5a302fe16c7
SHA256 6d33ce49b267b5e85b841c0d553a1d79bc4d8e1ee890e7d2d107a046619ac6e1
SHA512 16f6b1df9baf25e4968385044726493f449394e9225d5d70e71e1cc92ebadf1c4f208387b3bbeb48edd2378a5f1f54edd0e288687f481976f3cff9aa68f18ce1

C:\Users\Admin\AppData\Local\Temp\lUgC.exe

MD5 9ae774fce43fbd91c2cf6a1c59ab2d12
SHA1 8ed538edb2cd29cf4230be8f52f541616173103f
SHA256 7da022a6be668a8bfa8f797e3830767ba1dd625278504577c01a2f5e3858dfd6
SHA512 ef0efcbb171fb2eb2c8d4064a1718cbc024200f6d3ab298be389d2be05d16fa11233a55a7fc5da0427e050de4b676fbd760dd05f4b65137bc2a4d5781185ef54

C:\Users\Admin\AppData\Local\Temp\HoQS.exe

MD5 7e2023387e5f6327aceb3fce071554d3
SHA1 eca9a81c5efbd1a8e521d03b82b82930a3c42e7f
SHA256 7f0f0e1f6fb650b0ae6dd3eedb866954670fbeecebd6461a828135c4fd2f74f0
SHA512 888c346d1e95ac4125c466d298a4b74bc03f27dfddc5893ebb389384bbc8eec4232e73629d17d012e948b0ebc60fd72e98c16aa44756987c47430ddd424f8b18

C:\Users\Admin\AppData\Local\Temp\qIoI.exe

MD5 e91235bda561321afcd59de388fcaff7
SHA1 f7a27fea4febd11ee15993f0544c4f70582d5f84
SHA256 3c4b6a554d3c2a6b6b8beaf8414b554009a71b406e066b28a772fab359b9bd0e
SHA512 f69b2311c8455702b10e6d652944870ebc67935a07ef06418f6d2ce6e60b73df38b6d69611cd4fef9e428270df3a6b2f04bb555f9abeb20eafd585aa7daab272

C:\Users\Admin\AppData\Local\Temp\WAIG.ico

MD5 9752cb43ff0b699ee9946f7ec38a39fb
SHA1 af48ac2f23f319d86ad391f991bd6936f344f14f
SHA256 402d8268d2aa10c77d31bccb3f2e01a4927dbec9ea62b657dbd01b7b94822636
SHA512 dc5cef3ae375361842c402766aaa2580e178f3faec936469d9fbe67d3533fc7fc03f85ace80c1a90ba15fda2b1b790d61b8e7bbf1319e840594589bf2ed75d92

C:\Users\Admin\AppData\Local\Temp\ckkO.exe

MD5 733a85ec3098713ecf52695d081b71d3
SHA1 a510f8741b904b2812dcbd44e73ec3a0c3511259
SHA256 1dde86513d2796d8df4133373af484be5d422bbf14ad328ce43cb8542eff23cc
SHA512 e870bbb3511f6b7d79cfb860fe85ece2cd699df1223104a9d48ead6ac59eaf2b45408f2fd0baa5df969f72aa74d7fda710fabbab8db7e48b4d92312556120d46

C:\Users\Admin\AppData\Local\Temp\jgsY.exe

MD5 f80e83c115c59cbf2b9fb62fe8e1032c
SHA1 9aba8206337dad970d3de5948269b748d654a65d
SHA256 19ac9ec68fa9b934c77519153f569c7830ac3db6fd68c7126cc73f5c03c89469
SHA512 1fb953116484ba1b874b67697aa2675ef158f5cd0c8cd0c2a8315a9ec534f9a9d877653cf8c22065075c5f2912ba5d21c4879024757fefbb3ea9fd0fdf82468c

C:\Users\Admin\AppData\Local\Temp\aMsO.exe

MD5 c8d6481d2630d52191038e5691854775
SHA1 3b4ca6770d4e01ecdbf4d2a4a4ab31299a322815
SHA256 904e854359024d4da8175d80c1fa2a3f89c25d89cba0aff7003e158981355240
SHA512 7db492495d5b7f4b4b0b3d265ec2100d4b06ecabf30c2e25bbe33e98471afc8873103bbd76fe835be6d840810bfb7c14685b16eb385ab1efec15c56e569c9f0f

C:\Users\Admin\AppData\Local\Temp\toooUIQQ.bat

MD5 dc1133b2ea53e1e10c49c5eaddbf433b
SHA1 514f060bfca1310749e7fa8f71c4d91fb879ecc4
SHA256 c73497c4ebaa236a509e52909cea7a5e3e40d5df3b60404bf8b3c09c1649d30c
SHA512 6aeaac5307befea75a38283cc79a150d7f324a23240d7661a0a1ddf0321aff56e4bd6d8361598084fcc562eb4d8f7c3e03d050f43843df4c2ec95c086b911a38

C:\Users\Admin\AppData\Local\Temp\Hsga.exe

MD5 231ef7ba9a062c922f21c7f83769987c
SHA1 fe55777599859f526ad7d31a5539bf06e429266a
SHA256 1a30b68a7ccc5fe35ba2a5e72b5486c878e2570a4a9d2ecf05d69f0bd0294684
SHA512 8517893bb1d8a6f1b2c7de270cbfa5516382777715be834a7e8b6e6858b9cbb30c0ddc6cdd7c589065fc81ca2967cf3607e8b0c083cf2137bac6ed04e30e56aa

C:\Users\Admin\AppData\Local\Temp\WKwEsEMM.bat

MD5 eeafe85303995f45d4e08295fcb9487f
SHA1 55c70e4045ae51971a129dad3b54557a850007a3
SHA256 06116c1345e16f527c1ecd9e2e610d7bfe03d33f29800836bde73df92ce2515e
SHA512 0ac2b76eccfc6e35ff5519bc541eef06e6bedd35c0c9f6359030f9e334141af33756a579d7c1c90f5823153ab732794d13f0812273847483cc00295be83f847c

C:\Users\Admin\AppData\Local\Temp\AYEW.exe

MD5 0b5502abbc1ac7fd20321db41d792379
SHA1 5838e4cc80ad8d76b4a0b545744e9cd5056b600e
SHA256 07deae3dbf6dd2eb85becc4e0377fde17b6ecfd53a2dbaa17324f5cdc2d50770
SHA512 383f936b95de7577ec296672106527b83b53e73df56acafb8a7fd863ecca80863f03027caf740f2e49245434e29f761e0875b524b736dbdf8bc0f3e4a15d5f58

C:\Users\Admin\AppData\Local\Temp\Zwsi.exe

MD5 ec9be94a0ec021818cd90425248c9740
SHA1 cf31a545f8f5fd90c40f025087c33f4d76edbd3f
SHA256 48050a22adef89b98aeec0f9c1b2b20d1e5e4b236125013bb17a26cce3c24adf
SHA512 6f776c865253aea9b0996b1030075e2f3ee739ca9560531c6a2a78955a0c411a691b00463b50d012dfe6c8f6b3b1b1d64a067348c2bc636d617ff5aaae406ada

C:\Users\Admin\AppData\Local\Temp\cEUQ.exe

MD5 abe31eb052ea3eecbccf042a0e7a09f5
SHA1 c95191bf1896dfa695cec9e40d06760fb478b4da
SHA256 d27676adbf3cb50ebec2739231a34add17d431a391b3100e13a71012ec6bb10a
SHA512 5cfdd75640bcd1fa45991e05bfd102ba23d8a38685f89e35ef89c4d45759d850c0d27d85cb8241691db149d78deb1ecf7291d79869c6a9eb9f7115147284c122

C:\Users\Admin\AppData\Local\Temp\HIYs.ico

MD5 97ff638c39767356fc81ae9ba75057e8
SHA1 92e201c9a4dc807643402f646cbb7e4433b7d713
SHA256 9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093
SHA512 167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

C:\Users\Admin\AppData\Local\Temp\TQQe.exe

MD5 eadc91662c0ae9805a0c8caeebf97949
SHA1 498e83a9d40ad8eb508ff297d5e7fdc452e7496b
SHA256 b8926fcae88a940ad3341c11050c7a190a9cec809c5a79ef3b86ee70d46e7d23
SHA512 207793d58b81b50044211ea956dc66e224f1ed55fe322e3e2ad853bf361ed8354ce6da8a1b75be816be1e31842c548061ac358bedf6b6f9b122d93b87d1fb9c6

C:\Users\Admin\AppData\Local\Temp\XgkS.exe

MD5 90e328ec3711637efe04cb0cd9e06fac
SHA1 a4fd8c26b14b12f60fd4546743290ec8c8590696
SHA256 4351ffe36edc2f1db3b974e6b10230f52a78f7d54b0d8ce7b9ea9307060e696d
SHA512 78451d519859ce4aa1413be11920635a088c1f4a5a353b5f4bfc9925aaa05ecdcfbd81849ebd5686e3b2ca22d691b948c6f7b164ca874ac9f5e3e6ca426adc2f

C:\Users\Admin\AppData\Local\Temp\WCQQAcMQ.bat

MD5 a5ae2a592ad1f75e6cca743945f9c846
SHA1 4fa8b0a2a23e832daeec1e27c3603f673cd7ec4e
SHA256 5dda748cc74409061a1b88501c64b674ae1172c5da4f69c15a4b6650f1feaa46
SHA512 c6873cf74be4bbeb3a258eb24d6ee5234035b93e5de13936eefaf63d13bc8ae9724ae6f0d0dd745d3484b1e966df9fe5e14ebefb938abe51d8a536432dcf32ee

C:\Users\Admin\AppData\Local\Temp\oYIW.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\fogS.exe

MD5 8ae9a692f33209145733ee400a3e9821
SHA1 0f5470dee8a522c082ec5afb19ac0e389c2f8786
SHA256 e222e3a28a3f0e2cea806c5f204c8daad7b3bf5266a07fa2042880cfc62a1c46
SHA512 0d85488ced8aeefcb86ceb6f1bb0a506ae5071b4ae775fb2887107e14ed120b15a7818ac59b045cac21087bcc9776c89d93e46f5ba7851909fe75fce1a0f40bf

C:\Users\Admin\AppData\Local\Temp\dEYi.exe

MD5 48ec0de6065c17f1f0de8c80fb14a77c
SHA1 ad0a6a412c790ae13427f58cd0784ef743c681f8
SHA256 19d719d7df7ca7a61932ac49834ceba45135eabb28ef01e8da67f1d81a48e283
SHA512 5fbff6eb8f522457f2dea988bfcdcfdecfe45024fcef1c5b5e2b4f14b920ae8d6de76393d247b379d56a3f2800ce29d98f0d8649163120ab6ca764033dffbe5d

C:\Users\Admin\AppData\Local\Temp\YcgYkIsY.bat

MD5 cd1b33cd51775bb8ff69d296980a50b1
SHA1 3f3605b5ff18a93bf5d104f7afad5d665d90a8ee
SHA256 b44ee21987acb8c714457722df07797cf9f513f2a3ac8b91cdaab7fdbb2a0824
SHA512 23bbcb51cf6565faf2514904f2215605214f60d949cc6061ee792d2d3c2e96f402cb347d66cceab3e5f6ddb3383d8e1aae4b441bb2f2694cab057248584a173d

C:\Users\Admin\AppData\Local\Temp\AAYU.exe

MD5 b9163f64d2eb7fc5b4022a6d5fc400ca
SHA1 1df2d607d0760ea56ad73804804c7a8900468fd5
SHA256 f2eb11559baf70b61e2c347f6444a3ece934267f0f729858fdfb6a7a858e5bce
SHA512 9089af319de7d0d8fcb541f611f61a2efd343380437a5e04271f647381199f6f897d5e7d0df49396638acb9d823b7b8659916f5bafc13600412676881b96f05a

C:\Users\Admin\AppData\Local\Temp\EkcY.exe

MD5 4fa1abbde2fe0084295dc64334db50d0
SHA1 b33d6e9aca21eeb0ec4a20d68ed7f002d0dbac2a
SHA256 1e4d7927d0c4dc299a9738c817297f560dbdc2977141ce9ee6301ee50c09a676
SHA512 3bf708004fd5d9f6b3f398f27dc8616dfaac7193cf52758da4ac7f7a068aa8872f86ed28bb07168378a1c6da8592423d3646c715b70bc71298e95a2ddb41cfd2

C:\Users\Admin\AppData\Local\Temp\VgwG.exe

MD5 5056530ffbd5c9c0a3adb4365728a31e
SHA1 b3043bb6084ad15157ac7f4dc7260c737d09183f
SHA256 dd4ea3bc1bb467790b0ccec2a966208042100acddb53a489da940359e0ad9c93
SHA512 d74caed8bec3191efeb30de8e0b953b04322652436a6b581d62efa4dce1f39b314a3c4a01280dc930547c4237d24619650f107933cdb81b882ff3a6af7369139

C:\Users\Admin\AppData\Local\Temp\eMwO.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\rEMk.exe

MD5 1462c92e3d1cc54e91d2c4c1d9fde6c0
SHA1 2f8fd3b676f41d08bf1dabe64dae22dd9425805a
SHA256 5f30782ea9184f91e66da4448bd954b044f8bb5af1119ab328a3739cee1a8246
SHA512 abf49389f0c07a7c0f1efaa53cc461a32041489050a31619c5c059fbae024701043e7398f5efdb290a8e0d8b7f0629f26f6e1d7cf8ca1c7f9da518b7d5ba4904

C:\Users\Admin\AppData\Local\Temp\YgMwEwYQ.bat

MD5 d723c857a82e368c334ef3a614608927
SHA1 f7b6dd362a39921acd0c560a5ae568d1e9d088aa
SHA256 3b6bf67719a4aa6a0550527853aa9c5078e0ee6e4e99eeb68a9a102ecb4b5c07
SHA512 1f92fff9df93cce1a44d24ec9dc90d49f910c0e355d351427300a669e1b8a527e4bd62f3fc3cf8be7e0af2610b97b2ad2307b79baf532d25ce07e1eee7efe883

C:\Users\Admin\AppData\Local\Temp\ugIA.exe

MD5 1ec69aea05397be8675f7bd42d006005
SHA1 4a32b194940f4e9fd7e7aec18335be0569e0ed02
SHA256 701ff655b57d9038a1d8b29b98cd458607acb60fda363548ba559c93ab54aa26
SHA512 32cd4e1476c0d145daab7452a957877bfabbe0ea4fd335cbb9e5ad3f4398b3cc0138df225aad07b5475e77728b8038d22f40d28a25882d8335937e08e595d635

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 10bfa6aba1f68aa508b060c43a53ace1
SHA1 ca83fe87268a147429bfd0492b8c3abaa8104de1
SHA256 11afe63387ec62e7feef949893b04077bbc9dc59bc8574c5aa4c4ef4f60abe95
SHA512 86ace25a2160876cd222f642dcddaec47660ccc95378ccb4ae13ce12cbd7d834a36fc63655b307e43968788a542a6f8b3b35d64af9db21e5392333dadee3e99e

C:\Users\Admin\AppData\Local\Temp\fMou.exe

MD5 425993518f0136ab3ed23f58d85c43b6
SHA1 c1cf11beed66ffd095cf5103995d3de07e619427
SHA256 acb13dabb15463e8637b48b6a4818d30ba70e39e759902393cb5b5f2e261ccbb
SHA512 015f3dc9067e1002c23b363c6ec0558890499ac842b25f17d3448477c0bd8f1945b00a2ca3237d5ab01a3dfca15093c576de2e29632b47b892fa7a4d1d09cbf7

C:\Users\Admin\AppData\Local\Temp\XIES.exe

MD5 7ace8fc883de8b29417b5cdc448b1db8
SHA1 122277c7a7ebdc27e5dedc199e8b7fb718a54f7b
SHA256 a3e0f324c56e9e27fe9f6efecd07036782ca4f4c8adfcd1a79578c6c13643538
SHA512 8958384ac44b23335c8f83e08c4eb64cdd783f9878caff91e0ac16b90b0b013243678626e3a0bbed06bb796b0d9b0c2434b7a8061bac969522cdc1db0abd9336

C:\Users\Admin\AppData\Local\Temp\YwMS.exe

MD5 0ccc2a777511bc76b09e745d9e2ab43f
SHA1 bce7b81c1b78f3449330a8771669af65775dc07b
SHA256 0a4388d880cadf923fa5c6fdb23cda2fe4809595d29863d967ea420748fe2368
SHA512 84e0a9f27dd6adacfeda8900bcedd39d77228ce7fee5a006d504ac838dc6db1a7ab613f4a7110310a80bf8fd77a6afdfe82f5931c6a5ea95780dd55e012eb628

C:\Users\Admin\AppData\Local\Temp\LcEM.exe

MD5 c108c87b1b9f0dac5a03f659b159810c
SHA1 142b667b8d02c544ceec87c534ab4ebb27a54762
SHA256 ba619cdfcb165c553d8339977b26135b4baf37f7f4eb58488a42f5d56475aa9a
SHA512 add393541704fb4c0fb30858e3516e20effb5197dfb4d9574a295dfec77fcea9a8ff31405506cb2d2cce3fd39de7f99f0d60cf753ef749767a457bd90d69f848

C:\Users\Admin\AppData\Local\Temp\OgYo.exe

MD5 006246186e38a113241940dd56aeb78a
SHA1 9e80897763dcdc796a2e675daae5964e7fbdfd2d
SHA256 b35906487c0588dc2337b4f9815c21d43006ee331c5b2878ccd4800eb219ae1f
SHA512 2963a1c95f59243f3ba867dcad2d4e74470bb05f9c071cd121c77bf0d5d2a1680261c8f841a573e26825dc39bc94ab8d1f6cafa4af443fef8fb30d3fb4526288

C:\Users\Admin\AppData\Local\Temp\awIk.exe

MD5 2c03f8d7bfcc38ac698c2e198053b859
SHA1 12bc52a14cce1cca8ae200540fbe541e9c751d1e
SHA256 341862f22bbd3bf0cd45ac1e084daa75ab9ee849418d91c3db2607755020e95b
SHA512 cdfa830bad00a8048590d68b65994a9b51093a7411df192cf318c24691f0d87f62c241e6d1c00d31491f69cc2e0c892a431d133c139fda73213682d1f03a2760

C:\Users\Admin\AppData\Local\Temp\wKIEwMcQ.bat

MD5 822449a1e9cfd833cee6a6ded5f70cde
SHA1 028d716dc72077471a460b590f36cabf2233793e
SHA256 4918cdf3b0dc6e46bcd0741cbeacec6d3357cef12d51f70029ad4be3006e6766
SHA512 f2b5dc5c1b0a968f5d2ab24332208e55fbdbf0f47334a8d1465053cbb6e3674f3cf18dc3a1d242db54359355c195aa38a684811fc069b6aa0a40ff117c0e4e84

C:\Users\Admin\AppData\Local\Temp\xcgE.exe

MD5 8e8072b851d63cb33b16e5d8db8dbc80
SHA1 89ef30d42447121850253dd856490e76dcdaeb1f
SHA256 2b0aa5b58a5f2806fec4931a5063bb280012d407a06a64979a714cdb58f38dc5
SHA512 b15ec31d7049dbbf6bff60f0075c6584b67b094ce042a877c42696a44a60d2f171a24721d84f8c149addbb3b5be164431b33f8fac770a914b77fc7000eb9d38d

C:\Users\Admin\AppData\Local\Temp\YswC.exe

MD5 42a685f40e387fac6727738591acdf5b
SHA1 b99e632c9874a4f2cf5664850455e662cad22860
SHA256 1449d1d899bab0d684b91e69a60611a88f30d65a4c683f206d8f00f56589761f
SHA512 55d13a6f1eb052b0c8e0ab63e0e6bfc164c59fd308c12008f2868837b4bfba0f4d994b9c9cbc1f1cdea1500ceba5136b52d1a0c33df8be740a752e202dc927e3

C:\Users\Admin\AppData\Local\Temp\IsoM.exe

MD5 81648915bdb1f88c17b5e9ce0222519e
SHA1 3c980af32784c02f39735c84993a55569af6376d
SHA256 a0335ba19c922fb293bc9236601006a160d11749b85a2b0e88659afe540cc2d1
SHA512 b58c98754775ed02bd2f26696d2083a3b38fc857ccd95016c8ef506dc72e6aa7a8273db33c47515ed813a07c209c4ce42b30fac6fcfb86c3fdd06a6af5db6066

C:\Users\Admin\AppData\Local\Temp\LsIc.exe

MD5 3687123076a716bea95821ac445ecac2
SHA1 924479b958151d07f073ef0792cd4491d2a6f206
SHA256 36534ceb420f6ff3c8e33834ec172c88b11de730f898ec1e4918f7234190e168
SHA512 da1ae79e2464c33058c59dc1a0fb39cc68582f5cccfcb527f7230be7817e503563ac4c251a1491b163ee1e0754505b4ab9757146c6383699b21fa9c3d29e0d12

C:\Users\Admin\AppData\Local\Temp\aIsG.exe

MD5 6a08b92634803461c9e03a0f147701fa
SHA1 143b5a26b6d7263f11a1003858bb812dec4624f0
SHA256 19cec1ce932df4de0d315208efa92d0a397aa4595cb5c7ae3fdb974849925638
SHA512 559b8271e058227cf1897949d9f2d498519932153a65995e2b661b2b75ffa3732bc9310657f559dc9c554380e3f490f62ae3c7d65a8173201c2596e2db67a57b

C:\Users\Admin\AppData\Local\Temp\nmUAIQIE.bat

MD5 cb8b4de4ade82979f37d784a40874a61
SHA1 5b37b00245f87d23c7efe9e3b67d2c3a3bb2c4f3
SHA256 788f58ec6041a2b032e147356811e52866d14320f0f4420fd5147870c46eb293
SHA512 91368baffed024b55d2bcdc6e0b94f8760b157826175e85eaff73f5c5b02cc4192507c035b7a6d7006b6b53b79db9eaf6a71056629fcddad80e2c33a700a8ccb

C:\Users\Admin\AppData\Local\Temp\cMci.exe

MD5 7411b71a0d3b47f573cc1c0e8ff5095a
SHA1 8461e4497613f938da19c6ba806c0731e42b06bb
SHA256 20503379ac2adda7adc215ab39e021d7260e614fac5865afbcd670db8b58ecef
SHA512 0551ccdc500c842488cbe9fb857bfa44dbaaaa30504a0ccf49a21a0f86a282d48ee59a767a389dab1379327059a9161d78c564b9d1d02f499338c3c67165a74f

C:\Users\Admin\AppData\Local\Temp\tIkO.exe

MD5 bd9951d238de145995a06bfbec06c883
SHA1 cdbabe8b48cb58ac2e640b0f8d563608ad33d133
SHA256 a65de142aeaff470336ee83872c7a991573b54ebca5657f6ba1131781c66f6bf
SHA512 0453b9401cf77aac9679a1a4c9452223a7902a2ab8046e384b45a44f72b6dbe270aed3a7fca1f925128f2340393715e499ac7a59254954d1c275003310997982

C:\Users\Admin\AppData\Local\Temp\qUkckogQ.bat

MD5 b817af96ac4346761a17637d4e97b848
SHA1 6fd7539c6613caa52dbe7851450258ba8fa1892a
SHA256 33f0752229e662a5b61bfa67dad7c2082f570bf11c44b0c9d2c5da1569544c90
SHA512 9011dfd00c32096a51dc8a44780a519d6ee802799d15f56f95477b870b3814055f20b9ae94f6e51307108aa891cd4d58e0ba6303411e943458fcde1879585fbe

C:\Users\Admin\AppData\Local\Temp\YKUQsYMo.bat

MD5 11a747691431f8ab6de5a3d9d763a7c3
SHA1 d082b767bdec0e93b99254d4b00080725de11a80
SHA256 20b7cfff83340ad0bebab0ea764f5cfe400627f1093b966aab2f04e7e7fa514b
SHA512 824bac67f3ab5c5e96261d3245e35321c1a99dcb2f0635b2c10d7ea9f2cf39bb30b0d463fb06efea5a41533c72158d1cf414000b58778a9ab0fc4bff6c2b460f

C:\Users\Admin\AppData\Local\Temp\TUcs.exe

MD5 11db37af4af89692fdb4248632036608
SHA1 9e8073ad273c7f0866e196dd267b14ac04e89a5b
SHA256 521d3fee73ee71ffa8278472a36163dccb1efc799a5cd50da95829359113eacd
SHA512 41a8d477c94255ee0f6fa4b820c368654efa8cf66a00170131eb4435b0c9ff322ae0dc96f72d3f083e7e63fd0393c501f3f8567a2f1d54555f002bbd1c476c6a

C:\Users\Admin\AppData\Local\Temp\UWkIkgMg.bat

MD5 519dd848df38027387e572e73d5ca342
SHA1 76686f14f5a1a991dd0d6eb3a32b9615d7e05ac9
SHA256 03983ebca81ebe56989c0ff292a443871704c3ff557e93e29e7943aa4f310a0d
SHA512 8e563f921e122c789d8e3da082d95ac38e5514c7e7cf57eef47d65e273a7f6af15034682107b23316152c74c9090d0ae166bf3120ecb4a09ab4d34d9fa6cd38a

C:\Users\Admin\AppData\Local\Temp\JoAO.exe

MD5 d8a891bf7e5a4254e762071ca694a683
SHA1 c86056efad27119ecd69c33b29b55e389b0b1350
SHA256 1b090fcf6d73578383df542c1abfe79757f6f4553d8ddbc0ceaca108949d9d12
SHA512 19622b8c23c4e428f2b2b7bea2526e2222f7103fe5293a4f96da0876b2e88beedba27e60e29466afb32af59429e3f9d3cfe8f33e210d5857c23666c71850fdff

C:\Users\Admin\AppData\Local\Temp\Ackk.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\bwIM.exe

MD5 d382d61d07f73a91674705be91803106
SHA1 59f25c9d24a590dbd2da4095a5e015307e33ece7
SHA256 d31f02b5b09d658f07a5835f0d4f232b0cc115102e621a711319063dfaa2541a
SHA512 36fcd32b9026c3cac241314c29a0470a0fa38672bcb4b396d561510499514851f010145e53c801e3a5749df4a4e63fb43706270bac4602fc530ecb07ca115f96

C:\Users\Admin\AppData\Local\Temp\mYUq.exe

MD5 02f4c4e38edd9d1a674194ecc54d721b
SHA1 1de9e3a66c59cea267bfc0888180bc56d50614b6
SHA256 cd8f540220486c0158870ccd47dc12f0a66d68edff347d4e21c0871586e234b2
SHA512 8e1354d6b8041cbce4f746e9d90f96a85de44e71692c2963a44fec9c97637d99de0263d18444099223f3dbfa73115db8130dcb69e66abae2c7567bfc7ad8ed59

C:\Users\Admin\AppData\Local\Temp\uQUS.exe

MD5 6ce08f2b1b63b49b14a7831158390dcb
SHA1 9132dd22fa9fc2f52d54301ab7928e1a8f24c823
SHA256 a2246749f7b503a6ce2627591fafd4fec6128e395db6d522ccead3a05134790c
SHA512 8b63fd67876955655d2112acb1270342de131f4e4c4e17f7002ac5e423f7f4bf2d0b0532c8b3a8accf44e9b80be589f1cf241b5b88a262986f1e122781b8b0ee

C:\Users\Admin\AppData\Local\Temp\XowgggUs.bat

MD5 14b74649b4f7e9a334475fa07927e74a
SHA1 455f5f969d29ef032d0072ed75ab66e1a5c50230
SHA256 9e1002991955b2bfa47453ec91bc61c8f9349b5ee455cda02b50d14c7aeaa82f
SHA512 204a3e034130babfee5010499ede9ccefbadc80d4f09ffea286f81bf28775e5d4752e7e6e200d82e058a5e73c5caad72975fe3ef116682dd24394155533f7cf8

C:\Users\Admin\AppData\Local\Temp\LsMQ.exe

MD5 918dc562433477ba28ba875fbae3f5f4
SHA1 f55c16e63f62333441964ef1b939cb595275ee42
SHA256 267b26826784d6b097cd91956fa05fbafd42e5d4215643c2cd488198df3aa043
SHA512 3cbb2cb1af12537ed6f990be6fe88ac4aa08d50293644d9c958e3db2b763164d7e2c184dadebda861237e3c317ea1ce4840fc909004a01214abb4dbb23b94fdf

C:\Users\Admin\AppData\Local\Temp\HIou.exe

MD5 beb73a8371f155f6e68dd8fb30967d64
SHA1 2e0510b4cf0ff46fd108fb5cb3bd4457948c8112
SHA256 bc4088c14501a5755b3250bc5aa82809d7e6883278ccac3893e2f034cfa94be1
SHA512 c208574fd3e8112c59bcf86ecc147a1808ed7e71f0d1a0adc7616d1d6fc33ba5829cf9f2518ef8a17c569572e8e1211bb4c5dc491a31a3fb87ee2a4d1bca5c5b

C:\Users\Admin\AppData\Local\Temp\RwkA.exe

MD5 79adb71befa9958541371ba36e933a8f
SHA1 bef3c65d2f456a8b64d7863eb415e339eb32efc2
SHA256 d35c8d377d1ff05f400919b3674bc5fd4c08546852a4b693a14ab715059beb0e
SHA512 c532f0b19a5d80fd76a33e9a59c17f9495b06e59a49ce9fee868759285432931d1eadf6c6ff4fb22c16357611176c28dee33b66ce095ef0ae23a138c1e6bf244

C:\Users\Admin\AppData\Local\Temp\zsksIUwQ.bat

MD5 8304747a692bddf5bac4c8136c83d356
SHA1 7fb3e62073b345210f1f1b44dbc432b15c058a2c
SHA256 06d65971e58ba7624a3b0483a5c83651e07633a51c181f838b3bb5dce5a3e535
SHA512 72b76e3a739c10ab90bd4ba063f7750d95d304dc47c564df233bee6abd8c6407f94805c1e646c935398a2f40ae7edb2d533f3091f38366f4a2365397c14217a6

C:\Users\Admin\AppData\Local\Temp\SEMe.exe

MD5 205ed7076af92d4059050546434954e2
SHA1 000cc16ba0ede71bdf9c3fc7077458519101a949
SHA256 b9bc0cc782b5cb79e993097cd2ce1ed3f268f5f2744b34a6fe490f9177db99e2
SHA512 be009f1f259902606778bc26dcc4f22d24a2d7c891f21ed24cfd0f96a4b0d31d632f6d25126b49223d0486fba9ddd9fca3c959de37cb3fc493c89e9dad7747dd

C:\Users\Admin\AppData\Local\Temp\REQK.exe

MD5 6699ed48d596d8c8c8aab5b7774fbe7c
SHA1 55fb6331f9c2085f2247c334c4957b36211986e6
SHA256 37ca34d28b5e1da467d8e25177999887fa5c814da732df7b439e5472fbd57d6f
SHA512 98ddcd8fd58c830b1f4235cdf1eadcb10ecf6587a6367d4cf9489b490fcf176b3a1dd266cc3a57938ad248a4065a445e35fdc3c8decbab09efa53bc1eb8d131a

C:\Users\Admin\AppData\Local\Temp\cYYM.exe

MD5 75f633ec806ea0647222ffec2c37ea74
SHA1 3d872836cfb073280f7e55cd51ff7de0f77d3f93
SHA256 a2ef9054b6e15cde6f468ac8f7b8ec4e3854cad07cde5c83bacecb1339c04d51
SHA512 9667f3fffcb9f39d470644121a43578f605efb456edb83e591aa48e79ad7c293342ac489d7e6dd93a23e1d894bb6cd48c91267cfcf01d8b1b324ff4442f337d7

C:\Users\Admin\AppData\Local\Temp\mIUa.exe

MD5 e4f9b8e8870869bd4f269cce7ad09f03
SHA1 6626190a7517994af1cf837bd46e9084080d8f69
SHA256 ff594157f469d86cb246d86d84a5465b196423c4faad4e2da83ab8aae2bd0acf
SHA512 589fd486a14f9985d0df3083597c1a85cd9e7b0c5f8643090fea60265dda4c19cddb33301fd1a3b09e15700a4eb33ffd2f255fb5d6f48ce3e3bca0635fa064d3

C:\Users\Admin\AppData\Local\Temp\nUwokcQI.bat

MD5 c9fd31ca9bf802659e93bfe83cab32ff
SHA1 ac46da0e78e29a16704ae0ed100ecba06a24eff6
SHA256 015743f739b9bd8f906dcc6c7fd6aa55a5bea5fc81e55dbc54f5f732b9227db8
SHA512 c5d024ef5e34ccc7a8be3e5028e5cd09b18db77dd190766501999923611ae04774a0cd6729d673478909c4180ddc7ff57299f5ae1d89889d56da0bfb0030282d

C:\Users\Admin\AppData\Local\Temp\Icww.exe

MD5 bdd755b608ba315fa8304852eebf408e
SHA1 97bd79f8fa847773454e132685c7531c073f39bf
SHA256 f544bbd7676a0c7ad4da643f840d5c2586114162ad2fd2c5bea89fbf1a5e200c
SHA512 e190177c25cb5e9c53db60e68c4b0026b1f660f8066e6c1fd007f227f55fdd4894f98fc5cfe94798ed3c5d6040b07a0ca3260a5b3ad58857d206c663b2b293a5

C:\Users\Admin\AppData\Local\Temp\LwoM.exe

MD5 809d15fc1e7e1d6d158590c20d719ce5
SHA1 7e820b2ab96c9660bf1a41ad322a005613d36831
SHA256 c64f0d704f0b6f8e81c557c8b025a343f4dd0edd3512a610cd9aedd9d74d0430
SHA512 4a690071203f1b872444dafb7fc041e4fcb0afd1f3dac60c89cbc42f3f3abcac7838f6c33587995f6aef500b631d70f7047c04e810cdb01cfe51c3dc552105b9

C:\Users\Admin\AppData\Local\Temp\Sswi.exe

MD5 08b8ac9804ce9fa404b0eaf0f32c5c07
SHA1 ca0c6308935b6d68e900354a29a4dded20fe2742
SHA256 da54a4934a5836321fce6e69b76770f9d8967a14b7977e4a3230e46b2a395c1a
SHA512 4774d3b7360de1b5b8adfda34ed92306d599cbe1dd3bfccb79e5d67045690dc56de346b7c35ed307e4a2e9b508619becdfa68c7856fd772a24c3a956ff7cc234

C:\Users\Admin\AppData\Local\Temp\KgYEIEAs.bat

MD5 e2786573f06ca258bece7fb323b9b7a4
SHA1 27e18ab6664e7f3b00e66f5754f52fbd96f6e4e4
SHA256 a8930c211805a583b945cbeb58513cd303479441d579884f06e94278f599ed26
SHA512 988f9d05231329bba1085c7b0a5ffb345d88be714d8149cceb8ebf6e9718a3133ed94e862051ca7c05e3544a81a8d25c5c128bbf06b2d7b58ed56d5cc919f2d1

C:\Users\Admin\AppData\Local\Temp\CYYM.exe

MD5 a2828dcfe51fbe19e8fad22c7adaca2c
SHA1 451d600ac042efb1b98f9318bd2dc37ba4e62b6d
SHA256 9e743e45ec1143a39723241f2299d20578a59cb349f50310054a8fc2616c8517
SHA512 812d766944f07afdd1e95f01e16ac61dbaa9b90fe3ad5da7e68a02fbd3b5b4914f2673ecb8a9f9eda9ff07e387aed3c1ca291b8a2e20d083dd65c68db7c02d03

C:\Users\Admin\AppData\Local\Temp\VkwO.exe

MD5 f4a833598b6ba85465f7da1d4b073c55
SHA1 f71936e13d428e5fc97b7b1e895ee9aaa38d640f
SHA256 50ff0e243ef76eb003a95e0f16fe5f01d2691cc269def46794fb373a5f79ee48
SHA512 0196f6328773c6a2bbd72d2de2573bc601115db5bf48fe26015d520468deccb822484721775270abbcf7990cf42042c514a0bec6d8936c56df2d0d96a6d0f015

C:\Users\Admin\AppData\Local\Temp\PcYu.exe

MD5 3f70c453e6fa9ccba6d3df4dbb6926ad
SHA1 2b4833c81499da6154a102ab34a74d1102f23a55
SHA256 14379492e09268b78cf58b3cc3170f7e492ef49806de24b6eb4db4c53198d8fd
SHA512 fbe32bf95e81a9dfab5eb428ba428007a1a20872f1362600a801f3c9e1d6aa8dfd10a011f456ce7b389d3a0f2fa32b1c8c2a959c7347f92554b17f4863a2710f

C:\Users\Admin\AppData\Local\Temp\mksE.exe

MD5 b659abc66594342d394fc73abfac7a6a
SHA1 3cf289cfeb0dee0247746e3fe3f01b51b47e8248
SHA256 7b8f319b191e8015f428f1609b6ad3cea781868818ab70cd824c095f20e8a0dd
SHA512 227649659559fb44e675e9fa71692ca04621f58d7c69e670f8b37b47c87b56b96bdb58366a462cc77c939257c05c0ff62d003ef824f66c37c4e1e0334207f6c7

C:\Users\Admin\AppData\Local\Temp\yAgoAAUQ.bat

MD5 fab5cc02c57fe6b0a0b8b307f261df8f
SHA1 85140650fd58be51e3734e6b352847dbe2291544
SHA256 e8e1c5bfe2b1ea1d4864bdfe171a4d9f37c33299f0d94eab81c33fc6a531abc4
SHA512 88a8747df8f3aed573aa8427a7d02016f90d926cd34b5740dbb1087b5b7c6eea5713c3932aac15d262be040db3df0d666d7c9c67b37534a68a5e940becf2cdff

C:\Users\Admin\AppData\Local\Temp\Sowk.exe

MD5 a99cdad04f9185421a29768c9c48639f
SHA1 80806ddb0eec55c3802d4013f8a5c414630d022a
SHA256 745247d0fbe1cedf8a916c0a98ccaa29a9bd1e65ff0bc8beabea0b78dd6ad08e
SHA512 bd73b1f5b53b99d8ad012fbb4353e109c9b2993dda2b701a7a360a3a503563333716ef7d48862b10d85d38df8b6be497955c0ea6bbe8e507ddf2db896d3b2ba4

C:\Users\Admin\AppData\Local\Temp\qQYc.exe

MD5 4d4e702efefb0e35cc9071ce69ce29f9
SHA1 dd56cf9c77e56c33ee71c80c22f8764a6123c77e
SHA256 2c06769a039e23c65f9bb306d6a94de2c8e2ca382651c48ac02e181657614e67
SHA512 fbd8391c9d1add47be39a280ab08410378d6e9dfe5178bc671283ec5059ba5c35450a38d719aad30193193a8aa9e65cf6a4485e50bacd4f48738758488e5a0cb

C:\Users\Admin\AppData\Local\Temp\NAkocQoo.bat

MD5 ace230ceee25cbab84a2508418634692
SHA1 fcba7b9b910554f4268bd31dd5e49b7083d0e4b6
SHA256 44700b3e18bc7c4c0da018a3c1e895196bd426711fd972142d862fa67c3d7fbe
SHA512 922370be98094b4fd3c82dd595add38f971a1b77d32d942463d4f23a3d9ef8c41cd42ae2fb76d2c3696edb1310fec117eeac02aaf8a679c414760594c8d76e1e

C:\Users\Admin\AppData\Local\Temp\RcwW.exe

MD5 85f683efd58566ccc26e096409488e8d
SHA1 7f25d465e6590f94745cd514b3d0d53190b823c5
SHA256 a9026248f839914f5a7785712acfea747176731286a885e09518f1a971219b77
SHA512 775e76a443a6949aba6c0f0f9cd50378f9a712d9b3d6fb8bf2cc39f9b77c25f1867b9a623fb3d8b4c65e059c31fcccab2bf7f1258773636573794dddb9c4493c

C:\Users\Admin\AppData\Local\Temp\AUos.exe

MD5 1223cb82b5fe66c2c3f0de60caf8eaca
SHA1 36be1bc03ac75f1509b149393853ebb0bf486dc4
SHA256 23ee18c4af981e78aaaa412d26bea856d9953a9eb455a01e224b172df64264dc
SHA512 379827d17b2f0a6912355fa6b657a5da5afe8189b592fa26ec6f488971b9e758dafa7476b48a5787acb30c9adde004d5e3924406eb5fcdb6dafdd9c2f6afaad3

C:\Users\Admin\AppData\Local\Temp\aAIi.exe

MD5 6b1fde902a3c88639947aea3c35fdae2
SHA1 b5db19becae6c80beb9b367182156253e20fe54d
SHA256 cb623afe3ef122056f470f4ea313cb925e53a22e5e73a0715591bed1af366b56
SHA512 88eb29451fe2dffb9d294037029965989df0072a4b9482f95529791407e46db524c74e41c4e61711c2808fdf62cb101f61609e327ad2aee039ba9ffb722ecf1a

C:\Users\Admin\AppData\Local\Temp\hSgUoQcM.bat

MD5 adef1738074f5601f407ca71da2ab7ee
SHA1 5b5bb198633821d0c2d0f2ace018c334c4a07363
SHA256 110a9b93d4943c8d7941a75f2328ec4a2008aa52ff68a6190ef08171f0fdcee1
SHA512 51bafe99bef4071005d308fab41d88dc2fb9c0bd840714315e453a01e52c04678a5eda6d10b9348e56451f51d2f3a440435d9bd762b8a9fbd1486887adf2b312

C:\Users\Admin\AppData\Local\Temp\IMMu.exe

MD5 8450b29d15911d84616d90ef0567012c
SHA1 6f6393615b2fad67b06620076790320ea033dc1b
SHA256 985b9afbcf2d53826a70f6043e7e06e867c344cfe1d5c4806169608483fd39f4
SHA512 3fc529885f58c79b30afd2b8ccd392c6b4abcc3d517645688c71696eefba91f4470f1c9d68d1e0e2f79491407b6761f1cafe3f985443431ae06b5969e960b2b7

C:\Users\Admin\AppData\Local\Temp\bmYEQAcc.bat

MD5 bb7f9b13f8775f74333d3816657fbc86
SHA1 cefdeeb94eea97090c60ed6b2337a5b23df445fc
SHA256 dc3977f8be984149f30ab297f62b6e0245953c7d4d69e5a334cbf1bb2814716e
SHA512 56dd770a9f8e5d7b68e859c3a65fca1920c219f64c5d50fa2f7708156f0a027cdfd391c43e858417a8f28bd197196c1f09630d091cbf4e97d6f40a4884270451

C:\Users\Admin\AppData\Local\Temp\nkoq.exe

MD5 e2ab108d7c47232ea286bea24d71bc2f
SHA1 8621db95b1fc28cd4a662e4b386063ecf93c1836
SHA256 94378becf79594e58a9e26ed7a407858ff55f50ee3393abeb67e53d6e5b44df1
SHA512 ad47e2df506db8091c0d72b56ed7816f9bc987e3afd58b3647e94390689a9468727b87f338669296b565a5a9121c3f540e1a2e2ba8b11086604738b908eb1960

C:\Users\Admin\AppData\Local\Temp\OoEi.exe

MD5 6cdc477f0bc2b07677688f8d0e743890
SHA1 6200b677cf137b284855637f7cb096c2691c44bf
SHA256 afb8b1011f967164c8f6aaa0242fa96e96bbcb18b8f0203c1b35fb295d72b1fc
SHA512 b14d6c96b1673437f8f0da6c963254c9c07e2d02dfffb615fa3375d915141f2a1c1a91b35e0454ca73de0b4a4c1684bac0aa6e498ebd3a03a316235202ea5e16

C:\Users\Admin\AppData\Local\Temp\ekgO.exe

MD5 3137f7d0337a4dfd2d975855a4b2dc96
SHA1 4b36a4f60b4d42c79bb9a98f3f40586a815b02f7
SHA256 de6212ffa6feb58410d3118923118f40eb7473e2f0283f38f31b46b4a42563f8
SHA512 b266dc3a3ce9e015156499737ce2bef3bcb89bb0401c3340abdee7ab98407e2244bfa1c0f27a10a97670354e66cecfdc3b1ab16018c4c0fd1d0aa6da055fcec3

C:\Users\Admin\AppData\Local\Temp\MwoYUEAM.bat

MD5 67cc489ade813466070eb8f55791c4a8
SHA1 4b8511c6c0e5829924e3b818f6eadc19964550c7
SHA256 35be1dd3772aaa1edbea7a14be3838987122de92eba7c3bd3175f2024db409a9
SHA512 2f4d2b45a07277ae2c157fc53d27a8277dba0d8229c24b297c0c8801cc0d2675ac0c7b059ffbde383c92ac670ac5919322ee12de948d0d4225417c6d8314f8db

C:\Users\Admin\AppData\Local\Temp\REww.exe

MD5 398b9755f840797cdf596ec860799cf3
SHA1 c195d487b503172ce3e0ca421c8a539e304b0df5
SHA256 f2abd90ca61b586bf2176035a0a2b10fe4783a111c8c3a7349c50d1ea75257fd
SHA512 3667ce090ea9c5fe101cecd8792560d40d631d068465d0ea12a142fe10c41acbd0b9d447cc54aa47af1aef79b42a16a83d15c0eca58d82f9ec006be46194f72b

C:\Users\Admin\AppData\Local\Temp\eEUK.exe

MD5 dfacc8877e5e337ae017f70efeb5f727
SHA1 e0b34750cc9234a6415e280c0333b32c088219ec
SHA256 df08368e68291d1bb8ba4c1eb2b356c9f1c5d1cddb68af396de56ecaaa2b3dd5
SHA512 236ba4baf1474dcbf383078bc2ee881dd997a312c25e1ba09d9020323343c231f0b48926f8e06910042044cd7b029717a41e01680eb164de110137bef3edb0ce

C:\Users\Admin\AppData\Local\Temp\gQEs.exe

MD5 580cb892c47684b6e3fb702e7c808ad6
SHA1 1ec3b6640c5aedc574949b5c63d2da991530fb6b
SHA256 692436ff8711d02b3e5d17035d16406a3c09339d14f9621813f2f78f1a7bea65
SHA512 28806d23f31edea53119e1800df50ca265306ec2b450f9e21b5417e3e0aab3a3a48c85112aebf6881fcc132896c7fe069d4a0be9c2a01f0eade8bb3ea18efa84

C:\Users\Admin\AppData\Local\Temp\Oggw.exe

MD5 548e79d45d470a5e267811e6d4b1981a
SHA1 adb3e81e9d9a932690cbe535c6b806ecbaacb451
SHA256 b2c44341ceb00fcb03511118cf8ca5bc7325dd32b412174bd37e58cd0354b11d
SHA512 039c4daa293c01ca7fcf9bb6520682325cb41a29e8209444f19f25b9555b183c71079e9666cfd26b9f1464b3c530ea5881d761c3934bd7f8c837e8c910992d97

C:\Users\Admin\AppData\Local\Temp\KcsM.exe

MD5 f150142376b24fa75f10658af50b743b
SHA1 b364e293fb8373104191534f4cc713f820683914
SHA256 e8ad09f3feed244e02532e96a4d44d02a6c81768be9f010e448a85fb5ed8ec60
SHA512 ac81636bf74b538ba0620e2cc8b1a9302fdbe0872b01e5c9e313d7aa19f7f7711e7ce9a1f70e28cf06c0f034eb27e742585ea36a19c3b66cda6aa4c8c8e44b72

C:\Users\Admin\AppData\Local\Temp\QcEA.exe

MD5 b8bd5cbf874d6bc779cb88487a97b464
SHA1 13e551436a18b9f86112992f0153e575930b2da0
SHA256 48e2623ed0a780ff5e2075ecc474f025e0c284400127da68eff65f63d24b2c18
SHA512 0ff04cc3e36ec484c2b45fba48f0559c102a6d6d368c844c42729dd6483059fdc759ccadc2c62d098dd4ffa0a2957ce8acdb077adfcddc80ef58bb39f0d2e2a3

C:\Users\Admin\AppData\Local\Temp\RUss.exe

MD5 f82d2eec3401835160ebbe2c8180eef4
SHA1 f93af6853c1b667755909f0265976ccbba529ad1
SHA256 c46ca2b15f036d165af18cef1464f8548d186d127f105e73edc1f8285410912f
SHA512 312142a3f7dfd57ed2c08d4f021fc5c7bd37f7cd949c4eece3d30eac1a8e79958babe0f22c60b0d53e667c561261ccdf1cf236755980885b0e5dddb7b1942ce8

C:\Users\Admin\AppData\Local\Temp\EwokQwwk.bat

MD5 6bf282a74918890e4ef28cb8574d963b
SHA1 2138050eebabf561bebb339bb1ebdf678438ec4c
SHA256 0606178dfc91fc1783d0ca4a30b2bbbbf0e64f18a35a611ea34855d21d113b30
SHA512 8427a0c37504521b50ab6ccdf4d1b80057f0a6d8af20342c723c35ff0af27b6fb6e0ea013dbc3a5ca8e9a00b2790d28a7a0f2a9782baa5e41282cf08f96a2c94

C:\Users\Admin\AppData\Local\Temp\fGUYMQEw.bat

MD5 be1c1f9fc4b2e675d98e64913e523ae5
SHA1 8b9031fe4f76f9966cd0e4f86bc36d522beaa22b
SHA256 9ce9e57f3c0202c8edef2e663700650bc88f23f70f85e3dc89d24e8356ae9f63
SHA512 222eb680f0e16915aadba92bcbf2191a0ca02d59e3cdfbf4c9e494601401c45a692803882cc18018712d210c4eba308d5829c2208a2166345a9acb82f1736c96

C:\Users\Admin\AppData\Local\Temp\EwwswUEY.bat

MD5 467ee3d0d05110b783afe2dbfebad6e4
SHA1 1f0024d4faa4d162400ba7f3c21ae8c779d744bb
SHA256 9de3926915abf9ed8b6be4277e10c22b37dc96196c9a6ae5d17da5ad92fd381e
SHA512 d4694183b8d8f2c3a7519e73c101aa0b8a9336022a4d39c5cb90e687410eddd89e33cf53f043bf630e6195e3844dd4a5b2d24910321c38595250b9255790771a

C:\Users\Admin\AppData\Local\Temp\FQQIUkss.bat

MD5 eff34a47a9e173c72c2db1ce20854548
SHA1 5d5a916ac8841eb92e25a84422c7a4494faa3172
SHA256 4bd8e27377dbc62ef433f25360192aeb5f1c25b9694c03e9344c4fdd30b0a756
SHA512 f2d5de6422afb31fdfa22291aeb639bec32a0230231d50ffbac5dc95999a035d394700639ce12e71d9a05a65aa2473c2b4df8291e976e962ace548c35845bf8e

C:\Users\Admin\AppData\Local\Temp\EiUoEEws.bat

MD5 7b09950fa43dc58b1cbba4e1d746df26
SHA1 a87b1d6165d14e67fef0a212cac926a2c50d97c5
SHA256 b052fff9bdc0181ba47bc4a7a5d8fe2dba4ee81ec6f40e029f8142c21426579a
SHA512 5da4171bed73382e4e673f0751b79cb80e7860e44a3f21a6be90d599a1522256e5d62f636665a2929d8c8653d43350ba52e63d2aef118d0faa7d1a3e6b71e581

C:\Users\Admin\AppData\Local\Temp\pqQIMwUI.bat

MD5 a74791feb7d0a2384cedd05fe15b4ddf
SHA1 f7e2ff531920d55a5c9001e1daea2f25c0aff76c
SHA256 169e34c84311d15be4e474692727abd0d1e0a556eb85304ae291b68a7a552a5e
SHA512 b8522e720bf9af672f93585f1f7fd3211b81f584cf68f8782d405499bdc8f3e78335079f74f978d6dd79239b427a45058b5439e6a0b0405b848d2a0de9689c7b

C:\Users\Admin\AppData\Local\Temp\ZogkYYQM.bat

MD5 dbe487b046cf55a4d11cba6c1e1f8262
SHA1 250bbc8ea86a7032d5d61ca5c5d1dfadbc68a8ba
SHA256 6d926a84a448443d8d8f6b91f871ef143935e2e1bbb71ebe0376d907f4fe73c6
SHA512 1bd860a147a4fe9aa3d71064d679df4eabcd0197469d0194575b2f3cc978fd2e8b62cf51c01eef658c00f18c21f0523dc864f7532e6d28725dcead312f5f42d1

C:\Users\Admin\AppData\Local\Temp\NgkMMQUY.bat

MD5 f5b57bbc1a830a725ce7ca884c72c45c
SHA1 e0acf38d317491181293fd50a724a8d6a669c530
SHA256 d0137cd12d390a612aad0d1d4f46d2e14ba4abb9c4597edc9cf71e30386a5318
SHA512 464515d0adb7050ee929851a35c8b93bc1b2b7ce0b59290ff1badbe850ab7b724960b96cd92991fd69bc480cbd60c1386dfb7c1580e7715c57e71455ffdfd42e

C:\Users\Admin\AppData\Local\Temp\HuAowgcI.bat

MD5 eaf62515873fe3084ef9828daa7e4046
SHA1 e4086549480e831b6c9ad113ada2f5eef6cc65b5
SHA256 9677392095002e110bcd0988025d9cf5ac448de441167318bf59f0a3119bf0bf
SHA512 c031aad14bfb9fa5e2435d54cc0c209df763266c096d67dad1c630b93c0e147ab38197601a2d74240d0b9703daf15d9dd5dcbc59ea153f313b0e3abd09ce21cc

C:\Users\Admin\AppData\Local\Temp\LWUIEgYw.bat

MD5 1315e6a0fa3359eb523335071236c4f6
SHA1 fb5d0dff72900957205d8347806ac8169ca9dbac
SHA256 7e2dc1c00cd01da00934b222eff6a4fbb466bcd6f5a721288cc71949e7a68af1
SHA512 f7ffafb88f777cf3c87356e318a79ec38e7548ab179128614a12c83e2ba5c19b2a7e01be6a6addd448cfbe3c45a9c7aa63a69478c086bf7cf8f1460f52fdc962

C:\Users\Admin\AppData\Local\Temp\vgoAoYkE.bat

MD5 e770c2b1a19dc50d1bfa6f8cfe84da0a
SHA1 8bc53a782346c761c0d11321a2ae80edf64230a5
SHA256 a3b24d6928aa4bcaa2067bee6f5660fa7804db3f3385c160e120ccaff7363eed
SHA512 e2bf1971ce87385b84441db167794ca8b8da150c694b9909d3ecacab496bdbf8b376955ffb1e15479f8d1f3d3bfc47872340e1387f3bed99ae53bdc2dfea9386

C:\Users\Admin\AppData\Local\Temp\nGQMokAI.bat

MD5 753288c20a81302a9c89bfd6a74f2795
SHA1 0bc71e26470f4002f654489b0b3280e9571b4773
SHA256 aa62d12fe596768d97316953d891f30a6bb5ecd412c75c195b67aedbcb5be8a2
SHA512 a9a7c8873bc243aa34f1b781d2416c3f9d128adf212e68f553cbf984ead1ac8d073fe09cba1577485e698e770c68a24bcab1ee3d92b14221541be926510f8b63

C:\Users\Admin\AppData\Local\Temp\zCcMcAcc.bat

MD5 4a00c3d8cb841cbc282e64c5566b0a65
SHA1 264b69066fc7a42f245a7ae1f1c1822d98ddc117
SHA256 54685211efa36dc71b6844a89f9ab7b494a797e116c4349188c03fe52b87467c
SHA512 4a06d6028d008668219b9c9634f01c2254f20308ea0ea9574f6d0063c9093bf07c7d8a2531923fec83805326bfc50291e11ff359d832450402ea378aaedf1a3d

C:\Users\Admin\AppData\Local\Temp\OEUMEUYU.bat

MD5 d8114366465114acc4a62a670c718df0
SHA1 3046b2a500fd80140b5708a15daabbbd0e642693
SHA256 1faf3dbdd590cad60d18832a9fbd51d0ab82c89f20927909ea68fb292cd88b98
SHA512 13f762cfeba0a095f1abe8c378a68ee5cc0bb37bc3784e15c8f082de417ba9d305512751e72b880fbbcdaa39e37927084667d19e1c0f6d154af4ae5ad7f8a09f

C:\Users\Admin\AppData\Local\Temp\LMAEUIwE.bat

MD5 cd92bdf34b37ac79d01510469964287d
SHA1 eda63403f40ddad2368fbb7f4f80e78a6360cc5a
SHA256 c494028ad9cbd5f95d3ff354f2692580c1e2f7e65900e41a9f6d0034e6b999dc
SHA512 931a34387843cb624ee8b4586416ba329dcbe03a65c12ef11fd0dc6cea1285995c71f155b8a9145c92364791acb6f0f805f4f4db1d0a6bd5766a7d93da7eba12

C:\Users\Admin\AppData\Local\Temp\VIEoMEYA.bat

MD5 fdf7a9a7e07b7dd4a076ccc25569f7c7
SHA1 9a4cf9e2d1204e2e0677b6289abad8009f6b06b3
SHA256 1197057dfe7da6ae714d323553578794090a3db5008171ac39e865b465e5f0e0
SHA512 d79bb2f208874f7b68598d8e65e93850d704300fd7c2e374b7ce0f4354b20168b65ac5103cf33acc2243d5e11b674043e8254cf24ddce9b5fa617b884b698bb3

C:\Users\Admin\AppData\Local\Temp\xsQQMwAA.bat

MD5 f1c8a8bea091556fc06e460e16ef9a40
SHA1 be6c48cd84dec2fb97b5b544a0c7dcd2d3e11ce8
SHA256 d8dc883041f7178566ba4fb1b67d76d4b9cc1cbbc3a38fad8bda5eb8d2bef11c
SHA512 e297201532afb2acb61265c985937f0cfe1f1ea7f065b58915573212e8064fe246d70455f61c728f495b712f96590b7392ca6d7287864f9460f59adcb181dc99

C:\Users\Admin\AppData\Local\Temp\LgYcUIcE.bat

MD5 48e4b6e48758dcb19eac02881a99ecf4
SHA1 f511d7ea38775ec8673c905f4d47493a06f7db22
SHA256 c0e52ddb33267844919180415ad2e0b6cfe27620ea76ccbb3883fd3a8ed3fdcb
SHA512 033dec6172cc0f077b097236fd66db448d40e94f1776be010024f193628fdac92e64046c622fdc337bb3eb5ce498a7f546cab8f8c7929e39b9cb8485f60c768b

C:\Users\Admin\AppData\Local\Temp\VSQEQcEM.bat

MD5 44209efd29eb06c27aaf21b76686d896
SHA1 8e70298b268bdae273ed4ff37b8e51f894d35776
SHA256 85565cc7a59b33ac95d1a9684d426603b1c8703ffccb3ce939ce460fc5a859fb
SHA512 9ccacf8d3e117c25cf45745e893302ac72ec840ab289c55e97d117377406e1b8a1df041101203d46198ec58041f997ba047b0f291b758d390aafea2c02bbda34

C:\Users\Admin\AppData\Local\Temp\YekQYEQQ.bat

MD5 ed2fb463a40048465aef2e08b4b5b562
SHA1 b32cf0c7c041b441ac5a6fd3d96dfc5d223a4604
SHA256 086f3287aaeed70a54da6010b1fee10f51d491e30aae8f671782b3c84905f7af
SHA512 ca6b41b79abf813a5581fabb37c5b06d218ee06aaa40e22f67590dfab75ed8d2a95d0f53233f1268a3744fce1eb772bb0f26a173ed4193e4266856e2124a5db9

C:\Users\Admin\AppData\Local\Temp\ngAEcUMs.bat

MD5 d1ae67738efac8c7c9a68666243f0975
SHA1 d9871e7b5b02ddce8917bd4e0790ecd8165c301e
SHA256 f00437a928649cf0c42249a604e5bb4f8fdaa32c476a3707830ed7e6979e190f
SHA512 2fa889de9d99f03851e966679a0d5f13c2fcdc6392d9a85690d31c34f8a240c2a0f965a94b79b16897d9049a58ac6dd1e4edda003b6229e1d81c20e319a08cff

C:\Users\Admin\AppData\Local\Temp\sccUEUUU.bat

MD5 83a882fbaac509e371834d359fe41be3
SHA1 ba560838cb53c53691d4c0cac9a126f87860f7df
SHA256 d242b2fd546c29cf84de15bb762df72a5b836d589cfade12c80db84decc49274
SHA512 21498ee1a4e536371c9af1b5d21652a1613f4e447f1c2aee3727a012fa12a83c220977378f708e0b189c30d9a329c6da7b28457b5cab81d381c84058ae69ef53

C:\Users\Admin\AppData\Local\Temp\KQAgEYog.bat

MD5 3fa4be18dc5616daa7dbd69b5aa5870d
SHA1 e960c17299cfa14f8cd3b8a5470acbffa0112c3e
SHA256 6dcfee6c024b97ad9c146ffa4aba07a99f670064aaa45d4b383da19bbe7ce01b
SHA512 973f052e4fecc3966c3d0d5140368ac0b43bcdea39f74ba2ea9215c08c891bc487afa890355974b8cd65d58184563a0ac7f2a1b0788efe4d96805d0a30f00d92

C:\Users\Admin\AppData\Local\Temp\RKYAkYUI.bat

MD5 787d69ffb32211eede3ba5e9d22cfe59
SHA1 ceec3baee12e845033fa14594e67de05641e1ca5
SHA256 bcdbe5cff9a4d2c6c57219545c9a738568abced0c0735c491a1c29df33af4b66
SHA512 65e890d80824488e87c76c96c9f43741249e47e016a4fb6efa1f811277c4aa94bf92494b7351589da3a415592ae609f9973473d4a1f0987f40e8132cc0203b60

C:\Users\Admin\AppData\Local\Temp\LuEQQUwc.bat

MD5 cb6f52e109e34c42858cad48346adb09
SHA1 04a1d881b6e24462bdb5ad176245cd3735582f0e
SHA256 41f76bccb9b0ad9d41fa125e01f628cb24ddcfe5e82a005979f05486bd47d755
SHA512 3f7193afaeb133fa2bae6b822019a7ba1229306042c90611af96132136bd180d780f90a6173cfe68669d3df2a119506c83ef4ab7f3ea20776263b8e8577c7b67

C:\Users\Admin\AppData\Local\Temp\fMYe.exe

MD5 434b1970f321b08c768f8ea9b31399f8
SHA1 d111c87ef9b2d8aa90be1ab4f54fbb53f331c476
SHA256 09566de04b9a77d548c6cee82f16b1c18665f2ac3325b21a5e46a9e99eca12b9
SHA512 61bb481f62fc9e4ec1fdce2af6f004df9b2e561606e0f5e115ae462334157f8214fefd7551ac6d42347180a67dd6508909e252694b468328b66baee33dfe2d1f

C:\Users\Admin\AppData\Local\Temp\wEEQ.exe

MD5 d4fadbf2c226dd04135a523c96fefe59
SHA1 9bb8c7c1466f498c50c3aaa384df8a6c8b788b12
SHA256 afa3c050cd233c12eae5f8efb7d7518ccdbbe95ac8a2cf7c56c1b37b3438d68a
SHA512 38815b695be285b292792eaffb7aa2b048b240dcfb279724c0880b6a8f23a95aaada27328eb22c18e5f96d81c64e0234b185078f98408c41d1ac23c5d97dbecb

C:\Users\Admin\AppData\Local\Temp\EosM.exe

MD5 a78084b964d367f85ad1a7ba4e59abda
SHA1 00d1a76b97e0c6ad99419a46d42e239a93e627cc
SHA256 b141132ca1c723dc7b0e8c6f293443d1428f3896cad3aa3e31cbe7aa2681a59b
SHA512 67feb8a4fd060db6e05449552ef2b14dfae479285cacc64802056204060eb26a5e8625487fb442057dcf22825909a86facbd87d3de9b848b4a06c956681bdf49

C:\Users\Admin\AppData\Local\Temp\ZAsi.exe

MD5 bd8fc511133d717c935b513ecc368678
SHA1 a4a5d7d1c39623a78f269c3e7f4d0b9d5dd14add
SHA256 608083d41a4d0999149c82498ab5d744b6f0bff286443274fc329e84880f9210
SHA512 95e256e89e3d582b7e3d4f230317f97656ae0fb6d2ea0fd8b308b7e1c7d94768b003286ae58afdec5955334c0d97798f0c1f31710343166119713cd56717361b

C:\Users\Admin\AppData\Local\Temp\VUYYkokg.bat

MD5 a4447440d2f7adf0ad048abc9dcc5570
SHA1 1c343ce02be9766c6468655113bb8595c719ba36
SHA256 a1c4ad4816e02df1e9b8116ed88952ed37ef2dfc3dfd433971e6a194f56e6fae
SHA512 087f09af5026109253621920448e4e9c05966e69211d8f36ac98ea4c485ed7ee54e0e219b3ce608853a24b4bf4fb41935d4aa995ee3e9078c994c2f2da0a71be

C:\Users\Admin\AppData\Local\Temp\naQooIos.bat

MD5 e99c360457338e070988b6c5615dfaa2
SHA1 52c1cb1aabd5945d92c36e9cb139b12c397a072b
SHA256 8d5ec9945d0720f1fa2b938ff79d80a318f09f894af744b22d139db20dcd2053
SHA512 c14aba969067877c6461df11ebc48d47ef36973339d2e77efff77b392811244770e0e39ed917ad595caccc848194bfecac17a766f5846ff86efd67bc2f7e3667

C:\Users\Admin\AppData\Local\Temp\OSAQQAcY.bat

MD5 2417cfab6d87ec2beb1f7223d9eac29e
SHA1 c0a940135a65530dc8a062dc0c94e336ffdc5ea1
SHA256 a0ea8309bd8a8f2b6a8662081080942eceb0d4b8a462786ce79f9cc3f741c306
SHA512 b256624e026e978f7b445c19b8b480e668392918330bd57a0efc07ea1841077ccef0bfed20bec6de2142bc3d872be8bf31cc1f87185c4fdf98e0e87f0b0ac333

C:\Users\Admin\AppData\Local\Temp\csAkskAg.bat

MD5 3e0901319a411619b6be737cbea26793
SHA1 91d8bac95907248dff30aeb8bce4fa3dcb8cc199
SHA256 5db294b03c6424c92d2ce42f06fdd4311b96c24d53cd9773c3dd984c1757a042
SHA512 6e5ddad03585e47666f2f9116c9588d9d66c69ba9ec378008fd7d5fac97c79511877aaeeae6d5d6df8ad753b21deb38c62ed296f95ec3635b5a6229db2cc8e46

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:33

Reported

2024-01-25 17:36

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe"

Signatures

Kinsing

loader kinsing

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (79) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\ProgramData\IScMUQMA\mUgscsUQ.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fsUgAkso.exe = "C:\\Users\\Admin\\LyUgggEw\\fsUgAkso.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mUgscsUQ.exe = "C:\\ProgramData\\IScMUQMA\\mUgscsUQ.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fsUgAkso.exe = "C:\\Users\\Admin\\LyUgggEw\\fsUgAkso.exe" C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mUgscsUQ.exe = "C:\\ProgramData\\IScMUQMA\\mUgscsUQ.exe" C:\ProgramData\IScMUQMA\mUgscsUQ.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A
N/A N/A C:\Users\Admin\LyUgggEw\fsUgAkso.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1176 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Users\Admin\LyUgggEw\fsUgAkso.exe
PID 1176 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Users\Admin\LyUgggEw\fsUgAkso.exe
PID 1176 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Users\Admin\LyUgggEw\fsUgAkso.exe
PID 1176 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\ProgramData\IScMUQMA\mUgscsUQ.exe
PID 1176 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\ProgramData\IScMUQMA\mUgscsUQ.exe
PID 1176 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\ProgramData\IScMUQMA\mUgscsUQ.exe
PID 1176 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 4568 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 4568 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 1176 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1176 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1176 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1176 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1176 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1176 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1176 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1176 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1176 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1176 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5104 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5104 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4432 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4432 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4432 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4360 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 4360 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 4360 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 4432 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4432 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4432 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4432 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4432 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4432 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4432 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4432 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4432 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4432 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4432 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4432 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 912 wrote to memory of 4268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 912 wrote to memory of 4268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 912 wrote to memory of 4268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3936 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3936 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3936 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1160 wrote to memory of 1608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 1160 wrote to memory of 1608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 1160 wrote to memory of 1608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 3936 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3936 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3936 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3936 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3936 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3936 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3936 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3936 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3936 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3936 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe"

C:\Users\Admin\LyUgggEw\fsUgAkso.exe

"C:\Users\Admin\LyUgggEw\fsUgAkso.exe"

C:\ProgramData\IScMUQMA\mUgscsUQ.exe

"C:\ProgramData\IScMUQMA\mUgscsUQ.exe"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICYggoYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkYksYcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKAAsUUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUEQsgAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmcQcwkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssscsEIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMoUscIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywgsEQUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYoYQogo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSMIEMsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSIAUEgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqAMEkUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAkMIQMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISEYEYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecAoEMwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgccUAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIUAcgwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lqcogcUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqkwAkcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMIUUgYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOMYkMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmUIggUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eykwgQoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSgIEMQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LeoUkIgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcUgoQsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqkAEgcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQIQckwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwgkQoMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmoEQIgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuMAgEkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWYUossQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PigkoUAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYowocQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EcwAEYsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAAAEMAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmMAksEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUQkMYsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyYMkIEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LagYEUoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKwEgQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiUcMEMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQUIcUIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqgMMwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOwIYIoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYEsgkMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSgAEQMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwYgAsYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUUcAQcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwcocMAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGQYMosY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEQgwIsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEEwAcYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcQYMoIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWksoQgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SewIEIIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAcokEUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fiEYkIQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAUUkwcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQwMEMkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwYQgowk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWososUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUssgoQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dikkUQAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWcQIoog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYsgEMwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCAkwwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iacgsIok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwQQMUok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkEIgAQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fuAwMAAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\haEIsUwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMAIwEYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgkkMooU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSwUAksg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YigAUoAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqkwQYkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMkYIIck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcIggkIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAokwoQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCAEQwcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiUIIEkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUocgUcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKIoYQQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmsAUosg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQokAQUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWQoUIsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqcMwkwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwkQgswo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUUsswsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEIYYgcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocgsgAIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqUUoIkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYsIsQws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwQgUQsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biEsoYcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYAUUEQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWksIcUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWsAQAcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkIQwEQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGgUsocA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOAoAYEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uaggMoAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueMEkEgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGUsAIgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuUskIcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgQYAIIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWgUYQYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUYgIQAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UogEwgEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsMYsEME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGwgMosE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pukIMksU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyIksQwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSgUMUIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOokYIEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmgkEQcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmIkYsMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\agMUsQQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmYwggwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIMskYAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYMMocIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZskgUgIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSsMYkso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgIEIQoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWkMQsII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heUgMAAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQQsYoQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAIUgsYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.180.14:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 142.250.180.14:80 google.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 14.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/1176-0-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1244-6-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\LyUgggEw\fsUgAkso.exe

MD5 7a6c998b8cd74a2f13031a4a016138d1
SHA1 f0728076daeac2b1ee95a3844311e8b16c359ab2
SHA256 f983d4fb18f01b35e778afeaf56f1cd8531f98c2f4f898e5e59528ea9e17dc4e
SHA512 b324886f87442b23fac414409891ade30473aa8905a718bfc6b483fb1d832188bf93204ea4d1c247a5fc3b5b10176d6ea5f83e24cf1239be2e6df9e6a7492b1b

C:\ProgramData\IScMUQMA\mUgscsUQ.exe

MD5 95b337aa80812eafc9e81874e8ad3a57
SHA1 0a59bbab4bcd126dc93440a7c0edb0c761625bf5
SHA256 663a87e2945b8569f7703d154cdb342a2cf148976a8034f4ae3088ff41d33d92
SHA512 75f9e800f11fd047b1a849a2cb5f3dbcd1239d0fc28a1ac97b3824dafe432e9beb4fae2acfec28b86e6a7b5f7582410a1578a26bb47b923f11232b909281c8eb

memory/3448-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1176-20-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ICYggoYk.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/3936-30-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4432-34-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock

MD5 b1d0a5c199d9edc1a273e408124ed491
SHA1 82dbeb87395618e9292b9dd7a414086ae43cf412
SHA256 512c67620d9906aa3db4ebc6839e4a74c832e750d4805c77d6de0e6a76740d77
SHA512 3c3eefcf3679d578fe6d4891071ee4bf2d6e7ae9366affee4838f7a161005035a390aaedbce5527f55fdbd622bcfc47a86b094feeb7f7f454bc71bcdbfd746d5

memory/1608-42-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4432-17-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3936-46-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3260-54-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1608-58-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3260-69-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2576-83-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2156-80-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1892-91-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2156-95-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2512-104-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1892-107-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2512-119-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3952-132-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4992-131-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2852-140-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4992-144-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4912-152-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2852-156-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4912-168-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3260-169-0x0000000000400000-0x0000000000437000-memory.dmp

memory/464-182-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3260-181-0x0000000000400000-0x0000000000437000-memory.dmp

memory/464-193-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4164-196-0x0000000000400000-0x0000000000437000-memory.dmp

memory/632-203-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4164-206-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4556-215-0x0000000000400000-0x0000000000437000-memory.dmp

memory/632-221-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4556-235-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4768-246-0x0000000000400000-0x0000000000437000-memory.dmp

C:\ProgramData\IScMUQMA\mUgscsUQ.inf

MD5 9a34109f6900c2df0489fa6956f96f1e
SHA1 a92e31c97631a37c6e3a61089a202c77ed3ff578
SHA256 db7f1bfb5362a69213d5f42c86e95a8be1e9a46c98520408cbb9a38fa3033828
SHA512 fadf1ac1fc8e5c9d1283ab0cca7316ea25a176635305c2fb37981e8703120e10086f70581b0a01885c9f198fae5b23fa0dd6bcd9e8c844e6cc87883785f2173a

C:\Users\Admin\LyUgggEw\fsUgAkso.inf

MD5 90500fde514d3f611605dfc0e5b8124a
SHA1 38894060432918e7a1a8c08a7efd3e1d9360aee6
SHA256 08bb23b79da985262c2e9d085728cdf88ce679c32a0ac24bc3cb9fd2cb8a935f
SHA512 ab91a8ce971e75ac6b28ca0bd149de9161379e084c499370b405ffe5d2e363238cd3552514de4d319a13ea928fa19b0f748387344aabb29ed50bb9a1fdbc562e

memory/3436-261-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1892-262-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1892-271-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2360-272-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1416-280-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2360-281-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1416-290-0x0000000000400000-0x0000000000437000-memory.dmp

memory/5044-291-0x0000000000400000-0x0000000000437000-memory.dmp

memory/5044-300-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1812-301-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1812-309-0x0000000000400000-0x0000000000437000-memory.dmp

memory/400-311-0x0000000000400000-0x0000000000437000-memory.dmp

memory/400-319-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4272-322-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4272-329-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4508-331-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3704-335-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4508-339-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1256-346-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3704-350-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1256-358-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1712-363-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2112-367-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4128-372-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1712-376-0x0000000000400000-0x0000000000437000-memory.dmp

memory/776-382-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4128-386-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\egky.exe

MD5 508775342f488bf3d98731bfd221d131
SHA1 8e58525c5ba609d8f0d50f8f35641223f92ee317
SHA256 b9911bbdb30fc152fa13c9932dcc000f8e635cf761217723ce8f581fb448fd6e
SHA512 66fb2254b21f7ea6d817a40cc54c8d1a6b792adc9bc77d1e5953d4ea67b10a7596690e4331ab02e0264026558d254addbd8ba7a034b151d3284bdf2f2e245636

C:\Users\Admin\AppData\Local\Temp\cEkY.exe

MD5 84e87d8234dd3a025b247f7ac8ceb84d
SHA1 afef0b27de2c9100584a9d0ca643c5608c6bb6e2
SHA256 6f94c4634d76794f8ba20116b0b80ac4af96783bac0fbb2935319737e5687a09
SHA512 7d55b26e4fc3785c6985c02a071873536565e2f6657cdd545fea7c62d105389c27d2353432033cbb816db669ebd2f9d122679d373180ccca78966e89cd50bbdc

C:\Users\Admin\AppData\Local\Temp\KIMA.exe

MD5 42373454ed08a5c12ff5ad3be1b4dde8
SHA1 5aa379d7f413a84571318d3a9ee0603284c9f90d
SHA256 c0cd5e54e4de909074fc5dc882fbe7d218ed0638077952f681294f39e9349163
SHA512 0cddb926e80110164fcab124f43d9581e9652850df5d371ee43b19d9a995c574072bcbc3c2451d75b71157a55eddc2e8dd615263df754630ad21e35db509cd61

C:\Users\Admin\AppData\Local\Temp\ioYE.exe

MD5 72dae3c84a72e0ee2fce9617e073bd4e
SHA1 b141d6b4616f8e66ca261fefe0355e78c6087d6a
SHA256 76a0252898de98cb66e427c03bd7262144ec1d54b1928ada559c920e3ca3816e
SHA512 f1cc882bb52cf38b2a90e4a52bcb6cf3725a4ab3ae91c4918880144c0889a8a6a9cf9b09bf62e91447aca9c027903e8bc9756bbe0cd5bbd17e3e222365a31f1f

C:\Users\Admin\AppData\Local\Temp\CoIk.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\mMUu.exe

MD5 5b08c8a1e16a30478fed2d9f62f95f09
SHA1 45534f1472dd739ceed7961320ffeaa1418a3d89
SHA256 420d578aa0ec222cb6ccc89993c952a6d0fbdf8457b5edbf6a120762ac7ff031
SHA512 5606346f4f2eab8e7445cd5d03bf35fb401d60bf4192ad3f61c396663971914148fa074851f9246cef1c6d34f7166fa6c539171430a96126de2ed55bde9722d7

C:\Users\Admin\AppData\Local\Temp\AUMU.exe

MD5 e86e1db5c530497e7858360b497ad9ae
SHA1 e8120f7c33f620fb3930664e1982169e3e7f91d7
SHA256 1955c1d60c9e9c0b600773f729eb5b360f78c334cc967db33c5b3b20e498a1c8
SHA512 cdd4103f12c8636e5d925d892a05896eb1b3cd961267a968a6005cb0c365e94c30fff353c207daf823b98c377a6216526a05889e22797811c54d2dc176abe6ae

C:\Users\Admin\AppData\Local\Temp\MwcY.exe

MD5 4fa7518012a00e627319ed7e16398fc6
SHA1 3c54f385b26b9e09146a6750100a2263938ac829
SHA256 61d8390c22b08af31cdc58baed9ac8ec6592cd89d79e14ceeed12ff06f85bbcf
SHA512 7a8cdd0f717b7105e4be487dcc3e557365d3d3feef9a0cce30ecff4a55a447effad631d4452d68c3641d05b4d11cc8e59cc551f7c3b53a42a7786eb0b7fad55f

C:\Users\Admin\AppData\Local\Temp\kcMQ.exe

MD5 9dd5f4349a818cfe258c54d7dcde1910
SHA1 bfd6762dc01de294e1405dac47e954a217692e9a
SHA256 f401a38b92a764991e1feda4fa6a2ae4bde07afaf54cb046e0dad0d6ea3f84c2
SHA512 609bbab3d2a0cbc02b4b0d07f3b23000a1c86ae057ed35a6ebfad816772ded0af6242249be6816cef20246499a31143d5a7fb8dd89f952bcd733ba984497070d

C:\Users\Admin\AppData\Local\Temp\eQgW.exe

MD5 e136485ae0c0f397f4839c85ffb8565c
SHA1 fdb037b5b1f432365382d3b5a7fcc0ac2888883f
SHA256 6a6628e35d6a251091f5713e12655ed5f6f157fde5c9d6916e15699577258ca6
SHA512 5a90a418a3d4f03c151573184e09f184243d01a140445f9c798491b84b5f7116c1e72966be9a4fb28a03edf06a8c06281ad57f4aa64588807b596d858b3cf714

C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe

MD5 c3e3a26e24095fdcc5354d8fc4ff705b
SHA1 20bc38fd689f3471a568d7ff0538290f343e257c
SHA256 fca3a9d00654bed292e1cf2e8b1162febac93d23b980d60949388cf22cb19ff4
SHA512 206581781edf8a8e2ea1c8ba9e564ea1db2f6007fd43ac0a7183b5ece8373289fe0aef7de48ddfc49b03424303e8397af9094a5c6cfba174eae422ca989b6b97

C:\Users\Admin\AppData\Local\Temp\qksK.exe

MD5 242b0829a3d52b7dc01db6f2a288a533
SHA1 26611f42f87291499dd7a18f8424ef8c9cfe2404
SHA256 34d435ae19ecacaa7f31c4e71593420954036965261c3d7b84f00e52542e57e0
SHA512 8dbcefee29cfd12e636381002d324e54faccc8d9288239bb4f89dbf1be7225205bbc8954e1a3120f28c78bee09c8e4e5d7fbdc94380d2baf6febc8d7fbb54454

C:\Users\Admin\AppData\Local\Temp\OAow.exe

MD5 cf2886ba4d351ab412aee05668128811
SHA1 d6fe643a9b8c138e6d53dcbd3e136fcf65c4bbf1
SHA256 dd7bb76ef8d5b82c29870e2d79be323ce318058e3ea550c1eeaeb7fd857fea23
SHA512 ac17c0881c94f5b034527be5a849e59e915208833860f6fbaf9eca20eacba978b8a67372c281bd21c999a091f4dfdc62eb80c4068a1baa166a84a0399be5254d

C:\Users\Admin\AppData\Local\Temp\qYUm.exe

MD5 8bfc5cf4d406ff49db42779aa55ffdc4
SHA1 07a70ef5364cd56aadcc7fb5e4a42c5d1d0b662a
SHA256 18f59088fa015e7f17acd47e911227152478a060bef49d45a12034e266bb3a5e
SHA512 880281309fe6f4d186f6afc5817f4c73a983dbc83f0705e6a16d1f8774ed0cd4aaccdc8a669fc5bf868cd639ba22da705b6a20ce0501e0585f961bffd04a6879

C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

MD5 25a457adf41e0bedba98ad63959f8f3c
SHA1 2b80290f90c1f3d2749b888eb1fa17f0f45c9235
SHA256 8c53d78eedf03523aae6f7a1728cf9979c0222b3f125ed67febbd1e616367dfb
SHA512 ae6f9c9468f7583971cfec6a310e5bfa91fc65666cfc362c60c8c1e8b4b70fb5f55cbc834a49ed3a5a45c4efbf26f51c4900249e6d9e2a1f9dd7a30639e750d3

C:\Users\Admin\AppData\Local\Temp\cwQG.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 e1fe26b37f83575d5746edb20c2b2a0a
SHA1 c211f94d7f5da66a34053d479b1c6e89592af562
SHA256 31718052bbdc4b06876a914a2d8eba30a3f8101762e5c1add938c63efbe96ea7
SHA512 98e371b005f44b144ad755d1a2b0be4aaeb72a7a4d46340a9c5164c88ab80d7255595a72a4e5f7c16caf108441102461ccbcf2ffc0ad20023e289c4db1270ab4

C:\Users\Admin\AppData\Local\Temp\yMAO.exe

MD5 7014609405cf0d510ed1c5d4176c3f9e
SHA1 0f9b3690e3087b9b21964dd5c85fd26453200464
SHA256 806cab95c4e35dea81e26396ea3d27fcd4897281191c3d1dd7324c3cbac35c50
SHA512 0475a332d08d5e664d3082c1e643bceb150eb6c2be408815ddec5206fdb75093c5f4b01d218f1b448aee5c06afa6459e49230a5c8d97bacb2814c7488443f354

C:\Users\Admin\AppData\Local\Temp\YoIe.exe

MD5 d775385119f3725c02a69895818d7d7e
SHA1 4327b25e82f228b3ba55b1c5fe91a3b67a234baa
SHA256 4c5a045a21ef389e177e69f49573fa837763985abc71b71abe10943bb55eee2f
SHA512 d9fcc3bae494e8782fe7405b8989b538c8aba3ec5b54635da4d6c62d5b457a76b6d6d594df9764781be06b460fe28b16b1a7b48c147656e5ffce9437f273f34d

C:\Users\Admin\AppData\Local\Temp\oEYg.exe

MD5 062696ea89e31e9f2f34ee31f3c1ca30
SHA1 52b86315efb08562c3d3f9c0c7f7dee451138f90
SHA256 33706189a2b1490228f5f8e5712a644acc2f1a3f25f8b06f079924b9f3db94ac
SHA512 71bc12c598787dd56d71c0faf9493865478881f3b6b49868428e9dda6dd6514c9300c92cb3ef1d7c1ca04bf2da2d3868d2ee9fbc9891d3b58cfba34a1577a063

C:\Users\Admin\AppData\Local\Temp\OQMm.exe

MD5 273b099e1bab10eff55a2dac0879160f
SHA1 b8fac7649b7221865a0e0e6140161fe204d10e2e
SHA256 4ac176b90ca603884bffb8cea41d945e732d77cbf4460797e15a0382e83c99f2
SHA512 3a1e9fe6c3a032c799286826607f6a9b32956c9a61195e12373083468f634b1ea0a7fd3b2008385f9855007635fada5786c100c6ab42674758026f6a3fc0f2ff

C:\Users\Admin\AppData\Local\Temp\wokI.exe

MD5 f70b4be116ea0677e819f703c6d8e83f
SHA1 c5e8861b80e18268eb2192c96046a4db3a596a6e
SHA256 f87246a28cbadd1b1e108cc30441b66ea38fa72a797bc57fac1851ae716356bd
SHA512 70021e75b8c2e48d9b9017c918c4e70b1f343b21a90ca26542b3ac433a4f53961620df3cf46bb13ca6ee1dd0099d74fb26f35addf0860b3ad2962f9a5665a3b0

C:\Users\Admin\AppData\Local\Temp\ucAQ.exe

MD5 7b39db425645a822266f741eed52f4dc
SHA1 c44c63c5824b10fd374f67fe4a842774d00b0211
SHA256 99caf0b0546075acc93175f03a7649023457ea1e2fe28f51f5a4eb35f2064729
SHA512 9714bb09db6d4601064ed5252b505377d55c3bff54ee384fa97e05b0251958a82c2e136d2209e9c9042a40fefd1a5456ddbd446bb754c39ec7ab5f464d6413a9

C:\Users\Admin\AppData\Local\Temp\kooK.exe

MD5 1528a3b7b00817b6138d61d049f3023f
SHA1 aef486cc1114a7eec5757d17715609af1a23c9e9
SHA256 e24aa84c745cef8cf1b29ecd7b6c9863dbf4070489e2b9841e5e66ad42a5b8ba
SHA512 a789a427cee44b8872b40d0fc7242fb3c68be99caf69025ec9b9c0955e72e6dc7b0c99d5ed1d883ea0c0f90df688dfaf0b5b3e6fc421815430fe27aa16e75a86

C:\Users\Admin\AppData\Local\Temp\wMsK.exe

MD5 710a915043dd7fb1320f1c52c5ea4e12
SHA1 7172c0e010485c475a91613def3e1655c0ddb7b9
SHA256 915e7b723594fb2bf17fbd2c792ed774085ee307b4c1e57cba0cb8720844b7e5
SHA512 7b219eb9fe030ab3c55d959ac9e1e745e46c543a673099ec7bd83a93a6a09cc705e1c8af9b65494eddbd547ee8eb03d4b804377c0ef3f17a30728acc2e43fac8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.exe

MD5 136b03d6f984dbf5df08c2dd5c70a38d
SHA1 c168caed94a775c74b7c487a1bf0726351f46c61
SHA256 ae448bdf184682e5cf6d1a57fc94b5ebad9ac45e58bedaf956419b475c7642c8
SHA512 d6f4a7e43cbccb5390da7847214f3639e07b9c2644584fb7ab188e2e2286d38a95707e2a529e478cb8d212ce8a0819270e63919044b205ed3a4455f7debd0393

C:\Users\Admin\AppData\Local\Temp\yQAy.exe

MD5 528bcdceae30f0f99d98bfddd81942e1
SHA1 2f19beb68e29c5a69a2d649239cb9fbbdd386e1d
SHA256 9fe38584663a881858be06bbcf566f03acf08339df69f842a666597520860fa9
SHA512 6685a983bd88036ebedc40ca5fcc2bbe9c02e0731088fe2af1657a377868af812755331433be23e67479bd8cdd76d857b22e17fb3f3adb8f26112ad232d42d51

C:\Users\Admin\AppData\Local\Temp\McEY.exe

MD5 fa121116480d1a3db3bf799d4349a489
SHA1 003185b6f14f3485b668478cd8b8ff2f436c2a1a
SHA256 7850d7d9534bf47825f7589ccc25dce350a77d09818c00269d6173279f56c37a
SHA512 a786b1f24270c01319f1f584461b999b34962ef5df33ec838ad36c6975559c75ee8016db4fd92cbdbb13d5d0e45e991fe2d053c7b0fee843953958b67df3c63f

C:\Users\Admin\AppData\Local\Temp\sUss.exe

MD5 f5c4f7413b8f83d0ffa6508a0d962203
SHA1 52d51f162fe127d605d22e49a3f286233bffe1d2
SHA256 485ca8b499685a1a94a139355d902729af6ced600dae5a20ac098d04d466a240
SHA512 136d95e66e96d3e4ddb84edc465345d90f75dc638cf01b9cfe1519af5e495e5082affed586f0371ce460ce4d5a2269f7d629db5ff398f3ffc997c9c4d5115719

C:\Users\Admin\AppData\Local\Temp\gsAY.exe

MD5 a9367e19e91714b5d0c0a346b9a512cd
SHA1 ff981affc223c52e3597d5b6ed15cca219009f67
SHA256 36bdcc520974ef5b906b8d0037077fd2c0b08cc7e8eb7dc520d50e136eb44e2a
SHA512 fac9376307aca79fe3931b7f81232962fc4787e3720528f5ebca820acbcb1c39a03d0965a261d57393d25bf06e7a99ea717ce1d7f1e7af9859ab578dcc0094d7

C:\Users\Admin\AppData\Local\Temp\ywgO.exe

MD5 f37d0c59278f664d27473f81ab73ba6d
SHA1 b917990e9a196b3148f737a82489f53b28116304
SHA256 90acb42242a261690ae60a9bba8dbee9c850adbccb3e672fb83498d10eb4a848
SHA512 5733a8238b255c45fe8ce609ff08dc2b96820698e4e59b930c4117e7fed54a55d7082324eda1eeec39e759738d8610e0a387e1bede3f9f62b8597527ac5b701a

C:\Users\Admin\AppData\Local\Temp\eQQS.exe

MD5 16838c12a15b65aeef6e177acc3d560f
SHA1 a78438daedf6ef777c75aa72ad7f268b338e0441
SHA256 51f8b8364b383521d20acc1b1b7419df07a57756ffbe60600965941a1cff7a17
SHA512 1d9f3decfb10919b506018a50b5fad909b7593631fb67ebb50e6b2ecdf2004ce5374559ceb13dd7c110654d51692224d71925b2b79164375b2037d292f26d1bd

C:\Users\Admin\AppData\Local\Temp\Aokm.exe

MD5 09169decb38e7e59d8e9aba58e8cde13
SHA1 31d49bc2b4b79c96711b2191fac11054c41867d4
SHA256 04a38dabed51e6b594e33d9b83922134ed675c500994be23e407bd6b5331e778
SHA512 1db533398da02d2de2cd654366e5abbc6fa93b36e6dcb5b8c8cb9fd6cffc10e7159f0dd2c8fe48bcd7d59262ecb409cfb50a8ab9b6dad63ab0e8ae88fb841cb3

C:\Users\Admin\AppData\Local\Temp\QEgw.exe

MD5 289f39267e6c2b2fdfbde5880643d71d
SHA1 d8493849814455b3a85e51bf48dfc1c30b197007
SHA256 0bba882fcecdec9abb33812c0e12d541504938d98f62a93e39ff27861d27ea64
SHA512 174a711de999c4de9dd3e7db2264997c96fa1dca05bd9fa3a5b26b8f8d0b473714ef880b74b50b7dce02c97bba96eacc56089e6d01ebefb81db9ffac38b1f332

C:\Users\Admin\AppData\Local\Temp\QoAC.exe

MD5 2da313fc2f90ec19c60ed525235fb371
SHA1 04ca92c381e2dc600bc1817c7cbc7e9a302998e5
SHA256 ed1d0d97421cb0792a15e697ee484d891fa5721ba191466eb04dc3fa9038db49
SHA512 3cca13282fb92dce7f1d76013255861e373f6056030651597bfcefbdef456094a66d7708e809103d4513adb7642c2b4376e1a0de0085e2f404946f0bbb2c39d6

C:\Users\Admin\AppData\Local\Temp\IAIm.exe

MD5 133a58122ceb4f7e2be568e875805230
SHA1 80d435331fe1c2ad9a96bf7633d5d328b957ee0a
SHA256 1e03605bb51919bcf4937933d9230996a79e508f5767f64b499a0c9229750c79
SHA512 847abdd7aa4209d4fd45ec519281727550e5a515266dc8165218a4090e08dcf27e8fc5a9477485a6ce05ebd13cd1d32b6a57f4a7d8f18cf594c81adfb76ca2d0

C:\Users\Admin\AppData\Local\Temp\IIkk.exe

MD5 b2e0214d5c67f18e184e6670de91be73
SHA1 b82a728863625b528fdba1a99a829a49571ea4b6
SHA256 b5bfcdf6ba1063de8905adc634414adb71d03e5e3e54aef8d42f118386076ac6
SHA512 c744caaa738ee37f0374391a3b5fbc0aca98d1d66a84a808e30db6326d27451f8fdcea5bcd751fe77eac7049563d0f74e0cd5903d641b29bd21fb4ee60e6047f

C:\Users\Admin\AppData\Local\Temp\UIUI.exe

MD5 602a02cb52f61b5e6e443c6d0b1546e8
SHA1 ddc8fde872f64f1fbf9b6ad2fc8ab8e73dbf9dce
SHA256 4a646122edeceb2991ca55129af6f4591598b2b7625fb6063930b463cbb7fe7d
SHA512 3a35bafe924b781dfd962e0cc89e511d259bcb3cf2d6e1e4c9ba2bfe20175c705647624cc3a45b4456ad8bb46c44c835d771a671b14ed39d471fbc6dcde57b60

C:\Users\Admin\AppData\Local\Temp\qYkm.exe

MD5 ecce57053c3ed0ff2a78d6dc11c5c222
SHA1 e47c5c19b79dcac3f201d964e7fdec07ee98be14
SHA256 bb50a6fc5945965b1b1044bbe8424caac9f85bc799d7dcbdcab5721b0a44a1cc
SHA512 717356b8600b8c90b5b931543d0a84653bd0a2fb096b2335c2ab7bb35ae05bb93063c163e8e627f6835cc70430f7275d05d6404825b425338e8f8294fce186dd

C:\Users\Admin\AppData\Local\Temp\CwAo.exe

MD5 e17833d5eb55493e8ed9fedeb806be2c
SHA1 cb15d6dfaa11b23a81b3519e5f9b0ec722d3933b
SHA256 1ac00b7ef1c90c815d61e84d2a631282495d7e388c55725e322207a8018290a2
SHA512 60cb6b166034e30fd399ab41f4331824fb222b1da8ed6a56e75b5b38e0fae224782a8fd483339b67d87f44b3b6f5c6c1e5029e61a176ace10214315bea97e3b4

C:\Users\Admin\AppData\Local\Temp\wcAK.exe

MD5 f439137d3c21de44a0b147d9cc885f2b
SHA1 de8aeda7d03cf170c8585984c1b678d17c23b8df
SHA256 4481be86ad29c7c7ddeeaac3e89dd24cf015b2a2b0e19db102ff6306563deda4
SHA512 2bc9968cf8d32e8463f079ed36261dd61ddc125daa7e838e9bb9aed2e897f719fb0993002abb30b0c15bd79f481cc4dfcb635fed869a869ca562c535a07c7083

C:\Users\Admin\AppData\Local\Temp\ykwE.exe

MD5 2393cb79460dd07d4fa16a606eb6d048
SHA1 350ae650775c92cee22e2047990062f313fc6b4d
SHA256 5e0b9c09a3a37fa87dab0797f67296164c2e878227a46c93ddce5ca4e029d26c
SHA512 e37df0e3a8c0bd7383a229728c7011590f45c9d41d4866c0599187a43484158f2ac5b391507a86d785b84603dd8a71f20bb5e5b96e28762d89eb86e49fb1be6d

C:\Users\Admin\AppData\Local\Temp\CMwc.exe

MD5 1c7721504f3b5fcf743529d44144ae9c
SHA1 d7cff990ba8ecc6869cda5ffc640cfe0022d9ece
SHA256 8470b5eb8d5a52e15f113855baa8c57956639896872a26c13435837fb276b64e
SHA512 ffca612c5007cd33ddf50e06e2046970157f6eead34abc2296855b9c28793d6d1377e33cfb3f8bb85ace1fb53f883207e6e9288d2180db3d519fd3aa79dd241f

C:\Users\Admin\AppData\Local\Temp\sgYY.exe

MD5 b738ca0655f9584ed4e9321c274de3ce
SHA1 c9d40c05440821c40a3a7105df15f67b090be0a1
SHA256 e800fd7efea3fb4b1d2b5e546f8aad1a696e76f4ee0b648a3cd3f93610715cbd
SHA512 668b73f7e436c9c83e7d5ffaf626fb17f0b7987b5f4b315d4f5d51d92c663e434c90166ae8c9bce1cf9b4089d0fd6bf70111e5f901b69130ed44c1817573fb3f

C:\Users\Admin\AppData\Local\Temp\eMEm.exe

MD5 ab8408eb135ad28561b620d3ccb270dd
SHA1 8eba2e29e38134e129315df5dee2832c7ce092d8
SHA256 5867bad29a8dc4cf4eada92180748e88955cd70f0f4524227429110ed9f277ca
SHA512 052e726e82b4f0b544bd64fa8071da7dcb44c1f150d29e20df3dec36b9d7c3b411093c8aec8a2a2383e2af5ef48e104067312f9a27082a49ed94d1a0348d9b56

C:\Users\Admin\AppData\Local\Temp\wsUw.exe

MD5 8ff069946a77e6e4eb39489f92267745
SHA1 df3c33c94c7c4b0046d2c67017a3d0d24fa6e274
SHA256 e82015f01df46d97de044d87a015c6a1da784a78e63f79ad926893bc43a909b0
SHA512 c4029a825939ea8599cfc71730755044ced71e2d839a6bb4479a91223aea6fc784320dc5db03631e9d5602bc4237b5eaf3be2a971d0822be6b7787a4cad798ab

C:\Users\Admin\AppData\Local\Temp\iQkS.exe

MD5 bc3177c8c8f214d7b1a64255ce2bd2b3
SHA1 d30f5fb2f0bacdca51e66136e4c4537f85d9acde
SHA256 2e5e1d26919f84f38547abf1e98d7bcbfe1b07a4fda50f57bab90cc321c6513b
SHA512 8a325caa5d449b1b599c8c9535269bc179209c927232d1e66b1f002695543f623ea8ba2aeb1c6b1a75d472758ff6e6dbe06cd5d4f2325ca578639cba119e50fe

C:\Users\Admin\AppData\Local\Temp\mkgk.exe

MD5 8022dd5924d7726b19dc4cb34de4ef84
SHA1 56c49c880c619d0d05c5e2eb1cb054c833be523c
SHA256 70f1a59ddb914740b54a704e071a51a19e5977168564892d818a9c4d6bf0a3c6
SHA512 7a83ce07ab276c93cd873547ec923e536f6f03658e663625db534f693d77b5588f67a80ca33c44094f4e328ffa44d945a3c3cd0af36c551e610d1a4c83bbd2b4

C:\Users\Admin\AppData\Local\Temp\YwUu.exe

MD5 c7c71f7462c254b5b21889555336b09c
SHA1 8a7a54bea4d915214d86dfc89e168fbb8d0ff31c
SHA256 e56ddab00ea8f68067e43c3b6f03c4111b639ad091c309131db9a6e9510a3acc
SHA512 1237a3f2d16325ca70a659f47b46d05f1aca5a6d5be473e72334d97f2f635f25ee7ab848c5419694907bc681395316b001974f99ff1b3348575f73400ec6171f

C:\Users\Admin\AppData\Local\Temp\Sokc.exe

MD5 992798b86fa52d141c4feaf73f1773f8
SHA1 c3ac6c0b3062030687e9535da58023f2494bed95
SHA256 33a0da35b17fdd5575a6df930576548bde4ba4d0278a916d513fc3d1a598b25c
SHA512 18140e22271334ecdea053b47cd174e15538b39a33f482c931d21ffecc9d6381d8f85414baf92068fb8161159c642a0642fd22c3defcc0c4973ec8c9f1e8e119

C:\Users\Admin\AppData\Local\Temp\eAco.exe

MD5 c6615cfa0615d580248ff59568121460
SHA1 1352c1683c7f847c5432506a8d8240f260a2ec0d
SHA256 60f3ffc9fb99916bc5b13c6777e9b4b0d9efeca04dc4d4fbd25c7fec15baa5d5
SHA512 d0710402ba649e573ad574a99d00c3df54ff2b28562253ce598c86a55eddc788b171aaa13c470beca9f6e7063a6f7a8a80491dc3a7c73791d60d94484e9edc11

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe

MD5 9b43ec770e8c75b7f1a1c0d16e274bb3
SHA1 a2e338919aec42d563c42d8c656457b28cc8470b
SHA256 c69f116a5e4c81b627bacce2ce778237b3ba3ca4f8647b20c1b036df39d5cac8
SHA512 c186b0df349b01e557a676b9bc734601dc3f831d694865d413ad4a6d4d2c1644f6a303134f8e30fc065d2de9edfcd20b2838b082a822dd2690126cb3aa69eec1

C:\Users\Admin\AppData\Local\Temp\oAIS.exe

MD5 d596280b48989db82653b2371bbaf4f8
SHA1 57aebf43ddf3c53c4d3e7bfd45d7f955b3d10326
SHA256 850fa75ddc19d91f07e7d399ca0968b8cd6cc7ca2ee5e3a5d008bb3a8dacd0d6
SHA512 911e0f5f3f3bbf58d2491eb415d430a48e22b090c827d76fdb27c4f9a361481fb110f557089033130da31627ccdee1f5477bde4677fab68da85d2fbf214b6e9a

C:\Users\Admin\AppData\Local\Temp\gscQ.exe

MD5 53ed10f73945bd7350f2674e821570ee
SHA1 04585e57d644e6350f6d981dc48eeea3fba44927
SHA256 d2ccc1dfc6fc0aae6748bec727b40684bced9393992fd9276c1df76aeec008ec
SHA512 895ea22e46a46a8181410248ac6642aa0dcca825cd8754c355e069958317a8aac8cb854359b0e67924d334d235cd8c0ae379a0ba1faed66396129c50cf0f6a2c

C:\Users\Admin\AppData\Local\Temp\SkEe.exe

MD5 60e02a36052b9e4de5df9ebd18de0823
SHA1 476f5d074bc6993098db2e6d9fe8ff938fb99639
SHA256 1027422ceb02fa029c5c877994485163c9e84ab759b8a425cce0f5303a1db345
SHA512 440fd3458a237049dc73049e553619c5c905098d6fe176f7da6e1ff512020992bd09c0721d0ac0a2d4ca9052d9a3fe9f27ee4f6c9db7467f1202dfc5531c1212

C:\Users\Admin\AppData\Local\Temp\swYa.exe

MD5 6bddb60dc3b522f391a8225a6957142e
SHA1 36ff0aeebe9fb38c166159194f01c64621cf5afd
SHA256 b16789d0fbb84d48ca2c32546857a4116f9c8868f8a1614294155d37649c8c67
SHA512 f7ffcd62b1d0a46c76e83649e86625911f722666bc2c998d337bfa79fe830ec98b1b4348b9b229edc972c493670e78b62da80731604de74e8a9212006109bbc0

C:\Users\Admin\AppData\Local\Temp\GUcw.exe

MD5 94d011440bce088567fc39f7bb3a6934
SHA1 ae3a3570d8cf9dae2fb4ef668706244878d5dfcd
SHA256 cd1af3cb25028b1d6ecded958d2fa73c385b106c83ee73b15a831793724c82d5
SHA512 b656469c8b244b8ecc1f436db4af070a36ce517e776975092ff2aa76920d0669b9adc22f125327bd904e6aa31363cb0046dc8cab28c407e28b5dbb2867a9cc4f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

MD5 31df8b4aa81e0da5f89e907eda05874b
SHA1 d69b69e8149891e65bd2f8120ff421d06422e211
SHA256 d14cc1dedd5875611c4a30ad1a1d0c7371975475a8caf5cafa621d7610ddb73e
SHA512 4ff7cbce065b0a9e2ddc6e2ff7d7042ba89c22eaa9c938d1e617f5dbca64985f9a3a69f141ae2bf73c0051b64d2467f7a2017e2d8f5602a106a3211b8e134eb6

C:\Users\Admin\AppData\Local\Temp\cowq.exe

MD5 d2d883d7a76c96fbf7e92f7bd8ceca0f
SHA1 db3809f2c3219b4f3651168f257fcf809992d635
SHA256 7ea1e4f9c3ea13bb36f4170b0ca12baebaab7043f1d7cf46bb188e225e6bc561
SHA512 f4f913cee8183b9fac64f24a37b6cda27de8397cec6f377fb61aa20536dc35ba5e2ce15bb7f8ebb8ebdb6912216ad0d42a4dbaf7c75e9916d7a7671de9005f01

C:\Users\Admin\AppData\Local\Temp\Ygsm.exe

MD5 ca9f81853fea7f12987fd05479b7cbf8
SHA1 9dc1d16da41a8d66f9a568606514f65fd01f2565
SHA256 51aac1e3e63a55f8f061ea02761458201a97e7e2ad62cfda342000ac5f73ed84
SHA512 7cbf5636bfa8d52c89afc100df22d8594adb5a63096d2b7bb56b77a108653b44c23e67931eef960d35d9cbae3083ae2bef9b5948629dc104aa38afbfb726894b

C:\Users\Admin\AppData\Local\Temp\WYYS.exe

MD5 3691e39671b1c3adfe0aca8a853e6b7d
SHA1 7fdfb836464ccf4336bc23404445ccbea986c78e
SHA256 99d7ca8ad8c0d8e2b885291789ff90ae5e5ed299bca3be7206dd25647b69271c
SHA512 cb3be8eb14b5da3275fc31c90c86461fe88743bb0e00d13b447b70ad43bc36db5ae2fbb9cf4478680d67b973baa88da5aff70340d1a57f98df1dea7d1d106b34

C:\Users\Admin\AppData\Local\Temp\WosA.exe

MD5 6b0c82cb129f8ecf34789af9ec5b7081
SHA1 49adab735b8be347afc03b15070d3d98fa67d16f
SHA256 4d927a144664e802eb645ac6bd304be299da72408838b7d8be20837d1cd74468
SHA512 cb51fa0168ab6afd135fcef24eee4eca6be0c14b6470b7fe5ad25c04f1c65377435bfb3dfb19cbce7500e9b03a91c342df338091c2085e2be5e0d57fbb10cac7

C:\Users\Admin\AppData\Local\Temp\AsYM.exe

MD5 ce1263a4b1e5a5caf9190b4965660019
SHA1 7138516d4793e93995a324a75ec766887db97c28
SHA256 5576e7424b54f62e3a22f149e0b1ab1fec3f1519906109f6989cc82bc6f99c63
SHA512 f7383c4674fcba02232e24c6623be4b2f00a4ec56a09e569a9ab501fa1f3733dd0425566061a8a4b235e8a89844eadeaa10115973db99a5cfda9d48c11fa0d6b

C:\Users\Admin\AppData\Local\Temp\OYAU.exe

MD5 ceac83641bbf3f805504fe268d071426
SHA1 53f9d7f5faf52143d7bdfdf22cc3a4533cac04ba
SHA256 d40c268f90fcfaa9b57f501f10a26c935b5a97cd865071ea00f3532f411a6a8c
SHA512 f96cf29e2610d210622cf481a5478828b62c434c936dce29eb8cc81d34ebe7a24e47a020df74e39864718c94aec238d17e1770e358e85f3fe4247a72f6c0c52d

C:\Users\Admin\AppData\Local\Temp\ugcY.exe

MD5 c9b2ed239e380d2e6cc044c7e71790a7
SHA1 f33bf197826c061904c726914cf8d1a5d2946409
SHA256 76ad6e65ef8256e90c095af2f33d23fc3d6ef549335280acbaf40a35fa8fa3e1
SHA512 6c3bd1bbb43665d2516a47723d7b59507cede60039f101174027ce44a7223e292fa4e3370acdace72cff0c0e556f29758ff5043c76a1fb774bbbc5caaa5315bc

C:\Users\Admin\AppData\Local\Temp\Qcsw.exe

MD5 8eed99f501adbd2feff300dd695fca7a
SHA1 390c09fd32ec13f2da9df18e902b93bc3606c02d
SHA256 5fe4fd316818535ad8271aa36bf7c3f1b07dc6c1b411f0e94954e6a4a4324d55
SHA512 4229294a7a0b896fccd064513f6253ace0cb27f12144a4b727370e9ad75d5e161855a0cd427114c01ff6fe3d224f9e9dc13b6aa67464be728cd88acb4b01e4cf

C:\Users\Admin\AppData\Local\Temp\skAm.exe

MD5 bf7d13489295b74e47231303232e3896
SHA1 2396d0038ac646056cd96138da69343e976ee997
SHA256 565d9045e5db9b1e3c0643b13321e913e0c52f3ba10ff33e1fce9a97e3a6ff4b
SHA512 58da8b5c58eef7df6dc8b976ca557bf12edd965ee3d5c8aac6738f0e0f370c43775a3c8339349b390a5ea9958fa59f6a1892f3d1d137abc725f62d8a8db7719f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

MD5 25f9b98e45813a2745f484b49dfc1ff9
SHA1 72a5b82a882a36ca247fc6652ff313665da391a8
SHA256 4c1969d4b42442a76cb158e0c9f6a880d85f51d2d8c570a702d3a9bff381645e
SHA512 56a223bfb5927bc4f5575736c980a0970305f28ec018eaf1c86bf44ed778b097387eb364a53bf8e9aa27e75c599bf445c4dccc456ddbcd0653d56eaf3652f01c

C:\Users\Admin\AppData\Local\Temp\MAAi.exe

MD5 69a944710128b58480601f9fbdcedb25
SHA1 5072d77af0fd12613be92e7c30ff11928e7774c2
SHA256 ca0ed60e2d1893ed6b36be834c4dd0135f22002308acc56cf6941258cc19ba48
SHA512 b876758c8c8ec9cf79c2d7430ec9e3169a3dd684138aa1749a189c710d0fa5d9b954e8234f6f3aa6d7fd876d1b61bbd5f268ee2d04cfb4c09ea7f173e058b1ec

C:\Users\Admin\AppData\Local\Temp\wUUW.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\kEoi.exe

MD5 9a7fb0ad0aa70b310f2b06c8852b2f2a
SHA1 bb612b57a15e944aa18e3614d304af63406ab527
SHA256 c8694bbf9e0ef06e9c2e46f0038b3d898c29c7df47310442c6e3124f3e56d45d
SHA512 a9596b32c734265584b3aa6ab6afb07eedbaa84a02a3d3ccace665907dc106230630ae614155934397a7d497b2ef8838d54ee0f69635616a29e9c2b2f415953e

C:\Users\Admin\AppData\Local\Temp\wkYY.exe

MD5 e901153e81d1d15a38f151fe48626fd7
SHA1 3fcaa4ef0e858a1ce67222f23db7a24796e603ec
SHA256 63ec5f086eb594b8db2e1e7b939b777c4e8377e7724e338c3b47181ba090f5f4
SHA512 96be75d9de29f519a3bb245cc87afc6e7bd586a207c6ca91ae7c0af0c145ed4d3d2a4fa251ba062a1e9c44678a20826faf1b74fdc2c7f149e9cb3060f8e96484

C:\Users\Admin\AppData\Local\Temp\sEgW.exe

MD5 3ce7119bbcc57a5058b58e96b4399500
SHA1 18ec78e76e8c713853788b5bb14309225c4c334a
SHA256 f208e6590f65dec26993dedc6e6f1737c2b8d94fd9e5ba09baf9d2364554f72d
SHA512 4c23431536e25425205e7da913abfc76fea394e75d0a1ba4cce4ba2b3903cf8a061dd52593395fc50392df3452b2f89992b39e32b2aad22113b3c0f214e12b1b

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

MD5 e81378636c7aa46402ae1b4558fe40ea
SHA1 eda2d7c5c7dd053551f6a150aba7af04bb65b150
SHA256 e87f01fd825a7548a3fe082a0d304b6e1e5deb30a0ba1f6bc702aaaf9e196b0e
SHA512 719a328e6f40975e2a4e944361865b824711a5a7a8e70eccc48248093fb99f3a2c3e19b2954a08a5c374fb82d747dadbac90e54285ff67f9c0f70a9e226ec0a0

C:\Users\Admin\AppData\Local\Temp\YoAO.exe

MD5 2c22dadb79836bfa204901fdef448fcf
SHA1 b11d450a71282848f555a7995cb79634bd697c0d
SHA256 76cb17871b4427dbf4140c924ec2853cb89075493fa37dc4579ee494ab03f28d
SHA512 0fb5ff205a65ad60fb57591050f11d7692f73b3a5b582b6532013364ec9e3fff4aa05991538592c3ff5aa77ae64663bafa60b402d00e9917d90602a3016840ca

C:\Users\Admin\AppData\Local\Temp\Wkca.exe

MD5 aed1be3c6dd080e3e340e86859405275
SHA1 df50a60658b9c32f0b930758a99f90ac4b296fe1
SHA256 34b1fb01062147dabbbfc093e2cee189a953fd247be60b20edd9337343d6fd06
SHA512 2e7c6cefc9d38dec122c1c3e1d3a8d2a9e05c7ad5492a6cf38ec93101b901b2cdc079116dcb0ca21755a66f30611f81b1bd921c28da9f75690442044db75e8e3

C:\Users\Admin\AppData\Local\Temp\AEIs.exe

MD5 cbfcdef39d02cf2aaa1f2699d9ac7323
SHA1 76ba7041f87e4b0b262ccc26fb493ac77b62be06
SHA256 aeb7a6a681fb7722c26ec74298157a4f83294fa52f0d83b56b94d129aed0d642
SHA512 669478e4ac60b36195a7838f5234b59aba326334aa7749fd8bf5bb8c93328965d08969e8666123196c4491d4852e88d6f93e12bcc7782f740cbec3407466fe6b

C:\Users\Admin\AppData\Local\Temp\CMIW.exe

MD5 f38724c32a2f551eb9e2e9ca7c3e2a8f
SHA1 87256407aef35ae84f9202d166ea82567dd426a4
SHA256 2fa07ace43661ff66aaa2f7e418314ff066a1527a3d5b2150f73ba15c90c9ce3
SHA512 dc11e45b462bbd618869a9fd3211004ec96a83e8eaabe937e5d9f663fd9d0613b0033c40e10e76446d29f366a0f1ae9088a29805b416bc7a52ca38d4c57415e6

C:\Users\Admin\AppData\Local\Temp\ooEk.exe

MD5 22f9ee84fc63e52bebd1dac4f8df748b
SHA1 efa1cf826a9849905bfbfb159c926d1adbedfaf8
SHA256 b6457ad4fbb5018fff7fdc04f6885670bd759fce42930df526a4eb8b356dce66
SHA512 a7da705df9c8b8c0265cd0929ce927d4e75bae77698c324b573776a5142ad328aa31687fccb2dc66ee84afb565b810c3cb675bae1297db0ffb65e3d901babca2

C:\Users\Admin\AppData\Local\Temp\oIwc.exe

MD5 041619356cc9cf9c5c820e2c096242f0
SHA1 79b215dba6b9d1d1e561dc5b094ac6b30033f7a9
SHA256 720511d1bf02ccbbda7be5f0cca18dd319c6f296962830aa39e8d847991385a1
SHA512 4a35adf20b4511ea80cf65109e624511f5f2193ab13961ac28df35e57ba13cab9443c0526837315b40c02c2cd0a989ec6e7a91f451fdfa4f35d6bdc3842d79d9

C:\Users\Admin\AppData\Local\Temp\yEYG.exe

MD5 9f7518030a50ee0b32d26971483d3adf
SHA1 7dffca1e5cabc67e879eb4695ac748872ef8e3eb
SHA256 1a4b46fe979384f61fab7a6006f5ba6b5be6ca9c537be7022e0d6e11ff305b9a
SHA512 4f352d6fa5666d16dff05d28dd7e6cbde1f963bf904bae1b65c555656811577fb7ad1df47ec047294eaca520a8ccb437315640f281625f8e4102efdde2e224ee

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

MD5 c1f6941b8feedf9ca21ecf470ac08275
SHA1 95f703ac4254f467075f495d72248031cab2cfd5
SHA256 e89cda03b9d2413381e061a30f4c929d5fd43409558f27b9cc240fc32f7ee020
SHA512 8a0da43f03589810db4e6928084be7ac78b0890f928794509401ce4059b47973d8d8d407e1240de68d0f67923873ff49f486cb1d73f43c77ba063c8aaebcac24

C:\Users\Admin\AppData\Local\Temp\mwAY.exe

MD5 0d7ab6964b998764f0c24162b1245929
SHA1 8db39c99cf656f52316e56ae271665a7e3a79974
SHA256 81bac2e6945a2e78f1aac0ccd1ec09d6b7f064e41633eab590c9337453d87344
SHA512 8e8f50e480677f98b9a6f6cb940c563b6c55e8d1c9b253feac72504ef3c347fcf6dab3dda86239c1237888c69916f9acd04a10ed21c77143d97d4d829f17ec8a

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

MD5 f34d4de986fb8faaabc6b8b65bff6e59
SHA1 85fee1195e56b4940a2220f1018ca97c57789bd9
SHA256 e1a7a3af5564a762d5569ebf0c33c1034761f6e502d5f73fa8fba2e55f372e97
SHA512 ed9ca2651821f280c402fb61c59f9a2c37812090325707b5e91c717c35701bff7b6533a4c16579c8a97778cac2dd3110e5b478e2f63a0ad1d452850fd0341012

C:\Users\Admin\AppData\Local\Temp\igou.exe

MD5 2e97802d70dc67a5e2437f0811a5ce17
SHA1 437c5e10f21844ddc8c883c0594fc5165e677039
SHA256 6155aa33d49e649b3315eb91a22bb36182abaff118d5ee910c6598aecccfcf76
SHA512 e071b1f71c7ccd1bfc0022973f01cf3a2a1f96e96437b02840a603b59c9a6fdfa783bd71cfeeb50631b0615d89a557edf51265fd12493f7f2eb9a006ae2b6a17

C:\Users\Admin\AppData\Local\Temp\sggc.exe

MD5 d93d29b176e99797e5f8a3911fc974eb
SHA1 4f70a07d06008b33fdc12ce4ebcb69910ec53074
SHA256 4e6af5787eaf9c4e030539464daca04aca5924aac873b802f3961dc2fa5f8bfe
SHA512 a055dd9d1835386ac5666339933eefa2f24d9cc1a1d84f776d439570a14a1c46950206ce269e92fb52db4fb9ed681ef0f61671ada185975076268dbc9649b8c2

C:\Users\Admin\AppData\Local\Temp\Gwss.exe

MD5 162817d48b0d847fd850586109733267
SHA1 c7d328bd3440ffcc56b132c950b044d42584239f
SHA256 11499d3574200ee7e2bb24de0701f31dd2dda9a2ada0f915d710aa9568227d33
SHA512 87de8ac7116a84fea26c20de2c8a5e47660a33c47edd90e0428e8d108fd5eacded1dc4dd4af07d7c20e38bcc53070689269b9067fbd314e67a1d103d930de6de

C:\Users\Admin\AppData\Roaming\UndoUnprotect.ppt.exe

MD5 06b1c47029bda8a7946f328939ff3759
SHA1 abea4df5df6d4f12955d24404691392ba294893e
SHA256 a62d5c4a1443b0c554533b4ed09a5f00a2c03231c416dfa6c13a5052d5f23fdf
SHA512 686118fb551528918cb084ac1bc8fd0662bd229d62d759af02cc2e321dcf3084fddd9c83882d5e58677141da30c595e830f4cb4901f84f9de8946fbb97aff143

C:\Users\Admin\AppData\Local\Temp\MIke.exe

MD5 3d6ed8503e744329ca072ec389c2b234
SHA1 219b8f5c272b86900e65f44cf13cd6e8c985ee96
SHA256 549120f053ca779f00139a454f03bef6ede6f192999d4b1244c2ca48832877c5
SHA512 cc9e0cc90bca70f2cacc46bbbb349a853e525f6ae128712f938a0da6c3f4213b64446b3937ff048a5359220b3f8609509e35ad57d22f843c8326a34f7cb3bf58

C:\Users\Admin\AppData\Local\Temp\ocUU.exe

MD5 76c7f71556bfafdc09a34df4b07c0bfe
SHA1 26d89aea6ad7f7d53cb8a48f62217cbc0b8057db
SHA256 5a589ee430351f6a7e221dff7ca1bf2727c8fa025417d4cb87f0b78ef498efe4
SHA512 33462b141ef79ba0c76e8013141659840e297818148a660db6fa14d757c318bf9db561b9b6959fd0891af2727e031a56153722ba37b36dc729038f0bf3d62778

C:\Users\Admin\AppData\Local\Temp\iQwo.exe

MD5 dc9d196d781e3beb9db1555f853d3bb7
SHA1 1e5a5831dbe6431680141863423f95b2edfd39c4
SHA256 27f0c76dc81c21b8593a3cfc37908a1912e3a1b865e78ecf2447acb9264679c9
SHA512 96e3b30d146cb5a3f2b9c98c2a413c1680125af40c4b919f9a01704f8b11117036a8593c6c5e041e8c732b557e2fa32e43587bb41581d20258285271b5e8b8f0

C:\Users\Admin\AppData\Local\Temp\IQEy.exe

MD5 45237525889184ae0e4ec2d488c3e908
SHA1 30c5944e74cee44eb61bd2f98c9386f4038900b5
SHA256 6cedef38fdc431747c68bbc2b7453f0dd07e910256287ae0571c754101de14fd
SHA512 c3973e12aa859bdd31669b4573a8389d538bb2995dc1277879c9f2662594d916e3d4389bad37d31b3a8a2d59aa6949c39fddef05a333c04838d7580b5f3ff0d9

C:\Users\Admin\AppData\Local\Temp\ukAI.exe

MD5 741b0cd651c66967b4a2289129b64527
SHA1 8f94e173fc6e3bf9012bf67e0cc62eba3059a801
SHA256 62900d4112a8313c2d86b280b326c703662c1e38370b5d500c51907211c19278
SHA512 2cfdea2f01405810ec2686f161f3b57c497872c28ac1ab2d9392fc2b240880ea8900396f80999e1e184f722365710375416bb851b1b698819338b24602998ef8

C:\Users\Admin\AppData\Local\Temp\Cgka.exe

MD5 1165cd21f96e26c2fcb942022ea3f993
SHA1 6be076ab5b887713b77e14215b5fcd619640b779
SHA256 6bcc742a0b57d9a7d0bdcf70e23cd1d2001f3bb57a08f459ca9f9750f6ef4c8f
SHA512 e5f8c1f41705c88a491697620fc74c8a928ac57440929ed3bf31c3a8ea53bea62c331a3cf840a1af61e16c64758426511e4a771d3ef97c2c747c54a59170788a

C:\Users\Admin\AppData\Local\Temp\UEsu.exe

MD5 52ee09a414af1f3cb4ab74b5e6a3946a
SHA1 8d04d148d83af456bb1934ef1ef7fd9aad54e1b1
SHA256 aabc7d81946fea0fb781cd3a7b317dd91dcdb60996030f19902896b92cd93ae4
SHA512 a4957477c2a170deaecb1784f1c2ae3449fecd3c24baccdd487ea5cacd74b976c46b47ffa7f5b341b7c17ada76457d4f3936f0305fe45a3ff9236f797218e7e9

C:\Users\Admin\AppData\Local\Temp\OwEI.exe

MD5 a2b513ad27167791eadb68779084dbbf
SHA1 7a0ae202e69bbeea3545e60f1f37eab81d1fff70
SHA256 e3b1fe51c10fe0907abce74530e566ddb3c8c12fb37f95b8ce04d675ddb3731b
SHA512 13d84d9c3ae9f6969e5406472090439d2c720ade9a5716431ae2ed283308b105ef1985e09df87e34566a4102a483dac21e32fd6698e73292bc66fb4fd89ea680

C:\Users\Admin\AppData\Local\Temp\swoC.exe

MD5 eec157313c15f0422fa2604fb09b3f7b
SHA1 53635e291a9a37ee8e67624b2bd8b2710bdb56c2
SHA256 4ff9d73af26c710c86b1e47647d0d3dec74d468bcad453ffb53de1b1a408b20c
SHA512 2532a14dd8238f1e9fb832313be01ca7d2f9e7a226cb4cae0dea9430e5a6d6e2be6f386b3dcc4fd17bbec31a5c82857bc0e605307e58f7c7972b17cd0fa761a0

C:\Users\Admin\AppData\Local\Temp\kYME.exe

MD5 534ea02d6fb5401c42cdc57e7b163980
SHA1 099e45b4266e407100a476bb55914d7cb1affcc1
SHA256 a722a5dfce2eb16d0f57b05a9efbfd436b92d0034acc9ab9cd47be9bf7a60cf9
SHA512 12414c12de883a9fd72d466f4bbdd5f65801462392aacdc2d57f7e880d62bb9072964da9767d2df9a3eb78f9c6d1dc0c960514da7c50a700c5da5a1020e9cfea

C:\Users\Admin\AppData\Local\Temp\EEUo.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\AppData\Local\Temp\OMQc.exe

MD5 d399c33de1aa9c82f8d1f3960fdecaac
SHA1 795ac8ac1eebfea0fd9f6695ef980ad050605d39
SHA256 58fd0c0ed8b42d19c09b0111f5998431620759f6920e78bf5e3d5948cc071091
SHA512 740f7e45cc02e562788f0c33c00960ff76bcd56c7a38b6c782580de16d4d243879adda392289617ba92f67200148e1e71bdb6ff4f4c295323a4642cc4079ff54

C:\Users\Admin\AppData\Local\Temp\SUUm.exe

MD5 f6d1c3049bc1df4ea0db8568485c6712
SHA1 7788ff94252e0a18bd0d24464b267b774a946880
SHA256 6a3f02de00011dba397ced6474497be1de88afab64452c6413d1f77076200b6f
SHA512 c0745e46acf24b2cceb0ab20c734044d5369e76e066b9ae7c14722eb2b2073c529b442ee622ccca0e430a16d70fe66ab2b206a368854fb567ed52df42c7b0947

C:\Users\Admin\AppData\Local\Temp\KEcu.exe

MD5 1d52d4ac39ffb88b80857ab75fe5d984
SHA1 81163a51f35760cf1f41cf14a817aaa50812b014
SHA256 c3db0050dc2be62f5e7405d925cc9f18ca5196b8eb7082a6add5a76ee42500df
SHA512 1ecc3009a3fbb32419b2405876aa71d18e12ceacfc7f2aa1261b6fe1f4b9de44faae2c8e109c122efe178596607bd2d07ad8b557a9773b682d32db711adc54f8

C:\Users\Admin\AppData\Local\Temp\WgAe.exe

MD5 71cbca9690e9777fce3f526c3c385554
SHA1 d852d8b5d9558e1f74acfe721fc3a7db626ff416
SHA256 d6bc7b19cb04f4d62b0676c2ebb2ddc85a9f030ee5c63647d3b0283322dc0b80
SHA512 98abf0324599a19d29a72d78d1c660fe0f96efb35677b497b2829a65949b3b23474216b33ae09b341e1a5cd2ab60d6d8fee01dbaea42be24d779e3e5d3a37165

C:\Users\Admin\AppData\Local\Temp\CAoI.exe

MD5 c15d40bbbf842f21e4c540005afe0b67
SHA1 9f6ded890ccc30685bde805dad63d311d8dbd0a1
SHA256 1272f43ee13ed4e52e1254489ac7761550bd74d69178d628d37b7857f658a4e9
SHA512 fc794e028e5f21d6f7fd5f76e9b2baeca81cf7807fedd291489946eacc025d5ea858dffdb37f807ecf54549ccc1495f128fc078b1fd7fcf5e754dd66b6f8651c

C:\Users\Admin\AppData\Local\Temp\AIka.exe

MD5 2c0ddeff6120f5ef29a973867345646f
SHA1 f57143a085ee95958f89d71435c22d719aae0ca2
SHA256 a45ede2ded97932bd7e12510487e80e6c3e03a55f51aa5490eb8c9845ef0f430
SHA512 4981274f921bf9b28db6a30a715f38c3123b8608f1c9d5b6eb35e46fca4010bd05ddacbdb2330754959e7eed1dd4ef709ee8f8604c763a0f9ab34dec673e7f95

C:\Users\Admin\AppData\Local\Temp\CIYo.exe

MD5 23b1df94e0b484deb9fe01d9c2392d5c
SHA1 a60a3ae4a5df4a21c2fc8d43e6ad53fee089ec68
SHA256 c82e9640a8a785ba8dbf9505ced22fa8a527ab2947f972f758d16ba1a16f7d51
SHA512 505ca00056b66ab24e9a557b8613dc170ba9415f1beba7a0d4e9f2de02daf56e7b57b49915d91bb61c8a439d813d369a8191253451ca87070edb5a284eba18fe

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 30766dd672944f0120638e39d628b8ce
SHA1 a68143ab2796106be09c490fee9ff7a904687fc3
SHA256 4adae8370b9e7c8fb406504137a99c65d4936834fbd04ba68de9788e3b7059a4
SHA512 dfc76317f9056e0f710044987e20fc1cf4e692c6c56ff1d1763b061e5c733e97f174c6e692674611feac448855256d0d13ede1915388b91c00b6fed0a41cbb44

C:\Users\Admin\AppData\Local\Temp\MgsG.exe

MD5 4834c6e2bc7494f0869400402288fa62
SHA1 0e4c06cad75ceebf78e162392378c6b1c2b514b9
SHA256 8b6a390045a89bdbdc4a522d2284898e5aabcd6f078a970e0f5ee5785146d8c6
SHA512 8242abefd799c792448c4794f8c6695a8f34b9c845bbc94526df9ed7e343d9a95953b09e087cbb8a58c48de84ab88de99167ccbac960a41eb997f0e7f4a88ffd

C:\Users\Admin\AppData\Local\Temp\ioMo.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e