Malware Analysis Report

2024-10-19 08:28

Sample ID 240125-v7ld2acgcm
Target 2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
SHA256 91c0b5030b319793a7ec551dcdd9859ddb32e399b042db90ff11fc71d108a48e
Tags
evasion persistence spyware stealer trojan kinsing loader ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

91c0b5030b319793a7ec551dcdd9859ddb32e399b042db90ff11fc71d108a48e

Threat Level: Known bad

The file 2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan kinsing loader ransomware

Kinsing

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (80) files with added filename extension

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Deletes itself

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

System policy modification

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:37

Reported

2024-01-25 17:40

Platform

win7-20231215-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\Geo\Nation C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\bYEYkAUA\NgMccEAo.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\NgMccEAo.exe = "C:\\Users\\Admin\\bYEYkAUA\\NgMccEAo.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DKoIAYIw.exe = "C:\\ProgramData\\GUcYAwQs\\DKoIAYIw.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\NgMccEAo.exe = "C:\\Users\\Admin\\bYEYkAUA\\NgMccEAo.exe" C:\Users\Admin\bYEYkAUA\NgMccEAo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DKoIAYIw.exe = "C:\\ProgramData\\GUcYAwQs\\DKoIAYIw.exe" C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\SysWOW64\cscript.exe N/A
N/A N/A C:\Windows\SysWOW64\cscript.exe N/A
N/A N/A C:\Windows\SysWOW64\cscript.exe N/A
N/A N/A C:\Windows\SysWOW64\cscript.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A
N/A N/A C:\ProgramData\GUcYAwQs\DKoIAYIw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2436 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Users\Admin\bYEYkAUA\NgMccEAo.exe
PID 2436 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Users\Admin\bYEYkAUA\NgMccEAo.exe
PID 2436 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Users\Admin\bYEYkAUA\NgMccEAo.exe
PID 2436 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Users\Admin\bYEYkAUA\NgMccEAo.exe
PID 2436 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\ProgramData\GUcYAwQs\DKoIAYIw.exe
PID 2436 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\ProgramData\GUcYAwQs\DKoIAYIw.exe
PID 2436 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\ProgramData\GUcYAwQs\DKoIAYIw.exe
PID 2436 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\ProgramData\GUcYAwQs\DKoIAYIw.exe
PID 2436 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
PID 2684 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
PID 2684 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
PID 2684 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
PID 2436 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3052 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3052 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3052 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2908 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
PID 2908 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
PID 2908 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
PID 2908 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
PID 2624 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 300 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 300 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 300 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 300 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe"

C:\Users\Admin\bYEYkAUA\NgMccEAo.exe

"C:\Users\Admin\bYEYkAUA\NgMccEAo.exe"

C:\ProgramData\GUcYAwQs\DKoIAYIw.exe

"C:\ProgramData\GUcYAwQs\DKoIAYIw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zAoQUQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cCUUkEEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CKswMMIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\deksYcgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CuYgAQww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\noMIYAIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JOwIEckM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\haEAkYQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1952500770-1321879593-461084620-725921287-13888639214089867371818726384-1960750020"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FIMwgcQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-64220645021214872271347414253725423500-559227278320523117-8030999621040184860"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pCoUMIkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1479271381586108198-62671666520480109021012858620-415145732-7766866171153408726"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EMcEAQkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-47871712-778632472169035436282585269418878024002105967983-1762236526640350754"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fIIgQQkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1902896264396233328463291321-1962459218935255241561853396-157524142842245812"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "6448299931463210161-1009692710-1689260393-1417520638-17659667401584996645-1293108188"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "387275362618583152-8481661861418199474-266150737-1392033915993106759333838642"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\REwEYEEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "908828006-708037052-1249240235824136110-1325707984-2137745751-23152455366260545"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1456728357169056691595276407-1988474086-559263290-4928500141416249552-344251247"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eOYgMkUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sKsAwEco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oMkEAkQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "716726011-27433214619236715921224428411437977141735441228-18411253451306078974"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fKkAsIgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OkUgAkQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iqwkUkMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-950228755-13592073011490241697-28730201417767491808394112071986457918-801148760"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "162605204-984277181-12162675711788754954400414382-686282397-19915751721335727294"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JuUgEIMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oiEgcoYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tCMgcEEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "19318172002986086531616716312561182451775210077-5748815952143094453957766659"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1375139616271837417109684120911411562741396406148-477325923794869406-1388872648"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PSkowUQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LkAIsAcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1269192041-943291399872256849638108230-2019626051-1169839896-13386282311289214218"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BcooEIsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1590199076-11184235462079356286-31677373-21174682451748183287655974825-359047587"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AuIAMgkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "11595258858127812326132355-2034403451-7455428792033014385744282480-31684475"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zoEAkEMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1108523960798033734-661446110147745870-1861991096-17454343021501766283-311309957"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CWUwMEUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1463619514-108341206-698705710-1487855861170554287542553435-301322308-1440686090"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OkIIocAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1365962795-395710330594526829-1281681042721207809-78048728-845893132-2009712911"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1162459095-1995005628278130969-1883771196-590676543186620237-1960660725-993890229"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kqQkUQgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1572854793-6975011755275308091281586340-866907987-1168502454-8587537491493041487"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1139199376-751480312194825673311363083011614779863-1235038737-1984672206-1425488451"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VYgIkgwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-997878498718384191644750398-1643704584-779129417-13019819041581131675-1860263257"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DIkQEsAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-28855755688673714512243387061350832845368072093-17414367651307351197-1727656562"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dgAkwIkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UoMcckIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-7093429422059572032-9978026881707808336111616068-2088983204-679749944-1440462700"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "14431276501751026225-1968041801-119859298-235477718984852456-82261329679099527"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-601149151-20587151161568116918635386931377782534-1973429058-1769834496-587692273"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CGEwEsUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2029590555-14580498721931643965-220543125-1889984442-525887593-1187264823998851826"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-164983365418951161291710074906801927794379188425-1291220133-1791046858-1670414375"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\REIgocgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jcAgcwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-14975094409616844020938070551168725606-524258174335898151435506061695570048"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kQUcQAQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "353885522445345741-13185772672130629539102889232210834834317442641572110151771"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KyAEcowY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dKskgcgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1174506080-136628287910087607763824677191327948047450651812-479086740790173796"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1805026214-172531079139414398-273006745-1202569236-759486783-115108016-105316746"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yWgsUUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UigsMkUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fOUsEsow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1250050466871604773-1150427417-2116752472-687136724-186378482911198946501105473663"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UsokoQsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1799036456-165498226716382192171357565317-1999767982-17241072059218630-1292368343"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "432252302-915582659-2015716240-1326315275-726308364-382813603151966361180810590"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\igsMkIAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1400425082457588548-531617183479672780-17402153241812746103470088296-1010889583"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vEMsYkUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-21414527201909795752-116222784115586300561717181941836197257-1773831300-141165833"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GQswQYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mOYQUAQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-10649618441863969573-591353327-3177758436658032-1157116302-14324269941428506784"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\duQEMwko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KcMAIIAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1920920847-12516130801877645091915023546254195289-106325760-525485450-1936911481"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1479890373-523349439-1694475777-1755109760-134836732506356659-2131494142-1058905089"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "50913372414003782477849769684801135361411269435-8430671877311679421014316822"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sMMEIMcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WewoEgoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qCsYIQQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "6351386411337741464-1666600566-2087492495-1550778906-199463618110470791401963366478"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "415374202393421819-511675763-14816345452013678952210302576553153802-1527986590"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZksMAQEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "965989040-530798791-807239022714256294-994343023-1026524562-18048289541629654064"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1294531100-16894162171521594858-844954743134091796311197860471133207352-2061767618"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-481989697-107376638610459302301490360222-523582951936114920-352126195-531032377"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lAoQQUoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xqQsIAsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZKccsUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-88774345314039785321619038102-18286176221841918097-1939309303-1444128070653037006"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1784585411-145767415014186643051016711371611852004148149052-1953007552-1234991716"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgkcUMog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "119696803-1584728467507982819599242181244912264-486836043-852760481-44047034"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BeMgUkUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JgQkEAgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CyEsUwYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LaIcccAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "226119869-328361567-1241988081-487660532-18252175951499379534-1643253163-126607927"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bqAgQUAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kawosoUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XQgUwskg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EsEwswww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1036471153696991314-12807260711050622783850424939-9746464081780317865-1828011214"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oyAwMAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "309995788-7254774232046923504-45668924521341170141400213946-291321417-1659906623"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\goUkcQUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uqAgIYMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1932376475440481077-1763973361979023965-774480942-620739019942201856125549780"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "13867327012144005421444665971-659782664-701819763237102129-162200344-286103028"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EWUUwIQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1253155719-888031582406564444-58538248-665076238941997864-83057692433842380"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1956159302-585540550-1846276771-979778995172123691-376189058-389312445-1066092705"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GYUkQsYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "12065473344791574331677003792438668284681177065-1067151684-1522202501-602810261"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-147762248249543047068595989014040271611609940343-2013900551-1294646801-3480688"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UqkYsoIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MgsoYQMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "332118164-4721966861283959442921577633-1372353726-1259248264-1806880214-1573810342"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "13592861152038675785380594049-1627103380-1552957208-1558415786-9392262071524987131"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ReoQsIIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1305125338-1185470076205999462413119141614717525911120838783-30961554-1289451134"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-686257963-1435287505-17218569582132440207-16340402431281011648-260716632-1837573541"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1510800534-12706308527510698915518332271660008583-1872880825-929986450-1226449986"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pEUgIcwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "79233235657652193418301679021273189251-2062944279455398655986897279486525801"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fegIwQMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1996815485-1735296888871295141-5635557931775692905-474871969-2001409511-1380266739"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-886785284-17627935042324729467355413642092455281518141055-376829506-110757239"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KYkgAIAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "546490661814631098-1825544982159468818461031856828687237-3055072531371902594"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LgwgMogc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1015993723548020822-159494603913836319176100303561466453435-589209857-2085097185"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RYUAAIII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "558700845-1023591604-1524444040-10728837112055362669-666618691-1265281362-1164558635"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "10044762912095805388-809737382-612778849-146050286218092712469080644681816670871"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-90579027-515689281-203320290362365319-792971771-43264133873398658604777521"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "963080724-157243441467503809-12624864347470792547962942-18675563631334926582"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NEQIIgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-451984990306441783-1647111631-21197376-1730821323152178175215886719831679149578"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1866112725-15260492801226773674-6123626493598482384978951081614592954335621899"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "10960098961786493706-784807084-490336669210077337453169638108121905779716181"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gUEMwgog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "12783447131579683879-389894845-1878818635737384101599233802-999360765662346782"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-79314146-1412261301608101908-1433879319692670746-211904343917118031341128970400"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lGMgkYoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5743492201444823946-115995898-1589612931-112622834418261694512146148885-599935284"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1614909881-506383830838716600-2041477529637122627-2551224491124271487-1901660270"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vswgUAkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VCcQoksM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "877142120268156917-2445863002002493108-20179068537393879211160777673-1371223680"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1536874781-1230980082-237074292-1089125528105905234454144239113557146602017719845"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-849440601461846048316049792-475197658-4271284572129592693-1349687650-2097925052"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aGsAEcMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1529470145134476043-342795929-1291688758-775575477-1216389270-1764162130-194915833"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1395646630-1951787833-480806943321724536-1170516879-509950005-250739567-1201454777"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "219222438805216957414109488-1067154353-147079511-2061331486-16153297381979020159"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "3040628398829990874793482201793510489-211019793-26151566910949839481034035532"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "838697505134788252-18670790761090855226-323044828746745636-1729762241-2105433318"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mYcgggEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "19946764111256632926-16376378677640095761083502130563211741-1325993073-1158882908"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GcYMUUEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1252143903-1940258450-1253416390-4963174571237976011-1386956252-119844147-1509460942"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\loYkoEoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1695387779-18674514381492038998399064201-1327493130-1827145937121067593-1521771988"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-72116879015778763482127811743-1523617062-806183134-2039922519890190671446311045"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZgUwoAoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "713209546-5244462871261675141-786378482-9129322795499192411004158039-627544842"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "757248298-170807956816524800-1107647426502134166-141396023737859626126262456"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kCEMQoAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1084032731-1072684921689356299842900854-614935518-13270069101794150858-1981328306"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-900170893-17949946905422879884435771731748586274210503276782708718-1076073454"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "700944418-1763492773-299289469-1006948904006865228691466063543584191094942591"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "637645454-93533561956872985-1756189398770213851399077963-185607552809631782"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yaYEoAso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1028984357442664344556712614-503577548-903878734944250451611408844975594991"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "14297584424231358301574284868402921447589343581874486226-1541974347-866302608"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-10459179771090881441-1885396742-508557286211465504912902285973525660841792547873"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NoIcEccU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1015728975-13066777451343420339-20133014683120519021948904338-1379779705562721736"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "394761393142228183579373326-1712763363-1149513071671411793-966498431906236306"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-17980339749521157274480315781570402967-6759383301502592355-1403663896-1015474118"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cOYcUEQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-6020243311531288420-19102278601251229085759817152-80876948112186822332061025615"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1794053187810781623-263051849-187350476822751951072980702-1684001483-1380784749"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2050540155-98299963512940735141805916361-1490084733285260912-1942619091-33971022"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "535820771860480578-691409413773270-134156958-1765560947-1203495101-57995431"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "6980723901849891601794404291-14757845341344121470-20954221501898246537-1864504517"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RgEAkwsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "912905395-338818144-571233723-717156222-1273478531-502136620-663167714490341038"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5264985206971431191263633249647889239-1497159530-1295719716199270693089136427"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5274442541008989147-5427136351606433703-10981270381015167619790561258-1282673175"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-662491301537589520182460136620136631781106956463-8159227661036161572-1561008924"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BgUAgUso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-508612351434942817-1450502618-4009532021488023867-1015546536-169325267-1824824288"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HMAgsoAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1682859139-289371168-2031444241-1540533344-355263792-1394288603-2044600895-328799256"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-20287202305009604221914594462-1645831523112764910613206684422513396-1411243528"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lUAgoEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "127124797320875011871638461535-17165997292076891021-108920840-417815498-590073700"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1472032837-22023869214503801691838514764-1899509432989602937-722941163692773941"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rEIEMUIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.180.14:80 google.com tcp
GB 142.250.180.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2436-0-0x0000000000400000-0x0000000000438000-memory.dmp

\Users\Admin\bYEYkAUA\NgMccEAo.exe

MD5 c14aedeaf9b51e5e22e08447a5d7a7a6
SHA1 022cc5a431901257492926a53e8ef8685a60f739
SHA256 7a577124cc231a5a78ffd93a8215239d801e172a15db32373d1cd6a1335bd05e
SHA512 ca9f72f865f9f68035edced8b6b23a0e4ee39e4102c7f89169220e92e315437b7d6f1fb8a9527ef2d2e441a3dad8fe942689904670a970f6a05365f0bef7ca03

memory/2436-12-0x00000000004A0000-0x00000000004D0000-memory.dmp

memory/2436-13-0x00000000004A0000-0x00000000004D0000-memory.dmp

\ProgramData\GUcYAwQs\DKoIAYIw.exe

MD5 7fe4e3e87770078fd092160b8e92e836
SHA1 18437742994392f946144ad98b947b6f01fb1251
SHA256 bfd33dcaffd8d75a8937039542175437531aa493c50a3f3db3db50f94877c10c
SHA512 1e066c4cb9e7997a0c477e75e62466c0c891267f3e404b24acfb9ac7a3f41efce6947b24b2d2490fa21fc3ef50206e30233e33b8901e692f347498a3c162bc41

memory/3036-14-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2436-29-0x00000000004A0000-0x00000000004D3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vOoogggo.bat

MD5 eec02e7bbe44e369ecf1818fd24268cf
SHA1 22422007d67f32264ce3050714d8d6a1b7f3340b
SHA256 345287c5a0bd86abf2a61dc7070da65f4d1f134da68b359de6d2cd1509e46743
SHA512 1099d7c80c5c628241692a06386b70c5e71c817561eb06b2aafced4dd8cde524e8a8386de941fa31d9a681b5d143c0bd6e9061d6bd742781092f2e6c29b3c4df

memory/2436-32-0x00000000004A0000-0x00000000004D3000-memory.dmp

memory/2724-33-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2684-36-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2624-37-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zAoQUQEQ.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2436-46-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2684-45-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kssooIEY.bat

MD5 a89dccfce8f678e3f7c587aca9c0ec22
SHA1 cffd5ac7e54223cf1026ba3f6bcc89258f25d53b
SHA256 9bff5f3871e02c01553b18cb54c4b392d0b3a4a41d9180393ce32acfda013417
SHA512 3b2f10f7e7a19a5034b3762d6ff89493c85dd06ff6f419487fd9378a414443f8620328ebeb7cd3d278f88d41f03598161fae12a2e9ae375743370c3e51bce698

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

MD5 e0a80154e2c7c04bdff156ce10733245
SHA1 1c79f105e609481391cd58ee99339abd10dc8926
SHA256 19a3fe8192c7b0b9062dbd36d0223aa2d4ed15e571e2a16ff5090297b268cc21
SHA512 1fe4c9c18322fe7fa2bae34cee82dde8aa1d99bd798fca8486a2a5c857e6c93f645dc0780478a827574cd46492dc61a1b9044cbf8f101305552107f5f4c07e10

memory/2624-66-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2908-67-0x0000000000160000-0x0000000000198000-memory.dmp

memory/2884-70-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2908-69-0x0000000000160000-0x0000000000198000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\JeMcscMw.bat

MD5 bbdba7f344f723d22b5c90c500ca643f
SHA1 3fca97eecb1d6a2af66c882963c113543f85a71f
SHA256 d3201ae7cb77459882a16290c9a43403bc4cbe2f1668c048db44709e5ceb3025
SHA512 6df3ebf90e8bd0993962290c6a934fd9f9aac34bc342529b2fb32d067263936ff01670e7bfe74b2d635e095f129e1677987ea52d543c5916d311a6d9b54aed2c

memory/2884-93-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1484-85-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2396-83-0x00000000000F0000-0x0000000000128000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\xawQooMA.bat

MD5 2a9ad15d83a727a9e5516f493c5c8113
SHA1 68b3a99ed2dfe5f3ca57daaa1b009c6dcb0cebd0
SHA256 452ae5208c5ad76e1c6e41847b2816c1760502b63899a250bd81068af311c2aa
SHA512 27908d1caaaf7e816236dd18832a72b69319d573fc33550f14d745843baa1fa95ef1859b10205b2270cc7461f45f48a1297f7f2cd63b6b72155cb2029280c3f5

memory/2344-106-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2244-118-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xwAMAYMQ.bat

MD5 d0380b8b83805b1b095b0334ab06707c
SHA1 d099da21c32a885004e49c93e2c0bf12e0357194
SHA256 18fce03440e3e4ca539a4c7f90fc06fff80b9e348fcbf9371800e8a871a6f1de
SHA512 5ac60737bb5518c2b47a6878b6ccd30440b0375050dc30f2c0ec192826b5e88b0baffbb9c30ae9dfddb9951ded751483bdd2b242a3c33a8f9efc8dcbfc799489

memory/1484-117-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2344-108-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1304-133-0x0000000000320000-0x0000000000358000-memory.dmp

memory/2244-141-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1304-142-0x0000000000320000-0x0000000000358000-memory.dmp

memory/2764-143-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hacQwEAQ.bat

MD5 ddfb339ff0df0bd82117406a13b6b96f
SHA1 df55ef3b618224bc02ee0caed36b336c3691b479
SHA256 38a4819435e43b17e1ed6dd88c72776da34527a811e25384a0321e59cce0492e
SHA512 c2cdcbd11618b1eae68b676c38e4afa77e9948033cae3d3eaa6846f617cbc8664c6a89957421a6373f9acfa0002d669941ade65ee3678a5252b9cdbefbf6cfed

memory/2764-165-0x0000000000400000-0x0000000000438000-memory.dmp

memory/968-156-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2024-155-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toIMEsEs.bat

MD5 c7dced58a67dfa94b3f6c52e9529e52d
SHA1 ec07ee322ffdfdb9f0db200f9843266570f7bfa3
SHA256 f9c04dbb033ee60523f4e142f84f076869039b5cb2da96e0d044bd9e4fdd5a34
SHA512 b10e36c43b08c6b45489302dcc6456141c0dd63bd2f2e09eb7b1c1e9da5e63e3d5915f0e76aef54b8d0fe02c3e7df0ee5236cb71c2aa226f8eaa6fd7a63dacbf

memory/2748-189-0x0000000000400000-0x0000000000438000-memory.dmp

memory/968-188-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2320-179-0x00000000001F0000-0x0000000000228000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kMMwMcsY.bat

MD5 e7c411c63bc77b25656331acdcf18f0a
SHA1 fe534c363acc80bc0e5409588e9d69b55f479459
SHA256 f9cfd6326b489f6624e3f06296777cb96a97ddd18e6c72dfd0f3952877240afb
SHA512 641289165481c5c81f669cafc0118183eff51e113096de16547339a825312b76fc4f8e67c29ceaab1bceef5d9059db027cb39c8f5d75d2fec6bbdadd2dddd17a

memory/2304-212-0x0000000000160000-0x0000000000198000-memory.dmp

memory/2748-211-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2304-213-0x0000000000160000-0x0000000000198000-memory.dmp

memory/1684-215-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PyEEgwok.bat

MD5 0052cdbb22a1766090d39570cda69dc7
SHA1 963b03fa31771625311372189896e6353d9378f1
SHA256 e5cdb9756a6cc25fa46203b3217f4f3ac36b0b56a5427fbee024c3457d2175d1
SHA512 62cff580aba29745d214e7f7238e6c0bb4644600461edb5546a0b9f4f1f5251df4a0e98cc2684fca688180055880b9066c0baf57f1f1f0b68d4a21fede5c2d21

memory/1692-237-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1684-236-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kaYQkIgs.bat

MD5 58879f74b342aa6fe100d178bf68f86c
SHA1 b9765c7ff85d98cfc8a53891041525cc9869e8fd
SHA256 af6f2103b17a1148e6f8b45aac2a7b7aa70fb0fbfaca362217e7d412a721851a
SHA512 742acb5ccc91bb5da197653cf91a61bce101902cdb69a475552c831fe3ffbfc8a1aee4edd2f6d2fe7a1874916e5875abc45799d537381ff937ed86ff4a48f81d

memory/2012-249-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1464-250-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1692-259-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HWccQcYs.bat

MD5 855f4959f89a18a446950f3171ca820e
SHA1 13cdc7e7b59d1bab6ee28dfe98f66619713e63c7
SHA256 76c9798e6bab133c10635690940ed57b3484a4072edd43e1b7844f4593a954cc
SHA512 7a954589b6814d3b6ebdbb531ea42c946334783373028089c68e90fbf7509eba15941bc3a0f259193b90bdd89f11239247b2eff1599069aa8e873bb37d5a3556

memory/1464-281-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2348-284-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2412-283-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KYIcssYg.bat

MD5 9efb18e802a2ad0e2175840a7f8c0d43
SHA1 d7c1d1a5b98221d902dd0f2605043551533bd53f
SHA256 2d26c87d278906694b4387eb9d07bdae5112f5a2c665096ea9cf1808f3e0940e
SHA512 dc76fc055b8bf0d1affd5d36887fd22ce00337cc25cb241dcda446e4912558ad1c6e1300f161b7e1d7efcd9e34c1a769cae3195135c5c7b6c25c2a15d1ffd910

memory/1600-307-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2348-306-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2180-308-0x0000000000160000-0x0000000000198000-memory.dmp

memory/2180-309-0x0000000000160000-0x0000000000198000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pAYMkUoo.bat

MD5 1fa06db72cc45813916f27d11a23e25e
SHA1 44a00cd5750e99f6ebaa035f2f53f3fdf4febfa0
SHA256 c63734f7cfeaecc728630ca7647d3fb923a6c48df2b74a438f5386c6dafa3a0f
SHA512 531e65cb3d3c4b6d87b7d78b9ced337d884703077bbedbd1cbe7bfb315fec5c0c9a28c8ca228d9c83d79996ac8c0609416c3de8792194441a311adcbc57e79bb

memory/2880-331-0x0000000000180000-0x00000000001B8000-memory.dmp

memory/2828-332-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1600-330-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZOEcQwQw.bat

MD5 6e07a85562a7dd94447125049ed29f62
SHA1 74195f105bc9d3fc173d294fca6f9827f7ec9b20
SHA256 8779b2f9d686aa684787ddf7cf338216cc9c420ec01778992c803fce61e01890
SHA512 4fe6fc5a0b02ca01902d5a8a209ae891f4fb123971dbc53f53eca99029c69adfd82f501adf8ea38c06b3749536ebe26bd1ea60f34f81b16c4cf79245c3302c22

memory/1912-355-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2828-354-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1912-346-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2232-356-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KsMAYYMs.bat

MD5 90b45782ce7a6e3823bab49b18228768
SHA1 9bfeaa8f6dd8046b798434dbc75b2bf6373540ef
SHA256 35124d86b5bc3882787b79e57ba2712327440e3a7a1c91b994eb788fa5519e3b
SHA512 cfd20397668b68fc3b6aaf96f0f3aa2967d2ad41e2b4d8ab22bb03c02d3df1a904798074eb7003566225f653f8fc7b328375cc9b437ea36054f875471405ed65

memory/2232-379-0x0000000000400000-0x0000000000438000-memory.dmp

memory/796-381-0x0000000000400000-0x0000000000438000-memory.dmp

memory/796-380-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2328-382-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\keggccYM.bat

MD5 a18bcf4e91375e291061e48c79cbbd75
SHA1 fbc54ec27382da216d9881819b7653f73e0c628b
SHA256 451412ada97b808b733edda0b2e08b6298a5639ba4bed6e29a4f146db95a2d47
SHA512 ec74f8e0a91cf68c906b751075a22c05aa971cc23efbf5a436f50105f548251707accd7ce9d515c160a2d956a5e53d44ce4890008a077c7a3a1cc1299dcb881a

memory/2328-403-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2472-405-0x0000000000400000-0x0000000000438000-memory.dmp

memory/300-404-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GawcsIsg.bat

MD5 2a17fed74e9f2b069399cc68414299e8
SHA1 46bc8acbd26b5a5b2e01aa0af86e50fadff2c34a
SHA256 ab83aa31c4c797eafed072f009678e9121cd229e9809f2c953f82d34e4534398
SHA512 db46ed3bd7a3ba775641fcd1957d68a681c8dd62f6099176930ed46a7606c2c597c56d5474af30472969097901b3c1f999a5ef2d935803bb5aab8d0272d71e11

C:\ProgramData\GUcYAwQs\DKoIAYIw.inf

MD5 f7177b96b8615aacb6fa83e66c692818
SHA1 a7a03efc4f48ab9d2f85d7bc32d24c5435004be9
SHA256 4961f7d104a8851f6750ed1a2adfbd66d3a6dd18191bd4b0b54119217419aa72
SHA512 2f42320c5b88fc07e2771d61a6f74710d71c21335fc5045951ab18cd631f7c886329daba68741a247ee71531de9ac0b9cfaec7ca2fba653cfe89c563cf8245aa

memory/1036-427-0x00000000001A0000-0x00000000001D8000-memory.dmp

C:\Users\Admin\bYEYkAUA\NgMccEAo.inf

MD5 4fecf058a94f1fd3adc93a4ac536da18
SHA1 bf1d4caa59980d37c46a7425147af2f0f6d8e686
SHA256 2b7376905ae6f4dbbd850845635607becbd38b11d860c1e736a111f2abc18a8a
SHA512 1fb25fd09628cbc5aa106ba6993c825f2f3a6e1729ebb2c3ece475b8647e1d325e1e7f162b1021048464e269ce5e4a164e061fee77819cc553cad456c4e95e38

memory/1036-428-0x00000000001A0000-0x00000000001D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fWkgwoIE.bat

MD5 63155c0cdcc65ed6af15dd2a8b48064b
SHA1 cced75032a6d312049f9f092e9df6da440d383e4
SHA256 750aa8f2650597a3364b3f2dc596d721ee41506cd3d90bc2dbf426e5c2ef5235
SHA512 3079c451dff4057429bb155aef008f002adced1998f3c95929149b4238c6199eee513eeb1ebdee80aaccee6717064df48dc7a8213503fcb05c44c50a7ec2b195

C:\Users\Admin\AppData\Local\Temp\EoscwgYg.bat

MD5 41073f56b77b883c17bd5d1f2465f59c
SHA1 923cf7e60345dba3ae0b9aed1b2df27c00b31d3b
SHA256 6a134489a099492c42b54cbdfa87ce2cb1ec46a777d67985a8fe06dd9dfa2ff3
SHA512 ff99d85e99afb79876425a27dca01fed20a5a2868f84aea49fc5e37ec27facb20dd31b4d0b1616d1a3d4d8c15b0d5be24a5e57cbdedac2da71a1ed15c1eb65ba

C:\Users\Admin\AppData\Local\Temp\YUUEskYg.bat

MD5 93c404820210b74fc141a219cac3347c
SHA1 8c555642185924469092f0aee4ea1ccaf543e9ac
SHA256 a6072b80c68a339e42de08bd97aa25c56be8a7d47b36134a9330de7de4d2afd4
SHA512 77814f1245c79ead58f75b02743408bbccefb7abd3bc57c9cde3a8a0f9fdccfa47bdc3723998e9fd720fba297945384f025768cc4dcb1439b407674ee6d78ddc

C:\Users\Admin\AppData\Local\Temp\GyEgMscQ.bat

MD5 6fc0461124161512888762c9259a4258
SHA1 1105fbd8166818ea5cd430c16eea2ec19eebf518
SHA256 3cced5d6161de367df3bb164b5f62ace3e60363d0abb3687635b547069130b2e
SHA512 32e65e3c9c51d3ffcf6601fc214bc25c0b3b298ca9a8f6995bf27240a0fc0d3f65a1b27a6634adb7801e55a93b4b9d0003ca98495f62c9e19e52e6be31dca83f

C:\Users\Admin\AppData\Local\Temp\LesswoYQ.bat

MD5 1cfdf0e8d0c87a228c1f40d9bee7888b
SHA1 526cb7425ab8d8d55c981974917cba26fab9834e
SHA256 ae5239ec63f28cd401ccd63e9f56e4ede8254a738a135ebcd33e844c18dd247f
SHA512 98562001733fc78ac1c3632e1f3b722c2e079000088dd153f3f0f2def59a8597ff8a948cfaba9bad8fa7f847fcd9c2bf8497c8d8a0556183fc7604f696c13c91

C:\Users\Admin\AppData\Local\Temp\pwAIowoI.bat

MD5 4e6448d6f10ddfa7dd2818d4ac4fbbbc
SHA1 83ffade4557b9ecc09f752b2f6ebd49f2e3be7ec
SHA256 51ee317ad10b13f252033a9eeeb16015cc91e08b2959a48b97d770bd0a0ceb01
SHA512 2f6836ef38e7b51b38c387ce21203317f208f106ff08ff5e2bda4181c32be7a128b0154aa38d25514dc4d99f595d48c54118ef0ada814cbd37575b2554d7b898

C:\Users\Admin\AppData\Local\Temp\rQYQUkEY.bat

MD5 8c4cc12a5ebba644c2aa30e1e14b0bcb
SHA1 790b7a66a4817a50a9a32da18e76317d00f423f6
SHA256 62f28dbe4598c834a83daf0d738ed6df669bfc0f5869321063cb117840f59917
SHA512 63a6c58a80d9e16f0305b763e38419c38a98d05cf184980643abf755dccefa144cddccaa9961782820b26c51969ef7491462a0e357795fd80e711950bf43753a

C:\Users\Admin\AppData\Local\Temp\DsYu.exe

MD5 ff77daf578a5abf1d37f707eaff8125b
SHA1 9f374418740fde367825f45f0ba6f6fe0b2dfcbd
SHA256 d2577fcd3c5ebd05d0c6b401a959b59d2e96311f5221f060f5d2c648ef806f64
SHA512 deb641b76cbb6f7c6f8a23fe551c2e993dc29a6370b5aab4f2c69ab68f6905dc46d24cacf94e355aa715a063fb307a090b6f63b5f696a87436601c2f2d3013c4

C:\Users\Admin\AppData\Local\Temp\MiYEMcgM.bat

MD5 5ec7270890d27b334c45eca986d88b7e
SHA1 85c95143179cc6faabf42bed8129fc3c2c185b82
SHA256 e50b16f9ec90aaeccf4a2673bc5fb4a85146262e9ba3092eecaf4f292a8e0442
SHA512 86912a39c23440065e3c3fb9aef0a7019750d74e99ec4d498d48ad587d23993f3b091e3836ec457ea5e8dbc62cbd1c69bcb0f3ba13f7884d8255783069618f4a

C:\Users\Admin\AppData\Local\Temp\LOAEIUYU.bat

MD5 7efc9963ddebc9af9c5b77ba86984df6
SHA1 7949376be9c5df9ea5c48e47d788b53850d47145
SHA256 3ba6a10b1551ae99717cdadac0d178aad24e7a12f767b3d3a9929872d2cfb681
SHA512 5384782c16a42f4a6c6af86e8358d9b6370fe2d128e19841d52c5d0e7599d86fc0f69727bdd5355394b55390355c2b80748fdf7207aa4eccdbd1411642928dd0

C:\Users\Admin\AppData\Local\Temp\KmoooMkk.bat

MD5 ccd3e2580ef8ff1335d1ddd58da515e9
SHA1 aa78ad3034a2767b2fa54045b5452654df8556fc
SHA256 a87ba7f5821003d5b9cad5517ee1ef5b99bda5e95b49b17a9d5ecddb10092f13
SHA512 c45f6349673358c35944bc3622bdde177aa680cb782c09ae9f195d86547e18f8fc720b2201f860d07964e682c6f6e70b158b7d4eb07cb3e12806635f0c77a9ad

C:\Users\Admin\AppData\Local\Temp\agAgUkgI.bat

MD5 8c340b4e4f7a80b8be61e82319440e2c
SHA1 de59ab2b930adc4ddb6f9e83814fcdf9e47ccf44
SHA256 62ba24f8ee56fa7f0493b94bb0869a209baca95a1074076ab17441bd261fbb7c
SHA512 12cd466e56ce7dfc68915626fe87342426b63ce95c9d5719773280e5dfabc481817b5ce038d5f064101c538326b3b2f6b510e822d197a5236d18da200f419f56

C:\Users\Admin\AppData\Local\Temp\OYgMEwsk.bat

MD5 3a3e267fd1bde55bd253078573a72235
SHA1 6d9aa3a2d2b222133f6dc1d08439a3b93efc0b4c
SHA256 e1db7dc9ef4040ab09eb14ce53e3db0cb85fda3c68a7542a8981ec589047660c
SHA512 22d13a29af816a7b5e5e010bf75b8b6caa2153ead7f06e142348da0af90ea97f86a355770d27a88716eb18e48c2dc76c41d1c642029a7f91e6872a79f900a02d

C:\Users\Admin\AppData\Local\Temp\tackIYgY.bat

MD5 f22494ab05be5b9088d11399193ffaef
SHA1 5de37ce0dbdb405457d0afcf03a68fe1f62cf8c8
SHA256 a98a567fef8938db2755eaf8ebf93ea5318b58c6ccce684f03bd11a7cecc4020
SHA512 f02d162fd40c5a9cbbfba03f02cc357859e2d4a49f020a1332302ba9381ceb1eb7834ba5320f5892caab558b7c39c9d8523daa67d3e7f59c93c052edaedf637d

C:\Users\Admin\AppData\Local\Temp\CgkokUAA.bat

MD5 6d4906f247f21a7b07f4ffdffe47d860
SHA1 474a4fa0cc083fad6edd013ee23128ea11bc435f
SHA256 38c42a9e58f6b5d9148ac9cf680349be168201d4caf52e2db67f3a3a6537d17d
SHA512 1b1acab81d2b470b5a5a721c3e52cb8e271f97aa5685290a2476778ada203dfbb31e0f70a75cb1be48e13b6784c79509ea904a72e26988f019f20fdc524a1523

C:\Users\Admin\AppData\Local\Temp\YGEYsswU.bat

MD5 a0c514044147d4ad5aa27e895a2f434a
SHA1 c1393f6746fb158a2a62db9274220b10a7197a1d
SHA256 a14f7d1acbd231028c291598f20af14cdbe7ba2e80f3c8b6393174bd1d4de66b
SHA512 11bf00956a79cfdb5b6e4e60eba8a3d1560421abe43729a92ca3ffe6c23db178de85d7832c4629c23608fb60df7b63414cc978067f01362323f71982d9f28877

C:\Users\Admin\AppData\Local\Temp\VCYIYkgU.bat

MD5 95b0e9eb64953508bca7fe072e9daaf0
SHA1 f12c22b6597178ea5a4beb38d815333d1a3e1b4f
SHA256 32fa94141537982663e9369bcddb74fbf1787607a88a3601ecc7501df4e993b6
SHA512 27c197de4b304dc48bd38808e5c8b6203f3776ce6770e23c1092bf999bfe50bccc207316c19003844a4127e88dbdcf387d0c17f71da5ba36c4c094cd58d32540

C:\Users\Admin\AppData\Local\Temp\GwoUEEEA.bat

MD5 378d67a7f24d48f8727e6b8dc008c8ff
SHA1 96bf758ff68f415cfd7147a90323d625d403c1e9
SHA256 007223149cf507de69a189db6bc0ca35158e151c1b316fe2db3bf5c671373bf3
SHA512 edcda27de4346dc0698338c01ba56290aa13b431b9dadb823065fa0e2e5d2b9b50844fc056a7d9ba0897ff1e18d8613e9c4ee2abeaa6f23e1e36bf73c9dadf4c

C:\Users\Admin\AppData\Local\Temp\XgUAQsYE.bat

MD5 914948e9a1b6153f9240256aa8b8e360
SHA1 a842b92b2a43819dec6a422749b090294f1699e4
SHA256 ad7b6ba3b7cce9a607dd8af36a9044547b911655f62e3618cac733c12098af01
SHA512 04eb7241f6f119687a354d790cfe459030b3396fce2208b77b0ad183cb155061d5ba95e700d1c640bbe000d95b9af0b4a1ad9ed65ef0b8cecad7a220e16c7e3d

C:\Users\Admin\AppData\Local\Temp\PSkAUwUc.bat

MD5 9b50e9d49fd7d945d5086e34b7862106
SHA1 c01f9cbc1fd7c6538b4a53d00f51dce7dfc2f046
SHA256 44148c592b8bfb0d488a659878d503b864ce4249492dad04969915fe98a7b98b
SHA512 1fc4580abe7ee9c538176b018fc2a50931d7b1f44c06347ef34668f275fd8b4b052b2ec737c091b88c16b950b911ccfb49c2440a6cd3b97856a88d678b8dfce6

C:\Users\Admin\AppData\Local\Temp\HscgQAQE.bat

MD5 02bd792ba8561b6abd391d7308982450
SHA1 9a83ec8eec9807a77165aa620045cfe6162136c9
SHA256 2ca7967337f1892e02dd75d3c485052b6385a0e017b10aad50006bd16ca7dac8
SHA512 8861e1a0386b4f02091267fd41450a9da5fac5e7dba70f8198b336f1595ea5ea8447b08262ad8b14db32f7cd552c0b1af7660e90fd14d7cda0260ab9101de81e

C:\Users\Admin\AppData\Local\Temp\zoAcgUoc.bat

MD5 ab4c67eced99e089ad385a34df3df407
SHA1 8c6c613adf12747c5265fff19802fbaf3d80b865
SHA256 b2b6b9c5553144b48d6c1660241162a860ae307880bf97016a1a5aa0295b57a0
SHA512 a7d2f4e640b714e89dfef12450727a7fea65e4792fe69b5bb78830d7c5b7544813f330c7dc335cf095e610e39729fbd518a3e68e14c3cb325d9d29f9365a52e7

C:\Users\Admin\AppData\Local\Temp\mMocUAAc.bat

MD5 3d79884f39b4c98be4e71e2c94b0977e
SHA1 ac5bbf0e544f97e90a6cf338eafb73269dee3990
SHA256 3ad97fd1018ed14fa901953f0190d9b6aa1938f7a0aba8abe7667added741f56
SHA512 2fad8c183f8b230d0a1a634c50255be3a7f623f06879d18661e690177d1f9ad7ae93a564ec6f44b1c8d990a72eaa87d532a4e8c0db58887f09f0dd8ac4968309

C:\Users\Admin\AppData\Local\Temp\keAcUccM.bat

MD5 f03590735a9a2e7c1124a19cbeeed6e8
SHA1 95549a4ee57ac5b422d78c562f71c2adadaa211d
SHA256 7d97095ab7a8fc03f7525aef54174349618f77140d22597c8535cc2f0855104f
SHA512 7b80eeecd22b6b3744d1ef880188d8cf583ffc7ed94bee3f0890ca40b31e5f291452808d065cf65287e823971a0cf15388cbdfea3c86e5fde721277eb1bdb84d

C:\Users\Admin\AppData\Local\Temp\OyUgcIgM.bat

MD5 a2a4b4bae81fd328ff8da224a6fb1f25
SHA1 730167ec0c55edc1ea17ccfde837a9ec85b61cb7
SHA256 3af785cf491a3558dd3b912b439745e8769167f1102cb5e3de1e0b4d66607173
SHA512 794c677cf1a02406b6563e0df4a2229205e5008a9d616f59eec07675d9e23f08b68d48fdc594ad86f7ca63970fbaf0c236cf2b27b453baebf11d0284e07d93ad

C:\Users\Admin\AppData\Local\Temp\DIYQQsYc.bat

MD5 6cea5eaa818a17f0927a1b626e060456
SHA1 6a86cd0b411c62bff48aec2b1b2613137285e24e
SHA256 65390abc2ec06bacd70f105e6e47e9df75a63bb151b84f1dd01344ee230fd32a
SHA512 a8e36725693326503617ebdd67bfb6c03cfeaa34bf7d08080bf756035ee57d7682d699d624a1acdf08f5cc323569346772ace8f6282a42f4951028337afa706e

C:\Users\Admin\AppData\Local\Temp\hOMMsUgY.bat

MD5 dabb9206d69fce00a0327f92fd21b31c
SHA1 a511a99f3ae05c13e39f4bb1b38c084fed81cba9
SHA256 b9df765908a91464561832c051a85bd75b62a9d468ce48d912bd156c76c63efd
SHA512 71a50137236c5761222c99ea43fef8d801ce62386cada0274b7535f0de4cd051e816dd832f830613131a56fe05c90bbbe2b8347fde31f818f8492cea06478bf0

C:\Users\Admin\AppData\Local\Temp\fQoS.exe

MD5 c6bea4a45849b32edc87b03460113d8b
SHA1 bf2d7d340b2d3cccc5e51c201f330883a81d37d9
SHA256 a3f66099be940b83c78a0a1636f212d2a77a61b07806f59b179a4b61b88f4062
SHA512 dd957fd14d3b7e2348045e8da5b0d3755f18e2b4f5a8b235a0eb1b2de9d1e15ebb2c85fd42c917810dd7a79ab04b472753da96a8261fa3436761e2e903e5a65c

C:\Users\Admin\AppData\Local\Temp\TwQU.exe

MD5 722e55c95f0dfe6c648ad35e286f8167
SHA1 48df31918df835c65b3998e318875adca30f1bb9
SHA256 7637c6ca8aae16802344f207ac396302b8376535ae062702fda4b5bcf8938565
SHA512 63124897558542663c86a2f88b8465b9090a6014b3743edc56f57c790f3957dc1bff09e527a53f53eddbade04b21948f7f4a6c83b68476fcf80c0753865349c5

C:\Users\Admin\AppData\Local\Temp\ugge.exe

MD5 445f49149b359cd7c5cf7a2d1147bede
SHA1 06cb58f1ecda895b99a3079672dca735b44e6044
SHA256 7540bd3a6d61057d970dd7298cb9123cc598d808cc5903fe192c3975da860130
SHA512 7da00fb97b5e80004afd1578107b3b979ac30a4bfba86bfa5e760dc92826b9d21a337b70b29d0fe51f8d9ae0d3e6750f5156ab0a0ff975473f7bc34b48c1ae40

C:\Users\Admin\AppData\Local\Temp\Iwcw.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\pgYA.exe

MD5 87a6d7cac9f8505b140085db8711d24b
SHA1 80a7ee7c7058e2f16eb2e82684a7e0a7b27bfe7e
SHA256 2034d400864b50ad4e4bc6def06391d22a5896ac54bfbd62297f03ca8a8b9e56
SHA512 2cbe8ef9c122f755a37407ed8794b0519d25cfa841d400d01aa376e482e7a1eb141f44443aa639140ca0993b4dc4a5bc6535395bf2e323be1d519c3c0eeac887

C:\Users\Admin\AppData\Local\Temp\CUke.exe

MD5 bf143f100d49b4c9172fc1f6484534b1
SHA1 3d7841d3c0ea85926b23f96700726f831836229c
SHA256 a1ac283b54c8f26bcbfc7f163474a85666806a67411cc0c594c87dddda73b9ba
SHA512 c87cf0db1f1fe7b5adaea7b44d263fed1baeea15b08929592e28333d2b8e00789ef0eaebd7e070a90e9c2f76b3f96f53ef0c1dae826858235e33314fa042c493

C:\Users\Admin\AppData\Local\Temp\aQwYosss.bat

MD5 f32920369d113843e7d99c5479c92828
SHA1 99f56d27a3ad46863119d7a548f0f590a148f2df
SHA256 f8abb5598b3c961a5c961568c26daa8b61c4c0a045bb5df7e9e5dcab1add9c9c
SHA512 1600bcac1496332808b237ddfe7848d73d25d54479cf025e843d1c6f66298d898b86e24e1c5b93e66abcbb9f8b2f327e1ba9cf7806caf08875a5a7baa7558692

C:\Users\Admin\AppData\Local\Temp\DkUC.exe

MD5 88371aef1f130ca7f8b3bd8f5779c1f1
SHA1 718eb93b7e6caef6a7fff9776296e3d1e7fca476
SHA256 07b4d87918704bb29c574ac7a8740fadd96ebf6f5652fec897431d255adf33d2
SHA512 95ed651044e370047efea8e494ff325f2deed504f3b401bcb8371ac78f7d7ab555b6015729d07d27b1350965df42dbbad2e4144c3eb0eee274c18ab87c82ae04

C:\Users\Admin\AppData\Local\Temp\JGcIAosQ.bat

MD5 cd444d07e7c3fcad7058748f0fcd6e7c
SHA1 85575c3033de4c363748598b99194f9da17545c9
SHA256 9df76073c89a82c365fa6679f6c06102e71f57647f368032fa104ae33b2b048e
SHA512 c96324c1835dd107889dad84303da8ba8c4cdd10fece4db6b6c712615ae716dd2a157d41127d23373ea1e529dd99bc5c34c4eead68306161043543c0bd6c39a6

C:\Users\Admin\AppData\Local\Temp\towo.exe

MD5 a74cf536018ad2adb18d4a25efeb4f6d
SHA1 73ca3460e2c85d083f71a4653145a90bf29fcefa
SHA256 99262e11b1d62d9b15cfa500d0501b2ec28bf26ed05e51a78db706722bb4b45c
SHA512 5a94e507ba6526fad033c365f9b50a953634e6fd1f06ce1ac15eeba250eab05cec7f155e3c792706086fcda9d6277cc176995cb1a0e5cf36dd9b6f717ebbd458

C:\Users\Admin\AppData\Local\Temp\YEMa.exe

MD5 bb78913cf47efac060389e8dda6c3533
SHA1 47ce7a4f65080b12dff3030a784b52823fb3db59
SHA256 8bd97a5c25aeec362e8800a1039fc555c36ba2fa2f4af3099082b7b1eeba4d33
SHA512 927511767c0da23bd5d41077b8777e1e187bca3874649be025316a7c8af83dff2e5ec6c52480ffa9d29a34eeecd69486a22b72e180dbd4cff26ebb5c4c720523

C:\Users\Admin\AppData\Local\Temp\WIgE.exe

MD5 031d4b0f468c415dfba85058c2a01c53
SHA1 705d8ad552a24ceb25dd54d149b928d134d95318
SHA256 a62a80c84d4dd540f98a657a216999e58e50acb8b58cd01ed1a74451040b098e
SHA512 1ef746773c5d8337d3be571ff9a792d0f81bc04aa1451e341d245daae7a2364324161e4978a497b1fa3b956af0dace2f352d6b57ec369a0c63ba2f99d389a4a4

C:\Users\Admin\AppData\Local\Temp\GAoQIEok.bat

MD5 c4e7cb530b89944fe5fbb1010e0609cf
SHA1 45bbaaa03750d4f55a62bee3ee4551c497480cc4
SHA256 ce423318f49647c224b139cfa1b10923295f027f09344bd1512f1e190a3bc704
SHA512 e4bb0de7843f959384e67896d73d4df2923020534c7a366d9842359eac5e3938d524b8d323fbfd8973c25ad2647f47c3eb9e25358b7948bb73dfbef2040019ef

C:\Users\Admin\AppData\Local\Temp\aMMM.exe

MD5 ee0e2b6510bd1a0f941cffd25bbd3585
SHA1 39b84f33b9a428584267524fb7f3f635c400b0c3
SHA256 34e3454a21b1331250c7dd4bd3493d3d090dfdf08442bfb7a6b689421d1a95dc
SHA512 b80e226f5218596200abe9e75bfca56bb839a8b538538c44c84e11580096e900e767ecad881141e72229dac476093b80817359ff425c8ffac1e067501df11fb1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 83400072d9d029cff6c98b7d7e9a8f47
SHA1 d7240f89d5a4e1bc3d1acac9331da527520c2884
SHA256 d5ee66aba7a2ff9c612ee883ec790233e66b1a75af792001c34ed73f901b48a8
SHA512 cf3af7f8df0243184e55349d7ada31ce619c9c36264121341534a3082e9313cd97b9fe6765f0e7885120d5e8c09f80664ee81f140ff5f5f7e5fe64decb8c5d62

C:\Users\Admin\AppData\Local\Temp\qYAg.exe

MD5 6267f68be075b645fe3e1cbd13f39655
SHA1 bff93f96afb02ab91dc5a29d363a98cffa96da6a
SHA256 5f335b4fab5324c652738ddd49501b44ab32af317bf128932fec0cfac6517409
SHA512 8c4ba51abda323919a6cbc0cafef4f0433fe3dada9c5bb3ce291f11801b85fe52932d14491c2d050d542e773eaa7adf908ad7a55cfee2ed546680d065e3e04a3

C:\Users\Admin\AppData\Local\Temp\FEwE.exe

MD5 ee1ceea643fadb1e5549cdbed13b647a
SHA1 56d3d22f91ed4bfe686fe1d6e7cdb27445b533ee
SHA256 e73d0911cf7f88d93db4bbd8c54b808f1dec1698e8420c2d9ca34be665621212
SHA512 b09f7a1b56b37fec1873678e35b14beb88b794e91f6768152c529dea6da63f1bc4c2902e5a55eea388be6c66ab54116dfa6483317e6c478c368bda807db90060

C:\Users\Admin\AppData\Local\Temp\hOIMMwAU.bat

MD5 3d6e03d6410ee37992ca741228cefa4b
SHA1 7a40fed92523650943be1a83c8aad66677dffe5a
SHA256 2feb76b9c63735c152b9b2d71fdabbe0bf1732020d3a84ca2278ada133d640cb
SHA512 60369c26844b20ee988dffdd79728f04b18ed581466d4a3e9edaa23d36d494dd01566e263e867d0f24c118add5d8b9cad38e2b4d6b46d79cad61d584589eaf76

C:\Users\Admin\AppData\Local\Temp\ZkIy.exe

MD5 a0f3b48aabb050d250ac54e4e530cc1b
SHA1 e5247291175cf6342ccf8604968709905677caad
SHA256 8578693f1114be5a216164e7df18ad287ceeb18259888f0f13314c6d39540289
SHA512 0f0cb4d7b79aefe55689a89d3fd33afe709a3ebdbb73b6d759023b8697ba2a6f8ed6e96a09a59816bd9f78eadffe5bfe9e08a16bb690ccbbad9609bb8d6bd99e

C:\Users\Admin\AppData\Local\Temp\OEwM.exe

MD5 89a3f123494fa4a7a1c59d7e8c96a239
SHA1 23e44b8f8fb6bfb1b90396c61b69beaafa3ef9c3
SHA256 f0c514c6377c34529594cb7557143d03a873b42826e8c95ee5bcf7377b75236b
SHA512 73e71e0614b483b725916e6c9f4d9b7feea72fe256742d6b813b28d9b06826860b615e739598e4ffc84be9c9e5dd59014ad530dab488e442e72edc14e1feb82c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 060d5b084bf09bead6300bc8c6e2db84
SHA1 4e365e10f2a14c3f3d54225f90d25cc55ca419d1
SHA256 18d57291199fc00569b2f6b7586f7ffa1cc54fac445610c4158310d6e53a8714
SHA512 6ff8412c7e1cf9019b0c9ccb0c0cf6878dd52b40b1b15e063dd210d409ab963b17b2f5bf62bf503cca569932865846050d1d34fd484c18a86f3291cb0790273c

C:\Users\Admin\AppData\Local\Temp\HEMe.exe

MD5 01a999d49d7210dd10db0b6a439d4f58
SHA1 e88e6bb2405f8ff305d92b81397c268cc8224a3f
SHA256 59dd068a8fff2fcca1368c768758ee9fd831cc5c093a504874db2e824fa4817a
SHA512 af93176a99132eccd93ea11c3136a119fffed04e4583bb53a55552406ba5d48c682512f360bc6474147d105b04e7c934aa3551fc4391172de0f474d1ddbc7f88

C:\Users\Admin\AppData\Local\Temp\GkoU.exe

MD5 d3b158b33527bfa5415da96d6a4268e1
SHA1 33311342828771fc19e86b964a0f820d6f29d0d3
SHA256 cc8849cf408bc5c52d10f67f74072118b7a046a5573153dab753f7bbe240ff50
SHA512 11c5477f8c49907920e6816b79a2704f02403eee7c4ff22fb520e6535840a511046edf90753f9019ccb83164813befbd7d98ffebdf189a279017805ebfc3d47f

C:\Users\Admin\AppData\Local\Temp\baIsgkck.bat

MD5 0d8847eb441c2d3da22a856e35324f43
SHA1 c14b08e9adb932ec2734a2eafc67c48573bdbe33
SHA256 b3bb3a3ee019e1e6e4dc1463fa004512fc15977b12a00eabb94009646c8916d7
SHA512 06ed1a48e00cbc3ea6456e12c0649c1915fd5914ef634a8f95c6ec7f3fb6e1338812ceff8542706de7c69e1206fa5d4fcfbeecb23944eab6386a702bd8c92c11

C:\Users\Admin\AppData\Local\Temp\GEsG.exe

MD5 f7f80cb2bca8eef3761d2db7138750dc
SHA1 0ef2f4fa12402e1fa20556e16f8588d59ea91e75
SHA256 9b3b38bdc32cbc24fea6861f768bc2cdf62850bfb613bd570647bda5a5005d5c
SHA512 93f9381d73c53de1f726caeb1cbf829a911dbd4c9fc089d8c9ff806d827068c48f8f6d7b94d511774c891d76786512f16211cd7c418a7631eea33b0398d73c62

C:\Users\Admin\AppData\Local\Temp\kAYA.exe

MD5 e32dd32c76e4f7af0a60894e1b0751a8
SHA1 3702f3c872661f1515666c5ee411a857f58ade11
SHA256 fd716ec31a86d5377a057df041770b20ed401edd3305ad02588d156e68e54140
SHA512 2c1a0c834fa1400088ccaf9e04a0fd3b46bc43691b37fbbd071a7995bf777713194de55ba8a3af2f67a93b91a6e7d7085aee84302becda6767625238c9dd5add

C:\Users\Admin\AppData\Local\Temp\UwoI.exe

MD5 3c8af2d74ca9695d13c59bb524d36d7d
SHA1 ece525850f3fbc0da402eb45f3e6d0ccdbffb40a
SHA256 f0ea24e67b8712c895412fa1a1f887f5d1100447991bea77d604818d0acf6f0c
SHA512 d418ad745a36386430473d82a0df510401b7c03d750270013f6316ddaf7d8b9ce5005133cab67b50209e5c3e9c73983099a851e9014f5433e7d155980aac9bab

C:\Users\Admin\AppData\Local\Temp\OIMy.exe

MD5 ec079863dd42d7b1e4af8c5b27802c51
SHA1 e6d503659aab5a73456eca2c6c57d90130a1b013
SHA256 79f664bf4ab4cce9377fa4aec3965a4b94bbc1f4f3d2b6904dad6d53611b846a
SHA512 4f27de412d1d23d9ccbd90bfd4dedf83fb60cce36ae0724fc50ca7fa6b2bdeb04bae88197f68f9d3fb2fe01b09e684dbcafdf4d706a03df4f83f414159f6c31e

C:\Users\Admin\AppData\Local\Temp\UAAg.exe

MD5 39e1967ccfe91db635bc84275e24aec5
SHA1 83141e509d5755cdc78b4cb9aeb6b225d27e9f46
SHA256 ff517333ec6693242a479695c8017cdfcc6478930d315183f27c4183bfae3c1d
SHA512 b572a1822f9e86ec615a8cdd135a04d92c1ed4e01f5a6f776436d6d66d749875ce8dba09fad1d072fe565eea3e8561e14472d945d5f42593b22b9a8a19c2ca78

C:\Users\Admin\AppData\Local\Temp\bcAowUYM.bat

MD5 1afd334a8ec33a5539459667393d02ef
SHA1 f086c2b689c845bfe3794756bf44776f8990f67f
SHA256 dd6bfa164c107e104b29ef334ca3f786763b39cb7e2e0d8aabc364c35539995a
SHA512 2e110de48de79136738ca3459c8ace2bfea207b5963fa9874aca98abf01e4c5c25d3764af6d35e9f8c76dcc6bd1de548ba1eac8217e8facd6cbf975d4d0cb605

C:\Users\Admin\AppData\Local\Temp\OkYw.exe

MD5 006867b3c6fec22be671a74c8dcb9f43
SHA1 e9d8e1c9d386f832f500f1ac50f6849f342e1f58
SHA256 bed72abaf4966cd13feae3fe0df1778f41d267bea78fb6643e8a9509fc3ce0c3
SHA512 11f9a0d9e2cae3276e42974b4a01c1e244200e434c34c82af3a70b1996970cf9c92ef4006edd3c8ae392909d6b2b2bb01a65fbcffe920edaed4b8e665d716007

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 5f6ef639e95ff6fc58579e049a37bf03
SHA1 2b3c595f24c53091c28146b61329850acf3d103c
SHA256 9dae408039b66a9e000f4bf59ce41dff1d27edc42622c0db8979aabf32c06492
SHA512 b73060171b3c753c2db184be79a2d3c2f8e17da831c6685036fbf2c17d7acbc585135eb03be964fedc0addca743e5c9e9225337149fec08c1a78f10f42cec745

C:\Users\Admin\AppData\Local\Temp\hkkc.exe

MD5 2459c1a85653b4ebdf5a662989e09a23
SHA1 f1b064678d17fa6a0e4b5521b4395eb73397bcda
SHA256 588af530195ec1d50368f5e5dd2bfca21e614a05f76b8b41933fea7e1e9672bd
SHA512 ee97d35e1a2aa00d2012a5f5b102cd706273ae47d4c3e964ce7f213c792a309d6779217f5f393c3a1e5da4b9dfef364046410b1d9eafd54cb9a78901df8e6aec

C:\Users\Admin\AppData\Local\Temp\CCwMsQcE.bat

MD5 88e49b8e84db69c5a03d91156042d453
SHA1 32ae465472c6a23ff511690518d902c19e97dff1
SHA256 449777a5d1294ba443972a38ff8b07e56ebe6ff668652be155d98cab16849d27
SHA512 3b2ab58b2fd2ea67b6066f2e39bca08c878ae9171d3d1d3a6f3605b7b951bf30d1cbee7b72e0305f7443768ff7f1f5774401432663c23805ebd7cf267361e4ca

C:\Users\Admin\AppData\Local\Temp\JIgA.exe

MD5 6fdedc07d15114b06368a5bb47f0d694
SHA1 199d4806ec37584135bec60e73ea761fe9772df4
SHA256 ea180691c35e28c8c9d78d3055858bd3ee12f597e073ecf929bcd0ec0cf92469
SHA512 2c53cffa4bce4bf945420b1e15d044a3ba280921bcb9d61e8571d799e25157012760ac82c1d2a8c599ca0fda4f087552bb8aa9c47c00f486284fa8080951746e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 dc26cdb7ec48ca2028eb95b4bef95ba6
SHA1 23db01171c16554af8d43c3ccc5e83bc58a5aefe
SHA256 2bb26d88263725a63b0e01008f209c973e79a7f2e44ffba5d5c63cb26f8328f7
SHA512 263afb4f71222dcc09089e348435d82f5f6327980079239094a4efabf9f6e067f179689067bf126ddde371d6794e0f2c74e0f08b96bc0de1017186f344259815

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 d339305d7db251a889efab2f485d2963
SHA1 3c7d4f5275f54a401425103e03807002ccc19755
SHA256 d9e2613debb09913c28631c86dabe1309d46deb29ed764b199803b3304d998a1
SHA512 9d476b715c051c12820dd28bbc6e3ccef90a3e0e451f6180f2a5f306877d522094be15c7d9a2d2c136ff32a51e694a42a54343434991bb72361f03b6121dc93d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 615664d0e7ca6f290c8dcfc7045afc13
SHA1 0ee9ee8554ea49f3ba9723b512fef35b2af55fd4
SHA256 a5d1b705bb904f1a4c1462473f08f7f651c937e04e59965e67e348a01c3c4860
SHA512 02be078eeb03ea3ed53d4a21bcd53f5f20c888b9a140c55855c066cf4b976a676b2df8eb183cf84fcdf1504987b75a234ae68cf49fdd7192e7448a57a2cb3d2d

C:\Users\Admin\AppData\Local\Temp\igQs.exe

MD5 5b30a6aa8092a6287d0fbf31fd5944d1
SHA1 930f243c956817fc1c1d7334b4bde3876159ecf8
SHA256 059dd439a679d2e107f2d28221cd37c07843092d7937eaa233fd6039fe2618ec
SHA512 c65adbfb84df0a682dc88c13e0880f9f0f24da7457a0cb0c8ed1945cfad2c4137aa55d8041babd4fd391f6e9b2134819c68a49d1cbfd45c64b51af650fda24fe

C:\Users\Admin\AppData\Local\Temp\OsMW.exe

MD5 6ff44c9f651d287dc69af25d1ee57284
SHA1 ed8c57ff50ac0ac5449d36145b991e1571305cc4
SHA256 6566cc00665fe54bcaa28e3ade48ca19c4d1af93b7ee3974e5b1359b11725d89
SHA512 ea0f184a6c49db987d858445bbae498783b041fdd34ad5c6e23f5a26ed38024b8d0b713084690ee5eed957637770027e9553978823b70415b900d82b710a4762

C:\Users\Admin\AppData\Local\Temp\sGoMgoos.bat

MD5 e00ab987ec34652d69742385e1e9c8eb
SHA1 88aa688c9c45c9223d885649706f04809bedfa62
SHA256 60af17e8a703117e19b576f40b8601ad0fdd6d81799654ab9159050b26c78996
SHA512 a134d53ca1b0c0756d100a835c057f0e80de5d25e663e34bfd425f24fa0d2c99d7277053d675f721b33278ca0d6652acf2c01fd6d3aa4704c60a18ca8e6adde7

C:\Users\Admin\AppData\Local\Temp\bwMC.exe

MD5 17f4173fa21569feede05998f7c7a502
SHA1 f836c1edcfd0ab74515d6f81a665f2b390597975
SHA256 a0b1cbb6391d6868dbbcc3fec986304a7e186c4be67a32c4fb27ebd01adbdd52
SHA512 57c7afe0a4ede5f9f7e56982c28676255dcf5354db7be766b63cafc1acf635d7cf2dac91effa72212c08a6524b8532ffdb1bd22831fc194e7458342d608d8134

C:\Users\Admin\AppData\Local\Temp\zkIe.exe

MD5 82cec82008fa34e7f24d49446f3b2805
SHA1 9be47261164839f8e414f303b6a3b576c18e8aea
SHA256 3e13a8fc7dc1a5e368728dcf8bde312b266f9b67f50e6d84e9694649d551ce1f
SHA512 5cf06c60ca5acc50ed32be63f3936e498d9774c84f1d7d74ddad2a108ce6440dce9dffa655829c7a649d6318bf9bd14410d965cb03cd07ee76753660bbc649e7

C:\Users\Admin\AppData\Local\Temp\DYUm.exe

MD5 986da7f7e96333550f419dfe57a50ff5
SHA1 97fa08d0bceda616cfce9e36206f6ba444549fb4
SHA256 5de569a81ddb2d479383543f9b40a89793e597da29b707d1ac9ce977d4c4db11
SHA512 09c37892afb1b4103b29d5101105ff5d0a3d3c81bcfef7a47f553e8455236ba2e0ed6df35060aebcc29ac08f00bfb3e946d7ff26ea41d30ee31c0bf50f266efc

C:\Users\Admin\AppData\Local\Temp\rQoC.exe

MD5 5efef8f242a6564f007407e241f51f6a
SHA1 ce5a14670c319704165fa3ebfd3937e6a5ff9dd1
SHA256 462a55417998b7015663c879792483d37d525c718c28888c36f5f8661758b971
SHA512 cf53b24f16fbcd79c771eaa053a5b8ee1a01672d7f65f8fd3794613c585e8630efe479f1d494f7bf9a3429584a28afac807597c00d5d120169d17feb3af1313b

C:\Users\Admin\AppData\Local\Temp\newkkMoo.bat

MD5 2f6fbe95d2d256af467a79474f51c9a0
SHA1 a41e02c4c155a5d42059a91ed7c6b5a7a939d9cf
SHA256 3c518981407e37758bfa1fbcca72c5c41410492978d88c9233b8241a0de58ba1
SHA512 057a7aa40c0bda3165144945bdb48b11b0baed2cb8dd54e4b33f4d49a211e3c579ecbf042e5f3328c84490392888222977ff4e167adc1921f2781f42288fcf9e

C:\Users\Admin\AppData\Local\Temp\DUoo.exe

MD5 2842a81337c96d33c3baead583dc8cf6
SHA1 d59477a8b24ee6587542a0c0e556fd91ffc4ebf8
SHA256 80eb995ac62dceb03240b39693d9d1430d2cffd0d063f770fddff93d1f4d1694
SHA512 a54a6b2c990929f1028c243fd23105f163fde5dc45cdf4eb27f050e243d6bdd066a3315a2aa2106a2b062e0db1dd94b6494648a62e80ba0603160e5d414064fb

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 effa3df7da45e31d60514adac03a03de
SHA1 9d5e18c1e83b0afbf6506a4207089fe56ca616fa
SHA256 ee2449484524932320874e2b05aaa20ffb4286a23d47a6922fd1b675237571c9
SHA512 606ca6c6b649693c3b233953fd653c5a78960847224a289bfa4fcebc2caec60595d90a843ab7e3180265bb4e11e174bbca0e27126905f58b2f61d753443a806b

C:\Users\Admin\AppData\Local\Temp\Cgsk.exe

MD5 e5a8a9128c36a2313ea4e1dc554a348e
SHA1 0612a1a2cea95f1803feed828e67d297ea311dc0
SHA256 ac9a7c2fd4b56cde9ebe7fdc6726ea396e44c50cdae0c40d1230f30723a985fb
SHA512 c47deae06cadefcafe302dbf5ec14b0428f5b75490122a8794ff4501f8bca3418cfb22e59431bda3950ae8f9e518e65aa6327961c9f1b5815dfa35707f5a2fd4

C:\Users\Admin\AppData\Local\Temp\Xcoy.exe

MD5 45db192f4b3f28c98eb17f7cc7b24763
SHA1 ae2c50a0bdc1a306863ecf5519d6606849742a18
SHA256 58e909778682bee617ba6df6901501fa8ce5cbf441bb58456e18d2cdb0746432
SHA512 875c0a9565192977776c6cb0a1c657aa60759550dd9f7cdc4fff29ef5a768c21d425fd3435e83f13ec74c056b207d90d36d751253ef003b3a3a818dcddf036b3

C:\Users\Admin\AppData\Local\Temp\ewcM.exe

MD5 77371a2c949936215f5dd85d626bfd4c
SHA1 43006a5d027df81190c45f39b625a9276bddda04
SHA256 dc0a30fe9da7abeabcf82cada7cc9f0b6b8bb0f412a67f507fd8a7ee5f2815a8
SHA512 4176f45376031391f3564382ec22a5b21f4bd7fc01411f1dadf79577e923beedb922986d3aafbec99b690b14958408a299c15aa8d6bfaef81c3009aba1b56594

C:\Users\Admin\AppData\Local\Temp\XoQIkogE.bat

MD5 ccd7b39ed10a0c8d5d3bf7eec1d37085
SHA1 c1514956f0106ded43905b5fd1ec42bd05a23915
SHA256 1114a20fd64b9e5ddb74bfe3acee4065fdca80dcefeafa3faa81cc0d5a2cb643
SHA512 932a0859c4acbab1b500da02432dbedb00aafb9cfe852f20546bf4aabdc01f56dc8446f52956b58afc73c4f3fe9041cadb94e4a3b8d7f45944bb770e1629931a

C:\Users\Admin\AppData\Local\Temp\eIUu.exe

MD5 009c9a5121e2f4253772995b043e117a
SHA1 58d3ea4177832ebdc34a0aec8f995a195fe5d346
SHA256 22fdaff246dcbb5fe242a396dd188bfe42d9bef80a2e5f9047a91dcec0236b55
SHA512 519b984d8641899745760b622b4204f0032b6da2455d70a034ca9ee1f0fbe7d2d77d887776a8fb2503ebf42401750e8d0f06f31c53bf11822ee73a12aef0db74

C:\Users\Admin\AppData\Local\Temp\CUkK.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 a83f21f48f43949c5d3b0cd26f8727dc
SHA1 c006eeef7c3e95d3e26d3436f6fce73b93913ee2
SHA256 a12c1cdb25a500a315d54ba1beabb9b816827e9eb4b5e59ca0c8e0d4be27152a
SHA512 bef13e445c1d6166635a1ec1bb1660979666293e2cc0bb8c03e34f470d4d985ac68f48a9f288582d1effc088911d0dfd7520d0e25dfb7c80faa85b57b26e159a

C:\Users\Admin\AppData\Local\Temp\ywUC.exe

MD5 a446de35d598a2c061fa16d5eeffb32b
SHA1 22a28c598853a1f5b76b7786c82d866cd8198543
SHA256 914961f41536b355c0fdc09d586e7a9593bf4f096726d91d1d6f5f39e0f08f92
SHA512 b82b6fa2fdf41d74632919b90baa11e93a7c97bc32433b61433e5645e742b246aeaf4fe5ec7f190814214f9dcf58ff47a337173d8bb6a8718c4be1a16629dac3

C:\Users\Admin\AppData\Local\Temp\nAoY.exe

MD5 d66b7b5d7fee0d8efb116c38d4fc386d
SHA1 c3651e7490561f5198bcbd921f9f23313f8d0405
SHA256 b6d08894a9139ddfa76eb32c7387a36fd35593ba86e86405c9f2d622a6f433ff
SHA512 d754d5dd0cf10099c6f8e7239cf7ca0f35ed82db77d4d97b332d28fb5e8fc324010a0a0401fd9646cce4d0fd5267c8265934070c668ca9d3d58e7967cdd7961a

C:\Users\Admin\AppData\Local\Temp\suogEQkg.bat

MD5 e7f0a1bc83ffa9eb2a5a0dc001babf4f
SHA1 78dd30f03071ff27f21ef3b2eba9bfc0f7b992a2
SHA256 60cd3439a6e36bb31dc85c1ee51a8f98a87bccef3f8155e1e243404d139a0810
SHA512 186ab3f55ced38821fbb9dbce579a95b889b348942f79f2e5dcf920c5929baff190bef61b050f9db047ba29d8c5bb2bbd1e5a667289ab8862ccf61853f571ab6

C:\Users\Admin\AppData\Local\Temp\TUos.exe

MD5 4c85000e4dbfa2cc788f4f489c905884
SHA1 c87cf3e34d85ad35e7894cff461d451b453c62c7
SHA256 6276b78ad1e9f2941440086f5c4ecba5c2f7c1bef6f44b066efc32164714a3f6
SHA512 410a337ec98717d149983e32f27098a9cd33bb9d93beb4e1c15cf35b5efebbf8dbcbe1d54a665df759e74b97ee91254c2b1df096ea720d2d89e5b9e6e8facdb6

C:\Users\Admin\AppData\Local\Temp\DOEcgUsE.bat

MD5 022e1df3e883b50a81a9a3db33e28601
SHA1 c8fd78f4e533071e6e00183ac874d2319278457f
SHA256 bb00a0a4c9fc2d900258069aeeb48d47da31bf65d1dd7bb1bf0c9478d16626ab
SHA512 fa6c03e49aeee9016e9c81dc0b0a51ce6405efa6c739586c42c012c9968a0cb1f985b360ff3b354c21b9fce0d36871dd3875e72b31488afc76999934d49a532c

C:\Users\Admin\AppData\Local\Temp\PQAgIAEQ.bat

MD5 4e78d03248fab16a3e6bd0c19355ea4e
SHA1 44400d5bed3a65d1258903f9d367945f784110a0
SHA256 2749c8c9799015af1f3ae7f2dcb18070a181ffa14a5ee0e294891c2af874fb79
SHA512 7edabab8277fb6be8b846293a0de82c785c5197d3aed3be6674a07fc05b624cf030667d28b2131a523fe41c3329ab749a2bb8e909010a85929ed33e6e08f805e

C:\Users\Admin\AppData\Local\Temp\EcIgYYsU.bat

MD5 b4043fab1334427273cf36f9d8115535
SHA1 f1bd769a3c9bede3d67be0ae108963d454aa2310
SHA256 9b08bb0cc613a1d820ed4e74e8ac943c65287a770c99e3643e37f261862f5fe3
SHA512 4f9442ee0aca99195dd73f4b81532d6ff08fcddc6aa1f3a4783bf52398aaf75dd2931fd3a7ad5a01da3a116b0cfa66107d127d7e2f8c3136eec53821be271d01

C:\Users\Admin\AppData\Local\Temp\ROMAscEA.bat

MD5 359b4fff97d2385035e8829084a1675e
SHA1 05cf1687ee49722826ffc2f60237ec25c3b57bd4
SHA256 3d35f0f05413d96138022230022223276a909edc4a45b4d45e83705b8d958cc4
SHA512 9dec520874382f1aa04dd1f31f32eeaa64ae011a78dde76e5c7a0fdface2e0c815c6caa6e2151b7dad22482ca9b557934b69232c905a4fd336d7b3cb656da8c3

C:\Users\Admin\AppData\Local\Temp\nEIQsQYI.bat

MD5 48057d9c509a721ee36f55d07cf479d6
SHA1 302f16ea15ded44847301230d0a509f983f89152
SHA256 fd771a230505dab7883a1854111ca5c0859c794f99e085fca6d2f62cb8245473
SHA512 c29af15c811a090ad3de3c586ef07c20ab393715e0ae4a5877c50ab65599309bd851f5dbe57c877dfce8b31b37639574201d84a4f7cc10ce44df0af889781b89

C:\Users\Admin\AppData\Local\Temp\SYkUcgkE.bat

MD5 19b003b2894cf1d270fa8f4a039606b8
SHA1 14d4a14c4cc2b9592e0de8be07d5dc63cc91f077
SHA256 997488922c3b41417b53f96efb00d58f7d9e5fd3f06b50deeabc21e399161653
SHA512 6b1d1f832f285e40b08358a7230dc429b07db6020ec9fdd317a8a8810233261f275fe7b45513fa877ab98ac7ecfe98bb935a03ac60f1b05c9a5b1bf891d02963

C:\Users\Admin\AppData\Local\Temp\tcMwAsso.bat

MD5 b161bc80041a5f8d9f8f2fe0e516b60e
SHA1 c079598a77dbd1e2f91f87e77c1d0de71fba34e0
SHA256 4407f4582b36b797bca17ad896ad134c7f7a739d7970651bb732a1cf690c3e5f
SHA512 0d653dd12709d108a2a33d200684b099db36902f93565547f248e7dc8c3931cc94849bfcd0b5ad7080a3ffc68430654a2f543bd49dc1ac553f9dd316a7233001

C:\Users\Admin\AppData\Local\Temp\PSMwYcgs.bat

MD5 c0ef20ca25288c581ea190392b43ae1e
SHA1 8f409f54fa10fe1a93d1cd4115fc45b9ffccaab8
SHA256 97cae2a73e5db8e5c085a468c9f8654af0c9a9200afe674da548894eac6fcd44
SHA512 f27f55a62b619142500e8608fed23a21e55abebfc1a169ca498899bc4114594477c9de297181cb726433c96aaf876d8b060b5bb25a7438536facdec323c22bc5

C:\Users\Admin\AppData\Local\Temp\yoAUMQkU.bat

MD5 a907d274e13cb62ce25d73c5b11a1748
SHA1 65db8865411e0b9162658fb1fa0568889b0ea8d4
SHA256 ecc13c6726bb1953095d238cd5e8c8360ad378e9d696a0c1ac603ffba16f0333
SHA512 815c1191a9bf353c293059ab4680b7f20472641304d5c49d9b26906fdb280b99599aa957054d31e490b9dd6d44a694caf0dec19136f3780020535f4994e3173a

C:\Users\Admin\AppData\Local\Temp\GAQk.exe

MD5 ea6fa38f9e0657db0e4421d06bc2524e
SHA1 30c70a3059d454efebb3aa7f4b37884b73888f32
SHA256 dba417becc838f14d431bcaef1dd79d2776a962630d7157ec7811725e5779671
SHA512 da0a1cf45de00e72864179c5c00ad034ff800edf9ff60c4f05a33aa9e392eeda7f468419077cfa491b1bc9b1c8622c1f87517f885daec9e4bcf42a698b1cd0ad

C:\Users\Admin\AppData\Local\Temp\tUga.exe

MD5 5aeb06d5d2f6b1de6c035dfb27ba792a
SHA1 78531e0b0a96e756b33da260a8918cfcbdd1f93c
SHA256 2d08fb9e06128c8593e5e0543b6ba8411536743c95d3c47dfec2d514b96438ab
SHA512 6e7df60035c2836d5237cfeea5300233b4d29cdaa8e468cb23ad32e8ebc7a2391d36e2f509622cd7e89497f9c05a29d8840e76ff172ca923ca71efbbc5d7e02b

C:\Users\Admin\AppData\Local\Temp\lAMMkckc.bat

MD5 d797d3210f60b2d47efb9c47d4f6f19e
SHA1 f3d7107498e9b6a006431965b8a9d13f9f331da2
SHA256 9ec20062381642aa354d96fa7b44d6cbb38c16197e55f4ca0f4a439c79e05b97
SHA512 6ade1d7f6b548a1abd6afbbbb59a9296b3ce28749ded508a38108289e11b68d5a6f6267435cae496a1befbf5483f922c99dc5f4a439c9b1bcb0f4c4fea19c908

C:\Users\Admin\AppData\Local\Temp\AMsI.exe

MD5 545e5adf38c8e1bb618323f1e0639b27
SHA1 f7d4bcdaa9474bda67b31963c916a0be91eb1572
SHA256 0073e92036d9a4b520311ae27a6b06cfb59fd42ae62abd1f94632969691a45e0
SHA512 0403ab60a0709c61ca12ce75ce496630c9b0ddce400cf46402a373c39a502168929160a860855dff5644f4ad462737b1e4714718e3c889cb0eab5106c36b3778

C:\Users\Admin\AppData\Local\Temp\foss.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\KUoo.exe

MD5 507b8ce05ce0a326bde72c7ec293f7da
SHA1 03610ccfef48ea9a30ff3e65203c8625954553ae
SHA256 bc7cb8306e01258b25f52fd33cf4ca055c9217c5dc3a359d43e053f15f07b8f0
SHA512 b5230c440aa2c2c88756a08d10ca4e385978cb4179592ba49680dd5dfb2932ce74eb154feb0965af331430af8def36a64dfae84f3d77f37adee8fed1f58ac2ff

C:\Users\Admin\AppData\Local\Temp\BAAw.exe

MD5 a054edefe0840d28f66edfca664463b2
SHA1 d1476a41df400c3b28e9f60fcb7865dc0af30c27
SHA256 61fe0dc6bad16dfe6cb026965c62e24ee14ad93faa0a2616e30b1b5e73a953a4
SHA512 489767ea3f69d31d7a74f40ca6e537bde5fb92e9faa785bf734edb6924d08ad1a18c70ac5965dccd6adf8e25b63ebf917bfc620db22b7c36ccb7a039cfff8a5f

C:\Users\Admin\AppData\Local\Temp\pukEoQEU.bat

MD5 25ba8e30ced2159058ecc555dfdcdfb2
SHA1 c2ec88c8b61b7e1020593f4bf9519a2e234ab0a1
SHA256 8fc0f54be8722f1b118eb86b50a4f22112d83acc2320dac2c98a552ae64c6d02
SHA512 62aa216266f4a91b8c61bda914878f4b9b945098039e6320732a784e7c2fbdd1d75841556e4cd04b9ebef0b99a937878e5cb2188b7ba4b221bb94c1ae47bb1a6

C:\Users\Admin\AppData\Local\Temp\kgYE.exe

MD5 1f0556036e87d05592543fbbfa5e78fa
SHA1 15925ef54b29df3621c572b3cd091e5edc9cfaa7
SHA256 8ca9aab2adec1d859b6da1a369d92db6657d97002ec59b2edb926d65130ed020
SHA512 7c41ea68b1b7bf5567a33838c87a32dd8ec9abb8397f2da26b0135da3da9a393163e77138dbaeda881450db0f55b8a80f30ec33356cf4216e4f147f7385e995e

C:\Users\Admin\AppData\Local\Temp\VIUE.exe

MD5 4ca13230adf656b081b8415aae341985
SHA1 3b68d0efacc609f25a006db4edc0731058b66566
SHA256 be245448a8d610fa44818d0ca84d5bdad063ff4cefab14ca906f4eac1f6e66dc
SHA512 92feaa28ccc3a61540b0daad194ba25f101c1462b424793ea9bb29c24f5c628faf991b314b714e346988cf232f4736acecc9c153ca0e6f6196cadea160feb6be

C:\Users\Admin\AppData\Local\Temp\nwEW.exe

MD5 b31dd27388c666a73bed3b22d9acb426
SHA1 791d8163396f9f4610b28f41ba447cc212c08412
SHA256 cc2b32c04b736b52c180cc10e5b3687b3d4aa66c477d9bbaa550244ff345c1b5
SHA512 4c0246d634d8d3193ace4ec3a4a7bb1b82aac686bbad0c354ba0c6133d506ec46e800f93d835a9ee612360511d928ec73786d0b1ce7be2d79d37ac781c8a4aaa

C:\Users\Admin\AppData\Local\Temp\WoMg.exe

MD5 e8ef7ec0515d033a4454618ec7cd6150
SHA1 8e821774fdf83b8bd9a3a91e48f70bed313c7ec9
SHA256 be5da3ce5972346075bc49af5ab2ef463f9dd813278a34e86e3d9888bc51fdbd
SHA512 6bc45d1759d938a01f208783f79f64a6a97763b0007f057588d219f0520c86ac5961af5f96e1245e7a4ca67c9abdf2b5d29131f4d4dcc33364d99381fb616f9c

C:\Users\Admin\AppData\Local\Temp\sqAMIwsc.bat

MD5 3d3a477b45b169838453a95be7b1454d
SHA1 93c2a76c2fbc807d22767d43ceecf9d72cf074c0
SHA256 4f65a6b8c63d330677f896e3ed99746d2bc61d99ea0635ea6ff18eb261d7134f
SHA512 1b5f387201871c27e6aa7c89e602f28384a2e51971bad85ef69e5e13307817dc1dcd63e13d3069635c13373999cf0d05a1eaccfb7ed79017e354539f8b1c09b2

C:\Users\Admin\AppData\Local\Temp\usIE.exe

MD5 d842f45c64d288a3d1e35d30716cbabb
SHA1 f21446b212cdfca6acc15fefb255dc7ffd22425a
SHA256 9a870c9e2c7121e72392d78fc6f1132173562b05733d35ac4939a2af148dd5c5
SHA512 23217707aee51be7e840e4fb9241c16bb823e106a62f80629bd68c83339b785ddb59541ce7d876a064a0c23d9f0012f4bb14ff6bf5d02e84cf3dbd41eae2d2fd

C:\Users\Admin\AppData\Local\Temp\CMcc.exe

MD5 25c780eb157f0edfae26be630dd52f7a
SHA1 e680ce030422e95e554a88cb362b57eb7f47431e
SHA256 b787ef3f0a9b50548c920e87015ffce8a19c2c2f9949f47252a9d16cf7e1f602
SHA512 59e459ef570fc5609f5a2087311d8799a4b11ca39e90f8fb05951f2f33e3904e585694e9176c5efd2476cf204edc17841ae8f9486268e27055ea798cff2a810d

C:\Users\Admin\AppData\Local\Temp\AYIC.exe

MD5 28f4568ab21d4e8b006837613092ba45
SHA1 a44aedf3d443f23149d3a82005c2dcefe0a21cb1
SHA256 0dc4c513f3581822454056829cd1b3a8b5c3bb55b053e247501d9b64d3318f12
SHA512 4b2eaac2965a5131f02f7c4125060810052df28b6f00cc05fa35380aaf783d46ce8e6dcce5454d3d919a5cfaad971b6e392975893245fa541196f395a61219b3

C:\Users\Admin\AppData\Local\Temp\gagMUsgU.bat

MD5 0d1f99edb54e5de06f73e293dfb3c6c9
SHA1 be022756f97c92c4436fe589b603d7edb4b4cf84
SHA256 cf39cd31f1e49c8f54f15f77883c1ae59c6c752443b9ef5dc52df6b385f6158a
SHA512 2610496bf1589bc56e47b5c60b69d99b3ffcc26ebb3dad90c6be4c72c7e1609e0941887d148fd53f0b69b4d4188a231ae395c014c224a66fc41193509bf35315

C:\Users\Admin\AppData\Local\Temp\UYME.exe

MD5 405100679244cf10f9770e2a260088a0
SHA1 778e49281d0b99f6566aa19e82a6e2971f8f384b
SHA256 2cef7e6e492febe4e6d5ad9c52dd04ee2f2239c6046cf475728157e94d356ad9
SHA512 7610dcc0135fe2974ccb73c64d8d5912c0d0b3daf5b86dde9be05ab97aed2f39da02ad3d3d36785dec2173f82a14092cd58cccab44cc5e195c300a102a839d0c

C:\Users\Admin\AppData\Local\Temp\GUIC.exe

MD5 c50369d3e841afe3c1b9d60b5bacd285
SHA1 ecf0b0c5ad24971768f46b495acdb6cd20fdd287
SHA256 8e4ba56ee4af2da6a7fafdaee1797de62cf547ff28dc6d3abae5f56a2d768118
SHA512 4fcb2ee7403211fd5c169bc0e4ed15d3cb1a4a016175adfff0dddcd78933f43c721846c27a99780bd394c5a7b209d28b7871e3de9ae6c753763fb1fb6da80f20

C:\Users\Admin\AppData\Local\Temp\dUoc.exe

MD5 b04493f0503ceecb3f175d0796bd7425
SHA1 7435b4caf6d75ee203f81fe74d69d8774cf5e79e
SHA256 0bef24391d59031ca427df41f7f77df357ca20740da4349c58e811621a26ac09
SHA512 198200efbd71e12de7174323d5fefff03fd30f6ea8c148b7e42b7d1a20a657d982196900125204a63fe42ec58fa4c2cb3b1e5381501db7176e5f98a7e5923744

C:\Users\Admin\AppData\Local\Temp\yUge.exe

MD5 932add24fac9cd36def4adb55faec445
SHA1 95a72d26c10c5f2dd525e5ca12549daaa538c135
SHA256 d812aa4b7cd48837f88f558f9b7796ad179e9122ba16768051b1a8c5a4c8ad54
SHA512 06ae88bce81fe5d3a0cbff355f23cb9a45906ee796b66a9cac80fa6b9c781096ccfc41d63a9bb66edd2a22aaa63e6b71e7feba5c1fb22d537416946dad6a1899

C:\Users\Admin\AppData\Local\Temp\iQAc.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\zQks.exe

MD5 8ef72451135fe130ccab7ba8572fc256
SHA1 63be4f2e776f2f37d60ab56349cfe04d60226bfe
SHA256 07d46f9b000b620fed5a29bc1e3a5ae9cef357ffd0e88755b0aec5cde1d39bde
SHA512 340ad7fbade91b07f744bb25ca792f81012e95885fa562f6fb50f9de0d615962b4b4b062e5ffa500b32f23cedaa2d9ffa8baca0f5a00a21bdf5ff7badd29d55f

C:\Users\Admin\AppData\Local\Temp\lKQcMksw.bat

MD5 f66234f70a4491224659f4b23cac66f4
SHA1 50f060c3af6537728443c3ba9deca962d5d3f294
SHA256 2148a524b3bbbdb819ff9e532eb2e1123ec38b79c181f518b223256ea1b115d5
SHA512 0525985b7ca3f7f4a5cec072306355c6c65719e516664020b75b41ceb2c278b9cfa0d91e6ace3137fd2e12b46837c95eaa8b86e58cbf08c2c5e0f32cbbabc6e1

C:\Users\Admin\AppData\Local\Temp\QAca.exe

MD5 cc2de512c20c3466b787896bf47b8131
SHA1 1817a826c5950d8699e332df676972ef6582823d
SHA256 8a4c0a3f939a861c4a3f0da8d6217fe77693ddac38105f5bce6ca15504a970fb
SHA512 aecad487ee7ebb13d7756871990ab401d880c47ed69dac4705c0ffcc39d4deab123b4c9df233901f6e0fe121d21b3a8d2a1696399f191f312bffc1cdf591af5c

C:\Users\Admin\AppData\Local\Temp\swca.exe

MD5 e7f1a07eeb1d65cb5d775969ff59db65
SHA1 97d5df2ee8bfd0b99ea70c6c360cd71a80407882
SHA256 3eda2cd7d38746696d1daca860ce84524465fc20ed6bd5c99c4618c9620cbe58
SHA512 c9d4541a2f44f2f333f757e224c20e889bc8daa1060fe8ff894831d352ecbfec58d165cd41bfc9363c259f95fac00e8afc7ad1675f5c14ef6ec1e28000a12bce

C:\Users\Admin\AppData\Local\Temp\UIIG.exe

MD5 1ac4c8994930636de3e6c832d2ba9ec7
SHA1 a51523349ffb489bf86899747b733357b4e537d7
SHA256 6b6e789e3981ac702d094491ed85f9bec530eb355ed45ce4182b4b5bad535162
SHA512 e4dd3fe412f21028007c61e1be29a1aa47b569ddc7ba87cb4b55def3bc2131b1367694b864210e109f374e193014ab92843642ca546765a094727569a8333142

C:\Users\Admin\AppData\Local\Temp\oAQMMEsM.bat

MD5 b2a2d589ec662d02181a13a5e4f54f3c
SHA1 8cc9bf3d31c53c2f50203e63842d7a0c198c4986
SHA256 53fe3707f739a6295d5b6c8afc280de0f994486783b15f408b5ccbaa966ad1fb
SHA512 d9fad42d086db635c936ff6aa45e0fbd969227484d392fc7ee0e27e74cd530d987b580819558784a5cc51be2385ee4f631e0e632dbeed8bc4503c1557678656c

C:\Users\Admin\AppData\Local\Temp\oUEs.exe

MD5 61deb894e0e8777bb6bf2d0c4be595a1
SHA1 1af06aae92aad02ebce93d21abc1dbb2c5be02b3
SHA256 e421709a91c4a3954909ce6a5ab7d50033e9d0449f1ac90005d71804fc4f6cbc
SHA512 34c1c9554c6abc212e7cc46a8a4842dd46c9966dbfdd5999ab5ede2aa7b34ff6b2f00b0a8041f08c792b73c0fa9f07e98fe11d6934d42c506e461f8e9a30f744

C:\Users\Admin\AppData\Local\Temp\EYcA.exe

MD5 7e5e7b513d6ef130455438db72576709
SHA1 00c1580146cce9bee0786168eda8b2b223155133
SHA256 b6fa941cc14277fd4678cd33a978900d17a00b374ec76e12e6f2b8a8a37756b3
SHA512 5473b597151db1a83c412e9c201d9f29e62778d1114241a022d88f96ad0c5e9eec9570ea140be0f650ffaa2ff8a49f31e223b8cd619d26f02e5d0ad84286361d

C:\Users\Admin\AppData\Local\Temp\hcUIgsEA.bat

MD5 4658c84114fa345ebbc5ec0edaaf6a58
SHA1 5ebcbd487adb94f59db273800c487b3cbb963aa8
SHA256 ac5c1e9a4678616d8dadd99ccf9a8b3fa10a1e9b40caa157abbf0f774e5cf41b
SHA512 4f0e60f783f47f77d98c802d138f024fdf8c7d6f7dc3c084c4561bf942d33df5b5c0abfda2212828730ae8448b96ebdc11f353176f57073ab62d4255094b71d7

C:\Users\Admin\AppData\Local\Temp\IQsC.exe

MD5 839fba0ea7af9e974800fdf6ee262598
SHA1 0f32a60dc5239cef50c8cd08e77593d9fbd1390b
SHA256 505c4b3dc24a461de96ea14ec1acdfadcc46a19c5bfbb0b92e232727cd49fe45
SHA512 3f459cfbcd9229d1e556d0aed7bb512017097170f5f25924894bba1fd42c33d335000a1199180cf561ceed999313314baf5af9a5c9a921272a328786b8cd974c

C:\Users\Admin\AppData\Local\Temp\HoYi.exe

MD5 c8242183347b8f6794770faac23995c2
SHA1 e7d2bb87c6e0c161d60424f012f3bf96841ff402
SHA256 5235eacbf862417e6fe823587f84ce70ecb42d8c8d443cfda4c4e3b211273c6e
SHA512 c69d61a5fb93dd87423806a25e55f25bc62ef5bbab1d3b24ba75bc70712c454666512a76195b268091409697ddeb872534d5dee6aee3118512e66d3618971568

C:\Users\Admin\AppData\Local\Temp\HUMo.exe

MD5 a76cbd667d9a5c3fa6107f296bd6ebbb
SHA1 3a289d65cd3ad1884a736d658efb5555b071fafe
SHA256 16621be0c5ab325b7d3626b3c87034234ec5c67cca99b617153bdf54f0993b06
SHA512 412c39e610b136c243b679b6f5fa53564f6ea9a37dc8cbeb4307499c403f02b82509635db7c96a5fa53213347aab316fc2cdf467ecdc2630c75dad0d507ae0c9

C:\Users\Admin\AppData\Local\Temp\QQEMkwMo.bat

MD5 07bdec8ec410fd9ea2740430fd7d8f01
SHA1 8f01af8cde3cc9ab9417a240bc6203fd425e8e9d
SHA256 b1b95543c9f6445a9e93858ca72301d6b541d97d6ab30278e568bf7e9aac430f
SHA512 24ba45483a988b59c5241828f3f2c769382cc6b12be0aa485a420faa092b22ae45008f4e7da016e0be45d0cef5c4142c4e1422fc5afdc8e5fd69c44c513973b6

C:\Users\Admin\AppData\Local\Temp\gwAu.exe

MD5 2508d47cd8d70ac6875560da784c9593
SHA1 9adf96cb400869ca97dd0e6833dc0953f9604376
SHA256 d23a2cd88a9d1a2d3bbcc641a277df53c5ace047ddde36711402f31e3236691d
SHA512 8fc63b0e2c71f95133b1fa9c252b46bdc212f1ad74564b6a2a1b94acaba8e3dff2b5bbca1320228454ec8cc7422688cccd93586db22d11158dcd41e8e4dab47b

C:\Users\Admin\AppData\Local\Temp\sEEm.exe

MD5 dd38155f68f58f8640098bfbb0925466
SHA1 b2e39ac7f2fc0a824efecefbe393054e8fb2b16f
SHA256 e9f5af6146b4dce0c1a1e8edc86852d9172fc84571c26a08fde9cdb834856650
SHA512 4e8ebe5a830a432509071f2acdab3cce55f68f13ce16782bbd6c1b896f2a4f1462a28aa964965e2084bef267486eb6b4cd30b71947e162a10ef5cb001e024916

C:\Users\Admin\AppData\Local\Temp\ZIEQEckg.bat

MD5 8bebf35bacc6f852c2db4b50bcfbe7fa
SHA1 8496d564ee0d5012197996b8fba631a67834787e
SHA256 e1a1f53fc607765f3c798e816ddc6299bca1697407a833e48f82bf7fe8ff3237
SHA512 d8fe77eaab1bb24a083fe611c978bc1e643b9c3deaca810788dad7904124c62ae873d881c8835214b508bca87da7022a9312fe676798570760cd4aeb9f11e858

C:\Users\Admin\AppData\Local\Temp\VMoi.exe

MD5 910e007e7f73bff2496b5582ee7da4bb
SHA1 1309f1ccafbb536f9604b123673e900578284a89
SHA256 75fee20589694265281871dc10c3f4e1c01952c9ebebe0f234ee777d79902e0a
SHA512 1a743a6fa9e73a04e64f858960f4b64e5a193e028d33fc9f2b2ad4005e11521d0bd18964e315554caccf8ac4d053be4c40637db89c1536d64dfbb6ed46ca4ba5

C:\Users\Admin\AppData\Local\Temp\AAMy.exe

MD5 3e6fdaa1cb5049dd0d1dbf5cca5047d3
SHA1 8d80db294431ef86dc7f7766a2efc3a7c055a98e
SHA256 eaed1a14fcd696efaa80442cc86d3867b31dec5c32e43736b31a404ecae4435a
SHA512 5e3503dcd9058d9ba43ce590144d6d1b06194bd2a04597e1f121693f1e24dd67b979bd9a43b33a1c8d0d2ef19d48a1b339bd18b22e82ad19da5c4e43b1171b98

C:\Users\Admin\AppData\Local\Temp\XwwMwkwc.bat

MD5 2112c130baad4fe6a5b101313fe1935d
SHA1 b89c0f37f67d1dfc8bd9d337449ba19bcd4cf1eb
SHA256 58c8f464cfef8fd40ebc0b9ee8f77d28355210fbeaf86b73312e62d25cbfdbf3
SHA512 2d78d411903e67d2925fc778f23307c4695b43ae85ebbd7ad114716a091d71f2a52a8229afe262853282697f34998c83328b02e42de9186ab31fb5bc81d7d372

C:\Users\Admin\AppData\Local\Temp\XYEG.exe

MD5 4e78d1bdb17ef57311047dfba4d96632
SHA1 cba269e8e287970659f57c5991465353fdfba9b3
SHA256 81567ce87388e1ba5a110e50ce4546ddade094d9b828e43180e124124857e519
SHA512 4df8cbce300adf3146e222a0c7952088d560a944482889884ff3dc8159e1873ecd77e3aa317b20fa513cb7b319c43e2f2f954835442638ca8c42d53c6d9a80ca

C:\Users\Admin\AppData\Local\Temp\HIMW.exe

MD5 8302b96845b71b375b116d6d1038cf6f
SHA1 0e704e046f7f9607f013be020418863a4c752b80
SHA256 4c8ebe7f401d43fd0343f97308604ba8061d9c1dbde17e99f5e7ee1924afa7d1
SHA512 a4f7763e174cf8c3bda6b416d7d7037df4678ef29560a1175643c6dee216c7e43c00cfd1a9f86972cedda5347c36c454b67fb2f74422d62aa1e88cb527d0ff6b

C:\Users\Admin\AppData\Local\Temp\iscc.exe

MD5 dc3539f6359bdf8f78a32a16364c1062
SHA1 af4d6ec192a3a8aac13ad824c26aaf030a0c3731
SHA256 88cc4eee1271cb840ca9258473d7d9799bad8f29c82c6dbeb5f09062d265ee40
SHA512 c002e8627c1b468339f7050fde9055c7251a0ef1be58b36f5470ef8b5eae598782bc95a9292c75d69b79a3dce388f7861faf1cb60651e68bebed40155abf94da

C:\Users\Admin\AppData\Local\Temp\FkoM.exe

MD5 d1ba258162be453460a648eb1bb421d8
SHA1 04c89a5c9c6fd3e1885337cf50e077e390cdeaac
SHA256 eda350033b3a977090cafb09874fe11080b699bb6fe724112b687b89bc6f4987
SHA512 fa8341217e633a32f45ba38228b2ad1f02ba0fb4ad70e7b02fa1a2f23cb6df39820c964eb66d802cc95247d0a83cc4d9e37d46a39b6c0a39c912e369a4027776

C:\Users\Admin\AppData\Local\Temp\VucIQoYU.bat

MD5 d48de8ee351941bf7ceb5eac270681ba
SHA1 7e2152940b9908b380f8ca08451b307ce2fb19ba
SHA256 39da7b1b850daa32bc605f0b68b1cc46c248ae0f3bc92461ba618c541c375500
SHA512 381da0eb39da3cd0148b39cfaa18e0aba72893a9f46d6faa42210f646811fabd951ba2423595b14ea67e71978fcd351bf10890da3f8c28825e712cb88941ae7c

C:\Users\Admin\AppData\Local\Temp\MgMQ.exe

MD5 ffca7e70f16a8e95c90f5fa14e8a4f26
SHA1 a5a40619d14a222193c9e382ba644f88d406105c
SHA256 524280255bff4f256e50540b46bf3669859f813b24fe5f713cade31f4e13e247
SHA512 94f755c83cfdc593503bf393c80d5293357281875af8b3e6e6f3516205502efb2c9556b8b48705d44b2763abc99eb24f4b380942f18559fefdd815e2dff002e4

C:\Users\Admin\AppData\Local\Temp\SgYQ.exe

MD5 3a147f12624f3b3f0aae30fdc4b7d7c4
SHA1 1a0084187380c09e12abb556db933f194906b9ce
SHA256 6ad4bbb5688d1dd94f37f7f3b2b69a804f4cddef02e47fe7130633479bc38f31
SHA512 437dbf6e3477350ebb3e281b602d1481fdb31164596500e24b73dd28a37ffe4db9b8cdf9594edd515069997d1885215e3476ec0448c920d2291fe37ca31bd0d6

C:\Users\Admin\AppData\Local\Temp\asIEcUMo.bat

MD5 476994e86fdbcadd56c94afc3d3b2312
SHA1 74a0a317525d77e997a714ca9a378e7a86582cb4
SHA256 1962ad7493afc075f2c20e060891ef29f07d0278bfc00c165957eb04381594ce
SHA512 13735289428481482b839c4cd8572df4f74b8a55ae25505a73e4f9f89bbf286c1fef547c16d22613373a8ac204fb8321b79f83f61b60794654dcfe467acdcbff

C:\Users\Admin\AppData\Local\Temp\sggY.exe

MD5 b39dc8db133fe326c858f35b359d95f9
SHA1 d92f7ce5c503236f2ea493a481bcaf42a8dc4b7d
SHA256 324806dae988c72a4488b382d895d6250256e4023ec2ed0e9b9586280c57bf2f
SHA512 f5e16602e058a1390ccd94b02b05ef6d98f038145be973513b1c988631d0ac1fd3b9befae3890d52ee10b10a3cbb4711765e4019411b9a1ceac40a7cdf57cede

C:\Users\Admin\AppData\Local\Temp\uksA.exe

MD5 b52d32d76efb591f25f286f81ddeaabe
SHA1 0df108fcdfbf884c5c3261fe81b3882c527f0761
SHA256 14963639a013ca948946199b4e18de3053e71b779d0d98bbb0045032bca41447
SHA512 d5ab957ae9ebcf24b98fe1655d72b41f767321fae06d5e628a9e0dfdc415a5000c3b7aed022d61886024054de42cbed123d80e5b0f74f0dcff1cc934449f8064

C:\Users\Admin\AppData\Local\Temp\PMIE.exe

MD5 a81520edab8de58ca67fd5d5ae3b99b4
SHA1 52441b49c5321fce7a0c1bd478b2d2f271e55653
SHA256 988487c56b1f02660bc5398f17fad69efd2f92cee8ab12cf024eb618cda6d4e5
SHA512 1ca735a79238dca770447b79bab02dc1dab2da63956bc9c7b1f6b7769fbf6656bc14ebf9a342d95920866865b7620da0724c0a2ae88633809c2b75d2f26d1e04

C:\Users\Admin\AppData\Local\Temp\wAAy.exe

MD5 69f8c8b75d18aae05a28e23854de04d0
SHA1 ce018ffb04cce04b420f930b261024a6fcbf3b94
SHA256 982b3fd7457e03c4b5cb035efab5bf973c791aedf704c0ab55452d1db1c389ac
SHA512 ddab741e39e0bfac48b26fa9efda29c562fd332cd784bf0ca36b67b95990f1f52a0b4a36e1dda80c786c4fa043030debbba38e58c8a3ab279eb9c702a61f07f9

C:\Users\Admin\AppData\Local\Temp\BkkMkYkw.bat

MD5 f981fd4396482718e7dc8803748b9eba
SHA1 a452955ac1ac81db01a577573a23a84d389cc519
SHA256 6365b0fbd3c71c5d01fe833815ec6baaa09fd3a0bae2200e9aa3011ea542423a
SHA512 a2cd1dfdcd3c5a0947af7ff8e8351c1fe3ac9e0a1ebb13744263c934fb6450779fa5ebfda9529ff9871b31ce73f5f8feaabf7b27ab05f3391a0e635a1925871f

C:\Users\Admin\AppData\Local\Temp\FkQI.exe

MD5 c89be3e6c169e0687fdb9e566ab189ba
SHA1 a08f9bbf1c4596d7b741ecc8b9237cc338c90d39
SHA256 5225833b253c602a47f4454ac5518e14e32614db60faa8517157966af30b1bce
SHA512 eefa49ce64b472d6797d16a83bc216e4240ed284397d95bae681a8e951c6bfedc83b3839e51b658144ad5e82c4a755b2152ba282768e4bd9754b526fc07d25ee

C:\Users\Admin\AppData\Local\Temp\qcMQ.exe

MD5 748afee922fb5d7489d1ea13d9b677c5
SHA1 1161862c4f5ab43bdfd7ab6ef987fa8a944ae6cc
SHA256 945ecca60aafcbe7fbf77c66f38a4f7034a4be0ed1e7f1e620426b5fbc34c980
SHA512 01acf5c04b35094c9249b28d750c72550258cdcac4fde0cd94158853c9bcb02dbd34eac20e05f8b27becb7ddd4e829441818f24641bbf72512138d085c4fcc48

C:\Users\Admin\AppData\Local\Temp\PWMQkEwM.bat

MD5 fdea724229ea5b63c969fde8c46d8f01
SHA1 6f477e2432aded6cba759e9600c48ea63d9c1752
SHA256 42f5b7f286d0467fac757a70b9ff17f559aa87e6d464f82c0e98db79bedc7b37
SHA512 041674fc3959cd96f1f081edbf38fbb6639f92d4bfff04cb1d1e004a8f3504e887b80a28127abc746e175bda0ba80ff25d0f4f526ffb32a63a8add162a068a12

C:\Users\Admin\AppData\Local\Temp\bMEO.exe

MD5 37bf83984c7c9936b9ec690e6824508f
SHA1 a5dfd512b9bc4bade510b8c6cc4b40b62d8a3fbc
SHA256 62dcf7021d849924124436c3851306d82de8f8d72daa7c39783c3a3a42556b69
SHA512 020088f14b1753c73f277eb3a6fd555d26c0c3226bc17879a1a4765ac31ec48277fa05736a4104ee6f4b492cd05c01d3afe540e50eb20d056271835b7afe994a

C:\Users\Admin\AppData\Local\Temp\DsAu.exe

MD5 05b077043f151191e2f47665d9213796
SHA1 9a62824a21b1c942f5701862c772905d029d0fb9
SHA256 fc0eb9b9d9fd7370e66cf89d8885ddff797c444384a379b89892edf1ea014fbf
SHA512 d8a638c212e033b589e64ed0507a41b217c106f40ddfcc506b4e85c148dc4d4a125fce3025d2e90cd640d264d509fce7ea1ce4f11bea81cc663c5ac8ef8c6cac

C:\Users\Admin\AppData\Local\Temp\hUsW.exe

MD5 58b8aafaac51ef7d35d9bac74b529a4d
SHA1 befa62853e4416601d82a0a65e94782addc975e1
SHA256 749df7cf653fb51634cd7b34e001a777765fdce813f2783fec7d2a7abde81698
SHA512 3636b7404590f7d98097f21d3d2c31498a2d5bc91245cd8ab03e266141ad16079b1b11dbd76b9b1548a7d7579f07b426e97f4c35bc7295939c2e53ab3511c458

C:\Users\Admin\AppData\Local\Temp\UwUM.exe

MD5 54d727ae58a692d8d09144066d902837
SHA1 881ee24b6679fc2a331cec0f0c5e991c17d0e58f
SHA256 3db0daaf82e37917b5a5f4dfec637dd28c9f5cd5ac9db6882d618c9cfcd3c500
SHA512 4b43c24cc2ffb852903dd82c82807822335e6880edc0a890c3fd8ee316049d3c8803fbb2ddd8440af8ce9c96e5cd2402ac82bd46e12d4285b418ab6ad3a91bc2

C:\Users\Admin\AppData\Local\Temp\CgsIsYEQ.bat

MD5 c49b8311a2ea0fa955060b7d72ffee9d
SHA1 7d1b2af2bd21966f9901243fcf7c683e38e6fc55
SHA256 b0f14d803bd191a31b7de5b7acfef213f4c9ab97e9c50227e24baec218d10133
SHA512 4af33b74ef6c59ca9c525cfef05d34f32d0530d8d9f72f21fc1204037c192a86b2ada878fd3ad19225ee51e8dded8d49ec845d41eea659d0a919ca3deaafa710

C:\Users\Admin\AppData\Local\Temp\MUYA.exe

MD5 0efabe1f04600ae6712b83a7f9779fa4
SHA1 40d1282916c491ecf0a2a325fc35e8418c2a63fe
SHA256 30d1c8d38880fb05320435f814b47a026d304a5923fe536bba5ea318a5fc4a6f
SHA512 a28f1fca0ed353482a773ffa93f0d3215384af9d63d221dc4b44cc7339e2d199057a17188d5ef02d33a6b0d44da38d55712dac691ecf50878a527e28becab4e3

C:\Users\Admin\AppData\Local\Temp\oAgW.exe

MD5 346165b2229bd8e2aa6e692e80928139
SHA1 38a683360076dcc9669130200a2da2fe93b3109d
SHA256 53440d3ac35e83a069bfa105e5f1b9fd7f401806c44587ecbd51cd70baccd847
SHA512 7cfcf37eecc16d0e5fcfd38fe3ff16aad9f77fdf62d003e3d3c0e20585e2c02a060b52f9302606548dd171b552f31909f3432a498a1ab1cc6d5c074f54316269

C:\Users\Admin\AppData\Local\Temp\LoQcQAQw.bat

MD5 89b9b0fd00df407f87c01878f2fb526b
SHA1 d87b24e548280de64d6b9f411f6ee29c938d1b2c
SHA256 642e4f31874d6bbdf0a0505c020071e9e24f65765ede6f036bcf51ffe8cfa522
SHA512 a7181fb951f7292ca55c5a750fa7e972ef900bc65489b870da7ae740b90adf6069210d2ecdc3c31f50566aa5402793efbefde884628dbc63b2571e164fb6ca07

C:\Users\Admin\AppData\Local\Temp\oMAC.exe

MD5 ca4706ddaaf9ade3c4ce1a151c031f72
SHA1 3c4aead46af454ee22c0ad9bebba3e7b7d630203
SHA256 c4f075d227a25478ce4aa9fa920acf224b5c5f756770f485d2588d84a08aafc9
SHA512 c529f75120f95205a28dcd6ebcca458b989e08b9dde7bb21154c46a0602d5d9051fb64319b9ee7b6dbf398c97519891b67a133528668ffc18778645f83d2df19

C:\Users\Admin\AppData\Local\Temp\ZAgw.exe

MD5 bf999902befd7f7c00f89e4616131878
SHA1 45250dd70091265d244364bd34bd5cb8eccc13c7
SHA256 e40e8ba3fc296fe071ba138d3c41c06db8d5d06a6f17449679ac93dfcceb7a73
SHA512 27158cd72112e8f2384a321801418a2695eb490b3a26929769374a52c8c85f16930ff356697787b851d013774b8a8576adba75367d8cb4f10b7317d1e6af3ed7

C:\Users\Admin\AppData\Local\Temp\yMYW.exe

MD5 1cab6ec330212419d312754685a22b77
SHA1 12dd3ad2693ab4776623bfefdc0d086ef825dc7e
SHA256 92fe2940cb1e4ce5f02fcb77aa1f377aa38a9021212ce0888c4d2cb1409c194e
SHA512 9c5ea4c255f3d5b585ae8614651078c25a95f1b4d3ae67d195952ed92a2ba697774d96caf7dc5f797c3d7b03bccf66bc80efb7ab9b257e7f280fe3c081f5846a

C:\Users\Admin\AppData\Local\Temp\nYEUIQcg.bat

MD5 29ad0676b0a1235587278d807874e74a
SHA1 ff5c97615f05636d47f9588ea2350af6750ab510
SHA256 4f740c19ae161ab07cf2b890a11dca517bdabb327a96494d9b101d05567a3efb
SHA512 5a66c8cabff4262f5febd35b2b2b4a002792f76ee4a60a2d188ad54e75bf2fe19b93d29097cd429cd46d5ffd493d1bb8aa10eaa51650a4245783a709f62e363d

C:\Users\Admin\AppData\Local\Temp\rEcM.exe

MD5 3bf8b708476acec0843a5ba8d3e7ddd5
SHA1 7d1d64431b3f09d24a7776f6f07456bc395b7fef
SHA256 9644c637d535f1a61e827eb2cbacdf6c368569348fa8f7a9784417c0c74c8901
SHA512 9f584683a4f9fd14f9e50bbe8dd753a544a2daa4c9e8b6a9c3c1c8e2068cb3b64dbd37239a1c68d0f4dda6e48cee534d734b9af17dd0efa24e3c900211bd40c4

C:\Users\Admin\AppData\Local\Temp\jYYS.exe

MD5 2835c2f6eff6871a77c7374741fb79a2
SHA1 6d51e93459893b8a88ce5b8a9218627f216330e0
SHA256 cbd0f4835ac92f7e966c644bcab4c93be1716825d82e5f784ec30d14ce33082e
SHA512 7c416a0bcf8e1183fa7d055ce5ba34fa8e666212ce90d8ad65f5c85d8cf7d36d603b80dec24fd67820f94354c82354a6bd4a6fbec831aac0353ffe7d003d4b2c

C:\Users\Admin\AppData\Local\Temp\PcQq.exe

MD5 4a1bad120c5f05859f08f922c8a2bc21
SHA1 ba0b31b9dc4cb740aa09a4e5821907ac9ea9bdf2
SHA256 e751ddb86fa08f241a87309c4cce05b4ba6d2b7de089043b4fe435cdc35df4dc
SHA512 3b27fed75b04463e78e2981c3ef942cc5a493aa4e06d9fcfa955a2a3f45789652b4bd6c1a7441779b8620e5e6d30d325d88d56b39919621d086d50809f14304e

C:\Users\Admin\AppData\Local\Temp\zcky.exe

MD5 282fef1b7722e109874cb1a6afe52a5c
SHA1 537e8be80157422f7c244dcb4d2d12f2662265d8
SHA256 acf76b81fc8933b491dec6272a0d494eddfbe94677123ceeb2f4fc9336b3dabf
SHA512 590aa2133132bc2e82f213a2e2ae1864657e7c73cfe1e728f93e40c47c23af601e665ba5af3070a9b7312d61e53c7a263bac3df738b14baf2c4b0cdb6dfa428a

C:\Users\Admin\AppData\Local\Temp\PsgO.exe

MD5 474a58b8775d7c90a373a0411810b171
SHA1 0b1b5361f431b26b64fb7424757129dac8d750c4
SHA256 3f64c265f41fdb6a0c78bb3d3afa521c543e315cae8c98577c8852c40031994a
SHA512 2b3f0eaea13eec98b5306a39b49e8192162b1c82e77395fd31ba17bcaab88da6480aee19c334d1b78af3d72b2c8fe2d3b1ba80048c456aa3be6e1b3a3d1e197d

C:\Users\Admin\AppData\Local\Temp\pIwcQEMg.bat

MD5 4f9fe515ccdb4ad43c160f0cee1aec3b
SHA1 3769f0a0a27e0d6046470efe66cef4da3cde4ef3
SHA256 b0ddeeca49ea99f3fbe4a4ed2068b852dae6afee2d8bd98fb6b94c5962be158f
SHA512 095d64cda072f82ec9b585f22e62d33f1d7372c69ff9666397423f13e947bca20c1475e75bf92e6016197cdb1f38e130ba7fcaba97d173893dd8d9420fbc2768

C:\Users\Admin\AppData\Local\Temp\mMwO.exe

MD5 1dd0f0459036dffae5f996f8c661a5bd
SHA1 a1e393ab1a6697e79e0229a3e9c28b45e02706aa
SHA256 3d91bbd02da17f5ef702b846d4405b446d1e152023bac4f143f2103deee5049e
SHA512 29c2ba82c26db2139158d71b008693294ae64148fe3b767c9615dc6794090efceb7f76faf86c879a878d619195cd3e01e617c57260d6a9cc5187401e3f77eca2

C:\Users\Admin\AppData\Local\Temp\gYko.exe

MD5 1c8fbbc89f9e6ceee762d4b99c948c9c
SHA1 236bb0bde58f3f842bb8171fa1d625fced24e2ba
SHA256 7c2e67f42e422048e9c3852515567e72c57e4a8a1cf130623b986aed9c6d2dbe
SHA512 854f468452efc1bc2d10d06c2150aa65448ab30a9e9a8cf8be3551db0e0799af24a21fe1c4e57091ad5cbd6d7d664800ce0418572482ff40c2d125ace04b4807

C:\Users\Admin\AppData\Local\Temp\mksMMUgk.bat

MD5 b24380c03ce52314a37394292c0c7422
SHA1 900b193e9c0b5ff2f9ba443b8a8af2cebcd18c02
SHA256 1ad4459851e0206a97c06c8cf244b314bbda2d303352c27556987f0273428632
SHA512 810404415eb296c3d32cbc6004529337f8cdd051a8dfe91f4573fbb69f44c4a828659dd9f9b5ad8200787792f96c85aec33b30d3ab1180ddbdda5d5699bc44bd

C:\Users\Admin\AppData\Local\Temp\sockYAsY.bat

MD5 317d37b0edc7bd7cbd25d97f53a16ce5
SHA1 18c9667c2999cabf0f54d2a87d10ee9d15aef35d
SHA256 06efe37f5e983469e8609e7af8399f4bdc5a80d361247a3a732ce4bec4fdb826
SHA512 d47e006282580432edfca63eb7883fe28b304d7a51cf99a5b5dc85aad46963f2b0a514c3cc53983cc4a25a6a689adc85a20b81344677ec5ea66fe6af2dc9d95a

C:\Users\Admin\AppData\Local\Temp\VMUw.exe

MD5 58c6c94dce3f38771e9feeb231ca1ac8
SHA1 a75b1bb99b87a3736aaf8b8ab0e21da91667df12
SHA256 387f0d3fe094081db669a43eca030363fc5c32a6cebe9386d90712dc666b769b
SHA512 49493f1cc0de8f75048bb009fa705ecc9dc394592c67e7c431d0b7aa1ca795e364c6a910646daa8ec8601e12bf7eda0081c5b40dd0713177f717b0606ae96046

C:\Users\Admin\AppData\Local\Temp\lksg.exe

MD5 da2a371ecc1362c80591b1791566fee5
SHA1 8eab5f597e46242bd8fefd4f81089c5548115302
SHA256 397b6c39f0a4ac3fc12f758b9f61af9461a9872b763a5ac644fc803270b826ce
SHA512 a4318526cfafa8b97d9f082da850d1b82b9122a3a4a8d007995c193da38a9c681e3f1473ab43d77101d5adbb131f0bf62af6393d499d6999f6f2c42c80c4dbdc

C:\Users\Admin\AppData\Local\Temp\kmocYwYk.bat

MD5 db3262c38a21f5c1b48ecb03f379c190
SHA1 a87cdde6bf74593c79ecfff211ca94386d17499c
SHA256 4c8fda41e71cec4ecd3d2019354cc0e75acdecb5785ac469400dfe3ec56a4120
SHA512 20df52f1a23825b79bd0b6484f35bdb95a47bd7a9b0838160454943b749380584149dcf77e2a14f18a89252276db70badcc5939a1536fb9bc750b3c4bfc93184

C:\Users\Admin\AppData\Local\Temp\DMgO.exe

MD5 fe2a3a5bfa040089f994fa65e1c4a054
SHA1 39f50f569cc26d23f15e1bb1ca84f911e2cbf28b
SHA256 1083266fd788929558cd345c059db4565b9173f61124799066827b928adff5d6
SHA512 2f25e0257d5918206c2d2040788c559b49fa5aceda369cc71e26221707a0e9019cd29c7f5699d9348ee9e278bfb64a270c890a502392237981e23d3cc9ad13b2

C:\Users\Admin\AppData\Local\Temp\OQsg.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\sMYO.exe

MD5 3ea865f55e848b4c1bab492fbeaeb057
SHA1 de413d4f72b3fd2506c97d50b52dbb56485c004c
SHA256 a76c86be8b5da84023d0af6776bed8284ee72a538db56d8f6fa316aeca012ba9
SHA512 01176ee4ee63bb77dc197b85550040952a1107d4b560285b5d8bd623b5f8e1d406e1f4e719a2ed4af81aae108f9993d73ca0e2312b7062aae8b6cf8c708a690e

C:\Users\Admin\AppData\Local\Temp\DccS.exe

MD5 2943b1ae7d403b47fc68d3ff2ec801f5
SHA1 505d9a06bb5da0ba21c32d1d77e8323807ffbdae
SHA256 aafb1f25bec40a7ebc4a3ee994fa3a00c5fad4d29a9eff677a80dff45bfa3da9
SHA512 1e15ec1bfa491ede55bc297a5463c83836380cce7878778d1fac4b6054f31c0d7ac25fd3ab301d2aac2871f645b31b7003d9643cd798eb5dc3481ce7cb7e4b1a

C:\Users\Admin\AppData\Local\Temp\ucMs.exe

MD5 9d3cdbc4bc66b58f84a311534151209e
SHA1 7ad96334f3503d6ff99487b19d85a6fd6f49e2fa
SHA256 2dfe3cbc60b19a18ab7087890c9530d01f297572770ea214189221540f2febca
SHA512 7cbc5c813a98a0ebd7b69763284f0f0efffe1428bdccc45bfa05d423432237232470be648f92d6c8820e745faf1be999afac998c4949f6473e0a4c56d209097f

C:\Users\Admin\AppData\Local\Temp\KkYk.exe

MD5 ad0747dde37ec4cda67839a393fdadb7
SHA1 b7c45a8706ca4e4686032a0a5d2fe79f0a28149c
SHA256 6be4f4aff6c5fcca65ca437dcfa67ce5bf516b9ea788cbb2ea81b3634dd58df5
SHA512 c218a6103b66059a8c40e4e90fb5b6584b887c545684929e5a7d548d872db50de1a3ab2b2ea5ba1bda73dce7d394995c45a41391a52fd61ddfac4c310693d4f2

C:\Users\Admin\AppData\Local\Temp\SQYE.exe

MD5 2c35a2928f8169dd1a607e5f393d353d
SHA1 83fe8827b268f8944e3e6ea9783773742ea392e1
SHA256 c187d67b50f35ade4f98d6d84824ab0b9d4152f1aa36aa047528f091306b0652
SHA512 9ac635a8d18e7f1a3d160305cd4e44197fff87f7e9852ae5ec1ac8a21fcaa3378f4852b379903eb316bf2faec2c5d81ff4fa291be1e6129b6a3a3e0cb186bdc2

C:\Users\Admin\AppData\Local\Temp\sacQEUMs.bat

MD5 7640f0c7d1d2d81d957baffc89d338ac
SHA1 d29d303ab7ba60be783d2ab5fe60e319e24294ac
SHA256 3982a664020ec3bb0ebddcc2d63cdc0af3c7b4a1afcaba0ea43ce92019273112
SHA512 39044f6fef4613f23b4f9df3496063529ab8209db16e56dcac8be468d60df4e0b6c0d44e59868641bf0ce15fa164cfe47d006ec954f1b239cb708dc09e186501

C:\Users\Admin\AppData\Local\Temp\nkwU.exe

MD5 8f0d86c30d36a4f3b798e6c5540c7d05
SHA1 e03b69787f68c696b71907055bb4621d3636f687
SHA256 da353309c369d10f8e5497ddd9d0a6e991a6ef60e3fc4d3b1dd89390dce65706
SHA512 5f8debff2dd94a9bf155658e9bde0a98c8226aea039ecfcea61ad45cf89a1d9e4437fd71c1d8843ce90a33bb9304039e476b008ed01422e70d7ba493c75151c3

C:\Users\Admin\AppData\Local\Temp\VsgE.exe

MD5 5f129be44a897fd3cb6416f7006749d2
SHA1 24595dab45a93957c9dca41f312de8dfeb315cd1
SHA256 d037d9fa8bd3a8d9279b209dc255623dbc224e97162f39f9dfdd5636ca1d1f89
SHA512 bab53c9a17fab8fdf2b6bbd26969dcb16607b8c6e63a2286cf5386be37a8e0f472eb45d931cb8e23aee9d3976671c9082fa0cc3fa9bffb774e5c089d4fc4866b

C:\Users\Admin\AppData\Local\Temp\DIcowooY.bat

MD5 0b36150471d46199da9828f4d0e20d4c
SHA1 ad03e03f5afccda54841b887bad90197566d15c0
SHA256 e404da1d222ed7543ea949b921f5c3bc3935b53934c9ca28c3e3ab43bac0edfa
SHA512 c87f45392541286b919de4835597c544ece00c2de0e6fecd1f276e520c19fd6ea7a7e2534d45ea34e5fd732b965fa1055d8738d8c44bdc7513d1fed1b9e84161

C:\Users\Admin\AppData\Local\Temp\nWcscIoc.bat

MD5 dd4b2215708e9fc11e3819fd74992e89
SHA1 41126842b41a66b1ac5ab58e50a795d0e12e5241
SHA256 1bf521f18f9812fdc63e6e780532f16d63610ab3f06bc9fcc48e6f9daa0fef36
SHA512 b4b09da3b9161dad4a9984855759b69f2111d0ea84c383c5871923d37ea9cb751f4258991cb0f53968ab4fbb8b888de57dcb15b8d7b700dc48a16aaee03a07fb

C:\Users\Admin\AppData\Local\Temp\ryEUYswc.bat

MD5 3995771670b257db3ae355bed98030b8
SHA1 3bc26275ae120873308a89bf0e9b1a1fbc49b398
SHA256 6275ee8b8100ffd32e4ce1e587b3718ee33e8c7c077f960097390275cef07532
SHA512 b96684baba1110afb60afa0719c469f14337e9d65a3822ca64b06c2bca19bb88fc452cd4dd532e4d8eb4594bf6e9320734b8f47d385a18e4f6a281fb13a1798a

C:\Users\Admin\AppData\Local\Temp\UUUO.exe

MD5 0c8380c210bf239c22c841134b1863b4
SHA1 50ca3cc1c1ba7ad7e50bbeaf63c3b2d2f7bbe94e
SHA256 e39309a6d071b61a2dbdddf8345bba7ac68e8b575cf3482899a7cdfbaf679a25
SHA512 fd5c9aeabf6c10ec74c051172ef72e59f056ae54743f198f339e7f11b5c9d67eea919b723b6b7dcd353fd3765e388836196ac9e0d8cb48085963890bfa75b6fe

C:\Users\Admin\AppData\Local\Temp\hQgsksUM.bat

MD5 8ad66dc550123b78d7496db30b171022
SHA1 84df444d24d1469728cfb398ded82f0238fd96ae
SHA256 597b929fc8aa6c0edcaa350c9a41bbb0b17fb0ec1553e3f576501e7395b94df1
SHA512 4e5c250715651fdfca2d0fd4dc204ffebbe850030114143106748710e6ac51c0c6d07f0046a0c2592dac107113fc9573ca59d81f2dfd5223eb8139cffcd0cfca

C:\Users\Admin\AppData\Local\Temp\DIgskcgQ.bat

MD5 7b9b8dde663698f985b4e146ee04355a
SHA1 82f4c18da5b5402734c3c8b0675a8a1743880fe6
SHA256 526545764d2576d051b34e1df71ab600c4a908499b9d797f5da4a40de18a5eaf
SHA512 aa9b8d5b17c141402e8e9743be4e3904450d2b0aa8df647514faf81d57836554c46e7f3768d5cf0958a6205bb0d115e6872dce289fe76b9ceb36ea4e314bf51b

C:\Users\Admin\AppData\Local\Temp\haQAAgcg.bat

MD5 e0f82a974aba209cf5375d988b13a57e
SHA1 e9cc9cf85671c16cb6d6eeb1bebd55a8861b099b
SHA256 5cb88f13ab3435891f98742297894e05beb0b4b3cc6ab7e3583f8d3409097003
SHA512 5716448ee701b2dd312aee7619b94e9316e7e049d121a21b1bbf21d77609fc3e0a728ae8d3de287599a878dea012e24026166bccd63c97ae5a0056a9f7a1cd90

C:\Users\Admin\AppData\Local\Temp\EcUQMMkw.bat

MD5 c8a065252781b54b806f21441744c66d
SHA1 269c0f56ea549e9e3674e21b295135165898780f
SHA256 db65e675b3e85a0ccadad254160bfb5739970a899adb4a4952c03645e87458a2
SHA512 a376f2122d6d0edf4226b9f8cdf9bc1db85c2ff8fe3ec6c99cc1a80501a1458901386d1849fe321bc1299605e7dc6c95c50ba12a39c51f6f7002d9563286d45d

C:\Users\Admin\AppData\Local\Temp\GYAkoQoA.bat

MD5 a4b6208c55774bc08bff988194417077
SHA1 c224bea22dada62e8b2c15c27e1a46ca3f497b17
SHA256 f529df0ca8f0a0fdf2044bf9c57217a4a5a4ccf93730615925b198a3d0f15ec7
SHA512 9be778131148fccbee9bfbedbc1d8beb4e8f4eb7ea6d57a82d37b8f191da8ff0800432fc2fa7f0e430fdfc26337e107660ffe2503c4287c4b5a3634c18837423

C:\Users\Admin\AppData\Local\Temp\mAwwogsE.bat

MD5 9f70df04b38acc5ce1a80b11a5ba61b8
SHA1 fd8c1296ca37817e3311f9d1f3575bc018fd2425
SHA256 f8a2793df5c524055b94a42edf277aef800db31d8f1c27de1dd3f727987c5f90
SHA512 78447c0a9dd138f65898c3bc0a6e5f616fe95cd3cadd978a422442e067066a14c45ff0e0426cf0143ac4f5bcbd5ecb0e3105e60d75b3b6eb31952be1c48812dd

C:\Users\Admin\AppData\Local\Temp\QYQAgUMw.bat

MD5 7d85942318257a2f25b20ba3746ab105
SHA1 9c9efa52c7ab4fee9a1fcb644d3dc832ca2740a9
SHA256 e2cddb5d3295c60cb5712d98d84c9d3b877bc1baa6f39a3656111b3d9be8d749
SHA512 67325b7ec08e096da08fc5d9c39f4e4cf4d7615a289688f80c65d82ab99c69315d6fabdb556361993d0f1ffe13413d874e83334795f3bdf221290d161a7a3483

C:\Users\Admin\AppData\Local\Temp\MwoEIQoo.bat

MD5 3656573464c31d285f5de4304c4d91d9
SHA1 dd444cf4f7914c34db66572b25416f6349fc2159
SHA256 a152bb833fd4c07aaff46f72c26a8e78b958a1503b16f806f16aec4ade1b4835
SHA512 7a7ae5564b9223aafda8aeef0f504d2a924aeb4ee2a5f93d4a68115bbf7099e6887e471340a62816863ac44f8e074b236c31550c6a8810db4ea6cada2ab8a951

C:\Users\Admin\AppData\Local\Temp\jkwgMAMk.bat

MD5 97842759cfa7ba7e7d80d5adfc135912
SHA1 378e31cc89082124bf49af4e0b6564d0167a2b97
SHA256 8ca9402a6ac9a7ea43a42fca9f6ee8fa32209cf30106e6e4f2506d1434a04c0b
SHA512 a1e95df3c43433c7ecfa4da7bbf99b5a540e05510aab44a3f560761ab672c280d96b36ac0ed57b579a28c4259bc049555ab67c305746ad3ec8067253ed6c8526

C:\Users\Admin\AppData\Local\Temp\xcwAQYcM.bat

MD5 98c6ba8e1bd7e6c95aa9a19357cf314c
SHA1 058b47ac5a58edbf870032eba50714434382b28b
SHA256 37230399b8e7947732043a1303a036889213c79819dfbd5a3219a23d67a2ffb2
SHA512 6ccfdf665de3c1f728c8aca5ed56d65951b4bc582bbc2ea2f30981703c658ffdb73742b0a0ac27e418e7ec9f45e258eb6af83c1cbac647f25de6e63ed4a1d997

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:37

Reported

2024-01-25 17:40

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe"

Signatures

Kinsing

loader kinsing

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A

Renames multiple (80) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\ProgramData\YUEIYYoU\MkAEMMUk.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dIAoEIcE.exe = "C:\\Users\\Admin\\GSAcYQEg\\dIAoEIcE.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MkAEMMUk.exe = "C:\\ProgramData\\YUEIYYoU\\MkAEMMUk.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MkAEMMUk.exe = "C:\\ProgramData\\YUEIYYoU\\MkAEMMUk.exe" C:\ProgramData\YUEIYYoU\MkAEMMUk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dIAoEIcE.exe = "C:\\Users\\Admin\\GSAcYQEg\\dIAoEIcE.exe" C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A
N/A N/A C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3988 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe
PID 3988 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe
PID 3988 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe
PID 3988 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\ProgramData\YUEIYYoU\MkAEMMUk.exe
PID 3988 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\ProgramData\YUEIYYoU\MkAEMMUk.exe
PID 3988 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\ProgramData\YUEIYYoU\MkAEMMUk.exe
PID 3988 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3988 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3988 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3988 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3988 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3988 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3988 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3988 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3988 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3988 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3988 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3988 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3988 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3988 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3988 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4844 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
PID 4844 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
PID 4844 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
PID 2192 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2192 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2192 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3640 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3640 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3640 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
PID 1924 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
PID 1924 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
PID 3640 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3640 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3640 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3640 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3640 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3640 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3640 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3640 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3640 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3640 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3640 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3640 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3092 wrote to memory of 5016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3092 wrote to memory of 5016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3092 wrote to memory of 5016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2172 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3028 wrote to memory of 4076 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
PID 3028 wrote to memory of 4076 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
PID 3028 wrote to memory of 4076 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
PID 2172 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cscript.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe"

C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe

"C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe"

C:\ProgramData\YUEIYYoU\MkAEMMUk.exe

"C:\ProgramData\YUEIYYoU\MkAEMMUk.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiQcocUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYoQMocQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgIAwYME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWsMEEkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQswIUUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYkMgUIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGgUEMUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEgAsIkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMAkQMEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgMcwAAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAkkUAMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McwAAQww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGgQYcco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUEkYUoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugYcUgUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AasUscks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCsgAsIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feQosckE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcUsQIUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmgkoUoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okAYcAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEckcgUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGkcwEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VaQQIwYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jsowkAMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HocMMgUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyEYsMQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiMcccIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsgQgckg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCAogQIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koggAUQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWgssoAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fasEgMAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSoMYMYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aiowwQws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKkAcEIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sgwwcogg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NioMwoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgMIwkYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGgwcAEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcUYccks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkcoYIkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qaAQIIUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EMUYUQwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqAsMYcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsAUgEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqAEYQgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymskEQsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuQwEQQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mSQgAUwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AeggsgEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XiwAUEsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqsUcQcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAYoccso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIMIMMgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOgAswgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAEgAIUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CoAAcIcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAgoUEow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vucsEYco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIcAYUEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HoMgAIcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kecMksMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQQAMAkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUMEYgYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AeEoYMgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwMEgMAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeEMEkMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwIQMAcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQQcMMwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUAsQEoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQgwIYcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kaIQIsIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LcIskscQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOQIAwQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQAocUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQYsQcoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmoIAAck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmYkQYQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmccEUYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUoUYkoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgcwEAAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZiYMUkAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fSAoAIgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGkAAQEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksQswEIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gioooUkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQIYMoEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQMYoooU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSgMwMMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAcMIkQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwsQwUsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keIgUsUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOYoYAck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCQscgoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAYQccMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIYsoAMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkwIIcYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEwgwMYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCoAQUsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OeogwckI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoocUQkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAcscAow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqsUockU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwIEAIEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsAUQMgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QysIgEQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIcsAQEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\beUUwwsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juIgkUUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkMYQEwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmAIAQws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucQgcQAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEUsAsgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGQUIswQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgQIAIso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkQskUYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiIMYQMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dssYsMEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCMUQcko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWoosEEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkUcQwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWgcUUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAUAAsso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYsUoAAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGAwEscY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKEAkEgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWggcgIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYMgoQMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ayooMkYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nyEswYgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoogoQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWQMMoIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYEkkkUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gekwMIIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YesgYAMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiwkocIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEoksMcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DesIkMgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmUkIEkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hyMIQEIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.180.14:80 google.com tcp
GB 142.250.180.14:80 google.com tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/3988-0-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe

MD5 b13dde14ce4258e2c6a3e98d8a904f96
SHA1 947de0e02f8bb584be3086501978d85e194966ac
SHA256 0374c29503eea3667d3a18e4a12d5e4e5363a0f421c793f8277fdd01bf2b7329
SHA512 169dd85f16c23574f3f618c17932bb624495295e44263331687a5c067cd6bf81e04018c3580b5f966239456675418d47d7faf9f6890c4397a4681d577becc86d

memory/1636-15-0x0000000000400000-0x0000000000432000-memory.dmp

C:\ProgramData\YUEIYYoU\MkAEMMUk.exe

MD5 b006bc053155ac8ed460b74111a19f50
SHA1 58e05ae080037ca405e51bf714d2cabd84a5aee9
SHA256 5b6f05f013c12b2ba66426270addcdbaae41d08f1d82974737457a7e97586597
SHA512 24c0ff0acd14997fcf907054917c14e6464cf4619a1e3597c8147740d67fab1090b961201d9b8744d56caf94dbca35db5f2338f4f0f26ca8ddaac139cf7e901b

memory/2408-7-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3988-19-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3640-20-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PiQcocUg.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

MD5 e0a80154e2c7c04bdff156ce10733245
SHA1 1c79f105e609481391cd58ee99339abd10dc8926
SHA256 19a3fe8192c7b0b9062dbd36d0223aa2d4ed15e571e2a16ff5090297b268cc21
SHA512 1fe4c9c18322fe7fa2bae34cee82dde8aa1d99bd798fca8486a2a5c857e6c93f645dc0780478a827574cd46492dc61a1b9044cbf8f101305552107f5f4c07e10

memory/3640-33-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4076-42-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2172-45-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1088-53-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4076-57-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1088-68-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2528-78-0x0000000000400000-0x0000000000438000-memory.dmp

memory/864-82-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3016-90-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2528-94-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2208-102-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3016-106-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2208-117-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4516-127-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2324-131-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4516-143-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2368-140-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1888-152-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2368-155-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1888-166-0x0000000000400000-0x0000000000438000-memory.dmp

memory/384-176-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2516-180-0x0000000000400000-0x0000000000438000-memory.dmp

memory/384-191-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4220-199-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4536-203-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4680-211-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4220-215-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4920-225-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4680-229-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4920-240-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2172-251-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1468-252-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1468-263-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1580-273-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2496-274-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3436-280-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2496-283-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3436-292-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4992-289-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3416-300-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4992-303-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3416-311-0x0000000000400000-0x0000000000438000-memory.dmp

memory/372-312-0x0000000000400000-0x0000000000438000-memory.dmp

memory/372-320-0x0000000000400000-0x0000000000438000-memory.dmp

memory/5024-329-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3576-326-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3576-340-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4400-337-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2564-349-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4400-348-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2564-357-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2128-358-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4636-368-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2128-369-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4636-377-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4560-385-0x0000000000400000-0x0000000000438000-memory.dmp

memory/5088-387-0x0000000000400000-0x0000000000438000-memory.dmp

memory/5088-394-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2724-395-0x0000000000400000-0x0000000000438000-memory.dmp

C:\odt\office2016setup.exe

MD5 4afc366c83046ee5066e1cb8972339a6
SHA1 8e9c920261a186b9f9171b0b668eef956c886581
SHA256 a9089f078fe4e0debef149ef1345466b4ce7792fa3f76da08950083e397d89ac
SHA512 97ebb37e2692039bb3885f81c87b17c678c988f311e2f42ba2083868d37d2b9fc23fd22f31add3deaba2a198c3bd0f3547ee9bcdf53939a0b13403d15c3ba586

C:\Users\Admin\AppData\Local\Temp\YcMS.exe

MD5 b62aa6d5fd39438a40ca689ef75fa7af
SHA1 4ccffa9f521f5f88ef13fea4b83ef9fdd4adb55f
SHA256 2bbd0094e930027f414b809a51886afbfe3db08ba848c1acb727d4ba4dd63410
SHA512 2e15da21fa190a31716ec1cf94980d16d253f8c13af42b734d4aba7e2bc4ae20b3af58746302322f35692a28d7229daf713e9b5c359cf0926ad86b5a6351e9b2

C:\Users\Admin\AppData\Local\Temp\Awcs.exe

MD5 f88d1801ceee7f822f9467c4f8acbbc8
SHA1 5c6def0bd2b45b67b6ce8f8c989a6af08af62850
SHA256 88971970355db08a9cde9712b57061e96c809c04ce41b2114e987972d06ba8eb
SHA512 aa1022d25f4829b3eff7433ab7a8301de3c5f3f3fb6e872c1d096047b5654ec93c38746836f775df16d1803ccb6ff9a2ba10f3b7c83595ef31a4065e011e081b

C:\Users\Admin\AppData\Local\Temp\UkMm.exe

MD5 555e26179082d7d503ffe52bf6d65eb1
SHA1 60fe63fdb473fbd19bdd4d48637f2b732bc6f2ab
SHA256 24f08ecabed4a806fcaa4619000b372da43d4dd5481daad1158b41c658daa92f
SHA512 aa47ce6ba2a9cbf11cdc0fce0d0fed48432cdc44b4237649ef3e1f8d0b0e9f47ff62ee975388e0ec145f7a934f22074e3d020d4f1d9ee3c24b184c6801ce7c35

C:\Users\Admin\AppData\Local\Temp\cEEa.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\iAMg.exe

MD5 4ce8b127f86317d5b21b2f78121c4123
SHA1 3d6ba7f61679384c960029095edba6eac5ba8895
SHA256 a956d18ff5b4a14ae49a09b39217f932fe68e8f541563632f44d12a06f82ec29
SHA512 f7dcd51e3db6346110e53943b441bc32e7eb3e11c52e3521154e350b67b43c8f71e3482414313e81214ae98eaa3f09de0adcf19343bc75d332f4758df2dce68b

C:\Users\Admin\AppData\Local\Temp\AMQo.exe

MD5 f45f739e6af88bc2a6785a9ea2ee31e0
SHA1 fdfe15c36cbcb7b3a40f427575d8791c5ee45d9b
SHA256 3633fc99053b8745669fabf4282d517a283b9c1b38ee1bf24ba05d14efd0c022
SHA512 9870a7809c9dd4f509f9db98d1fedc464f50affd8d1403907836411fc50d2d3af7ab65aecff01c4226a3c6cee75eef97b1a6aea8afff2283e12f01e1010ac517

C:\Users\Admin\AppData\Local\Temp\uQEy.exe

MD5 e51008224b7e59123326c5c01f5fc81e
SHA1 36ddbe2ee3f543adb467e4323cc8827bf53a0f69
SHA256 4d697618bf4383dbdaf87379e60efe310fc2be18071642b45ad3f79f8f18945f
SHA512 1ba8ca5fd0a5a63d8e5213b21cea3c206b743ac2ae6d73273fee9dc4159a148596ce4fc952e7f7d8638e40e119efd72938db128a7efb09c444a22fd2e30422d6

C:\Users\Admin\AppData\Local\Temp\gUoC.exe

MD5 970d5c7519ce5f55197b881976c67ba4
SHA1 cba355d32801538a7724a7fdb90a984d3294100a
SHA256 44ab6c40d340f828baf1f914199b4cf3124f951e7135f5a3e5a90b5d970e0ee2
SHA512 c3ac2c8a78cf7307a2eaeb357fb99d833f59ff27a1f54ac693ebdbf194e86eebc5d62ec8f8f1de2449b8093a367abc961befacbd62d2893f971696b1e78ea4d7

C:\Users\Admin\AppData\Local\Temp\swoq.exe

MD5 3ac5a437e9f263743637af5c1be38023
SHA1 5ef9be4fd74f888e757c71c9af27334af5b2a9a9
SHA256 50c5083f5d51d323c267c5c6d8017f457f231e791d2841ed5c8ac14797cdf8bf
SHA512 c68b7186ec252c28e9fde3cadc2004f90d96bc125e5bca6d0076d3572547925122443dfd002e7ffa54e863d1bdb2bba104925007222465245b866f7c8cc94915

C:\Users\Admin\AppData\Local\Temp\GUYa.exe

MD5 916af75119afe5d131a868e92ca22b5e
SHA1 e3c61e3aa4b4002a43ebd4371cb52010f5d440bb
SHA256 94c8dd9ea9235555c4dabbd76e59c5ce7a34753848a6df7414c4725cda653033
SHA512 a5fa3c538d30a8a04f82c338000c68ecf56845d4153df0c38177801f744dac46990b9a72324f8a0655e2db298fc6eb34bc8447b7fa17e8b468d42b10e61fd3f1

C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

MD5 cbfca4f103a96f261ffa30692f6af656
SHA1 87113d8701e046862d666366773acd5fc8e39cc5
SHA256 a15df3e08fb239b0ccd92acd59f502492759a8a6ed603ce9ada239466c8b92d0
SHA512 57b47c26d746d65c4d7f357773647cc21d381557400b3f43e421a3dad184702fca03bcfbaeeaed1a9fac41cbbc0c5ce0610f45952fe0268e414bdb8e4fc871c8

C:\Users\Admin\AppData\Local\Temp\aUQm.exe

MD5 af02b00c29b5fc7b1e8d97d83d469fc3
SHA1 efa43e05bc3fd95a3df5b110381a42e29e648023
SHA256 563156df0434e1de0a26ba5b437c1bf94ae911db17d15b86c78d60561d078799
SHA512 ea495e36a24f7cb7563d44d2bca4f12eef83b9ebf6c36ed70a248db5dddf16c91e53bdcb885abff4b5b7625fd6ec84cb543e1cb9846ff5fa0064136dbaed43db

C:\Users\Admin\AppData\Local\Temp\IIMq.exe

MD5 e573d40af01179edd41d84a4119412db
SHA1 ba221f688303f6e221d2e3324db12d471b544a4e
SHA256 29229273d8081a032d2e960dc848caf99423d4814af2c256bec656e2e1e0b1b0
SHA512 cafca3c7843c875b4aefeb575a6f5e5814de5cdb770c92c948d36b6942564b238a32d7f95b07447f0a63d0bb700c8647cf110f2eb0b624a56e4713700adee854

C:\Users\Admin\AppData\Local\Temp\usQK.exe

MD5 2ffdf5b7d2d878f8185fc5eac02939f9
SHA1 54883f12d7cf2b3aee2d86c1bb26b71ed5494833
SHA256 63c2b595b3b803f32f6e76feef0a368cddb873d90584e1714c3e9c153b30adf3
SHA512 6864c433ce3ce0b08ca9bf2f1845d22188810c2973d5dafb16a089abb59ed07da434d3876729fa70c70459ec935f235b8aef60217cf9d87fc2747aef62bffb8d

C:\Users\Admin\AppData\Local\Temp\iIES.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\eYUo.exe

MD5 4237ff2159d87228eaa979e4e3daa242
SHA1 1ed577ab639ed6077a83b3dc71d169d19d889129
SHA256 6f04fe1164ca74efab9bf67eff8390423ea08dda34305a359b25adf3343f9b8d
SHA512 07f522eee99e35ec1ac92d5393d7fbab21366a6780877dbbfa786321bb865486bdd84bb55c7c3018a4ea29be93201bc10dfe8e54c6aecab9d916ef05181ad5bf

C:\Users\Admin\AppData\Local\Temp\WAoG.exe

MD5 7d8bb942382d21b4a7f96677a9c71ddd
SHA1 a3d9ca647dc3cdd5c44b37b88f42197064c861a3
SHA256 5b54c7548718daa5cc1cbe56a62d0b231d5a1e8e3cc05b0983b0b84b73bb9504
SHA512 c7569253bda56169cf952feb97769870e287abc8cd257fed284c6c4806b9780db32aaef233e9fe9b1b9f4dae6bca9e2e2ad19707c6988ada3df5eab3f701033e

C:\Users\Admin\AppData\Local\Temp\qYsQ.exe

MD5 90e333b553b61cb46b302d329f3f808e
SHA1 ebdc96ed01a4dde8f0f1267c9a0c711aa21c9c47
SHA256 ef52a5fd748fe61dbed61d856c1c85aa642c4d578011c252475ede555f9f8cbf
SHA512 d0b6ba256db7c9113a43c9aa27f121f9f2c05596fd1f2dfb07990ef6d9452cce8ba1e6a9cd9b130c3dc690660e989cabb5e411f98da5ebc7454620b3e111a90b

C:\Users\Admin\AppData\Local\Temp\cUgW.exe

MD5 652877a2d9ec4fcd3e93c49b02c2cab9
SHA1 ede8989e3e06419eb1f042a6b705ff47c933577f
SHA256 a3e6fe1f540fecb013f988f7a2566ab048fe315a1d5ece57c383853bf1dfeeae
SHA512 1a149cb0f1f148f28385818b77444a74cb656198fb1b20f71e0c7edd6ffdd786f13683794dab42b6721d8bfec3ae5638af8bf3155abbae5398cc5e91b1facbde

C:\Users\Admin\AppData\Local\Temp\okUo.exe

MD5 b602f78463ebd24d979af97f5ec23846
SHA1 3853da4f002df92b5e87e04e426ba263cb1209f3
SHA256 b7ad7df026184e6c4fc7df98410f08c8af0c72a1bb28ff6f7b8bffbc0175d575
SHA512 47b30984ff30498507d3103345aa38f3e0fa58cc294223a71ac3adefcc43388bc5630dfad03e4d0f87ddaa2f527b4f7c671afa9a2fd1d46198d15b19c9f870f4

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 f4e10578008ff5e0413d67a85ecbb15a
SHA1 26bf1ea4e935cefbaaf5b5325ca9a0e4592716fb
SHA256 032536f14f69b1cf4f9df767c928e518a92c23aefbd30fd67f7027971ea1fef4
SHA512 d9c6ecc9fabdf8970a5eb994e0465952b4bc4527f66e734422a65948e441d62d21da8592f37bcc7a3f522f534b6246adae4ef3db35195f1bb307581f63cd2c7f

C:\Users\Admin\AppData\Local\Temp\UgUi.exe

MD5 cd0029a52647ede682131ef0bdb7f54b
SHA1 b85f11ef72dc912b878eedd3109046d72de25b73
SHA256 634b7c8748825d0ddb14911d35120c5a275f82c8e24aa51cc9358a5ab6b0dfe5
SHA512 341bbf36ca85d88844000b32bf9fd026f45b0bf7c9ad08332db3a06be084a97f1d7266b8a859ca8a2b89873c96bf3c9388f758ceeb82d4d06ba1a23916add894

C:\Users\Admin\AppData\Local\Temp\kkQK.exe

MD5 83ad59a9a85193ff579c1f572007c38d
SHA1 82cc1a035f8d628be95ddd13454c21f81d82f754
SHA256 097c2c598042610ebdf46f7b9165762aa95a379d91dabf7871cacd715256ba7e
SHA512 6875e1433de1f50f48107e8f4bb05d6917ffb6a24885dbca356e1678c282d6dff9a1f5bfe4d592abbbfb55b8223387ce3930cb95e15dbfd962be5723e86ecece

C:\Users\Admin\AppData\Local\Temp\oEkA.exe

MD5 aa11e8c9d5843c5ba8e2641162d2f430
SHA1 47554ff4f9e61a827b57ca1f6fb074cbab46a383
SHA256 62ee0e4a021f0dd47a13a6393f3ccc89e10341cb93cdf321a1fb9c3ee4d1a50a
SHA512 844887965f2ccfacf360a61cfff60d55a4064b6d73b07bda47d531005f362ccf45a47abf30b6c5a40237cf75304081a45cbc93dbaa7a82eaa7f991149d60dcb1

C:\Users\Admin\AppData\Local\Temp\iMAk.exe

MD5 4404b94de400926aed9f51926cef535d
SHA1 bffe7613c362b34ada06f8d7891960d0195b85ed
SHA256 f68ba4d05b86c31f4532c9ab9fc82adff1ed67cf55481a382357f2837023c5e1
SHA512 15b63ad57cd23c20905e913e62240ccfa8969d0a76f284da6cf0bd8f2795c37f4ed3372a2ea222f2a0e9c235589ad36e374ee4d13f240dfe613e6a282c1ab9ac

C:\Users\Admin\AppData\Local\Temp\OIYw.exe

MD5 b845cbf812c4df401327a3849c01c6b3
SHA1 cee0a80988f45cf77510ccdcc3782ce4d22a01ef
SHA256 47ff670d2990bb20a99c30169c94e7915f6dd058bb50e219e29cde5fab7f9d4b
SHA512 59380fb465514730c5305136c86e0a1744a3ef21644d70e913cd012610ea49590361dbe9623747f1cdb0337ae829cbd19b638b69e2187d066cc3d14a46438117

C:\Users\Admin\AppData\Local\Temp\uMQG.exe

MD5 91ebb6cb44dfc04840f3e8ac3b0cdf1f
SHA1 f2f73a48258a1a87b9207f33e9c6c1a3879e0586
SHA256 7765f7845ce70c136ca3c9a02fffef9ef418442c057873f268a9c8d14e21e99a
SHA512 faf7df2a08f7e815bcea0df5a52db658f102d237aa8b4e2ea2c2478df8d76e41345a3d6c01ce83812f4371166602f3d76eb0793e5830343d68424f1df2c2c754

C:\Users\Admin\AppData\Local\Temp\uUwI.exe

MD5 4f0f4b2823eceadc1b0db71a77435bd3
SHA1 77a5fe78d02c04d5db79ab71ede5355408e2f56b
SHA256 58afbba5062698da974e2835296d6b07960e13584f6553bf5fe073a187163e1e
SHA512 d610b9663f031a884be4e75a0aefb49401bb7b4cfa77d4be1db4b99459db02b79400dd88f65bbf95158ccdac9400a015e91fe19c2b7e593d09ca10fffce7c5b4

C:\Users\Admin\AppData\Local\Temp\GAIW.exe

MD5 f0e0ecc1e817d25f313fca9e60b304cf
SHA1 8c1f32a5167f98f9271d7b218daecbcac90333ab
SHA256 2f12459bec87eed0541f7ce46d869f0f7d2eb64a0d521c62b13c047f0435849b
SHA512 5dae13f26435798d82a1fed055c2c900a3bbf5b6209f7ce17336d3696050f715c90e6adebb1fa6a18f5f2be748299471d71b7e19ada105736175a38b12d01b18

C:\Users\Admin\AppData\Local\Temp\QUYM.exe

MD5 98bb5ecb284e717cd3c5d8949075972d
SHA1 b6776806e1817e3a40ccf057513c23edae23a4db
SHA256 bf9ce89178850ded6457c3c0cfe77c4e8415ae806aeb0b43bcc569eea76f94e7
SHA512 7d90ad68c5883aa5f47369bea60438b8dd9816a19f9d60fa5f9b47444ca886e3f65a93b06f68c70cf2a110dd7a389ffd074840532bf8a967153caf7040912d9b

C:\Users\Admin\AppData\Local\Temp\AMIY.exe

MD5 84c5fb7461b56866def988703acbfbe8
SHA1 a9fd3ffadfcfc60d1ea16e742eff393cd895c776
SHA256 e2af7ad9b984e348d99990ac10921e2c94cd7774f0950a1f02b9acae45de046d
SHA512 d41af9d94957f88ab68f15f82b3cbbbeb88af903e759111c83190514d8befa00995bea19dcd8ccf80d8ad43711a364c328bab10d0ba3cd949284471844c97768

C:\Users\Admin\AppData\Local\Temp\Swoc.exe

MD5 d382bd9efdab77d6fd959c7faea010e9
SHA1 7374bce9361ca6173ab840cfcf50a9d0e46bde1d
SHA256 c205444387caf081e0698ab876bdaf2035458f1338eb7f90226cdc591167d232
SHA512 4ab2d4b517c5f8f58aa70e270258c140c712c52b4e17309032f426c31458966ce2fdcd1f23849ad8b6d482308ea7bdf618175fb87917197b5cd945db1dcd75b9

C:\Users\Admin\AppData\Local\Temp\McAM.exe

MD5 a05d5bf3f0cc55733354a0cf9d40fbbb
SHA1 a0f61464ffdd3baec54981db200178313798c37e
SHA256 7e080e84d725528e70c2cdd563143b77bc96267cc491816e9e389decb9dd8764
SHA512 692be9bda1dc490d7597e73e56c5a25252697d2c248a331c496886cce03cbdfaaab943dc022bfb1c118ecb51bde6e346e2645537d197c36894dfa9e309d75bd0

C:\Users\Admin\AppData\Local\Temp\SEYM.exe

MD5 1782f5025006a829b1e8e32a7c970af9
SHA1 a913f02f1570e291b5e1561e3b1144e7335f1ac6
SHA256 0b7b9a22404cffcc2f38d31428c954d3fd852e1507831abce5fa4c3853ab0a9f
SHA512 a7b1ba82aede5a3b063b37dd9261253d2e25d648e98b7e3296a7ba10edf59861e11c53ebb9f77bb4164b8b83197855ecc25caed86be3f4ed216cec7a49cb9d68

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

MD5 caaa614e3b66b2d6f7ac76dc7e81411f
SHA1 6d9d16e152834d159613b7141937232cc74153b6
SHA256 169cf7f2cc949ec4c5742c8f0d9b55458a0ba146cc0093094733c1d7f820c2e7
SHA512 22ebcbae8fe6194f6188157889109ccc2e55f8e286ac89e930f9d93df04c31ceebaa5ba532274c2cd4d42e3def197af5ec4e355a4d2b540ba5e47dc2c9e41377

C:\Users\Admin\AppData\Local\Temp\YgkU.exe

MD5 cbcb813d1fbf5185213967be0837225e
SHA1 c9bb4952378c2a83610c823c635a391a91170e11
SHA256 d8ea58021f20413aa9266fbf34bac4db37c742ca6d1630a08ab731372fddf82e
SHA512 faf3f79ff823877bb418c2a3ce240a7541fb9dce2949feb85b944166265070d80315ec5a7b9ba5a59a680c1f9a46876cea6491c9289069dc4fe3f6edf8bfe951

C:\Users\Admin\AppData\Local\Temp\UAMI.exe

MD5 058247d0d5206029651e73def633472c
SHA1 5a0cb1dffd7b500740229fc58e93d680c2227b78
SHA256 8d68f097057020588d8e6de3e0bd87ea4cdab91ad76b70a05d90447779181021
SHA512 a279dca6c3d4e3692aab4e1c623261fb9b7ca9deace5a1c7757830da8c50ddbb116341ce894d6142032129ec9403e08c161f2974647b3ce214c1b166906e2610

C:\Users\Admin\AppData\Local\Temp\ScwA.exe

MD5 98229b537cb739915192566245e9e656
SHA1 3f0b916432fb07abfd70a4013bcc22ee0992b826
SHA256 98381066c76b1b83f29992a2239a8562c1d5c9b1616eab3231ab7bef8e89565b
SHA512 c724dc89dfc02390cf32adf94d47ef754536825cb5a59b5bfe066de3f978a29e9223835ea2506a1986457d7a3994fb2b67bf6f2822a69bcb0cfe6e1d92fb11b5

C:\Users\Admin\AppData\Local\Temp\GMok.exe

MD5 6f72a5ad74790827b3450a2d7d5e0c48
SHA1 0abee5045c02db68154028b84708803c01732e7c
SHA256 462387a54a0b0652295dab3b735528a52ee651ec093be571e9315e729bd77f4e
SHA512 5db5f0b5ee72de4cb11b7a585dabfb5193bf8694f6cf6d731b99ee4fbc1b7b32152a138d12e43aff771a5193687ec7417a7664e10a0f5d7cad73a5b1d83b269f

C:\Users\Admin\AppData\Local\Temp\AYAK.exe

MD5 06355739b62fe00ced6929490fbf5c6c
SHA1 617ff32c6edfb8248c81105e04972f1aaa29a491
SHA256 f015c9b76dffc6aa023efa6bdac91a954da9f60c69edcc3f0b272d09a707ca03
SHA512 09f57c69ae682d29e1675fc9530db918f651498c6680e0258bf71f236171d5d61eae532ed2f7301a135b974de1f327a9657412b13985f89b0f643ee0261ee774

C:\Users\Admin\AppData\Local\Temp\GEsc.exe

MD5 e6e784a44bb01bdc8e4391fc02c43c76
SHA1 3856b5682147cca7cd2d865eb3e3e50aad17a58a
SHA256 659e8f6d05e3e3490fb911ec73bb0b82f20434c96e948a4ca555261e05a90a49
SHA512 a6ad393b9a96c2071a963d228bfbf1f523ea2792727fa795a1a2159a96333b5bc02b79598a4ce5de6b229ec4548d4248de006c32100c4c7476d9a8f0fa8ab1f0

C:\Users\Admin\AppData\Local\Temp\WwUq.exe

MD5 13be1d0c5d3cf5de7e1d1689acda64ce
SHA1 079a6a74e1d70b90d6f78351b2736443ad2ac691
SHA256 c57554aacff10fb5b5fddb529ae57c25e6d49c4def7629341d3f806fd8094d50
SHA512 ac7c69d142d00c1ba926992d1e6b9aac739b3013655efe6160b9835071eb93bf0d7233a97985961c1eee958f7a9e10afd58b0f21d0de973ce57a6ede3e0a6ebc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

MD5 1039bd96d403e27529b507e6dfebd7b2
SHA1 34c74c1a72dc6f31cc33fb9acab25432b87c3b8b
SHA256 c8ce30277527a1235b63fa011d1cfc2bbb657124dd8578d1a0c36b6650a2150e
SHA512 22828071b5afa2c5afe184d69f2afd17836bc9bcfeff119ae3252cd97ded09d09b0a85de98ffe2e5e9323ee0e4af3147f1609ffd166afcb989c128b1de265d0b

C:\Users\Admin\AppData\Local\Temp\uUow.exe

MD5 ccd3d5f4b1616de4b9a0124eef939c2b
SHA1 822a175bf6ac2b426186f56b2a54a2ddcdb28a4f
SHA256 893ab76e0b31148809bc2164f7401ab27b4957483f4965b2e0ae576159aac465
SHA512 eaeb1a515ca21b0f3261ef5d29ea868268d5814ee4a49247668ec1add9cded6394897795b82ddb349581dd5a70b6d311e63321ec38e60122b7cc0f50fdec6ee1

C:\Users\Admin\AppData\Local\Temp\UEMi.exe

MD5 fd354c2d6ee7f75bef406a474dcbce38
SHA1 0ea7ddf5345db5b25cb25fb088137d1712552f2d
SHA256 2feb502ad92e4123700ec2a5267c448cb075addbd4e083583d7fd6c5a295003b
SHA512 c0e5455b23f98e641ced9e2d74013c1bd440db5a1cbf502aff9a5b71acda3ced4e5adaad26848d44825c91980109f2c2861cf5a0fafd801bda52f17d2dcb18da

C:\Users\Admin\AppData\Local\Temp\yYsm.exe

MD5 04e999cb842954f36233cf085cb9893a
SHA1 365b474f4d0508a96aa049b08d78e3fe0af99443
SHA256 73480dc35fee10cc1262cfe030463bfe6df85b73fb3d588315a1b3ae49daa57e
SHA512 aa9d19ccd3d6381dfafc5d8e5acc1b7e76b2815dfc7d94d97dfd9fb6d005e0d734964882a38284f4106d4d7074b791711d75d061fe62a0f4b93dda01b8a5255d

C:\Users\Admin\AppData\Local\Temp\oMEo.exe

MD5 0f672c71bcea5c5132928c1a3766bfed
SHA1 7d02065188dabaff63ce0b2716c2e001fe6dfa1b
SHA256 3213a7b3a8d82edb507d949c385bf64adc00189bcc44f4ee1072711efad97cac
SHA512 198e263fd620cf7e4ca43f592a11a8ca79e6f0a64c001580c9e54f0900be1d1f35a3efd87f51e29874ce20df8799af049aad49cf78f1d7e79a61e22c68155f17

C:\Users\Admin\AppData\Local\Temp\iEkW.exe

MD5 269eb452424dc1792735e159768862a1
SHA1 ac75a9201929f2ac2e967c191ca5f335ad338c27
SHA256 7d179f4c50eee2520efbe0223600404615398c3a5cd3f53802fcc6c24e08422b
SHA512 be33c71f3d783eaf51d08eb19783d977b0984fc0dbd0601b236455ced5e11750ece9e436f9de1436fc6daf660ce791b83be32f9c18f1495a246c8d573ddcb29d

C:\Users\Admin\AppData\Local\Temp\mgMu.exe

MD5 cc7846f07c09781934d9dabc7cd86888
SHA1 c79f7e0c15841fc4b52f9d4c449b60a95a563eb6
SHA256 7ea13df782cc4c64795a36f1a8ef75d4aa7d5a82ad8aaef9f61838da17a0c21a
SHA512 a14a7fc55a04c24629372190beb8b019dcc813a3ed6a8ddd742495eb470abefa5336f148f95c3d3cdf06b223be4642ee6e9340ac58c9d1d01a6ac114d39eed7d

C:\Users\Admin\AppData\Local\Temp\YMAC.exe

MD5 ba13e41dcfd3ad49ca4eeede57c692ec
SHA1 b98f16bfd99f1ec1cd6251e6ef1cb92841695e8e
SHA256 0736fa6475839ccc7a64d7436792aac326edce851b31a17726112cb675d1ce79
SHA512 4ae59158fb392288f1dd01278ffe12c1d0b5b0c2b8ea65025015412e179c84b228557ade191d78f8385b5dc08f3c1f6e318c63bd606de1f256172ebcaaa2eb82

C:\Users\Admin\AppData\Local\Temp\IEQY.exe

MD5 41d0b1a0d6fdf765edb181383d18526b
SHA1 776b0407ba558949b5f10d0e65ed1475a17151d1
SHA256 9d6f7626ccbf10c45fedccc2c4db121b910b38cfc3d2331e8a5ed32627e6ec3b
SHA512 060b211fdad93b3e3b35e7e1f10e2cf9fa5516813252da1bdcbb21a47ffd100364b59437f2b8353b11535e937722e5ae5199727cb05489c6734b8e09837b626b

C:\Users\Admin\AppData\Local\Temp\iokO.exe

MD5 9671673d930249865826ff94fbb8020f
SHA1 b8263f03efad47e74292b01ceb6c75b63f95a88a
SHA256 5455b5f2c074f54fc9e089779ad52114a3306079143b320293fb174d60403e47
SHA512 b83ed464cf2c5dfdc2cddcf2c1520d9a737109765e3f6ad99cac3562aee72cff4ee59c2d2003b80adb42a8b3fde609b3d04856d0873607588e78b684edb99317

C:\Users\Admin\AppData\Local\Temp\iIkA.exe

MD5 06e9c634b45d5576eea4c1b028f1c95c
SHA1 5a2d3d693396758cc8d35ea3fc6e6ce8f4133c90
SHA256 c8318b62d9baa3d0e0a51be67dbe6a9724f81129ebf69dff134d9936bab38507
SHA512 9917cc7111ac4c8e6f3fca83deffe67affaed12cc0a7a17909a036a50477f146dcacd32745c8d569718ede273d557ff835df437b08a0a894ff221769b36ccba9

C:\Users\Admin\AppData\Local\Temp\UAwy.exe

MD5 a2c9107e3b4e85cd08f023948f145717
SHA1 64872777e2cb8ee146321a26cec521feed375d29
SHA256 b7c297d0f5efca1768ae814865d6a0aa9656978193e541d1a9a151aceb4135b0
SHA512 023686af10c92800f469ea7cbb973459f902776aaaea1e54d120bd1ea3096d92ef4cd79f82d1bd91c5db50034c3f4d8a7f8ade80a0e324c1d4830641aedb80de

C:\Users\Admin\AppData\Local\Temp\cIAa.exe

MD5 0e9753f3f1e7082b8235ed2726c7e76b
SHA1 48d8a2f3e842259bf84932271ed271fac6859913
SHA256 7162dbb0695695d50dc2588280337d583ea72cb506c84b80943856728cca989a
SHA512 c503a0ffe20b7684f3abf66d4270e98b6f7b081239760b4ba9b46099f2eaf7c513eaf743c99c45bcf1ff6e834531e415e5045978c702c34b80890ebb5a4da382

C:\Users\Admin\AppData\Local\Temp\Wkoc.exe

MD5 deee2ca235072b82bf0aff5e90c0bf27
SHA1 8cad4a9cc720e648b65685b0faf20de9b6a9d6d5
SHA256 030340fd280dec3fa9f76fa36951e81e92c7743d54f0732be3f332d6f851cd20
SHA512 1f6f915931500d6ebbc76ceb4319c1fa09c9aeaa8dbca6c23f07e26a50d5a7176a8ef068f4285f6e56d5d6207a60d3d6ed1391395cbf3ddd48b0f91575272c06

C:\Users\Admin\AppData\Local\Temp\QEou.exe

MD5 58023fd41b5e9eb552793d7a0e81e174
SHA1 c566541c7f45767ec6cd54d04d0ee6f536f82758
SHA256 0839caa541ab1e8bc05c94513cdc3b8292030c022cb420c718cfd4ab39b6df85
SHA512 72d5df06d0bcb42a43d8db00f28e63d20d1ea2a79910fe84ee3f0d84628df9efd7ecfc7a26b082bb0a3b73ef6842bc01fde2177669e2088cf589c8854f41fcb1

C:\Users\Admin\AppData\Local\Temp\YwIw.exe

MD5 1fbd972e6fdd0d9480ef6f7ea4fc67fc
SHA1 d4b697c1b99ba70b0aaee8694f2a7c4795320305
SHA256 865e14d0ba357f4965d2f4ad24bdee0c8424b4fbb1b82d38733d56956d937c33
SHA512 7c51fd1c1988104458b4def24c2099922363dcbd18b131cf2a449c4ba56193634302c34f94c43c341a379559e9ae9aff99caca22777dcabb57e2ab19e4e34ba1

C:\Users\Admin\AppData\Local\Temp\oEMs.exe

MD5 34b404ab6fc841f874a6b4ebbceed8dc
SHA1 88d6400e8c46abd4a360897ffe7fff11bb4e7787
SHA256 eee8244bd644545e993982fe11cc07b36ee2db8a1c2bdae8b42c43be22e942d6
SHA512 ca5ed2f13771c44fe9031fe2b775e8ed08feda78dfd85b8521136dafa3bab192a2080b87bd626f9a8cec37a94c16fbb9332bfb57c1b96dacedad6a45fffc57da

C:\Users\Admin\AppData\Local\Temp\KAYc.exe

MD5 7e662eac832a6c1fdb056a98c00c7eb5
SHA1 bce91c0af16c8bbdb3e24d6aeeeb27af880de212
SHA256 415eedb0c58863cf6f7ce39ee565d39b5d1472e3f72665c8a7599f38adb4087e
SHA512 b9a5efd706c0f6a058328017bf9932bc619064ac2c1e2f373fa04a2f09e8d3c2046a4ceca14fe50d04b838a61d9cb9920aba4b173b6e0770d4388555c9fef63f

C:\Users\Admin\AppData\Local\Temp\oIUs.exe

MD5 9264ded5a8d7bf3c31c9001c890b459f
SHA1 4195343cf4ccfe677e0697885c27bd487cd5c5c5
SHA256 7b2cd29e3291444f1e99a915597f0a7f77a06a31784b4172a979c7e87f545510
SHA512 ade69acd2c8e28b112dd65bf8350a7e6deff52dec0c1b78d0b41b5d94aade3f404fa16e60b5384959a69ddeb919677ec2761de38f161fce26e68415d6c04a7a4

C:\Users\Admin\AppData\Local\Temp\UAcQ.exe

MD5 4935d210c02fddfd5ec6f2dddc816af0
SHA1 428e8c7dc8116c873643e711555b701c5608fa15
SHA256 17061a1d80a3c894547d9da98d59188d228f98954abd118a62426679fcb113ac
SHA512 4466ca24cb9fe19c7f2de92bb48b6ab75d0caf53cea4c1e40fd387d881228725dc32f8547a54644e9d333178362653160db396e3c67b57287fcfbcf52ab5854e

C:\Users\Admin\AppData\Local\Temp\oEkS.exe

MD5 e17e2c1d98a1ab541613c87ef91c4320
SHA1 5379d5dac499d035264561df3ce5f9a891b9491e
SHA256 59602dd4a1050dd84cf76d8359e289bcbe2371e622772d28a0ae7c3d21c08532
SHA512 b9a27ce5d8d02ce5fdb67d50de32b0f91dda7e2581ab7f9b3142594b530de0bd02ff4116ad021a909a1ce2ec76b79783dea1ea97eecc96e38ce93846a3e05282

C:\Users\Admin\AppData\Local\Temp\aMIC.exe

MD5 e30f53442e635bca5ef9bd64fa9b327d
SHA1 cc1ccac8462d043e6913dd28f47ab94e4cf78695
SHA256 6161378f6a83c68f7077ac84f26fd51543167af7343697a816426b11737a48f8
SHA512 2b5b98b766b9a8ef2b4b5f0ec49f4ad7561c1adde95739f2c9776a15153dccf8eea371a6a829a7e5f3b5002b1fe1c51f196601bea6626971b85df45b1246ecbe

C:\Users\Admin\AppData\Local\Temp\EoYc.exe

MD5 1c67794c925fb5b5fc6343627544dbd2
SHA1 ffc9ae0fc5781dca5d4d9fe7dabaf116bdb53bd3
SHA256 f0e8b7605bfb23e5e495c5760d4ee3baaae428ae4ee121327b960470a0350268
SHA512 716b26248b3840c37f083c345d58e44a7eaa08645dd07391a1d888f8f17cb33b94b4bf456e9e775321375a77ed6365e6768316724027125b1559aca7e9954415

C:\Users\Admin\AppData\Local\Temp\yQcu.exe

MD5 6a5963099ae5f3dcd3bbd9ff059b651d
SHA1 b52dfee2ae6d491241271ec379e0923e64aeaf77
SHA256 2f8c17aad7b293cdfa2025dd260894e1b54fc4450a0756f2df09ac1a140c277b
SHA512 82793467100e61a73713c7282a1bfefaaefc45b40f6a3b427710a3eab76109293d81c9914d3d21c85e9accafc2566b39b76edcae8b75ecc275f1f7657f4fd441

C:\Users\Admin\AppData\Local\Temp\WcQy.exe

MD5 30d60ca785c857afad81d3cf8de03d90
SHA1 911edeb62cfe73ae40b1c1557ef05b3a2d841c1a
SHA256 b90dcb9c3bec73d8b3a3a7790a8640c272cfaa95d51fe45305275cbaed794322
SHA512 bea3746859317bd1499bb4ba991b0774f16c511cb51978dffa0b0c0c8b32a787e3028728de14af321bc5ca63e07029cf62fb669a26849166cf6ac6288004e5ea

C:\Users\Admin\AppData\Local\Temp\WkAo.exe

MD5 da4374097fb1ee64bf3bef7118d417fe
SHA1 61632cc7af90718087fae05d6d3dd9b288940b53
SHA256 c5cbbc512bba374a66936e8a779ed03607a3a9e9a5b3495718d2efec6ae87915
SHA512 4dbf2f5d74909d082f36558af99d60627d8430a928a1489365d54dc2091ed2b22221b2d8885cab576ab26ec65496c33044d8d6c34efb0acd44465b850d4e2175

C:\Users\Admin\AppData\Local\Temp\qUkS.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

MD5 071583b30a0db6636b63d108c330b7b7
SHA1 705f28c39919093d20ebf391a55c634bab2e3bbc
SHA256 88c5cdf571feee419c2cde886c2b08d984bf7966b2bdafe58667841986cfada0
SHA512 79301210c7faf4df5458fd3b3d6cf18ec742cde0cda13cb716b227cd35854b2f231918e75be34c99891d86446607d1d60474facdb945090011cf94efda162236

C:\Users\Admin\AppData\Local\Temp\EAYI.exe

MD5 d8c7c5d38cdcdfeb1383b3ce11096a21
SHA1 e7d8384d14fd58a498d2370de7500669c5a9b0bd
SHA256 184c0cc9c4fcba453a778b025de31395a7a3c4ff1286bcb094dfcff90d471784
SHA512 19db7b4b064a1ec782c9607c8e33673815aaf51416794b20d7370e5587e5e7d9e6b489c23711b33183cfa4e059000d059046142e223f90f3913171b98fc54ee5

C:\Users\Admin\AppData\Local\Temp\MAYk.exe

MD5 aac92578f033317bf7706a165e4fe557
SHA1 260b787688afd260987596caef0ca0c34b53c8f7
SHA256 31b18065f9ba4da5810b0d208bc2eb4db4171877ae7b62d325e8aa7789f2a73e
SHA512 38f1c276747739c0ebcc4e55aa71897a21ad3dc57be8555f088646854c59e8ac68e238c5724bbf10fa7f5cdb4a4da23f67777142999c171fa2c50f11948055d8

C:\Users\Admin\AppData\Local\Temp\CAIo.exe

MD5 e63419feb4275d596e625aa1d7550080
SHA1 198350469beacbaa0d4f04ab40f31834354f4201
SHA256 e78712bbda19b0663e9d3e9ad870c35b8538885f1bbd553cbc20f93996befb8f
SHA512 a057e3eec8b335e6069b1dc30fe73c8f413e71e96c1bd3d94819b996ad7971a841f5e7d99017d07f08ac6a0696e6c322eb8cc5edff4964f1310d6a7d93d7e123

C:\Users\Admin\AppData\Local\Temp\mgAQ.exe

MD5 6c11646c9f2e49f68007b6d0d697af69
SHA1 6b50d58f0e7481f1e54e39b67a0757ac871acb95
SHA256 8076ad4e1f24c6db6084e54fb331004f78b1ddad3ab0a6580bca109cf12bf400
SHA512 562c46b4e79ade98945797c294cbabe709c5646f7756f21dd8c779ba1475297e53a614daeb075aacd1e0aaa5c9efac8688a77912a6710a29dcdb26864809b963

C:\Users\Admin\AppData\Local\Temp\ogoq.exe

MD5 7115f6bb22b25d78203ca0f5e6cf7ce3
SHA1 302ee32813ebb661acfccb8b65e2eb43bb0464a6
SHA256 92f930610a57b6a35b5be7a55c930c33bd9daf2d0e9f2613dd40acd112b2c085
SHA512 f485bb7a9e860e3e56e3616c4064193159d568fe1f5b546e0252fbcde758aa10b12973202659d41d18548cde585e3a163609a3c5ac1f6fa5a3299dbff9a765de

C:\Users\Admin\AppData\Local\Temp\Ckgq.exe

MD5 63b049534fb730e772f8b127c569e7b1
SHA1 fe2ab0822b270630a85f2240486e02d39e3839dd
SHA256 60678f90fbe348b0442dd258fad801814b87e093100ba3d41a9eeb001ebc7436
SHA512 2d226c37ede7d21d5c2524a333013b36f0b0b1a22bd3277e2b221ed81ed777201c9c3ff1c1b20955a6e9a2a42a7590136293af93456c123c2eb0f4f3d8995c55

C:\Users\Admin\AppData\Local\Temp\WUIw.exe

MD5 36da4080b2843f0dfa2325d8d02da304
SHA1 66f71adfcf5980b5742b0ce10f0f8d4102606519
SHA256 ef82835b688225727d898bdd060e2d3bf060a0c55f24a427814af723b5be2576
SHA512 3f12c7f7482f67abb1a8c5de6875b0829502d3cc7246fe9f3f6a19dd01755fc773f66b5edae7344cdde19ed149a76b2025a943a50e1d66c78947f7ff9d59e86b

C:\Users\Admin\AppData\Local\Temp\Skws.exe

MD5 0d3cb57ddc9cd4b6be553ad773e9bd9c
SHA1 78345c54fc5744a4d774399126111a53a13d51a4
SHA256 89cc25246672afe958a47cfde89124c384263384bf3dc718ec8a012df6c1aad4
SHA512 291738f1fa00329af5d340ee0573280cf607cf0cff428c4021a563acc9d076eac57d963581de343f194e8ebbc683385d790cdc2fdbb5560eca4b1dbcc1e220c9

C:\Users\Admin\AppData\Local\Temp\IEUu.exe

MD5 575e9ab711d559d45dc7c415d68472ac
SHA1 339104855f4aea7353791ee342a1981a245fe247
SHA256 ac12b5a94398c7d94d6ab6f9b2da7399fb3b3b4c20b7a8f419285e3532729ad5
SHA512 0f731e78c8e8bbe4ed9655e6be1ee56beaf95841cd1bc66a1c6bdcb517763e292dbef389fd027657d4ec3ff2aa1a66e95b30ee9de43ec6630eafe78831a32250

C:\Users\Admin\AppData\Local\Temp\AEUc.exe

MD5 26ab53427872872a62af282536ac4207
SHA1 4012cd37219a9343dde2c29b59ca46721209ce8f
SHA256 c370993a08bfcbd87ab753c913df53c930199b428d5f13e2001131c7179314d1
SHA512 3adfcf9a11d266dbf0d6be7cb42c9e6f451fd2ee2af6ba80574d1c4dcdab126053bc3e0b6fd31509b5d22e850d3ff1e76504cb6cb39f33e29de839cbe4bb2ddb

C:\Users\Admin\AppData\Local\Temp\uIIK.exe

MD5 2613c7aa414aa20c2bd7d89f7742d279
SHA1 740801ee61b313f2acead142f108c5bf7ee09f68
SHA256 0f466c9f9085bc4311d781fd07b8ee58c520353e1e22237666cad864b228c08e
SHA512 1194b3875e63f09add2dbd05b3a128d4bd403fe004f6f52b77282373079a8a37cb8d072408cee501dc389fd347be9f187437c1b667ee5a5c73d367dd7f88a0c0

C:\Users\Admin\AppData\Local\Temp\ucsM.exe

MD5 1867af1ab1bbcc7b1c905b0433400f29
SHA1 a1452959cf466c962e319f3591a312b10a8b6113
SHA256 a6b50eabd465900110976d4b19c2695c3d31b1dd99b56df0f9226907784158f5
SHA512 7d70873c0372fd534c41ca5e8b26f153e0e5b8e64c74e229c33f7b85709b6e9064a1c2a7705c940f7f1742aa0825bcd08065d3ca637f5b7170d4d8e766bf848c

C:\Users\Admin\AppData\Local\Temp\aAEI.exe

MD5 4335f54d8fdac129d2f35aafd0dee1d6
SHA1 5d1ea79387e03792e9e969c3f72dd64ddd0067c1
SHA256 531c40e55c116e753763a20781ec92366cdaf9f6179ab974b78a3a970f695cb5
SHA512 5662863bbc2736e3a76ae17c7773d6fd1b3335f3d8296cdf8ae043ed844b68b3f971cf82dd9d1c2aa5b8403f8fdca764d63b1e3ad012a6455444faea8e84ab8b

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\INetCache\K4803NMA\th[1].jpg.exe

MD5 8eabcb02ded65086833c78b7b2d02898
SHA1 0eaceec4855bb8a8f4c039c1f1747e3096b1a1bf
SHA256 8e4b50ea7fc7696dd831c492a8be9d084e6b9abc6d7a85edcb0e19c61c68855b
SHA512 bf0b9f31887ece68f1f92bdd57f46734ce4dab81a4a782c4b0525ec75549e8d474669006e445af7696ef168ce82823ae79301471111e7cd7ef911a18a021f1d6

C:\Users\Admin\AppData\Local\Temp\WwIs.exe

MD5 403acd1e12cb97db04f986d3250b026b
SHA1 41d88403ebf3e0bf92f81005f64ec2f7cf89d83d
SHA256 90c0248eb2c39f57c0a79ba42a12a1d1a409d680318540829a72fd3a8b61573d
SHA512 58b2ded6ac5c6e5047042ba814fc02037873e8b9646218292f1993ad02f8729996ef149f5487fe3b5b18f359208dea1faa539ec123d114a30f2ed3fa277e66eb

C:\Windows\SysWOW64\shell32.dll.exe

MD5 26c2da0aca7462aa1d9322c07bdb9fad
SHA1 644c6c6c4bce1ae8b36f38974a2a1a2aa38bf186
SHA256 66c87770a4fd24277b87dc2881b25596d8737840e96a6223c6a182a1031f72cd
SHA512 ca472c9dda942fae6f4f73ed1c0029caec3c3754b666b6fdbc86c16a413a9d1f30ce1eb7aa7a0e8126f1fa5d7f411719987ae22022ec45be2a9938eae5b71296

C:\Users\Admin\AppData\Local\Temp\MwES.exe

MD5 1b247392bc01dfe69a6ae0c9c7017138
SHA1 dbab8f05bcfdd1b7acb2f38ffebc04ccaedade7e
SHA256 dde42abe235992133f6dfc03bb3704414c11ffdf497fff12458b2ebff1c3845b
SHA512 72759775603b8dd5ea41f836c47c36f95f8ea641538e46fa61a8ac655c845f56d2ce6c38f9b99a164aa76ad293fdc21acbcf69a0b82e7eb179e59737de2e1d13

C:\Users\Admin\AppData\Local\Temp\WIkq.exe

MD5 d682d97b472760508a44f8fafb7b38dc
SHA1 0969b62044e68750b1d0829f851974bc8e6284e6
SHA256 8a97736abc8ad033af4ee62d6470fd60ad3024cbde97e5c4658970a012ab4bce
SHA512 c29498b0b2d5941a52400458d2572806605e63dfa14ac99b6d8a6a05f7a8841b24715ff379e6a283f56d99173c438cb108e3e6688eb6cc1e6b9c6139d463f2cc

C:\Users\Admin\AppData\Local\Temp\sYkg.exe

MD5 cd391884e1f43fb76ab5e8cc00435d49
SHA1 7c056c02a5228bd4249545325a0c76d3579c0d4c
SHA256 d47bbb06cfccca9e43ccc4c8a42308147744d613cd9717952e6b583d42fc4c72
SHA512 21ee1d8c57aba93ee98dcd932e501575cfb2b4851aa14cecb060e434c82418b86c898829e87f47b6887a68ade5c162645a5926d7142776783ee8693a44da1e79

C:\Users\Admin\AppData\Local\Temp\iAMA.exe

MD5 431c244dd84154e054960ffa03f80ca6
SHA1 725c07810866d66b2a158b6bf8a0e6a9771a0332
SHA256 9760a9be6dd731c2f071f2f8a16ad2ed4e7c5e1af62625c14fcd0a0c0e51e0d2
SHA512 078e15a7f9ad63fb7a130e4ce2444a0a83672bdcc1704e594302a16651f9eaf86361dc0b64ddeb528e4e3e3b49cd90869712e6f1bf3842c7070d23e7d9e32ab7

C:\Users\Admin\AppData\Local\Temp\ckgI.exe

MD5 d8baae1e26a68e21333b46555beca9db
SHA1 23ebcceb42a12080d32e8ac94e8146d39290c20f
SHA256 d55b5e395b04a223f7194a1ed0c4c7b26940f498db1530d5a45af7e632d9bcf2
SHA512 5ebd6fcdb87ac11bde2f6c3b74671d8bb9a7bf7ecd772eb0aee9e0f49b88f6fdf23c5dad01b518afff9765773ae66ca60009009dab61e9705c5504682ad547f5

C:\Users\Admin\Downloads\ResolveAdd.mpg.exe

MD5 875c6165d1646e673691445a5feb4754
SHA1 dbc150dcd3c8f5f7b4db6b05a014922e9ac97f4f
SHA256 230c027d609d14c9012cc4e01dd8c0618a04c79c3cc2167753e180dcee5fedf2
SHA512 ebd3692c3e37418c52fc63c8655d5a29589f3c449017ff0d5e9e595c680bd1d77720d59a01e707d34dab6fcb8f8910aa38ca3a51a5c5d02de28c89cf49146a0a

C:\Users\Admin\Pictures\InvokePush.bmp.exe

MD5 26e91cbfe891d7119be310eca19c86c2
SHA1 20fcb7ed0e8c5f37d5b2ba51c3eecd3ba783310e
SHA256 ec2fe6041584578a4bfa7c19a9254b4f74d36cb6d436b98985cf9971ed6bc637
SHA512 53954ada87088ed5a8c5049bec9adb1cebcc8e669689c0e4603139f5f48262e500b17540da9015f5c10b70ba425da0dc4d86d5fe2aedce3f6ddc1ddabf9eb55d

C:\Users\Admin\AppData\Local\Temp\asIy.exe

MD5 e1992b6e239a45511e2c3b29f4fcb485
SHA1 1778c2ab08dfbd21ffb4f244971eedb6417aab51
SHA256 559d77627b2b5bf55ce6bfbdbc9ceb6568722e1c14520761aa3d4eb7d173e463
SHA512 c4a120fc5da20ec3d09f50250c62b4ac1510a9d41e51ccad1a4865371aa5b7826be0adfef432c03fe2f839872e0e5e8eac947c2eb60e437da2a473291e4e5e88

C:\Users\Admin\AppData\Local\Temp\cgwY.exe

MD5 4346a704cccd9c71dab9ddd6710b5e71
SHA1 0a06cc15545c67fb90cba4f213b57a2d42095d68
SHA256 1d5b5321de839878a828d52723d73fc2b8a799753db11368899df849249153b5
SHA512 64ab4cf20e5ecc5d40a1d9b0ac1ce2217ed4c628b405c3df62af5e90b9cebeb7232958306befdf7ac72b43800da53be3b8c2236baeb9d9f8a552733ac0cffa00

C:\Users\Admin\AppData\Local\Temp\KgYq.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\oQsS.exe

MD5 34c00c155fe40231c461a2f155d68f34
SHA1 b0354712778c162a8592a059fe620a49181d6a9c
SHA256 d5191fd482597dcea5620fdbf583efc495275cbd203deec187b9e8b176a5cbc4
SHA512 528e6a7990140dd04d2afbde6a98077676334076c600585801588b1a8eb90c135d63c3a93f62e3aa63468cc0aebe67ad3279ff4aa7f77367fccfd0f3256d7c55

C:\Users\Admin\AppData\Local\Temp\IocA.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\agAC.exe

MD5 df9d27b1140eb507bb9a3bb37f998720
SHA1 475125fe0beed68bcb1687d5e63dfd4b7982a99e
SHA256 5f36cdb365b39a3f7b3f441d3a31c5acfc8fd8ff11b166023a301bb87e5b3bb8
SHA512 104d4b28275b7413727c0afc9122e67fc2b2aec0f0a2d78a40d76caad2c7515f8a3e7adeebc9eec6cbb05ecb0e3e3f25b2e44abeb8293a233fb4964e4572de7b

C:\Users\Admin\Pictures\ResumeDeny.jpg.exe

MD5 c7663e6103b582e41946126977a511cd
SHA1 9cdff8a87c2d76ea3a9091d3a4420f9c4726061b
SHA256 19294096100f474509db3593ba596d86f6d50de0f4ee9305a1964b5bb0ba2b0c
SHA512 0a1697a2ee7777688b3b656d425fdebc4a3bb01d121ebc8c231bc77548036b62991862bee34824c87651b1a106391fadd128f811b8025e47485d2908d83e31a5

C:\Users\Admin\Pictures\UseUnlock.png.exe

MD5 d87c6e8ac4473d7505182b63afe4449b
SHA1 77067e886ec22d9ce835032cc6e23189df9f6305
SHA256 09e34b9dc50ae36a868d8dd446ffff4eeddc60fceda06bce8b8b91a823544c72
SHA512 5559743814c9f37f532404c441732b48c6e4c419d0069b657ff9216bf2a0213315ac6f487f3445374ec732d53c41fc224ad7af6253b95795e4f9fdc27dfb5645

C:\Users\Admin\AppData\Roaming\ShowRepair.mpg.exe

MD5 074d4e44001f17f354abddd609d9b92f
SHA1 18bccdf22472c570823f0629e55be09e172d78c2
SHA256 30bb798514ae65354887da4ee83d284d32fda6222d2e9a7d7b73d2690f152698
SHA512 884fac50dc6b65dfeafeea17f0f11cd171c8d39c2d372aecbe1d2bcd26a6753997eb94094231e461bd9fc64d77d13f4385b358433f4e097e08eaf3c0b27efd69

C:\Users\Admin\AppData\Local\Temp\IEQA.exe

MD5 f5583fe32224b4c7d8452eec7a4f2ed7
SHA1 d8caf356bbc436015af38f1bde80db89d9e28cb0
SHA256 624c832aebfdb98ce9501a8832e19a8459826ea17ad2bc591b038e52cd8b9a17
SHA512 18a627d54de906daca7575a9336bf0ccfe1c33bafa0364f5c74a85c745a7f10b04e86565752a4c2936ee384403cc28a6fa6029f3593c04d071fbd4197dd87a36

C:\Users\Admin\AppData\Local\Temp\CoQK.exe

MD5 c8eac2f7ff28fef90e4c91b42622fe58
SHA1 636d8c85e2fbc573a9b41f9b80072ab370eb16a4
SHA256 d32a80cf5996fefd8d4414d2eb77be8295d2118bb01f623025f2bbd20ba5fbb1
SHA512 a0ee00b075f29bca83d67f1ac419b2b29a27dd2b63b1ce1d77fae7703838569b26e515381ee00ddb2b9aeff7a2249f0d4d21a6104e994605bbb89a7d687032e7

C:\Users\Admin\AppData\Local\Temp\ukYk.exe

MD5 98d55f0a556b3bdbc60d9861a3ef1aaf
SHA1 09044e6dba65dfc5de415a751f065aaa998c8280
SHA256 91e58c9967106b139728b084360c9ef3fc28e6b9baecf428ce30469685a0e145
SHA512 3089f31b4423fcf716ec051c4ff0dc0d7a7fca1f699476d7097cc480b75906232b7ca1d88079144c2b9c61fa16061ae63d9814cd6af4f6ef9e253d721f53791c

C:\Users\Admin\AppData\Local\Temp\ckQS.exe

MD5 c01179bb73d8c92729fe8126a54f6543
SHA1 78a9737c28fc864983ede7dd182048e80b4a3ebd
SHA256 6d7db65f33026b657059804a0d97a984e1a3e9b6651f85d5cd7827ddbb72c8b9
SHA512 d3bb14a362b18cff67c49681dbea8e4a277c0a143ea10a0e4431a3038e44c606eba674927c635369d1516c77a80a13038258ee7eff56ff68e77669b770d7b608

C:\Users\Admin\AppData\Local\Temp\owEq.exe

MD5 83ceda5066dd1a989961b4756a90a9bd
SHA1 7606320f56107d157b585a7a171a9ea4cf2d39be
SHA256 7d5737b4d6c7502ce15028207a8d2658e578821cc7065fa99d50499181fcb820
SHA512 baaec16117aa46ba3d46bea1da7912936ecda4b9f9f8056e33d744d65449d7a061dbc48e6e63c727a959299dc64f8a73cd09cda8de582537b9b8c3cbc2ccaae7

C:\Users\Admin\AppData\Local\Temp\cMcI.exe

MD5 ab78674b41a450c711a49bf156f3db73
SHA1 c34c6361c48431879f97c51aa7d9569b60b8ad96
SHA256 f6253eaafc9a9752bebe4dd61985a6e4ccca6494d09234d737e0eb02555a0346
SHA512 c22ef4a437ab9b0a7d8b2ad5cf379e36553ac2d2724d0d6ed25bdd395ef9d661bae37353510a98615928ca5dfd2287c23b91b6b015d19e78a7b23a97b5e30802