Malware Analysis Report

2024-10-23 21:11

Sample ID 240125-v7tqeabha4
Target 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock
SHA256 8958c5ef0084947311bce1141434b5f3159faf3a60631845d86428f0c7aa1673
Tags
evasion persistence trojan kinsing loader ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8958c5ef0084947311bce1141434b5f3159faf3a60631845d86428f0c7aa1673

Threat Level: Known bad

The file 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan kinsing loader ransomware spyware stealer

Kinsing

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (81) files with added filename extension

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:38

Reported

2024-01-25 17:40

Platform

win7-20231215-en

Max time kernel

64s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\ZAIQUwAY\MUoUUcQo.exe N/A
N/A N/A C:\ProgramData\pWUAIIQg\iccAosMU.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MUoUUcQo.exe = "C:\\Users\\Admin\\ZAIQUwAY\\MUoUUcQo.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iccAosMU.exe = "C:\\ProgramData\\pWUAIIQg\\iccAosMU.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MUoUUcQo.exe = "C:\\Users\\Admin\\ZAIQUwAY\\MUoUUcQo.exe" C:\Users\Admin\ZAIQUwAY\MUoUUcQo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iccAosMU.exe = "C:\\ProgramData\\pWUAIIQg\\iccAosMU.exe" C:\ProgramData\pWUAIIQg\iccAosMU.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1644 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Users\Admin\ZAIQUwAY\MUoUUcQo.exe
PID 1644 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Users\Admin\ZAIQUwAY\MUoUUcQo.exe
PID 1644 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Users\Admin\ZAIQUwAY\MUoUUcQo.exe
PID 1644 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Users\Admin\ZAIQUwAY\MUoUUcQo.exe
PID 1644 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\ProgramData\pWUAIIQg\iccAosMU.exe
PID 1644 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\ProgramData\pWUAIIQg\iccAosMU.exe
PID 1644 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\ProgramData\pWUAIIQg\iccAosMU.exe
PID 1644 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\ProgramData\pWUAIIQg\iccAosMU.exe
PID 1644 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
PID 2736 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
PID 2736 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
PID 2736 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
PID 1644 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1644 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1644 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1644 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1644 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1644 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1644 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1644 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1644 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1644 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1644 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1644 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1644 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2900 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2900 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2900 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2884 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1440 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
PID 1440 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
PID 1440 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
PID 1440 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
PID 2884 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1092 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1092 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1092 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1092 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe"

C:\Users\Admin\ZAIQUwAY\MUoUUcQo.exe

"C:\Users\Admin\ZAIQUwAY\MUoUUcQo.exe"

C:\ProgramData\pWUAIIQg\iccAosMU.exe

"C:\ProgramData\pWUAIIQg\iccAosMU.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nmIgkoEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jGIgQgQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WSMcIEgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qecQAIMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oQgoUgwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cYQkgYoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YicEAAAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LaUMYUUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nWoocYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zEUYEMQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XkMcYEoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CaYwssYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wIQkQIUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AWUIQgEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CgIswgAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qKQswwwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LUIcQQkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XUwcwoUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fawkMggg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lyokAgcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EAgEEAME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eOIwsYMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\skkwEcwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wcYYUMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lqcwEYUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JCQMoMsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LgkIQUkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jEoIYsoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BMkcQUgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EAwcUIks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gOgEUkkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KKYYoIwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YyAMwsQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nCkoYcAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LQEMowcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ncAAMYcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LEoccoMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MWsMEswg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IusIEAAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kEQAQkok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bakkAEwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VGkQYgow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KWoIMYcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NcosQAQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NyUIgckE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lksMIwYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tsQMYQQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UeIcsQMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\imEkEocQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FKgYoYgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WGgsEwQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zkAMsEks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SiYYkcgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LsoMgMkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KSkIAokc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bEckYYcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dKsIMUEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CgUwQoMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HukkMYYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ESQssggM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DcYoQsYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BQQUoEIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yGogoEoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FmEQoEYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mucQUEwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gYYIIkAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pGsAQUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.180.14:80 google.com tcp
GB 142.250.180.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/1644-0-0x0000000000400000-0x0000000000454000-memory.dmp

\Users\Admin\ZAIQUwAY\MUoUUcQo.exe

MD5 3e44e4a2d9bb42d20dc82015c4d9a997
SHA1 e5abc85ec8b6acb3b2b9da526e8a612addb0a140
SHA256 61d71a9adfb4fa03014d48467ef80209d4ecada007e7bd210a0caabfeb41dd7e
SHA512 62bf877c54771ba53193258e29fdccdee7312325e5accf148a4b11d8dd848a1274757e7edc61baa41ef176c504a2dfff133cfffa5455a03ea7e1cdaa1dbbeb46

C:\ProgramData\pWUAIIQg\iccAosMU.exe

MD5 bae91630833ecf2a78e0904a575fa047
SHA1 b980f74036891def589d7373283a7391d83ae1f2
SHA256 e339c87700885dcfd6204ef180ab2e413cd68f498d736aa91d334747e0eab790
SHA512 d31545185325a6aa10d0a211945fdfa80869393d3b6b446b61b48817d0348a5a963943ff38e27ee75476c2a11bcca23f9ec5530331c7dfb222414f220c00258a

C:\Users\Admin\AppData\Local\Temp\dAQQkMwg.bat

MD5 3af1b68de04fbb4340d970e269712cab
SHA1 d4d47283dbade3b480a1394f6b9e00a1e1e40057
SHA256 c88e9993007b02963b8ccc6416ca36818c8faea579090e83bed38fa039adcc02
SHA512 1f5e22b93f97d4561cd89919948d7e76369f05eac78df1dd2732ec29c59ae80772d68844ac04a884a03c33083bd9cc5faf76ad9f6baaee5730f8f7d795435d37

memory/1644-30-0x0000000001CB0000-0x0000000001CDF000-memory.dmp

memory/1592-28-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1644-42-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2736-43-0x0000000002260000-0x00000000022B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nmIgkoEU.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2884-44-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

MD5 9adaf3a844ce0ce36bfed07fa2d7ef66
SHA1 3a804355d5062a6d2ed9653d66e9e4aebaf90bc0
SHA256 d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698
SHA512 e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

memory/1440-59-0x0000000000120000-0x0000000000174000-memory.dmp

memory/1440-60-0x0000000000120000-0x0000000000174000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\huUYscUA.bat

MD5 c640fe01e80a3595191d0f3ba165ccdc
SHA1 05cae4a4bc8cd553ab764cd5fa29aaf4a212653f
SHA256 d87272fd9000e7427ecb53b10792706eebda883b97b9f50f998a53942a6ee8a3
SHA512 03c88b0464c7161bec2165c72bf22705e848fe5df95b89e4aa545236a6715b2cd3504fc92ed2c0a018033c46b6bc77ea7c4167624e74bac80873e2f154a8ed01

memory/2736-34-0x0000000002260000-0x00000000022B4000-memory.dmp

memory/2968-61-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2884-70-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2924-33-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1644-32-0x0000000001CB0000-0x0000000001CDF000-memory.dmp

memory/1644-14-0x0000000001CB0000-0x0000000001CE4000-memory.dmp

memory/1644-10-0x0000000001CB0000-0x0000000001CE4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rCEcgUIc.bat

MD5 db491fb43d2c29122a6e6dab8d69b392
SHA1 8d9b3fa0c5f67feef9c218379eebac2df725ae7e
SHA256 9fe0043e7e5716892adfd0b6391a7af96633c231bcf9a27bf6955fc076a4d7b4
SHA512 ccad427b081a88141616a1c4971ba9e772614572abab223f1f3078dac1e9a9ac85ab2563b9af9b53ba516c53df6736714765e83766a122e2b27a97d389b2f3fa

memory/2952-83-0x0000000000470000-0x00000000004C4000-memory.dmp

memory/2952-84-0x0000000000470000-0x00000000004C4000-memory.dmp

memory/2936-85-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2968-94-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GEocEQQM.bat

MD5 6d07fafddcb059032c1b6b56d4dc0208
SHA1 1f9092917c928e44002f6160f69bdfd1f209fde5
SHA256 95e8392d833b279750f62195b38e3947f966723530e0167a8483966fb710820e
SHA512 d6fcd75fcfff96c96b82b9ceeaa8c9f34ed904bb6ba0fb8e01993cf17537ea76a816713299ffa7aae60a9c564daf0d392eab172ed97df4fde1a29db8e7a6353d

memory/1808-107-0x0000000000350000-0x00000000003A4000-memory.dmp

memory/2108-108-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2936-117-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MOgYMYYI.bat

MD5 802b1738fa6d05536ef39820cde843cd
SHA1 963f59c5574c9f2d643b055359f967d2c2e493ef
SHA256 5bd8894068b5b4ee743a4322010dfabea69843447be0ef1ddb5368dae265f980
SHA512 888e349e03a5a8d8aa7eabb9d8db34371f498986bc4fe761c420002d9338ca80956fd94f4e314dff92baaa8465d33a1bb59eeaeb48114e840f71d4bb75d31587

memory/1312-130-0x00000000001A0000-0x00000000001F4000-memory.dmp

memory/2400-131-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2108-140-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GAAocscg.bat

MD5 2e0451f998ba3e739d22ce80eee7c52b
SHA1 4c4628eb66def5f295c3440712010ce6964057f5
SHA256 41e9dfb6982c316fdbc306252125fb256562fbb24fda4e95aa03abfc5ae47535
SHA512 a62b328d896dacb15b5b07c4898354584c48cca9a20bea80ef349c896ad9157226718e1d1d51961f219e171de119126ba42c13b2ef9f637d76ab5266e4fc87bc

memory/880-154-0x0000000000110000-0x0000000000164000-memory.dmp

memory/2176-156-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2400-165-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WkwUkgoo.bat

MD5 cba557b6bf4808d8fed91a08ccd7b642
SHA1 b2979f1bea3206f2746c80fc61003ce86076954a
SHA256 afcf07234ee8f36151840b3e106c0568b80aa5f3bfc706d61d4e7102a21486be
SHA512 f30c925eddc4345dcc6c8b56b3c41b586e7293648f6d5f8edb96ab5cf95d2691276acdd76bda4e1f4657e43d745bba7d482ab9c93f26dad087cf5f3eefcfe2f8

memory/2612-178-0x0000000000170000-0x00000000001C4000-memory.dmp

memory/2748-179-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2176-188-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZokAQgEg.bat

MD5 8654c727c9ee0a48bb758bc30140fabe
SHA1 f4adcffecdfda43a97cf8e787fde7c147874ebe2
SHA256 ee857cfd45e8109343501332daad0571625a926a87925cc77fa6224f645a30d1
SHA512 e1c7f2b310358bbab44469d78c7bfdde9ea59c05718a8c8b8c82945a3978316c22031032204d9dc9bfe5ce7f3b6b09dbf37321c350c2ceaa766747423e1d88b2

memory/2884-201-0x0000000000470000-0x00000000004C4000-memory.dmp

memory/2736-202-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2748-211-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bwEUgcYI.bat

MD5 361e44b626172fcaaf7a351d37fcb7a8
SHA1 da2dcb2bf8c58f8d97010adf2c3b545d37fd7d71
SHA256 549f1dba07714828ad5845dbcf89245262cc203747ec82993f8be1fa34e8de3e
SHA512 e465ab7a97f69a226a047da5bf792dc067b8db3f091fd69c5b6c1b0ae997b735f7be9a100df5dd03468de4d39e18139555778cf8d0439e9180ef0dd7c585d51a

memory/1200-224-0x0000000000130000-0x0000000000184000-memory.dmp

memory/2684-225-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2736-234-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TgQwcIAM.bat

MD5 5941beb940ac67cb58742dd491fcce77
SHA1 8929aa416fa6f5372ec855ae917e31ff7b3be337
SHA256 540df1c9114302f34a91ceeed41d2d2033da290a28cbbccd59fce5ed3d58f6d0
SHA512 01248a3b385eafea068daa054fb89104155849cd90698f2750c2aa478f4135d91376d6152c926f059a9735e9abcd9559a51f29c898e24ca0a6e58d0e09f3c9aa

memory/2340-247-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2684-257-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xaQUEAMo.bat

MD5 dafb5e7dae3310936144eac664c32336
SHA1 ea7b3094edfd3a21b42d5e26d0faf44dae488ae9
SHA256 c13c401115c57d3890b5613ddd8b9036debf04b541c49d716c75736022ddaefd
SHA512 32c76daeae8fea059c2baf903ee7fd74c2ec5cbb5fd6524687fe2c0d45108b5589739b8fa4cf2a4c6fb6bb6c4858b1979f5b6b05c6ea47083488ed6f1a2c946e

memory/1364-272-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1380-271-0x0000000000350000-0x00000000003A4000-memory.dmp

memory/2340-281-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CCEIEAwU.bat

MD5 94c95b4e64898078ab24a064be9c981d
SHA1 45abbd3c936cabce81c6a14a948bb636f943e92e
SHA256 2d5482cd83897fc62a8de1f34e1523324c8b5e831ba4021bfcf873abd5f5dd3e
SHA512 9a7f88b644b1fbd73d82ffad8d3f86108e32c991909d6cc06264a96e26be9c770a5f7afde8cf2f1b4d2465bcbdfa3c70db92a4e2c6e1a1746087ffbf96928f43

memory/2416-295-0x00000000001B0000-0x0000000000204000-memory.dmp

memory/2120-298-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2416-294-0x00000000001B0000-0x0000000000204000-memory.dmp

memory/1364-305-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oYEUgYAE.bat

MD5 4c55bb2a723a6a5fc41d9562fb95800e
SHA1 8968040fdc60b2bc9fb3255b813dc30c80815111
SHA256 1d1d663211b4092686406a97e2d1f61ee7ec7c202e66fd249bbad21433299cea
SHA512 ec843cf7b9b24a4341ab7a2d7696be07f4a4466e81c2f1439e59a19cf3fc6a6fe2c3d87949f0d4eca7527b9f42b0e54b66bb4e12e6335594e2da8790aec49af0

memory/2768-318-0x0000000000260000-0x00000000002B4000-memory.dmp

memory/1904-319-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2120-328-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GkYgwcok.bat

MD5 61df259f6b5d9a878383bf966fdc8e20
SHA1 dc2ebf68b846c8612ede1737970e2d8f15c6a4c3
SHA256 9a6dd6187a8e7f602c90f9904ba7882152e16b61703448d4aa8a16a7f6840cb1
SHA512 2bf13eeb5078f1bf222b47ca8444f9f5e79e6a53dbf1833b278445b2eb0d91b1133877b485a5738f109520c7126a67937220578c6345cad76180d6afaf501231

memory/2788-341-0x0000000000190000-0x00000000001E4000-memory.dmp

memory/2788-342-0x0000000000190000-0x00000000001E4000-memory.dmp

memory/3008-343-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1904-352-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oewYIEMY.bat

MD5 d88322a3dc55f843d6484b81ed1c5e5b
SHA1 c5234960d099b0ca11bfc41f5789acfa84443907
SHA256 bb05734441e47131eead725734f3933b8e3de9218b2600c81d3e53e9a27ca36e
SHA512 8b0ad666c0338709fa7788cb7b284b68a5e27740e0dd7c37392a42c6b3a584565549c3743f1918d09adca072bb7032b63714b356aabcaaa6d7a241abd8a8f8b8

memory/2272-366-0x0000000000280000-0x00000000002D4000-memory.dmp

memory/2360-368-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3008-377-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uQQEMoso.bat

MD5 7421aeb0d17473e5f9a78c4199d4a078
SHA1 93d8c0cca0bb02fb39c518036542b6a91d8e19ce
SHA256 28183a7ea51fe7fac6c8a04cc1f843c0b57f48773df543f01cd870566530963e
SHA512 db8504d12976334a3c52a36a2ce6f4852736fad855d80975c166cf3fd521c570f95515517ea7f42840f91da1cf82a2f0b1bce34ebab59bbeeeb24b02bf01f7fa

memory/2952-390-0x0000000000250000-0x00000000002A4000-memory.dmp

memory/2568-392-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2952-391-0x0000000000250000-0x00000000002A4000-memory.dmp

memory/2360-401-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rogAUIUg.bat

MD5 49b71f90c02e0c8fb077cd3a15f82676
SHA1 2b04c690f1efe18ba9c5419edc227528613e0441
SHA256 cebc90fb06c1f669a5bc166f6e450c592b09d7f46b7aded310e15b7d27417bc3
SHA512 1c4921b41d99f6e58cd633bd056356e5d43142536d611092232cbd8321992147a96d173ec1a8c79bf7c4152d5b1979b035bd5661ce2e779db75a491649b3cf22

memory/1868-414-0x0000000002330000-0x0000000002384000-memory.dmp

memory/2568-424-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1860-415-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pCMMMQAo.bat

MD5 284b8728fdc8a62f36a2874fa3754a34
SHA1 061fe65bb13b1e9c74691dcc92eb7aa92e09646f
SHA256 34f393e0a2a0b34426a4dc5fc33bae41ec6964a0dd26432993e55ccbb57c2826
SHA512 c1209cbd0e3d9c23e82b032c6cc8892f40777503c6834d35662d043a65846f44f696354f87175c0ea435226f7b6b2e15183a9849a0ea74650b80ab72e8169898

memory/1600-437-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\puwEEoEE.bat

MD5 430d5b57c48e73cf8e7e0c7193d6063b
SHA1 00a778f1ffc2d5ac3983c13285192939b7be0ba3
SHA256 d70443cdc3f0a9deb6b191dfc30de094b6e0d6c5f9108961cf974972166eaece
SHA512 e5135d51e7e91cd21f547289795e8fd804dc0f03f48b3756e7ca1dab0f3e102429180e0d233c3db606dc3a9781a27e35e1241222f8d3210c99762a9f3e62f524

C:\Users\Admin\AppData\Local\Temp\PkQgIsEM.bat

MD5 2bf6b7aa838afbb6a04846623463e7eb
SHA1 2bb91871d38a1448658ac35cbb1cfc0106fa90d9
SHA256 ee079661cbe5e024de9112a71c0e3a6ae51113ed01cefacccb1556a66ebab88a
SHA512 b4c7b3b424d8d85e6934c7ad3eb1e4fa2b66c70dcc947375ab54d1a9ef6d16b54c27c8bbaf46d39a0cb90805becdb2fa81d0bd40111fb857f48b6fa6839a3cd9

C:\Users\Admin\AppData\Local\Temp\cCgQAsgc.bat

MD5 015450acb559d511fffc81339b971ba6
SHA1 90e9ea3f30423d2d1888c4f752f5abbeb86f7a3f
SHA256 b0d3c9b2abb1332f8d4f59dbabcde431b18783a452075ac4d5b8109c8f3dd468
SHA512 dda23259a7174918e936e4463cc5feb694980c9002fdb720b156bd15e6a859e369718e7d3da2c34fa45b70b152dbeac36092ba449c2a5b94812c023a28e8c919

C:\Users\Admin\AppData\Local\Temp\iWoEksUI.bat

MD5 39bef25fd30c8792c149c72c74e7d12b
SHA1 4940095dcf94b239137768db29cd413c2d0dee40
SHA256 9401a33bad08474b53c6c4b4793a77086ba9430c97a24b0d43bd6460fb149b1d
SHA512 ea76c1e30fcddfb1ac181ad0fb775b7c1606a9aea483f0165c7de3077fedc5a03ab8572f0d2aeedd4dfa141dba84d3433b1efa467efb3bda8aa47fc749bf0435

C:\Users\Admin\AppData\Local\Temp\CasUokYg.bat

MD5 45c536503433596f813a0c286e2ab9b0
SHA1 d6e33dfcfde9eabf5f45ff00bdbfd424f067aca9
SHA256 8f08b275db578b0cee67b8ac122ee864b6ccc58b7257ae55bfeae3b324fec78a
SHA512 cd9c3d1687689a511bff06e039290c7ca4528d96438b072bffcbacb6ddd19441314b6145073979e4558adff2f872bef71ec0f0cac6eeb2eac29b6d5ba7f5c58b

C:\Users\Admin\AppData\Local\Temp\koUgYkUY.bat

MD5 d14718e3ee0dca9916dbdabc92a1d652
SHA1 8dc26b16e5338dc46937d74f3efc365daf945c65
SHA256 fd9ef18e6be0c1a1b85fef3d02e11f98529352e9d77e648741d130163876ef3c
SHA512 a53cd1552f6412744a7c8cf19db04545d406084671a377da93a605e524a32086107636689b71cd8b3569dcc4666b9cc174afd4dc30bc4f1d2c98e11f3fc6d330

C:\Users\Admin\AppData\Local\Temp\KCEwwAAM.bat

MD5 6efa763eea07b68408ed6a10bd0ecf1c
SHA1 f4084fd68825105b88a745c7f1ea8e5fbaf10583
SHA256 23e951ca0457774d285322d307609e8204f3ff8b517a3a5dc7b3becca0d3b16a
SHA512 96d81aafad1a31c3f50444ab104904126f347e3905881cbe46f84e975231d6df598bd5908f5b3340d85fcc6cf36b44c51e261682950c18c9f9e973864a57139a

C:\Users\Admin\AppData\Local\Temp\NUIUIcsk.bat

MD5 f398a6da02f49efe93b7f31d235adefd
SHA1 2fd8af194bef078cb59114819ca8d7cbaf0939eb
SHA256 ee611f9580d14122faaf2119895aed45bced3afa5b6870b2d1d438d9ac6e19d2
SHA512 65abd3e4e39d9059d6f07b0814563940d37775941eb547c95ff561ab0b86b1eed588df85675df98916fe2b957e75a5fbbaafcb10b765bc408ec90230418169fc

C:\Users\Admin\AppData\Local\Temp\LyIUQAIg.bat

MD5 fa98a864b7258423a6cf3d867b44aab0
SHA1 64ea2cf46882aa99d10d2d69859f72a6e726d19d
SHA256 49679e797af4db10c8cfa0afa345c037148afd51b21dd0678fae5d2f1a910f0e
SHA512 1e996cc62cd7dca4ca423c861fac90b15d096bff3dbd3e22150e0279ad1c0cf529108a69f3b3a1984818292e6a70ba0651d99f1d38ecf1c9650379a2c01d2624

C:\Users\Admin\AppData\Local\Temp\bYkYcoww.bat

MD5 2c049c1d1f9ea750ae225e98fb43a1b1
SHA1 3613f8ff6d4d7bdf8ebe155724c217b4ec330111
SHA256 bb0c96f281d0d39126b9e11c86f94bfd593b2a8a45f28a8a961d4ed3b9b886d4
SHA512 5a47312d4f7226f87411b12d88a2c018eb67a40823acf539dc98b9bba6efad0cdca27b7e6703f3c0ff2d068d47a52009f16d4401fa5d0934acd88638af966715

C:\Users\Admin\AppData\Local\Temp\XMQAIEUY.bat

MD5 0a292ca594e86e33f64c95c2e1605659
SHA1 6fec363b679dea06d90a3a6f1c3f282d001ecad4
SHA256 f507fd98fcf6351974fd51d507ba7a7f6765a42d62d61b4f8ad4ca20c1d1cfd8
SHA512 5f5254c7d7ae1288c03df296187423670e574a7816c9323ea4304e2ec4da4bca92d156b6c7de7ca178a90d439c82016b4a93a9da5ab2ca94d4917c98229fd10b

C:\Users\Admin\AppData\Local\Temp\iecoUcIM.bat

MD5 497bdcd38c220b9bcac03d51c48479c0
SHA1 840cb1fa3bbce81f1d2f1d567974aace203f34fa
SHA256 760509436e6b57309a428704153ac50fc9665a5f9335385d72c581286bbc4d38
SHA512 cf592d132e2f41b9808a6f5b42bcf881c09501c2751e26a4a141c913698f360047317bf897ae86b31fa582e0d6b5ebc99102ce6c18c5beb1548418b169db3321

C:\Users\Admin\AppData\Local\Temp\WoAYMsQw.bat

MD5 b512a5566c2b9506e2dfba3a2346e38c
SHA1 134c498b37b42a379916c5060c50f3b5625983c4
SHA256 94c9855c37b36e7f695fdf232d8781acb63da216dfe52abf94495362916de517
SHA512 59f073cc1d09de067e50cfb2efe9890e16645002ff2c923d2208a2b999b749eba65631a130a160c5230eed1124cecf5b774683f327bc7512df28e9e6972db041

C:\Users\Admin\AppData\Local\Temp\SugYgUAg.bat

MD5 da521c76e7fad466fddff4a94cfec1ca
SHA1 4e2aadf5580269801d86b1ec38a165b0cc2c935e
SHA256 cad94f5b04607db3f52b5e7722a258c8e0bfe2fe1f70f2e803c2d61ba7709040
SHA512 9a6aeffefff895b722b766f13e7cab637ae0ac4527d67576f994fc9897463add11178f25969b10dc153522b175be321810cc3dabb7e87173124f7790edb039c9

C:\Users\Admin\AppData\Local\Temp\awEo.exe

MD5 4942b0ca14d2a55d925bf6f64f44d914
SHA1 e76783e85b232d149a68f36897f3bdc91e988a51
SHA256 172ae466459477f968a5a28abc17ebab471d5408ed322c45dc3fc77b0062d803
SHA512 fbe2a13dc2e57a249a28b7e14501f077b9dc5fa6f97ce46d9ce32ce30e856122bc8faa27f837b2a8bb387f406f99ae38b448d0049ca677b607f63c7bac2021df

C:\Users\Admin\AppData\Local\Temp\oksoQQEc.bat

MD5 202572072c7464f3f761cec565cacd99
SHA1 6e64dbddf05df0fbc4aa985e6a6d176599cdbf17
SHA256 41d1fb492b4a03da78b6ab2f4c43ed95d3393b74b3ab5f90083a2e10a7bea8e2
SHA512 0c8520d2045323ace59ed102224cc1a31137ca893dbcf4c42c93944fee5259ae50e2048a811d6c03defee00bd85929f9a0acc2d04d839ff9f7b7d9d252681343

C:\Users\Admin\AppData\Local\Temp\MUEIEgQA.bat

MD5 f7b9fda9d301ab509384f80b5a62b1ed
SHA1 eced908e243fefd98cf0d2abc6de824f6ad1f1aa
SHA256 946b056fe3def9ab6501dbbd3d37a5904587ff5d0491a76a70ea8b54dd9beb15
SHA512 45ae8c36d8c95b2973b0667f8a0560478efe016d01ed64861230ea9069d5cb6ef43a85227331ebe48a563617727a57cb05ee7bff238eb5947bd9b9dd95a5d13c

C:\Users\Admin\AppData\Local\Temp\xCogMIkQ.bat

MD5 c1d2cb2f7e58f05b7876ed94ead8483c
SHA1 d369dd6cc5fe446c2000b26c022d191618a31861
SHA256 44507028d77eeda0098631efba3486510b79827a6ddca2d390e86199fe3390d9
SHA512 fd4ead608eaabd8341581ed5cab0296382acf5313b512898acf15cb043898ae413e721560f5d80f6feb3ddf0b5221e5cb1145a373dc5a451e2f717beddc655d7

C:\Users\Admin\AppData\Local\Temp\zmoksAwA.bat

MD5 4e6149cbd42ad6c80cfbc03a05d09caa
SHA1 bb108e6b8c7925b96482b8f4f340dac98f15f996
SHA256 53d2bbd655bbe7767e2543fc1cd6225dd117af509c981411932ba024a9faf098
SHA512 0d59c9a7c949d9e1d3149cb2e3aae0aeedf95dc44cff3ebd346a8a8417887fb4f5099a7a73814172474d988f837fd54410893abaa011f823917b0fd1deaa268f

C:\Users\Admin\AppData\Local\Temp\VsAwYMgY.bat

MD5 9e51fc81f7dd6413bbe4bbff79e80ebd
SHA1 f9364c8754b95cb1ffdee1198d96952887e2ef8d
SHA256 336168bb852e83c85129022ed914b4e4f7814a417e0cb22ae0ab6ea6c894ee0a
SHA512 e4750695ff82136e0fa8c5cc834f08a545ec318d3ceb4d13c9878a4be98a205d4d03eb5a199a1bbfa1cd301cea68979a84ae063cdf968e335bba6ca1a520733f

C:\Users\Admin\AppData\Local\Temp\zyccskcE.bat

MD5 6f16158c7323764b39e50740734a6253
SHA1 67e76488738f6142b96b95ca5d32e1511065f7ea
SHA256 f53231ab5f24102e2ea986275a8f175d1b3acf0fd8d495efbc6c280471c81e5f
SHA512 b6799c9048bbbf6d2375605ac916df9c2a6f5ce8017f052e9eadd85308cf3e99a3303572248b4b21b9f437573b999eee29ea6c95dbdce9485061cd9914aae86e

C:\Users\Admin\AppData\Local\Temp\omkgQoMo.bat

MD5 9e8cb23144059a87456f7e9b646708c6
SHA1 923879d5f9c356fc33e0bd461a454330b9d31a50
SHA256 bdbd40abba0eea153f66c7b2e15499ce1b81c008de9ec46f6c91e0ce93476cef
SHA512 4040448e92cf4138ccb2fdddab80417a8f4e722a8a78a1130691f3ff5e63ffa2c264a3460cee83249f5097ee9b2ac07e8b7197e3a72b18b130d6b9138f2290ba

C:\Users\Admin\AppData\Local\Temp\Easocoko.bat

MD5 74bdecbe3a46d093b7844fd6d0350b15
SHA1 c338fab512914f2c825f9d3cd3cecb6bdc6768e2
SHA256 8f44418623e5c1213fe92a29551545957e323c532a5cfa01ac3c117e2f18895b
SHA512 203e7d36430f75a49993905c98aaa16a25f5b8419fb2babfe074d71708f409de0ada162f4871634b6b202f205f341b7cc9d230e12ec07bc23afb17433e2f6fcb

C:\Users\Admin\AppData\Local\Temp\umAswoQw.bat

MD5 edeb6eceb0ce498ae12989ebfb222064
SHA1 32b112f706e5418742dd6aaffce73bb3db90c067
SHA256 aa01f21a8fa81cd0fd18ef8d38b3160fba73121a49a8ab605e954e219f73384b
SHA512 2787a55bf93e630f0136745a26f0edffc028772a1624ceb889c3e1e3ee09a8a48bc179190b8339cb22480b1b20afeaee0a7aeb0dbd25f1dd1cfd4b73c8fcb305

C:\Users\Admin\AppData\Local\Temp\LgkgEksw.bat

MD5 21311552654022c73b8b54c9eca18d25
SHA1 3047c6683693f1dabcc25f83833b83c717d54215
SHA256 ee6eef3229e3a155bd8355208bc25383064a24de5e71f5d58fb2de6b88c3b541
SHA512 867343793c81743785c938c54d21da27b468adb45ad82c339f65373e93ca9299453058e82568b231a527ad4cf79ee0f80d5a69f2e6db56d16559f1edc7657735

C:\Users\Admin\AppData\Local\Temp\HiQkAAoc.bat

MD5 689acf8cc0f117616ef8c248835c1f51
SHA1 5db32fd5383409532a5b8ea4d69841b00e60b55b
SHA256 b7cab92e9ec3f458edc6683226bdade9991556027d661ad8f2fad4fbf7f6a439
SHA512 1ead875db8b9377251efbe66016b93c59393d1446f1de5b9a0340657da52371079a7633f6af2bf56a4342817d458c303e100641e46c31d6707c9789bc0d84df3

C:\Users\Admin\AppData\Local\Temp\rIIIkMgQ.bat

MD5 3e2058dec0bd67cd5e80bbce04a35bcd
SHA1 dc67c681338dbcd727d5fad9586eb03ca496a608
SHA256 0d67494b75c7896796ab0782092859df929f6f6577e8b9602c2d1519499ecb95
SHA512 e558a0244c013639289057a13ab989b81ef71cc90409fc4e46d4ca0b993b72adaa70d2dede6dc0bd9811e5a142d8ff2d30028cbb4d20f6b52a5abb451a0ba148

C:\Users\Admin\AppData\Local\Temp\higcYskY.bat

MD5 b66a957cea9c49277fca16166031ae0b
SHA1 bcc0fe6284f745587a9940b937865cfb337cdf89
SHA256 c97e50540e30edf6407a73871c84b27223252978306f964255e78e5cb0c3ee06
SHA512 bdc205e5be804adf62dd04889af234da0b9ce8a8db4030285f5cd7d5b184f7428d28ba2ce60e37ae1decf9e64fe169b137c30c7dd62ef87dd84a30587300d0e4

C:\Users\Admin\AppData\Local\Temp\SoocUIgs.bat

MD5 a34314002861beef3dd5f291696b156f
SHA1 c0372b7e5dcbb023a6b4919d5727f066ba90cdfb
SHA256 427dd75c6345d9a97297795816e1b452b5290b63e07b4648b5220dfa5cb5377d
SHA512 5d19dcde4a89a09361673652c5ec23303620edf2ce09df8099d8ab0c4fb2921abc54a094d27d9e720a4b97d9c2532bba8f9e1e90a20db5f9c4a801baf05df6e6

C:\Users\Admin\AppData\Local\Temp\PqssAQgM.bat

MD5 2eb1bc176d52813940f7f0697356d50d
SHA1 51a473e33a88bcd1e28844040df89cc1962006d0
SHA256 2437ab832743ba1d4b694252e93d7c97231dd342d1e0e176460cd6fcf805e19d
SHA512 9f99fc2142234faccd00149a4f01153a8efe4d4ebe3caedf4de390c9eee45e38fe9587318697c02c338d9272ccdce8097d15717dc14198747b029c12146045df

C:\Users\Admin\AppData\Local\Temp\MIIK.exe

MD5 7be7d8fcc1f3013151c3d9172606be1d
SHA1 facbccdfa04cbf529e0f5bcb5bce7196ff7af154
SHA256 227bc552b225f58cf858077c0d79d06b5c0ce248c6d708b1b9768cd4cd123fc2
SHA512 704207f866ee1e30f3f8b169ea9df3d6bd2e64f959f5b61990b868f9c608fa5736f074de2e51543a20f10ca18fbfcb86ed47a37619a327cf511c5cd21c66c27a

C:\Users\Admin\AppData\Local\Temp\EAYq.exe

MD5 694c4049ca72ea13ec9617268e193f22
SHA1 bf0080aeb8012f88eacfab6f1f6b2554236dcc8e
SHA256 0ba646775a816b6386275671efde61b54cf3d5ccb14bd6abe54018f31680bee2
SHA512 52f0817a032519598b49e589d41f815424235268d1b670d681afc96d1552100c98ce35f4de1f2c7ede3129628fcd2163dc7fe52bea1dc825fe970184994b6f2c

C:\Users\Admin\AppData\Local\Temp\cUQk.exe

MD5 011124553838dd95a033698e677ffa35
SHA1 1b7a29bc300e1b406ae7d5f94b452100702f7ce3
SHA256 9323f97a151762e8798f5c947f92e53adb525891932eec6cdd7281e1547a8f42
SHA512 61238c2f50bab6acbc2506892d43844b05c64e7875674ab9fa4fd45f22d97ddd0cc9ad362fe48a50a61c9ce4757d255949b70ded3fe40273dbe229cdaf0b889f

C:\Users\Admin\AppData\Local\Temp\UmAgYAcg.bat

MD5 3533769ced165619a157a72cb6f47057
SHA1 32292e9f4aab3b3d163528d55c4aa554874ff326
SHA256 cfeca41703cd84da2ace055a239500879bdc9767a73448ef4b0ac28bc7c5a723
SHA512 898eed1d83438c7f3407f3e7b03b78aede8a98410a98e3b0b4a3477c9ada4448f02c9ff7fe265d39a0a48007e115ea2da11cdc555e48c6fe946664c420ea3922

C:\Users\Admin\AppData\Local\Temp\ncEcAMco.bat

MD5 7e279b54e1925a315a7d4836d6b8193a
SHA1 464412a1b0b80e4d9cbebd98e3178979a88892b1
SHA256 a364371cbacf08912d63506fb19d9896c22a0defa258c6916f0fbd56e087ccd9
SHA512 d673d33dfcfda447531ac8d3e6ab64e9367b1495293f205501068f850504e63b9cc18fa78caeb65dc4477e89650deb7ba394dd57a9e79b1e3630ca2ae328ca6e

C:\Users\Admin\AppData\Local\Temp\MIUMwkso.bat

MD5 e8ed91dbea0e340c78976cf5464e4245
SHA1 e510ccec2a997b1b2aaae34a45e466217cc63294
SHA256 aa8967402425eb2cdb6ed89d2270e302569d02768138d599c0a15cdde5288d76
SHA512 9410869d57ca92c92de8a8dad19f94f3b884269c7a09bd685b9ba70ae5ad77f5b0cf15219a6f578fe6123c200f9972e69ce671d637dda0b578467dc9942c9726

C:\Users\Admin\AppData\Local\Temp\MAku.exe

MD5 beccde4c7f6fee45fdf9a21feeb435a9
SHA1 f2445af1b18e56129eb10c358e43c8821f2e556f
SHA256 76c54211ad51242ea7f4538d8c903ee2e6ead1a4ced427ff20bc912fe7d6096f
SHA512 145be134874b5ff9a335d90c52e727c90698d6007baab031d3170f216b7e597504a63b80043b915ccea1a3ecf60b1b8fc2d9fcf5b9b8ec52cb92866e12debdf8

C:\Users\Admin\AppData\Local\Temp\OAAc.exe

MD5 248882a18ed6aff583f071a30d077e5a
SHA1 e6e0975c28fbcf179529f8a0443c25c100ec907e
SHA256 b611f1580729fd831f6a3122e584495d359189236971802f680dfba8450c64cf
SHA512 b4bdf036c1ec5446c068bf3c85cd213f118a7d8939ac0c1c1072eb1c324a43c3e19ab8610a1be9d00236a93d7beaa298b1a40621cced5b4fb3c0dd6c223e194c

C:\Users\Admin\AppData\Local\Temp\gMMy.exe

MD5 9cd893ce37c9e1d2aa6d3729bd95e638
SHA1 9ef4275481665769aec2d9527379b421d9b3ddc5
SHA256 614a82eb37957803b3183f392546c5485c2b2cdae1e2d2b8ece24212eebc3b1d
SHA512 aab301acb3af7ef98d8b7f29b920e646376b87a3faae6f590a2073c1d81c8095662f1dd7e629398d00bd1150d086e4242390c9cadd0d3368c5be74ada01d2d71

C:\Users\Admin\AppData\Local\Temp\QWoIYYIQ.bat

MD5 c54e992a7c3bab40753cbd428cb1ce45
SHA1 b8e16b46ffbe1df7f3df87f6b2bba2d7cb9cd993
SHA256 c8beb1c1d1cac4fc1fd4597036d057a68d7cdf2b703196f7f0574671bd7f550b
SHA512 40bf6c362f0d05cb6f66f60d3b13c9ac75898a66834357e4d08f49ca126c5fc58bb7497016b75986313c2debdc7488ccae25b3486f58b07bea60b0b2801cdfe5

C:\Users\Admin\AppData\Local\Temp\qQwi.exe

MD5 4e2fc74599bc04f7485cb4f9a005f8ad
SHA1 a70ec2149a4e021ea5c87c7d33add0072cc1e367
SHA256 0c060403e4a97996b6bcb87b0ff43b310e3ea28f1a4f4e57ad8e3cc1f5804f6c
SHA512 2402c9dbfed9bae9012b66712688a8e646dc31c9ca1fe245c3ba4627f88fcc2230b61a537898a57882cb5e5e504fc9789f5dfad6004ba10f9a341645fb06b05d

C:\Users\Admin\AppData\Local\Temp\ekAg.exe

MD5 94d4f71488eb5372385058d471c82fa9
SHA1 7e10a5b76c1f7f1f8e703948357e32c5d514a3d7
SHA256 4a87eb25e17b197c50a246c25a292dbb499fdb01185b8f9a6234554bf93e79eb
SHA512 9047394beb0a930b2108c1392ffad59c640927516ed7849968c45613ecd75e71515b5d07edd7d5b4eb633a01bf31230adb6242ce9ebf32cc917141eea0e7f7cd

C:\Users\Admin\AppData\Local\Temp\oqAkwQwc.bat

MD5 220ff21963ca3b1ffa2100c3a99eae4a
SHA1 d7fc5afb3491c5840e8561d5d9daf7d10b2357d6
SHA256 3d389f790f8d4980dc487cdc3f28d16bad190fa7394bacba9991b82bdfcbac7d
SHA512 384d5fd3ce9ee3ef1a6bb908ca5c579b4e76ac345f1d4f0ec5aee8f1c7c64a99b0f15a2e46cb23e2fbecb51721f5785a493328ec1d5d0e0244c12f4b68e58bd8

C:\Users\Admin\AppData\Local\Temp\Gwoo.exe

MD5 7d89fd196357b7d7f2b4fd2fd76ebbcb
SHA1 362b41457a87027e5c7ece2b92e1694cacd358b2
SHA256 45e63fae2c70fb72211d8716b60a9676651c96e6d24c7936dfdcb5033796d030
SHA512 e2ef276e274e9136a6081467873387478907ac7e3aa02326d45cf69350e51c75000fb70f1f7a037d0a5accdbfba2f773bdccd94d8167fc30ed719f3ab2150a94

C:\Users\Admin\AppData\Local\Temp\YkIs.exe

MD5 c339efb8a25799a7885c5b270093e2fb
SHA1 7a399a1cbbf8ee79373f36559781d33dae5efe90
SHA256 e68e77f6bd175014b7351ec372c8704ae3cf81df43127f6fb1f88e1ffcaebf3f
SHA512 a72eb98911842ed45f59b8a6dd085d6c1a398d3e761e682b4cfc8c135bae18120e6f4a7a082bf5a5263425c37dfefe213c32378d108cef1b9e98bd3d690eb813

C:\Users\Admin\AppData\Local\Temp\UUkMcUwY.bat

MD5 1617b81cee0ae4781a80f12846682373
SHA1 539e5ccd20b1d523dbaef0a9afc705e6dc5c9f0b
SHA256 e0816a5c4b0c5e7ea9dfbebd071f1f0e920d17e39e5391244c8a6b27d4f1b386
SHA512 8e5b15aa29701a472efd9061dff87372a9af11a1a88ea16717e5089d49bc526de080109b34e2b645e37a1b173e4eedb5c46e56d87ebff9d4d255aa696cc955f8

C:\Users\Admin\AppData\Local\Temp\YIwW.exe

MD5 87e25a00a1f225244f0bb17d710be372
SHA1 855d5bc296f2064a3af2b5c5f4718e2d70e15077
SHA256 d53e29415e1efbc89cda282c4cda62446c68b765dbcf16b81da1b224ae06c367
SHA512 6792a067c60da03869dfba7d3ef28e1e685e90418c1a84b131ec3d03a8f299364e7c8263c3124bc5fe3c3d08903ba874e63ecb202ed7eb59a72bfd3bd77fe2ea

C:\Users\Admin\AppData\Local\Temp\isQm.exe

MD5 1695031fefd50b4fbe1723926b588d4c
SHA1 223e5cba02623543e13dfb64d7d6c72755d4bf01
SHA256 32ac69f53d57317895bef261d546e5f0575781635aca1335cdf4f53ab411ae23
SHA512 f73d209c2ccdeb28e72bc3c0fa4507844401444b7d6c0e54de99d905c414eff390cc2560bafe7c32e51f38ae37e5bf6b81470b4e6050bf70db7e799dc0738f50

C:\Users\Admin\AppData\Local\Temp\Awoo.exe

MD5 bd65df17727014e1ec6b8ad8f70ba76b
SHA1 b5052fd8f928dab34233440c23f42d7c5412afac
SHA256 3d5890e3517e7369f3ed1fd3e81149e10e90bc08df7f2e0579f7596bef3664a7
SHA512 94fc8f190518e036574428b42cfcc969ca5ee9c76fab6f5b197745a5a10b49a9759ba39dd779e7e7118bccbc9c4f4a699b4c475bf3f9fefdf7ff85eb17151e2b

C:\Users\Admin\AppData\Local\Temp\uEsa.exe

MD5 8c1f311dd91c88ff464802292799b3eb
SHA1 2daa69f364ab6c105d0bae3700b564069fd1e4fc
SHA256 6acd1a49989e5ed03a6853e879f3675be3c2b48d9367b5bdec6624b62ffbe883
SHA512 183841eb34ed4283cd35640efd1d9df74c9ea976541f777cc6bbcdd0eedec392e16d380a20f0f146ae7003699e33cf4cee9b408ed26d5a78eb817a715fdafdf4

C:\Users\Admin\AppData\Local\Temp\HYAcUEMo.bat

MD5 81e36e113de5ab91b1302154a8fc26fd
SHA1 413694d4536b6abab9c43d7a18c3f4e22a3a4f7e
SHA256 1bf46030b6f04488c80902c5a2171aa2756f59982233cd77dc7be0ebb62e1d72
SHA512 c76db15a1ce62b0119f78ac41773bca8ea919c5472d3b41426dbad587f003c1c08aa1e506c8bfd5bf2b9e7119a61010502f1ef365052def313e0ed99ae5bd5ff

C:\Users\Admin\AppData\Local\Temp\KUEQ.exe

MD5 899ad62d574389d6fdbc4b9aa93c54f5
SHA1 7f75dcd8181f56f12c72c3b5be50e76fd075ba2c
SHA256 e743dd6dedc2f50b280343d2ae75e080d8cfbf5fb3f6f7f5d0a8903321a70f40
SHA512 18671186308a2c245d3f4c94dd3f10c7738d946b23f4a5c0514398b4f29a3897ba91c66bde220f6f19c7b089c38a6702996f374d02f9c93cdccbe42a5a346d69

C:\Users\Admin\AppData\Local\Temp\cUAY.exe

MD5 a00dcb1048c5d172bc9e5f0ee306dc7f
SHA1 3fd012ca7ba8402fa77981126651b21edce52352
SHA256 2d620d081a29bcee2b2c64d7baf0426a75cf39166821267d43105da1ea6b1055
SHA512 15e6c3eb1ab64d8fa4a5e0dc45dd81e556d7fa352ac866b27dc92a793e6d18ab384f3ae12aadb2737e587cec904d2818d268c755b20d4f854ae340b8c195e0dd

C:\Users\Admin\AppData\Local\Temp\okwS.exe

MD5 a933c9aac80385bce615f0a29da68357
SHA1 6bb3d627a0a82016543eaba2f0f4ad22348b1b99
SHA256 e812fbf241b8e3db1622d1923f9f08419ff09dfff3a76683db9468562cc51acd
SHA512 f7ed70400b79cd114e22c65d2a74c8b2363bcf4eba778072582109d7a7b8947fd665801d730506704d974be920845c90cebfc029618456538edf4435b04157c6

C:\Users\Admin\AppData\Local\Temp\UAog.exe

MD5 ca3323c0fdb4b958c6c72e36bfec964d
SHA1 b831835378593b42c2eb8ebbde0b60953091c213
SHA256 881ce704f9783576dec0ba261c60d98d35b8a46d6b416d75dfe101a4fc4a00a1
SHA512 fa6189e77a837277b0b31d4d9c9cf4c3483456d7966c44346b736e78e908974ba4d7967c7bb3bcb220026383627c3516f7ac698428a4eee57c1c2f3341648e7e

C:\Users\Admin\AppData\Local\Temp\OGgIsEok.bat

MD5 b926714f93ea4170ff508ad56c90618e
SHA1 d9e0cf15af79f544ed336f0b608c0c4bbaa51c35
SHA256 646b8693b8c447e1df756fdb37946c913f8ac02e32474e5f4af96425758bb872
SHA512 40b2ed3fb0ef3b3741a7f031b95878ca02981559a05838c48464ee17cbc0ac2e395760398fbd3d46c8e96e937af08c9d60b7337f8e2d22665710fcf1f3a709c0

C:\Users\Admin\AppData\Local\Temp\SIce.exe

MD5 6bab71d4fc44bd8c3a5c5110968801e6
SHA1 a31226d8b5c16dcd2281124a7d52d500d485142d
SHA256 5eb891a3fc67d026c7103195bfb5f8ef43f75600645bac3626d2b213792219e3
SHA512 db2d026ff0e15b21b993e51c9f7c79023bcd47c4ac8bef1c9fb79d727211c40cb638d65bff90b05d798637e9c1a6db9abb105385007b88304ee6bd5e5c64f3fb

C:\Users\Admin\AppData\Local\Temp\hsccQAwY.bat

MD5 c8072c044a892abb1aa63fc49be5d823
SHA1 4e6a9b7dcd8c4c4c9ef6ab682e5060a8f3818aa0
SHA256 19ebf97c99b7432406760fc7d596df5f46917a7241e7e555317c623dcc4e1664
SHA512 78c50cb410e558a345b5aedcf294184aef68d76dcc979fd3ec067009b079559b42dfae6858fd095d9e4c3ece6934786c93664974eff7aa0abd415d6ffff9f0ed

C:\Users\Admin\AppData\Local\Temp\Aosi.exe

MD5 d9752acf690d57570f33487a015c8175
SHA1 32fbef1e3b904b5876224bb1b2d127eb6a4561b4
SHA256 0b519fa80e75535a3df4192d1e47560bac3e78d679461f04230e748b8a329da0
SHA512 13fe750c99ad131c46208b1fa8bccabaf1cfd946eac939ccb6840f659818a7dabb0778031dd07ab08ebc45d7428a57cdd873871198c5750d7e0f06addb6bdf3f

C:\Users\Admin\AppData\Local\Temp\OkoO.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\SuEwckAQ.bat

MD5 a342e6d6c38b1c91d92bb68c285d2182
SHA1 a5b6eb83e094b143855e2c88677e483550631423
SHA256 3b5d6923981dbf7108c8bf2c60fc36e0e7068ba48696f73a5c01b237659f5bf7
SHA512 5ff269d3d426df0c0de962bc87790cb41d037fe7a5412f9893b82c76032918ee4d82a1afd2f2cf19c2cbb632de916bbe40635ddcc5262e2d5bab10fb1cff26cd

C:\Users\Admin\AppData\Local\Temp\KAAs.exe

MD5 7f7de690eb37768099d17acac633e159
SHA1 e9db840c5b0d1fdf1683d2e56cb8f0b1eb91fd46
SHA256 ee1dbe0fd8096d60ee5ad958eeb2c5b8970ebaddc2f1f6739825cb36eb192aec
SHA512 1170fa0902b106e9079722a8426445cf7ef9cf7d058ec001711111a90fa9f5c58e2196a049e58d64fae0be9fa48411db330dc277452f78fc7482805c4cd38744

C:\Users\Admin\AppData\Local\Temp\ukIa.exe

MD5 cbd98eaef542402625089d12a65b7347
SHA1 b50047309cca1ca7983599ca841e9cc759ae7f64
SHA256 275f93d7923d10cc67f7466e1febb79edc10f18411f93377cbf435dc9b906228
SHA512 c601d4ab6d64546a78af6d6aaae5fb369aab1cc52d61c52bc1b3dc6088edb3a8c65a19d1c0c837f4941c08f42e08a535f852d0c5e6a16fce63d35f215ad3fa3c

C:\Users\Admin\AppData\Local\Temp\OcUS.exe

MD5 cebc5f50733c26e3f2e81a8cbf75f3d2
SHA1 46d5de272978683c8ce2690c3cca545adb691fda
SHA256 9baae463f52940e6dbbd1cd419fa8dd9b55e4f680eafdf538166ba4bbf490a99
SHA512 110516094c66e43d9f98df47cfb11846a65a726d3272e947bd53397f8c09340c5dd65fbaa7f62934d9c21286d60879e5d4c23cc98e78bb25bc6719b5a1cbdb56

C:\Users\Admin\AppData\Local\Temp\SEEE.exe

MD5 f2d98a07eba7d68e6fd17b3be7762384
SHA1 8c2b6202c71ebf3c9bff23347735e669b336a64b
SHA256 f321ecf736119d74567b91b8d9010123ac993cd075f7f8291cd8d2d20b4c4d80
SHA512 5a7ca1dd9ec10b8a79f285a305b829bc90817f27f3085081ec0abd331469bd85aefcca456de4c498e6f872e1bd180a50390920ea5a6cc422dcf1d80ca9b703dc

C:\Users\Admin\AppData\Local\Temp\sMQO.exe

MD5 b7efb89c3619a64e33c76ad528aab67a
SHA1 45f57f58288171cd51fd0730b118f686a25b0d2d
SHA256 d723a7fb74a61c0c435f98087d7c774343c49612cf9e43f67bab152b7b278610
SHA512 b686a60ba84a092702d21aff5cf72277a1fdd62ae79bb0f9b334665686269b1b796748dba81dfe0b8deddb6500c19343e5af61e515654ff6549b61ad17770733

C:\Users\Admin\AppData\Local\Temp\IQMI.exe

MD5 16923454394b276096a872769a84ab45
SHA1 a66cfe3314ffd28ca63614b194c456d9210631ec
SHA256 cf033ff54f0107933475cf10fc4b080d3f2d6db379a498d1eafa0c30f1f36576
SHA512 1d5717c43538afbef75edfb3f9813c9a98e9e50a38f2b9fd50197cd6f9674d7294c19d5aa2e89cec7ece21d46de5dc9a5f3ed013be6fd0c64b97dd8ca919ffa8

C:\Users\Admin\AppData\Local\Temp\UUEccYUc.bat

MD5 6d6aa701e2ca2a748cc6c94011c1bb02
SHA1 2ad8a037197486133a0de8cf1a86519ba5e0459b
SHA256 257de7de42232dd88aa9330604ce8acbc75a97fbcf9d31e3afd1278ee2917dab
SHA512 7b8677a67a7e07db0c33df0026c19a44f589acd5c2cf9708baabfa8c786e1ffcab0207a29aebd76568e85241642488a6c3ade93abff5ed09d5416726dd4cf4e5

C:\Users\Admin\AppData\Local\Temp\UgEIEwYM.bat

MD5 e3d3030560f6a570ab925c3958b5eee2
SHA1 a1f4357cdadd7895b1e5d455837ef40edfcea650
SHA256 a7c920ce91e130e332ea2bbe1192c9800c7a1c8f9af441935dae9ff0d92063bc
SHA512 10d3eb1474fa739486d35d1826c138c0be941598d2b73d59fc7c584dc18a43a6acef1d7330a08f4e6108ac5f6b5f42956f959d56a2fc5b29d8d1fe9d6714fe8f

C:\Users\Admin\AppData\Local\Temp\gIYs.exe

MD5 d0af85e3c1465e6afd673bd0cef33300
SHA1 5e51611892acca9bc34a4f98cd85daf071a0e70e
SHA256 c88b37f04c0d086a34c9878132b2fd24d5620b47d90aa5549ec4e14b71ca94a5
SHA512 dad81c30c2434f97bf63246f03300fdc258a33ff30085fb8e80cf24e9eb53249750ab0ae137bb6946b9f5ea023f3802c6b5679b489d9de7797e595d3eb84f31a

C:\Users\Admin\AppData\Local\Temp\MWoUUAYU.bat

MD5 c31b4d5aee5fe17b2b44b40985ac60df
SHA1 a55f7d996187a254b187ab12be85a94652d5275a
SHA256 71a7f9c52d757782cafa1fd91c412739600ce1fa139f44b701fd6cb8ff8c9d44
SHA512 4e5bc7f97d426a59fdc5ad407ad3e7bc9f32da75c708261d7d98886b64088749f4e5210366fd134fb781508b8dd978a9ef7f0579ae22f1d264b4587bab628877

C:\Users\Admin\AppData\Local\Temp\iAwS.exe

MD5 adb2138a11c923bd67b8c78c21dbe772
SHA1 e5c305a3682b9e6504c81b5bc715cb64ff1cad05
SHA256 89f7c4b60414a858e27a7fae4fb561ffe08d6cd1bbe32738c2210756c6259939
SHA512 4d0c47c4c0415392cf00e1bdaba51a8f1390f4718e4cf6703ac35b0bff70eb618e98dec80d3d39034a6b77c907dea3d911a312ad0813cd4b322f33c80857afa1

C:\Users\Admin\AppData\Local\Temp\Jkgwgkog.bat

MD5 2674a9b0b5bb732c2d3d04e96a7eb7e8
SHA1 c709ff606637f7019c5c6da2dae4ba7ab62d1747
SHA256 b9d0a985c9a8551a8b460f5c53f4912cce65f5e58aeb44f4809eb0d7cd320a47
SHA512 a65af5fe5317d94b254f5656878161489e9e6b8c159978accf66a0e1db93a5726fe82aa83ff8dd312e8c780e231c15eba57e2636fa3ba74a36b9b6d4bff85ce5

C:\Users\Admin\AppData\Local\Temp\YYou.exe

MD5 15a8e48f9a471999c6fdea45be2d9c43
SHA1 20a4c20c0bb5302c806946648666939b66aeab2d
SHA256 2e8d24d7bbdb9475b40d2ef9838271df7aa16f60875a9a558742e9a4dbf26e58
SHA512 26750c7ac3eb09d0b4aadca0ddaa13e0ddaf006406973c5f143c676c59563e12ba4d28403b1b51b1b2fa5898c65ea3bb3276c4bfdd7d2ab27581c28236a51892

C:\Users\Admin\AppData\Local\Temp\qsQg.exe

MD5 6ff0975a6ef7152ff3e8ef5c74733f17
SHA1 56d1d34a44dc2a1e4c080ab68bd74a94689e56c2
SHA256 d4652390088d6e75971d348dc1ba68a03756cb39707e74e19236a0c60274c837
SHA512 f8c67ad9710e534a14914a16c591362c4ae2d553d248dd352c2e3f2802eef2faa9b9a9c4d70668c28fa109825afecc7e434eaab4d6610a494c177384b45654a2

C:\Users\Admin\AppData\Local\Temp\KcEY.exe

MD5 5a2b73c49efc8df5a4c3f687f4519d9a
SHA1 74d08dbfa7029ffcce26b8829fdd4308c18dc922
SHA256 53cb0be28e6575c91a98d5afcca1ef8feeb22f24c1f2e819284321a96219a573
SHA512 4b656b08e392e353336ebb56bdd8f07f5038c7c95d389fe64ef3945d4ccc05b1c9d120a20f82cf87e8ebb2cffae5aeb5ea60435ec064af518c62c7e1d2e0cd4a

C:\Users\Admin\AppData\Local\Temp\qowy.exe

MD5 1e06c9649a7e7bd45c2fa2ecf02d5b33
SHA1 8c27580026ec85ed80c8ba0e41fff7f4a33be203
SHA256 cf017a80cc265229eed70c55738913dc16dec38286a69f19951375dc7a2035a8
SHA512 217419671ea652de7d7133350621fa5d38cfdb7bc57d457ff46a1f7b4fcaf7fc76176330f5f8d52f2b69e101e103773ba4896e494486dd1c13b7b733601640b4

C:\Users\Admin\AppData\Local\Temp\kgoq.exe

MD5 75046b4407a6b1247330e90a80193c83
SHA1 7f75f19278ae8554519d6b53ff175f951a462712
SHA256 afb23e109fd400d94640239cc4623365642cea053924b41d36b59be9e6bf3037
SHA512 22805944706972e82deadc668600304897f357b1bac2e366937d8ffce95ed56d0a30a87d24d72650e4a128d961814c87bf7102f03503f2142567d158b5d32e0d

C:\Users\Admin\AppData\Local\Temp\scUs.exe

MD5 3d9530d3fa02ce57e68832b1f6702982
SHA1 465646c0ab99f04473b88dd2241233598880c9bf
SHA256 869a2105a58e94053958454212c87c200894295dff4efe0fa7c3cefc4de4c008
SHA512 9ae05e7c35693af562315139f021bb8d73353962ae646a6f17966343971de63d00eeaec786944870b8fe16b4d53a31c44b994390baf4affe9129298af08eac5d

C:\Users\Admin\AppData\Local\Temp\Okoi.exe

MD5 ed126c0f27c48a1a820dfed7c0fc6a79
SHA1 21f18a0c8e5e8ff3c23ed5abcd083c11a6a991cf
SHA256 10f885b8181577f0c1fdb64658d4bc09f85ce49a4ff29990944006dc9b0540b4
SHA512 89c5978be35dd44ca01457ef768724f4cf7b6f3811fb845b482bbdeb5f725ab344251efb96f9cad85456151b2e9065c3deef55d28887d81841c6e251bc2cac19

C:\Users\Admin\AppData\Local\Temp\AmkQQoQU.bat

MD5 9988cc86de0318dc8bd4a0ffd2939e8f
SHA1 ef34642507c83c853c16f026f9820919a88a7496
SHA256 5cba72486e6a20e2dae57869d84dbf01708aad31e5f4516f5f2e2cc6166d06ab
SHA512 848e31ff76c818a24dae8b963db9bfe3e0a0c5783715cf54af55cf6cd4f1ac706dd01a55de4796d5b30193c9af991cd8ad1e51cc8ad8815860b7cb8139e528a4

C:\Users\Admin\AppData\Local\Temp\KAcu.exe

MD5 0008de0ffed43fb102af1ef781a06827
SHA1 62f7ac855c111d669a2a66662dd32f68d6041c58
SHA256 9e96292fdeb139f02889b74636af465354484b01823576f65fe264a060ebc5a0
SHA512 f12b5fe9eaa779f2681bfac8f21e726c0fa522e5feed0bd38be4b956d5260d892bd2e3aca41f7054d95ae30eee85ba2dde9c9f4b7f536a4bfdfadf8289657eb3

C:\Users\Admin\AppData\Local\Temp\jwkQQAkU.bat

MD5 261e503a408fd4fe3d44035684e9fcd1
SHA1 d13bc058f3e34181bab9ceeeecdee5271e63126f
SHA256 edc905bc9e9d55b5da50310833b91810e7434ec8054281854cead06ee904f4e9
SHA512 91a895b78c6a1b8225be7aaa51a7c8ade5940856f9e8b6cb7f3cdabd3d862e5ae9bb80a311eb7775c658effb85eb8a01567f6572b034514de44bde936230e931

C:\Users\Admin\AppData\Local\Temp\GMsK.exe

MD5 c83258cc6ca567b8f93548a8df1e3b63
SHA1 ed8b02a75fc472151033cb0a365bcffcc0e8ce93
SHA256 21bf98fb7ab60a7a55682e061bbc9937c2efbbb1c8092eb41db98b89057599c2
SHA512 db23a23acbe7d147ce48493cc1b336ef4ca76bf5e33d1c2b2e1d9017511d7bf0a79e4fdc533d9ca4a12703280d9b008d619d548270ae4f8806a93d952a89ed47

C:\Users\Admin\AppData\Local\Temp\AkIY.exe

MD5 6207ba9d54fa83b94b5fc25a5fb8f4b5
SHA1 d88077826db67aa244ee434e6d76dd99b221226f
SHA256 e7ba4d09ee4156c3d6d8a74262b2436773b1fe2d76d86b37dd2adbea622dc27d
SHA512 cf707940a374dddb00c56b18197245828edd2281d8c678a6c1a5610a4121746f1a320c20495705501b0296ad32e0bc24962150ac8822369494a8cd18f99e80d0

C:\Users\Admin\AppData\Local\Temp\OIcS.exe

MD5 7fc9aaa7a856d2a0566c3433bb1cd4c8
SHA1 1572a086a9b7b13f89235fc4e276cbde7735d8dd
SHA256 52d8c27c03b657a856223a234fc125cd7938650b1aa55a5f5488492b1c53384a
SHA512 fdd998839d849630134b4fa67158d8dfcf928f10b6d89abcc6c8c8b05c44e8e9cf6bf56d5d25dd8275dc6de30f8337c80ec55daf728115a6b8f0e661e73e58c7

C:\Users\Admin\AppData\Local\Temp\eIsE.exe

MD5 94530ff366bcc1409e96567bd71d96de
SHA1 f255c2f1b3c00742245c5df973c8dd164789983b
SHA256 418622bea801ce593ffb0950fdf7bb86bbaa4ac1ec8836fa42db7126367d8459
SHA512 96f2241a74223444a4de7d3a7437d59d45ee4a7e146cfcaa5a663eeb2da897487d160c5c82d2104180c51c39fd8e569676cba0d1aa6d016e2303335e205a9ca7

C:\Users\Admin\AppData\Local\Temp\IIog.exe

MD5 f76f88f0ca7e555fbf5da3b4ea5335a4
SHA1 eea3879cf6bef7e78ecbdb4f7a39e4d31b091a19
SHA256 88c66599c5a769dc0cb2ac61d9344d64a8fab75d95583f02083470e04cedf8a8
SHA512 4b09ba93915c4015d233a9f3c49d0d9222cb0dae21bdee9b38209d4858e1a2aef1d5e162c62c403054f1ac093360712f219f88d7b2a8cd5359066ffde098a772

C:\Users\Admin\AppData\Local\Temp\UEMc.exe

MD5 6176adad89f37444a72b39b3779c5e26
SHA1 51e81fddf787d31b5a7394e6b9a6f794f8b22cf1
SHA256 7892e2f474871c3a27dd321395f3f1a80606d0e8a5210c284a37e4c95af2e201
SHA512 b96795b6bff6b4c243babdf208cf3ebb2b8db9bd8d7e8e43a57353d206c7e09a983d4ecf2ed258c4570587deb02626d63a5cf89dad700335c5f06c6d53d946f7

C:\Users\Admin\AppData\Local\Temp\gcYe.exe

MD5 cdaf31d5dea7984ba63c2d016f2c2169
SHA1 2ffbbb718719af93c08d1b43981692cc026b73f4
SHA256 4b7a8eadac98c47b0eb0c9685fef203899ca13e834b5e7f2dba5eb7ce607a2a6
SHA512 7c4df24d24ac20f3c3afb562a6f19fd7b62b50830c9c61d2fe393071a4467d704c28595e1f490daa93f786fbbd210df4e1ea86021f6bc9bd21531fb02dcb09ec

C:\Users\Admin\AppData\Local\Temp\okcy.exe

MD5 53d3239b3e977827a17eb612999499c5
SHA1 ef43d294dc0c17c73817603a7ace4b6f717a4e86
SHA256 591b7dcfbf1981e5a40dc6436a3578825e2eb935373fb1ef837bfe542a8664bc
SHA512 500dab79e6a4177fe275ef3d2b4a260c1fbe7cce0e7327c9775b9e8a8764b09e2a88465cecc91f26174591d5d9cbd187ed9e06de0172fb65ddcb3b528ee48c6a

C:\Users\Admin\AppData\Local\Temp\oAMY.exe

MD5 90c5f2526b577fc7b2f8f723ce153046
SHA1 197386ec3ac6b759837a4bdbadaf0441ef4b74f8
SHA256 0b4c6440f1c4aeac01f2315d4387a0befacc7ea24e87c5c1ec6a91a8dc568ad5
SHA512 b898f449bb8eb98e94dd940e18d8cba1cfffd27465cbdeebb8d017a47fa8b59eece9e5728fb4836cbe6637533b4db6e51898b4b5807badf66da556c23b3597e5

C:\Users\Admin\AppData\Local\Temp\ywsU.exe

MD5 3a81284a88616092795722bb901e4df2
SHA1 e8aa83f93d0149d3f3a1c716fa87dd5143683eb0
SHA256 e0e9a12af102cb571df4a464cdc791330127d8ef04559fc19df2502758ac9431
SHA512 7bfb5922928fe707b6c7df9a77c7adaa637ed2678d586cf760c94a931c55ab07bef2deda8e76c8926856248fe7c878107c83935ca627f69945a7ed50614962a8

C:\Users\Admin\AppData\Local\Temp\YwEo.exe

MD5 b92d68c74441808f2dc0a10f7fe06c41
SHA1 7ab3891692585bbb1b2cd8d01b186011f8c98c1e
SHA256 9cbbd660604da6229680e66fd44f07025eb87ad3b0461bea1fd0dbad42120d48
SHA512 09312eb2462cd099312e55e0e751fa04532984b8b950f9b85b8e99ba8fed69f3340e66d65fdad9e9b5536ae30f7257e5d52b7578e38e2235eef13dc97ada1262

C:\Users\Admin\AppData\Local\Temp\QcIi.exe

MD5 e1b3769a0adf1612781248f972a3d532
SHA1 8f5e9fc48e9335e18ab10b4b529b49ab8cd473c4
SHA256 55107167fbf782bbad1818e69cf40fd332f249485250a7c350d9c2a2d98fdf32
SHA512 50088f1b65cf2ba8ee2ab805507bd0665fb0b506fec0933b0b6df1d4912b9ddee9178212239c9d8a3d0e9dfd05c34c396be6959d0e4474b7fb3043f34d573231

C:\Users\Admin\AppData\Local\Temp\gQYgsgwg.bat

MD5 75e9fed9418ac58651ef506f72535d9f
SHA1 07f2bd85926b47161edd9b012172fb1f0fccd247
SHA256 8473da535fa95d48be85e6b509c3c91e58c69c095d3f5d7c648be67de4f4bff4
SHA512 6b6a21e44ad4faf2bae20b300fa17162a3ddeeea799d7e3d0e6675873cba5d11e65e5b44997301139d1d3675dc1621653ed248fffab573c1e7f267f37b4f1718

C:\Users\Admin\AppData\Local\Temp\SMko.exe

MD5 41ad091d03f6f73261d2987d83a41410
SHA1 29537625cde8a38214b5e8eff291cfb983c0bb63
SHA256 90a291f924f50fe31fc89f1e65ad56c1e561d80ef93abf556449c778cca70af4
SHA512 fab8d9ee49dc7a4561d98ad86074a541e209caa32c0bbeab5b4d1d14ae362fb72d070c2f59c11640d40d1f7756b815c85b07b67b4a1afc437725d92b06238478

C:\Users\Admin\AppData\Local\Temp\gMcM.exe

MD5 1067ed2007818107016ef4eaa7dad6fa
SHA1 e0504fde2591c653078051e39358c8f4c792289f
SHA256 2835352847a79a676cf85941321d258268dc50346ab9fa663b3b735d83978866
SHA512 ffaffd6b1d3859d17b1220c6cc06780799bae44719f2d879b7d9d004696827f94279015c6e1fdbf2229d8e35aeba4a3ef6408806c547697c10629b2f62619d5a

C:\Users\Admin\AppData\Local\Temp\xaUoYYww.bat

MD5 2af16dd20b51e5b7f6726c388ad8e0a1
SHA1 5848f3dd46dced38dc037139cd17158a60238ce6
SHA256 c23da2c67af4aed25b80655c47cb12ad03f0cb7e0ec18875181cf869745f5db0
SHA512 28ef91cc1e751266f5684dc2559476c33e3241ae2b809816e8638684a439dc703b9b8df8310fccf7396f6c4625b17335a871fda25afc57986461b8f614990dea

C:\Users\Admin\AppData\Local\Temp\ocYE.exe

MD5 680d859a5d0fb43e9ea904e16543af7b
SHA1 f8e02ed0ab8b2d77a981255bbfacc1711bcfbb79
SHA256 c69974e5e1c5abae4471ecdd0c7b149cef07b390c57a1701a56126ee893b0341
SHA512 ead1c5da2189d84d2dd6259dbcde02d6f28ac9850108adca10eab9b45019c666408d39477ed7d05e4b3a270c31724e31099f3b2001b9ef5c309ea46e71029b04

C:\Users\Admin\AppData\Local\Temp\IgYY.exe

MD5 c92e14c3b4ad093b24c80f62b8d5e259
SHA1 4c3f2cc98e07130863d548be944c7f5b4e714e82
SHA256 932ef11fc56ef178e648f100f06a3330ee8e91838931a7c74e059c75f34a0358
SHA512 65a09346cc423b355dc813cb6be04128220281a4a2eb77270eaf856832b6b42dc61c02fbf63e2a0dea8f62300186ff8b98aeda1d5330e816117682b1081961b5

C:\Users\Admin\AppData\Local\Temp\iEcC.exe

MD5 970b2d59a71b570d41359e09403744bf
SHA1 0f56fef08c272318d007d8d1af5e7015bb11d2b0
SHA256 558044afeb20a40d2964b31a5f5b3850e2212614a44b58e01d149e215bca8b30
SHA512 4fd23e1bc2488a564a4b5d0a732fecdd4451bd1763abbffbb5d62d1b895a453f44ce99a15855a8072ed3107a665cc7c5b90d6505ec407052bb24fa328c736699

C:\Users\Admin\AppData\Local\Temp\AIEC.exe

MD5 a77af1d63a2e614439b98c4831ad3fe3
SHA1 a39cf8cf5e9ebab6e4417c373ae398dd71f21eac
SHA256 55a03f3c71bc9a643d4d4fd1c0dd49891430da4ab7667ad72903e90019b7ed12
SHA512 def9684a21a73433bb870d7f9036f7be29a5f0adc6128ee236429abe2e9dc5a52381b2b592e8578b7ab1144fdda1b6b104be8a8253fba363b6dea60cad933c3a

C:\Users\Admin\AppData\Local\Temp\AYwg.exe

MD5 1eb77a6feb8655d639d05558a65eca98
SHA1 e523e1eca447e505778410e4e2bb9a9942c04b6b
SHA256 ac7a9f58d57f99e6df3c8884c734512a5dedfaff7f9b9155667fbf7c4689504b
SHA512 d11c4de124549e6a1d80ba262425c9b406322fb7d2066a995d64aa787d76efdfef3949151bcc4053fae90b902d5198775802bf418fe68b375f15ab13a58353c3

C:\Users\Admin\AppData\Local\Temp\XmoEcMUM.bat

MD5 1ef8eebc2f798854b85ee7504ffdd7c8
SHA1 f3d09608cf6755882ed64dff68f42fb983ec3317
SHA256 1520c72d54eac6a31c6cd39b690cbc2a5bf78863ab0bbc152980b48441ac8563
SHA512 325811f6bd9f31626558d29540bc1c3f8c023a00487b34ad080075c740d5556b6f90e9ab9e25d92b0cbfc639f613a3011263ffb7e6565f62494ccd5923985594

C:\Users\Admin\AppData\Local\Temp\YoEQ.exe

MD5 d816afc0382e9dbd0452a72a698d3a87
SHA1 028436aa3cc8fff2eeea8d8d051ac5d10f6097e2
SHA256 7b9983ca10244e872bc59d0b801f31af100e70c37737d073a50297d0d5bd134c
SHA512 2b12c8a8725d6e1419311d641edea133c4e1d1f98740760f1edf54adef2a578ba7175f6830c472614efc04517598d5c71b2825695d03476051bfeeb1ce2ec9fc

C:\Users\Admin\AppData\Local\Temp\UMgM.exe

MD5 a53f5a84efab83ab433589275b0d1f74
SHA1 255ced479f94bbadedc541d555d6e79e85439cd7
SHA256 d9fbe8aaedd3e4cc2fa6885c2c9f13ca1b0fa0f5bf625e320545410fb2a5801f
SHA512 048d331d0f83780372090b4a72bc536ace80ba6379446fb138b23a76249b951bfbab39a5b2a6901a02feafd457171f0a6b6260fdddc54fe8cb7aa44cb7852986

C:\Users\Admin\AppData\Local\Temp\qgEo.exe

MD5 bf54e227266f398332a74e3ada724d36
SHA1 63a4b7a98a46a0684d6c2c45bee3306069371732
SHA256 eada2e5210d3b630efcb1a46438e02bab6483461328a18898796a1cb9873505e
SHA512 14a4d66fb1f1f12cbb0a85826151c5a038ae913e013f9c4e644596d2fb104fe4f9d8bdec2e9a09d8bfff936433de5f04fd32ce2d8256b5080c94937569bdcd4b

C:\Users\Admin\AppData\Local\Temp\lgAEQgEI.bat

MD5 ebdb776b385e9279884ae54b010b49b0
SHA1 c834c161f68301f0c96abed0a8ce8ece82adec0e
SHA256 fbe31d4a6e2a230e607c6c5011466d7d776255c6f87cf64f6b5f4b47f0b6b2db
SHA512 578a23840a3660a61b9943ce8103ef5fd92cdff462c1e31a6b109942908ad1b849331e0bb0b9df34963d4c043ddea34fbe487392b0275ae5cdb975e20991c3e2

C:\Users\Admin\AppData\Local\Temp\cYwkEYco.bat

MD5 2b8aaa5059118ebfbf16afebf8a59815
SHA1 4c92fbf9571b934f59f1dd626dde2fc69692a808
SHA256 9b05891ecf1af3cb5bcca78b0c34a385bd4a5ee7d355c5cb7e0f1d2da6b02ecd
SHA512 54f98710aa494e1e2f542bc8802ae12feea83c78f5a041886e0172270647b7328633640545d1a35a9d67b60a9c08f3e0dd96071f1593469587922b3d1e7143af

C:\Users\Admin\AppData\Local\Temp\VecEQgcA.bat

MD5 509919dce39022c8ea9141d946196e19
SHA1 fc9bd5f5f4b0d653865a26fefe2c5d53fe43de8d
SHA256 a4da864844475047ac9c72ed44e1f70a4d25d8d16e12628c6bbab136c241355f
SHA512 39a43f462afa1745c14157b8a4f9afc75fecf5da7d2694cd6170e2609bae5205fc36ae1664b4d47ed0cce92e5c141d190091eaa6b9c2b44c4a43c268ec389a29

C:\Users\Admin\AppData\Local\Temp\gasAwIwc.bat

MD5 02b9fe178293fc358170954a91f5740a
SHA1 1e85130e737bb4e7d4a9063deed1bdb8c939a514
SHA256 af8aacc364b92004d1354f60688d304bc1da6cda0d89631ea13537adf57463dc
SHA512 9fc6d63172717a9d7e17a45375925484199a8f432d3611c062c299415d1276896911d67f0589ace2e1e4c48d346c88e2197271d68845973dd9a74d29bc896713

C:\Users\Admin\AppData\Local\Temp\vEkEssUU.bat

MD5 d3f0d732ef0f214c62bfb8a6d09ee0f3
SHA1 adca9f7fe2846d0990ddca4e5182d1fe650cc23d
SHA256 a54d0f70eedbcf72363c27de81fb73d1b62110cc6179c92208dc5416cffe9b0f
SHA512 96db782a4457e106bc0afcbba5bcac404fe81ff24fe671eb96703d17f70b00e146f0f7b28db12f8c25514549b0624fbe987f86628f131668cb956f1a5d5b8c6e

C:\Users\Admin\AppData\Local\Temp\vGUkMoAA.bat

MD5 2e7566b28045b43120e4132c924ae2a9
SHA1 566e3478654b3f2f38baec843211956d86488e18
SHA256 e48de938f04ef4a7d464fe7437f7b9b56d713645f1cd553955d2c91c662b3533
SHA512 2d0cd2a04640be7c6c1db478b25fde0b6dd4619e34db7b02175fd87fb5273e49f088221126e2a3edbd4f2ca96f16ff6ed93409550b3eccfe3be508eae13c05cd

C:\Users\Admin\AppData\Local\Temp\mKckcooU.bat

MD5 b279cce4f9c854fdd6b890fe75c06cec
SHA1 7856eb5d4033ec33b3bd283ac28c0253a730d023
SHA256 6432a1ba7352bc9b2673ebb55a97fa0ad622041a726e943bb3caf5fc241df711
SHA512 2c1fac5f7da4994746219c2d06ebe3b8ba86e55372ee44933ee7c0cd44475d17f078846b2c29841d89ca616993acb3d9a3123bcc6e5acffd2f2d2b45efce4a39

C:\Users\Admin\AppData\Local\Temp\YwMgIkog.bat

MD5 f0b69a80a9efb168d94b6cc0ab463697
SHA1 7d0ad23857b54a529081cbc00a86b41dc9a41dd3
SHA256 5b27ff6fd7227b4330225d9033b67a2f205f6ce414918b9b37f91748fbb3065b
SHA512 da41ec43c787e61af96a3aabae24cfacaa921a67d847327d95185906f09b123bb00e315b12a64562d34cff79571e85de17f0b02612dede3a32ac4b3091c84963

C:\Users\Admin\AppData\Local\Temp\cYkK.exe

MD5 9bfc2f3634dfc0fe5eeb676642e63cbf
SHA1 ee3a112236b76849ff22ef90a9e8b8dfa613371c
SHA256 282f85a8b6dd4de787fa552082ccfa3ecdf7ba453cd56a4a2d9d18a58aeb7d76
SHA512 9f00875f664bcd4623cfa6a0f85942a6a70bb0da6b803aa37f6126d13b2181b5ea52a0bdd95093292ce605374e5cb7eb8cfe6ec5aaee5b55c87a667c7a96bfa1

C:\Users\Admin\AppData\Local\Temp\tMkcwwww.bat

MD5 44de745e609b8d4b0b09b628ca040c95
SHA1 90283cea3e6a3986b0b1095de0cf050eca9a363f
SHA256 9f61d6bd6c74b2be4b4a6efcad5079a55a05abf848e9c7c5002ba3cc3978288b
SHA512 d9bdf6a761d7cdd86d7d3f622a741fb50e4065e6a98a854b1b483feadaf6351fca0978bee9f1c99d334790bf762563740314b7515ede6165575bdbfffcad8860

C:\Users\Admin\AppData\Local\Temp\sgUE.exe

MD5 9468df0e5cfc2e9c0159e05092ba04c0
SHA1 ded1d8b2716535b277e49b4aec0f30fcb1373874
SHA256 64458373d0bf0126986597522a61b2c55b43a32fd4683b88f8c45a63abb904d3
SHA512 55f9e7d598db553080ab1658925a1ce510051eecef31ebb75fc8d2256e8c1313f8bb54f55f598d18801344102ccdfbecb34efc72bd646dad39874c7b45726c3f

C:\Users\Admin\AppData\Local\Temp\eEMG.exe

MD5 48c9c3303b8b56c315ef8be327278389
SHA1 3d7e3f593f163537db4296661b1cbd3463bbf3e4
SHA256 6464751fafa76cfbf7d5fe8688b35affcf81ecf941c54b2a93394682d4c9912c
SHA512 49fbc9479e0011f323cdb9aacd00d042c81e3eea5c3d6badadd5b11983cca18bbeedffe5e5b61f7668d29575909d47adaac19ff155c42d8010a96a14c604d278

C:\Users\Admin\AppData\Local\Temp\SoYM.exe

MD5 f40a31bf4e521ba83d4f4d23eac4c42f
SHA1 afe94352579ab4d795ae1a7e0ed1f5ab3c20b2e9
SHA256 e3cf722a693aabc0821d01fb43f6d0189929ef3165d15784a457670ac60166f8
SHA512 5d734745c4ae868ca095924769b1c1fb8352830af4ed97419d9cda800e69239e69e75c156ab597ed7e6def94d103759cd55350ea8d97d014af573ca3abf62d68

C:\Users\Admin\AppData\Local\Temp\Wowk.exe

MD5 a0369e43f6e050c87511cd1c8edc0be0
SHA1 a30e31cceca2d20a643c35d9cf13bd6a410bc391
SHA256 f51e46dd4e4632db392e2621a9ac7c6e7cc31a856009a50019e49f1d0946d0ed
SHA512 f13d00aabf9983e38bce269def9870e23197a2c0bcac8e322c83fc21558107835dee14fa3d122b0c87e38da381892dde6e35fbc33e6a34b74d05b6b1610a29d0

C:\Users\Admin\AppData\Local\Temp\IsEA.exe

MD5 48d0e0bf76b406a5468f6e418ebd0995
SHA1 c135ec0eece36fd32fb4155c7d56051fffe3913e
SHA256 fb10068dc94e42984fcfacc49fd8b7d39b91d5532bd10d6c9780f53ef79d0a35
SHA512 500bb9c8ea0a2d5d9082f06f326af66a76279986d2706572616f2186ae9e013301c16aa2195e6785c77cebf7bcba799ca1a7ba6be382603da1e1288db02e1790

C:\Users\Admin\AppData\Local\Temp\sIYM.exe

MD5 b019ffe0976f023382c4dc7d36fc4b08
SHA1 876a76420b9fe8e7ea01274a5d3fe6c239a273b3
SHA256 fb2092be6d857fa211ad49540ded2a062825f2c25396a773a1540f5f8d0d7c83
SHA512 041158528336339c30e6533d09d780c8d2a8d6c9ee690bd0d955e54b6a46e8c9cdc0c864b4b05902dae0380dbbcee5c94544bd08a763d31862e3061d082d8841

C:\Users\Admin\AppData\Local\Temp\wwUY.exe

MD5 c3711dcfbdba27aa2f4d7d730073a431
SHA1 314d72461d94bb13f6fed12b5d17bba5fcedde8f
SHA256 aac0ccfe937dbdd2378e042d1b229a30594458a2163faf351773663a529e9617
SHA512 6160c2ae5bb2f9dd7064e10c1da3879be2fc77d95b86977440d23a94d6b4bb0f4687a3245296c8d494247899754e6df3ed8c478e3b05475f9b2e47ce0d712bca

C:\Users\Admin\AppData\Local\Temp\aYwMEcAU.bat

MD5 8041180c15b67baeabcdf35f16040e2e
SHA1 66a7f9aeb085f56da5e1c4e1ab0c42d8c0fb55a5
SHA256 3704a9da428bd00f1eac7e214e4f22b09a25c6ad765e7c3a5bbe6f914b348e9b
SHA512 9d8f9985815ff9d380b0a5d9843202d069048e314e5dad75c58a04d7d7626b24253ecda577f5d2aff2d82099532a5c9d7aac7bb83491f21a703b4a4c4a601872

C:\Users\Admin\AppData\Local\Temp\uwge.exe

MD5 c0f7bf4f62239c75470d9451766555c1
SHA1 4cf7fc7a574399795eca48528cf3d57c12d0a4d7
SHA256 528f15d6f66e0d527d29a61e21e44457cb813e3be2233dc8fad96adb846b845c
SHA512 eb78fece4d7528b1eb7b63e535467b61680f5db5c466b87754ae8f9bd5a8c05579bc068cc666a7e82b84d4172b96ff30cae0a7bdf584800fa36fd2616d13721d

C:\Users\Admin\AppData\Local\Temp\gcUw.exe

MD5 7e8e9774ae595e91ba8feb55b2ba12f9
SHA1 a2bca3c2070c53b4f621d036ab9756cecb8cf285
SHA256 7f605f4b24ff601b7bd77f706f3ba09f96b58f0a17b05821f18ee59701d70d74
SHA512 9404cc1dacab30422e3a65198cc9e58613be3c35437934ed7d6837a482dfdb054c96394ca7134d8f45762759861bba3fa1ce8f5c11daedf037a91616b3870351

C:\Users\Admin\AppData\Local\Temp\kIoC.exe

MD5 ec3ab03ae65890eec431a61d632e90f0
SHA1 f389d3d49cdcc3c93dfcd55ecd24eb7754950854
SHA256 2984e37fdd0c1022583ae723f995b45d9ed7fb9ade1c948bd6a269cee6ca612c
SHA512 8aa617a81f5fc1a418bd124e202b359fb4179d291351d154d01b180f2fca59908e0d1e2211bc9f3099dd743ba65e8a4a1a31fcb6d73e1289b950ab32b497a5a7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 ac0a0d49b25519fc6afc89bc8f123222
SHA1 a066c16fc36f35900bf9349a995ece142247eebe
SHA256 a7c972a2295eaa1a5edc216836cba37a31f0119c880a8e9543cb021dbfce0405
SHA512 f4dfd3de1c03a2409714071b7ad2d07ccb447de090c78f2d9250e6e65e902c9bdd2506bb6f43b21b11c9747b74bd14cb03903e13d822c4333444133839365d19

C:\Users\Admin\AppData\Local\Temp\Cwsi.exe

MD5 feb488d181b8fc8868ca15bddfd69d92
SHA1 dae7b45a19fbb6a06eef88e8e36508c452f7c052
SHA256 cf26b2237aff62694d95e71d30323a43f8f7433aaa81be3c0093200d0111dd18
SHA512 285dd5f3d3f29055f35c661fe94466ba280ccffafd72348734f1faa54579035b0df06fc7874685e2cfb9aef2cc206725eebeab225098dae5bca8e1902e0a1e9d

C:\Users\Admin\AppData\Local\Temp\osYG.exe

MD5 1baa71f614b3ac844af56f5e0349b165
SHA1 c0aec1cbfb4dc46af9e30b75e930ee74f2342287
SHA256 11b96972187035a1ceb74eb70edb468603a24fb53fe0af295fa09f80b3257f8a
SHA512 fe63afa678a5bc8ec1b2d8fd7fd22dc11e5166a4c389b6029d5200dcfc5840ec2783a5fe222f76271f5d52eaca6ea3f511cab70e54d86c0480a50fe95ddf7af2

C:\Users\Admin\AppData\Local\Temp\UMcc.exe

MD5 2bb6139914ae5d57570a3d06ff35b6a7
SHA1 6635f92258ba9b2aa34d108c4e5c3cadaf49d27b
SHA256 6d03dc07f4fa20e677d6a427a2ef83a97ce083accb1ff278dc26291557dc5b41
SHA512 e45608a855c1d6a6cb960e531f174b945f585a70f53449123c161faa67470e17da4d94134793fa7285a8d53b49cba978c5068a2e1c43a742578f3c2df3e7274b

C:\Users\Admin\AppData\Local\Temp\wkQW.exe

MD5 e4c374c577cffbafad568ad4d5b76e55
SHA1 46fb90b740ed342000cc7eb9182e9cf14693f386
SHA256 8c4f8970e12047d69abb4d0a64e8945695e5d9f32bebb17f9ac8b83c2a564949
SHA512 ded4ae4f6db3080e45ff29c1ac6a0f095d74d1ff3102b1b98788d0c3bfbaf15909d9321735bb74a3510a226ecf228501e1999c67e0028001096d3479917e65f2

C:\Users\Admin\AppData\Local\Temp\Gosw.exe

MD5 004e5113e641d08a2e2203324f5fedbc
SHA1 b5c224db5e69201eddb61831034311596d2038b8
SHA256 f45f0bbc213de1932637c13fdb346e073a5ce26480e51b2bcfa48a6f3e1959f3
SHA512 a188f1a8c8ea11c5a675496f2e01274c843afff4a5719a065c3e1a555abe2612bc6f15ce5c12c3ea2a8bad8268d81ff3583b412ce2f48182d274698f1ff30096

C:\Users\Admin\AppData\Local\Temp\sIAE.exe

MD5 12302c4fbb0168fad2e9d95cf6dcf4a3
SHA1 cee2cbc9002363a84d632d8e1a2b1bd04ac8ed13
SHA256 dda6e828c3a41e2e2f3a0e860926c544f7972fa046aa8917def20a9b8b72755b
SHA512 dd1e7076bf6b81c1f11f47f3fe605511fedce1107b2549a016b181a70d6816beb6ac993d1f08cf9c0557215ca7f5a489213b8f2c3d724112ff73d9ee16d5ca57

C:\Users\Admin\AppData\Local\Temp\SYYu.exe

MD5 ab60d4af299c68f9ed44bedab90f9771
SHA1 32c484be370716098c03bd156538dacc316bcbab
SHA256 3787e33e69ca758143f9484b6521180926d3778fb838ed7c52bfc79f42ee65c2
SHA512 569d36e0b0acc5c00dfebb62ee44ba606049abfb7f2b53914947da57849e61d4ab5f054a40850fd740d946e53221326b0422780a2fdeb9e9ca612a58651a0ab0

C:\Users\Admin\AppData\Local\Temp\gkYU.exe

MD5 df690062139d94fac2e44fb5b1103ea2
SHA1 00e48ab9f9fe974ec63ce47aec28bc34ed845f7a
SHA256 54ecb816efcd7bcde1abcd4438f112965a88758dee815203304967b6e4458408
SHA512 f34a705c0f9c0c8d83eb9033bbebebe8deb47566743e893002ab9e526602bebf7331f484c9f81f86ccda499a35d62c382d4ab32a734a76b37b7b559368751d29

C:\Users\Admin\AppData\Local\Temp\YQYK.exe

MD5 f909340870428335884f3e1b30bd66c9
SHA1 fce7779f8e17b8dc4c985355ca156d7f41c4ce2e
SHA256 bf41c509cac3db3f6ef1547c83903190b3b1c7c86a09df015bf340292bc48af6
SHA512 227eac2fdd341512a2e8fea599ba78eee400c3bc9c752b81fef53e812b3f06f326dfc1b9cb98cb88b7112203ca497372d51060f9145ff39b203c1a880078a971

C:\Users\Admin\AppData\Local\Temp\wAom.exe

MD5 62c2a4238215fd5e468b42e00080faeb
SHA1 644ac43f4ea1281d6c5d9a2211e8f107b1ec9772
SHA256 438f301a720f3d840e9a4fede240da9a05380d415fcae5ed951956add2e1fb7c
SHA512 8f1d4f65bce84b5388ba9173337669e7b34106a47f1aced1612992f0539c303d580ebc9b26d22ead0902be0bcc86dd19035054d10f8e5ff424051969c8a37169

C:\Users\Admin\AppData\Local\Temp\WsQi.exe

MD5 0e09512e1d812fec588b034fa661a88e
SHA1 e204012009524463b0ed6d23474910456d2038b3
SHA256 35c5674c3ada29f0c0160c7f0eabcb6a3c6331953bd28630b9f54c1047f39de1
SHA512 7753af33d4d4afae48bf1aa33a435ea8dcbae3d9acb43acb74ac88d2e6c3a5662288e7c098266b0ff39569179ae17b902a87f65d607b7eae4b93c197fc0e5113

C:\Users\Admin\AppData\Local\Temp\OgAm.exe

MD5 b635c5461c9e988ecdf61f668b2ad8d7
SHA1 b4e9bb2433988d601f97542b003c06e42c84131f
SHA256 f3679a0c4043a6a112c650537c7d990067864ad533fe878059efd53ddd55464a
SHA512 cc5ac595a85c95ee3557ea8142c02340e37277c3a4318176ee5ae5298471cb7c6e17e69c7e27a623f33c0bea7a40572eb25701b158778ff528083fe5df671100

C:\Users\Admin\AppData\Local\Temp\iIwu.exe

MD5 c681424deee0fac343a46623938a5d55
SHA1 e9caf53c9787dcb35439f7f7f7330e5123041bf2
SHA256 ec2d63e50da9832ccb5cd9ca18249192c037e8abe401ad6355f5bbb9c13f717d
SHA512 806da8c117dc74adabf8a39ed4d8a32222c824f2ca48e25a0ffaf8d481790ce8b2597b41d2070cca830f3f9b453508576daaf5a142af033956f034e3aa483501

C:\Users\Admin\AppData\Local\Temp\gEYG.exe

MD5 88fcaf3f454b9d716ae5037a7ef5c097
SHA1 57998c937757f087165f0b4c6156cc8f91dde20b
SHA256 a87c97f296c507dd1ca210cfa759b9e204eb0aec0d1d463f6bf0bedf4228ab26
SHA512 d38618997f6a9016858972462420109dda34d656c5c6597a0b7354b0768d7168ba1c6b034d982ca0c497f19af276081339b9ad325688da6bfbbca82bb0ff3c81

C:\Users\Admin\AppData\Local\Temp\yAQE.exe

MD5 1e925cb8779c168762deb15323586bed
SHA1 d3e9f2372dec7aa9488ed0768b2afe334fce731e
SHA256 06dcf72ca6fe3606c4ea615b64e2ae8a22e2f2feaaac159c56e8b0837ba41de9
SHA512 7576e605e7e5b53ead0fc4d442ca026beb8259df86c6f0f335c1ee760e88d00ca760ee2990b8ffc71bbeaacedb0de7bdd852357de80d35340045a0f0f0d3c738

C:\Users\Admin\AppData\Local\Temp\UwwG.exe

MD5 e78954377c4f8bf95c789a9568f19279
SHA1 dd43f2f03dbc1e3d50f13204ceff78a43bcaac01
SHA256 3185cd3f3f4e6eca2ae04ba922e7daec0b4039f3b79f650971ef36b978000c61
SHA512 2c75e0ad02e7be9a9010f76f8f12e0c8456be4afdcaa1794544aa38863d27fc2fbd7f074c39c51982c4335a66043026f240a898d7040ec7e47ed7b6ee8140876

C:\Users\Admin\AppData\Local\Temp\aQIu.exe

MD5 ddd880e5ce4432fe911da0906843a6fd
SHA1 b9c6026ec9da9ef8718629c89bb3ad4e6c8fe338
SHA256 dd340740112e660efbbe7ca088d30ecb81082b23d0acea3c92b4c4f8f85fd246
SHA512 4f14eeaebb50edb64a00491aa429cf044c8edbce39e1e47fa5dd84abf3a67538f50aeea66e9ad997b4275c0ad4172ab8eddca52091d7287185d1ef6065a75e1f

C:\Users\Admin\AppData\Local\Temp\KsUW.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\uYcS.exe

MD5 fbd511c70098ec711199598be01fc956
SHA1 b10984dcce6e7f5bb21f793140dcd5444387efc5
SHA256 7d188a3e98f377796406017e3cf193c7a9a05c09a41eec1c00b602edd4d7321c
SHA512 9c85cfbcf03a2de498c92d8908fc914a81e94a7f9e631fce1e80129089c676f3755a8423033b5fd467bcf5296672ba4bded968ec481aad760e950ebebe6826f0

C:\Users\Admin\AppData\Local\Temp\GYga.exe

MD5 a73675676f512da07f252ed82d23dc06
SHA1 2b4d1230502473e17272e2806526cd8d1c2fca93
SHA256 134ba7b55fa61f76043c7b4a80d3b9d26fc3eacbcb792bf4f0666e39d181f9ad
SHA512 6b25d1b187c97ad087b0000d044d18d96f55368f577bcc2772c45d877fcb308e5c0688077d4a4f241975f33e7dad925d25fd61b17211c49a87c7ee93ecb51c69

C:\Users\Admin\AppData\Local\Temp\aoAE.exe

MD5 359e2dcb5c1a709693b20dabca028fd2
SHA1 521b1094ce9522ab38a3e11d34fad8c38263f129
SHA256 002f1b99428829d514b2d297f17de7f2fa49df2b6f8aa4e79430b9c41ed4ad83
SHA512 29734bfb3587fa016f8807b74a65e45007d54112018b83d920e2dedd5c91605d41003db5134409a60760e2448fb33ed0dc7c936c7875d34f5e1965b149cb4660

C:\Users\Admin\AppData\Local\Temp\QwQm.exe

MD5 b2425c41dfeda69ad0aabae1d1b7768b
SHA1 c7e9e10479fbc6fe23c617732c761c86814d04f0
SHA256 20ddebcea34997118354ac3b3a8810e61f3a52140afdaf84f1aab28de4cf5827
SHA512 65f9a86f5581e75e087b42fe467fa996f34390db5947e088ef977df8c7e2e5040a724464d92d1bb5b618e27f9e16478edf4b2dac7977caeefd938cab756c83f0

C:\Users\Admin\AppData\Local\Temp\sMsY.exe

MD5 9e466da3ea45921da361782f6a34aa12
SHA1 36b457850f5adecedd2f226addb44dd7a718e6bd
SHA256 c337f04868aafb1d8a8385baebfc914d1fbd0b68ad720872b057c2d2c3e6f83b
SHA512 f41102cc3bf727f5bda25ea16b400ea1ce9c72353345282f953c305c8b5dbbcf16655f4118d08ac2245cbf0df38d7720781b5f8057176ae55ad36e7513a817e8

C:\Users\Admin\AppData\Local\Temp\usws.exe

MD5 c6292855f98777cb6247148dad01e96c
SHA1 e653ce4b17ef0f93ee87f287a25a5a93c8f7400c
SHA256 588c52156bd13246616c3abc69dc16b0d22959e027a4f3d53fd9ad84df9deed8
SHA512 a1a67a07301eb519d8af129361978240353e49f25701df06f315f482de521763c947a7c179884009fab77b0060034df2acdad0df90d8aa53653856d57a757edb

C:\Users\Admin\AppData\Local\Temp\EYoQQgwQ.bat

MD5 5335abbaf26a6df9c709fc6a72da3bd9
SHA1 5eb6bf7e82af89ab173436bc41b7bab1f7a78855
SHA256 de74afebccb9147ed84b65fcc828f5901ffa779c0e858c38db735b8f13332fda
SHA512 1e9e5720d08f07d4ae34c8e5c35c2dfc4d927655214919ffb2f9cfefeb3148487529683cf08a0d9eefd3762ca7172ff16cf6689bbdd80fabebcfff53f480c977

C:\Users\Admin\AppData\Local\Temp\AsIm.exe

MD5 ae5fad0b6eb1650d4e2c028fafa9cf5d
SHA1 2cf2bf09228a0b3e6fbda19e5c6e74552d2ab17e
SHA256 39d30d2a470a185874786335002beb87830ed32e0d861535fec9956df7dc5f47
SHA512 2536832010c54e89fff7bc83e895401c050e4b292894f12bca778960f90451e6be6245dc898855b486e5d868b72ac55bc012ddb7a2c2570d72eddc579a7822cb

C:\Users\Admin\AppData\Local\Temp\KQEE.exe

MD5 67741690492429f08698dc84bcd7612d
SHA1 7a2afec03287b74cbe29531b1a415fad5aaa9043
SHA256 0ce11f65dfa993f8105b20df557108fae7e75b198f1b53d8d8a9a8c7277243c5
SHA512 07e9b7121e7cc30ac4e6e88d75f6e3c138bcd241c651b42fd21bc93515be5cb5ff071c694b8f328c15955a37968fe48d4b15fa11be5f5fbe531acb9a5e3032cc

C:\Users\Admin\AppData\Local\Temp\eswY.exe

MD5 859b3466671d8d676c9dbd40151f0cc2
SHA1 c542bd7724cbb9e24899a0f8920b6699202a37df
SHA256 f05f19bf880aaf0ab8437643fa45faec501dae1a8344401c3d7ba96554466604
SHA512 95be732fbc72b0c1fbd0d85848921360124b93d8c336f67e203eccd1a58973964e5e95726b3a2f10aa28743442141560e111092d66a672e2e699b51b52f97053

C:\Users\Admin\AppData\Local\Temp\QcUO.exe

MD5 de2034f1589147a402b609c1772b5115
SHA1 263a7c35acb3fcbe61a0178d6f168003d643fc36
SHA256 4d854356e8417d000fed27efbf2be4b8671109db9baf12dc359761657a8aa328
SHA512 c8fcf75111868d7874153b815518d0a7974e3a0ff67db6ef8ffe0fa6674620c8e2ebf4837cc552120afd17f2b0c939b262e7d79f3c4a1a85586485b9ff980741

C:\Users\Admin\AppData\Local\Temp\CAwK.exe

MD5 c38cf5da7745a3a794e64ed4f4bfbecb
SHA1 f35c11d1a121c8a13dd8414210733c106a53a5f5
SHA256 1509c4dfdd16202ee0096300f4294b4832c34d30949ec1c5d6c3c552a42ec9e4
SHA512 78728e7b95261031b581d68800fd9360c7f8a7ba2da0d3a537476dd26da9f58c4f2b885a16cc3528f31dfe0254789946475ebf675c30113a21cc7172bf20ad26

C:\Users\Admin\AppData\Local\Temp\sUgW.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\sQoY.exe

MD5 533981f0cbcfb02feeed2efa443c372e
SHA1 475303010dd34f799b220627166b197fa6ce579d
SHA256 da3dd1b492cd903296476939eaf5c240197a662b885ab46c67fe91e4442502b1
SHA512 888e9266108dcb70fa374b2a6354db0f396859029e408d4b0a4ee6c15220d13f326837f6b54a9358e303edc54cd100f1319b29257502f4691d02f4d1366011ff

C:\Users\Admin\AppData\Local\Temp\oAUW.exe

MD5 c4273afc06179a70cae0c03a7bdc1ee4
SHA1 bcb2f36325394e4e4f220d405efa3116b285252f
SHA256 52d953e61511a05d8adb580a1b524c643ceda0eedd288103479884e0ef60c08f
SHA512 220f8a03b60c9133b91607bcf53f847443bba2d131b995ebb5d431ec8dd538bb6b707a501ab0999baa684d57053909df5fc1216dc4a0993ae075afc3f6c117b8

C:\Users\Admin\AppData\Local\Temp\ukcs.exe

MD5 d85ca17121f5c4405f21d3d6efec3b1b
SHA1 a1745a6101e91348a15e5d2d2469ae86d0852b41
SHA256 121e1325057a96d2350f37ad9114f9f791a4f2ef4ad879668c677a5aae206700
SHA512 79fa5e3b4c83f8892beb1fc64b89095c44cf8243b3d374b32befeb5d01ef22645794d4cf5f3a202b234838399351cdee59e05d28c48b1d777bb28d36ce3f7e8d

C:\Users\Admin\AppData\Local\Temp\aUAM.exe

MD5 190891a7d7a0983f09adbfdb3b47ea1e
SHA1 ae3b30308b4899ee1d89fdaefcb6f2f913f4daa8
SHA256 dfb4fff64ba3844b689569a26e7ea6a1741db432ffe2e160e129bebafd2b84d4
SHA512 1636f461ce882bb01854807ea7c273a6692da29346ec9abb070af98838d24f547045c3238b5ff605cde5f3395dd3d75dfdeece9849ddcab9207f411cdb0afa04

C:\Users\Admin\AppData\Local\Temp\hoUosEIw.bat

MD5 0d050142b5735bd728062109a839882c
SHA1 a60454357024a507b15575d769efb2b29f50f3ed
SHA256 026693d1060bbc7ff546946c022568721df1f3dce42a006269b868c078bcd2ad
SHA512 190fcb44f8d8e1e8464647279630b181a2b0392c096649e116f11927f2c4789769df7cbf1403b782925dfc2a836bb66904ab8e89ae930d661f8ed1ba67a56cc6

C:\Users\Admin\AppData\Local\Temp\IMAIscAk.bat

MD5 7b0a6d85fa9847dff1218bab16def274
SHA1 0c0b32cdbe5380af8a502de3b4b812661f9522d1
SHA256 7c9646cc3f0e9fc93456fb6e602692f77b364e91b09cf533efa9d7194b9ec3b2
SHA512 cdd05ff56b592fd284031af3d82c8b49929251c58ed3367c8af29cd996fc5934fc3016243f4f5f4e1b65028ca1319287c5efa6641e3edc86556da81385016708

C:\Users\Admin\AppData\Local\Temp\QIUIcwgg.bat

MD5 8d22e4ca96ca922942d98432a091c741
SHA1 13e3864255e54c22ad1d7d5a2d40d3fa42cca266
SHA256 f5bdb5e8d4dfd8a144aef6191740d16fc4b90c114dd25de07539b4e1002cc3a4
SHA512 9695b1858127c8e3b7255c7d3ebb352b9257961d832fd8263c4646429adb650229856e9700f97b76dc11f0d9493939fa77cd4f05787cc3e0f3665abf424e96f3

C:\Users\Admin\AppData\Local\Temp\vCIwwoYc.bat

MD5 370e55425383f01670f9dcaccc9a6ada
SHA1 a9e40802baf76339f0c63c9ec1db7521675d0975
SHA256 5c15050d039f10c6ddfebd5c10562734b8066031a810141c56a7428bebbeb40b
SHA512 2d0818746d4f7fb41145198c132f6a36edf19655b0e602c726de57a9f50ea4c85114ddd52654a5d37d4ae52d75f616a62a90567d806117b8cd586ae0f3fbfff2

C:\Users\Admin\AppData\Local\Temp\iYom.exe

MD5 267dcda39665a6bdacda9a311dc5a14c
SHA1 a233994c279a29bb53aad769e83aa836e0758502
SHA256 e3ba0b87974f50a970a23c0c48ae5987be7825b9c9152d8da1722f2a9c134039
SHA512 7a6effb32dbe9b1cdd1b7d745e9cff05c569b2c892ec2a009d6d286504101f5cd3c38ff17162f703947a46998d470e7a2f32408300400305fa129f26d5f3f205

C:\Users\Admin\AppData\Local\Temp\uEMc.exe

MD5 f13d80928bcb4a6896aa52821adba436
SHA1 cfe0d37a14884866144df99257f47a0280296a60
SHA256 44ad860908afa4a4190e5ca06cfd92055165d64145f8335aa4d9d01eb785fa5c
SHA512 a2c489d5e736380a6bae4e36d9a4d1dce4c22e8e705442debf45e392ea1ce2accf85d401dcd58302849b1c8abd500e804ebc92deaff065e07f8c95e8e8b7e97e

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:38

Reported

2024-01-25 17:40

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe"

Signatures

Kinsing

loader kinsing

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (81) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\FkQAUwEE\GIocUcss.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LgMUEkoE.exe = "C:\\ProgramData\\WMcoIUoE\\LgMUEkoE.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LgMUEkoE.exe = "C:\\ProgramData\\WMcoIUoE\\LgMUEkoE.exe" C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GIocUcss.exe = "C:\\Users\\Admin\\FkQAUwEE\\GIocUcss.exe" C:\Users\Admin\FkQAUwEE\GIocUcss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GIocUcss.exe = "C:\\Users\\Admin\\FkQAUwEE\\GIocUcss.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A
N/A N/A C:\ProgramData\WMcoIUoE\LgMUEkoE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1468 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Users\Admin\FkQAUwEE\GIocUcss.exe
PID 1468 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Users\Admin\FkQAUwEE\GIocUcss.exe
PID 1468 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Users\Admin\FkQAUwEE\GIocUcss.exe
PID 1468 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\ProgramData\WMcoIUoE\LgMUEkoE.exe
PID 1468 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\ProgramData\WMcoIUoE\LgMUEkoE.exe
PID 1468 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\ProgramData\WMcoIUoE\LgMUEkoE.exe
PID 1468 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1468 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1468 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1468 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1468 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1468 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1468 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1468 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1468 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1468 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 388 wrote to memory of 8 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
PID 388 wrote to memory of 8 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
PID 388 wrote to memory of 8 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
PID 2368 wrote to memory of 4000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2368 wrote to memory of 4000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2368 wrote to memory of 4000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 8 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3116 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
PID 3116 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
PID 3116 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
PID 8 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 8 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 8 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 8 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 8 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 8 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 8 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 8 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 8 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 8 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3480 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3480 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3480 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 628 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 628 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 628 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 3304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
PID 1364 wrote to memory of 3304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
PID 1364 wrote to memory of 3304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
PID 628 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 628 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 628 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 628 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 628 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 628 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 628 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 628 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 628 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 628 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe"

C:\Users\Admin\FkQAUwEE\GIocUcss.exe

"C:\Users\Admin\FkQAUwEE\GIocUcss.exe"

C:\ProgramData\WMcoIUoE\LgMUEkoE.exe

"C:\ProgramData\WMcoIUoE\LgMUEkoE.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYUsggQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQkUoAMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSMkkYso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGMMcskg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pokcsQcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgEEoQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GswckIUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOUkIwAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWMsoUEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkMIIwEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOcwoMgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSsIIsoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAYgYAIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQwssAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIMMoMUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCgYQggw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWkMkYUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owAYgEEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEwgoYIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMsEYAQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAMYUgMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUwokowA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amcYQIYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAMIogMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkEoYgQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIQcsQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcEMEYYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSAIMAEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCEswwsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmMUwUAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCcgMQMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWswYcgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgYIgYUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCMEwwcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vosQAAgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYEAwwsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiQIkowg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okgkQcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUAosksY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqgoYkEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAkAkMIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgcUMQgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmUUYMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqAgcMAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOAAowAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgAIEkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYMgIkII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VokckAYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQkkksQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmEAYoAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGssMIYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AosMMMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMgkgUQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWkAMUUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcAgMEYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NiQsswgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiEUUEog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWMwwAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsIwIYMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMEAAEkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcAkYEYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUYoMIQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMgocggs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUoAsEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKMgYAUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmoEEcAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewIUcEQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQUcQoMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcAsMwEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nugYMkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWoQIQME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAgAwkMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WegwAUgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQUEokso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeIAQgUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSkcssgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkkcsUgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCcsQkMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIwYEQgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quQgsUUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSwcYsAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DaYYEUoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaAgcQII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TicEwAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIIgYwwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckwYUwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYAAQAkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMUcwsks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIYkwcIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaMIYgQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAEEooQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsAYcMwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkEskQIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYgwoYAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkogoYQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xokIUQYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGowQMMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsEYIgQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zuMMQQkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CcQAcoUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQEMwMMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UskUAUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv uxCLKlW2z06qm+DqSDmTag.0.2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqgMYEEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOMcMwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuggcAcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XgIcwMUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYkYUIUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IeMEEYow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asIkogww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOUUIEEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKwckQkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jcgUwkoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKEkkAsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiUkEEwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miUEIMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEMIQUAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSIYocsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feMMcssU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIIwAMMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkQIcQAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocQsUowk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAMkIUcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuYQQwMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umsUoQMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buMsoUYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkgIYAQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TysEogQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USIEQsEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emsAkMgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iwgEkQII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqYcAssU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xeQwUgYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.180.14:80 google.com tcp
GB 142.250.180.14:80 google.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/1468-0-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\FkQAUwEE\GIocUcss.exe

MD5 392bfc2ee95d0256dff31576a7d4b776
SHA1 a80955a60f886ebf66b4feb56634c2309fe90745
SHA256 5c9c953b78179b46d1e3f1189ab6802e001521c0bd1c181500f88db00457f144
SHA512 ace4f632fc04de688e9a232a378b6649af38838a4102a792efcf84a74d0ab87987b6e8914c26f894610e9884fdf153876a4120c541539e160dd47837b35dc88d

C:\ProgramData\WMcoIUoE\LgMUEkoE.exe

MD5 baa2ff1d614ee330aface8408fec8995
SHA1 55ed08e2712151ac45cf1e354cb9aad8fd19d821
SHA256 63eb82b906b833d861865f780ea487f357b07f59b863491b41546ff20e49793e
SHA512 1e5db1cb27e120d4c9ea9be072d3a39f6c37ab7bad1dcc980e57dacf3549acf4a4cda5cfce3ff5a2cbd18c54e8aeed993e1c31c53254975774436d1166436b84

memory/812-13-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4808-15-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1468-19-0x0000000000400000-0x0000000000454000-memory.dmp

memory/8-20-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sYUsggQU.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock

MD5 9adaf3a844ce0ce36bfed07fa2d7ef66
SHA1 3a804355d5062a6d2ed9653d66e9e4aebaf90bc0
SHA256 d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698
SHA512 e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

memory/8-33-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3304-41-0x0000000000400000-0x0000000000454000-memory.dmp

memory/628-45-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3304-56-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3500-57-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4252-65-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3500-71-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1124-79-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4252-83-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4696-91-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1124-95-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1812-103-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4696-107-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4936-117-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1812-121-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3752-129-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4936-133-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3752-145-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4632-141-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3496-153-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4632-157-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3496-170-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4532-178-0x0000000000400000-0x0000000000454000-memory.dmp

memory/840-182-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4532-193-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4824-201-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1044-205-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4436-215-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4824-219-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4772-227-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4436-231-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4772-242-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3792-250-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4632-254-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\FkQAUwEE\GIocUcss.inf

MD5 27146e8092ba01f097e01503cbd0f5dc
SHA1 e5eb9a5e4659e7af2e2531f1305978be0a5b0d01
SHA256 d955139199d95fb0fe4bcbb5edc1d6f0a3dea94ed03ee510491939e64f953f02
SHA512 67cbe819e76af6bde0a4764bbcfb51f9b5bfa12243fc54ac952401c104610a92703528a7e455e8ee08d95f34a9fc844af26d1a6fd0dd5c29761a12ba86dfcb52

memory/4244-264-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3792-268-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2064-273-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4244-277-0x0000000000400000-0x0000000000454000-memory.dmp

memory/116-282-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2064-286-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1556-291-0x0000000000400000-0x0000000000454000-memory.dmp

memory/116-295-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4168-302-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1556-306-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4168-314-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3744-322-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1636-330-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1404-331-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1404-341-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2296-342-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2296-350-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4416-358-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4968-359-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4968-369-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1556-370-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1556-378-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3708-386-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1856-387-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1856-395-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gooc.exe

MD5 3cf3f6cb817acd082dbd569034782562
SHA1 dfc3ab3a77338f5399a6b7de37874fbc2b6e3c00
SHA256 c87d881f4ae87a9be069d12318d99963778cc20bd1537c54cbbb369cdd0030dc
SHA512 cf3fb57abdf3d086d3034cfa3f41a9f6ec02b9ec7ce8301badb6f91d5e6aad8943f595edc7e93dead851ae0c6decfcd455958c2602b1ca5d8b90f167aa02cced

C:\Users\Admin\AppData\Local\Temp\YUom.exe

MD5 b21450f68cdd9a9e5c684abb953bd3d0
SHA1 835ee63bf08cd6d254ad578438f13be323dba1fd
SHA256 a26cbe9649a3a3e60757f0d7ca31bd9a470b46aed82ff98a674c027be7ed9e70
SHA512 3db54518d7c13e440e1267b2acde00c38739c7bd2a88f8f56b723b9b63ba0c567b889199f0fd8c4a8cd4f2d678b35376c64e618c59ca1b505db215e8b5111d80

C:\Users\Admin\AppData\Local\Temp\GEQu.exe

MD5 d92cbf58086418b8c8109662d13113a7
SHA1 598eddb0f929c8de107c0562305260fa4a765a76
SHA256 20516ab7db5877011db5c0258e5c7ac6bdf3b7a553db731fdb069d86b8ac374d
SHA512 de96c7dc70900d597e6ae5c850c4292a2f7f7907ef074b85baa5b02c0bae571f72e8e1ab18e88e9fa6e7d148069a595cbdf19bc287331b6b03eb122f5cf3696f

C:\Users\Admin\AppData\Local\Temp\aAIo.exe

MD5 fe3949424129220be8aeeeae19fe45f5
SHA1 1ced2c9f4b9672f26e3689319512a193bad80762
SHA256 f66536b7c6edbe0f090bf3e7015e66a4109d062bd832a509d3915815e299b4dc
SHA512 029540b54b881513cdcf50af1215cd67c6aae7d73fa19a5c67764cc2cd0c2e3133690af75e50c5e562e340be6e05ba942ab0e5737ebd9c325d25efcc0eddbf8c

C:\Users\Admin\AppData\Local\Temp\qkwW.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\EgYw.exe

MD5 3d879083b85fd312c5c16b6eeb350775
SHA1 4a44b597360e02cdc1632f9c6019ae7a66758b3c
SHA256 0d55c19bdf617dd7db14873441e8d26986a761eb6e671e1c6e01052696ca93d0
SHA512 c0f5daf2d25f00266ac86d1931863aeec1a5a0de9c255f3e893ede1c083aac612db1b214fd1a1b345a9258de9a2ed9af225e590ea9ac60217f55def5733bb8d8

C:\Users\Admin\AppData\Local\Temp\eQUa.exe

MD5 358169dee32b1ae05fe78e3f7075f5fa
SHA1 204b15146eae9a6afb996d9fec36f573aeb41562
SHA256 6880147c72c177ea6f396b4ff40d9d4af8b6ef7c188fd7f51d30f5c9d565090f
SHA512 053ebcb046693548106fde7111e8173d9d818b1713eac7fa14fc9225558b93c65e73be079a794369f026bc7af281c3afbcfdb15f3286a907448427700d9a4933

C:\Users\Admin\AppData\Local\Temp\ekQM.exe

MD5 fe5acc5f7d7f96ae2c0062bdef02693c
SHA1 6255fa045e217fec406f332dd6061a0f354e78e6
SHA256 ebe10ef698be975303890f151a0c60c270cf7c15e743e4de3f84374b744ce2e2
SHA512 90e306cbdedbaf33c29d8a11b9d50ba5b9d8c84baf4d374ac724486a71ea46f1ea65abcce709d122d4cb6c3558b8aa59e74b764adb8fb7c75ffe80c8d05b3d6d

C:\Users\Admin\AppData\Local\Temp\OoUQ.exe

MD5 b1b1a914c5e858223b1dcfb6b3314ed8
SHA1 45c6dc44df765826bcc773366d28aacf5964c966
SHA256 3daaa77189c70232c078bfa1d77d14318117287c7d3cf21b8266c940d546da56
SHA512 b1a543d8335932ec838d4f5f415b0962421cef9ad1020073a3be56d1b82c910f73855ae827939086d5ad33a07ac3ca88efd92a5f362f9e85d0d36fa21dcd8e77

C:\Users\Admin\AppData\Local\Temp\GkAm.exe

MD5 3c8c60779a9de8e468f745c166c292ae
SHA1 11ccbdd50758b8fbae3d93311b20d38f387704f2
SHA256 3a1bbf23f35f4489de8ed19205b65c45120e6d336f3a02c817a765aceb2085f3
SHA512 b8f02ecefa2cd9fcbd907c80a1071235ee2d2504546f40cbc61f1db703a8080cb3418b90f533def9f26b6223d08e8954b46f634bc7527a2c4940f4d20a12b452

C:\Users\Admin\AppData\Local\Temp\CMEU.exe

MD5 72e05eebbdf9221478dc2c90c89a6359
SHA1 898dffd83684778bee368f24f1ba3b4def99447d
SHA256 95a46f7288d9f5051da47822f5f4b97493e6bd13a62c70cd37a0f6afc2106860
SHA512 4f53433add3d53822b76041b821fce1808bb8e344d07cff4f5d5cc55e0f6ce4518a5b645f27bfc10c86a3cc9ec64013f2bafa40a199218834a944d7892520cf7

C:\Users\Admin\AppData\Local\Temp\KwAe.exe

MD5 4d0f969c38d42c1f974b2dd5a44651b6
SHA1 a902ebf27841a09fc7404d0166286c5b545ccd3c
SHA256 5d158f1df954038183c1fb1d2462fd81ba01adf820f0b8c393a9ba5cae06a967
SHA512 f81726e34ee1c03113e1303f20c05a51d33044ac8d415222524ae69121bad168837d768474d3781bdc417e7bd669694fa8334fd56b6bafb7019a31ad6c2b8717

C:\Users\Admin\AppData\Local\Temp\ukkc.exe

MD5 cb67e3f2a2b1dbd9c900d92824329985
SHA1 d4620bb1e5308a0c0665ac0338eb2d196e1ede25
SHA256 db032515ec0d7ba3d7885f86a03c262cad98e02cd6ffff3c510fa9a6866d7113
SHA512 0a46fcaea31ebb9e1622ce01f70887d991a73388767de58245bf8f92256cf54b2942772d58d05219f382221c177c09115d7101dc9c35cf88584b63c99daf4612

C:\Users\Admin\AppData\Local\Temp\KEkO.exe

MD5 70976f6f843167c2680225d8c56b1aa1
SHA1 e8b1b1a1487890a8a802da188a9ba56bad8760e4
SHA256 0a5cccaf00e176463660750ede912de3e5b1cf7cb9228d6e8230af85595a75af
SHA512 a126400652e27673d1b176526763f4fa56d89235bb65f2c9278f0511684792279c05ad42018cb022ed4fa0e7dc61c080883724d9c747730e43dc03ea68de84a2

C:\Users\Admin\AppData\Local\Temp\cEUy.exe

MD5 c0752b19c7e3cd8806b98de64cbd1034
SHA1 05eb4c7e26fd4d1ff7379fe3951f527bbac27139
SHA256 4dc938d4b7dba6f1b436493f6bb50be3f01a534e5b8c33a3b7da4b237a7cf446
SHA512 bf1926700f960f6ab0423adc65f21de61174e6ddc23d515d68eb91c1b92529e3238984f2161507f4007c04e7d01c3597860297da5824fec04dd6aeb0638869a0

C:\Users\Admin\AppData\Local\Temp\YIwA.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 5620b88b71da37271a54428afe4090d4
SHA1 64ffe6df6d04e0e3e00b3c4cc84ab71c0da5673b
SHA256 9021fff046eaadccc75ffd8534b0025fababe069e59926ef5eebff623406c1ae
SHA512 65c1e56b9f12bd69c28340377cef47a25475c998e8919d38647b330d37ae56831141e691c78d5e21c9813dec1987d6b99e8a27d97bd7bec4d305ff750c4127f7

C:\Users\Admin\AppData\Local\Temp\cssc.exe

MD5 e88bb9255f806c48d558d8569e6d055e
SHA1 327cb9f03cdcd7c4764313f01c384389ea172bc3
SHA256 ad56148a963d5b89a283c061ca3a77080882df5a4c8cc296aa71a2fc75a52c95
SHA512 1a8fb0d2f3f2ad446b0a6cc412fdc0e367b78a9d78797cc90e99fe0646363ee2694dd490b983be8385b33978e3826beedc1fbadea4e78807060f128e5578dd5a

C:\Users\Admin\AppData\Local\Temp\AkAa.exe

MD5 f96920e6b995efc764cbe3dcb7ddf3fe
SHA1 3c6e5b2a0c60809442a51e2044d9df4d685f4aa3
SHA256 b3df55e154d664ac679c9ff2ec14bc2c1b09b5126bd2d37875269a1800b2253c
SHA512 da4c8c2a585e9310c55938dcc29e9873ded6f2d7bc1039c1c069b959588a2e5dbffcbd58a58cca66a44d1da882b47be549b63f43d8ff9436dc95a6d0439c2bb6

C:\Users\Admin\AppData\Local\Temp\AAwO.exe

MD5 e8565d41d064d9e603e26d1bd6459b33
SHA1 d2b154c1a07fba774cdad8ab225a2b7bcc9ec3cc
SHA256 93d8c02f515c0b5866af9838a5742cfbc702c0ee3c8aa4bc589093f43e9e7269
SHA512 b0c6bc105724b08b25464b847a01735c6192bcf1e71d188958065f780d2c7d561c95ff22f33ca1ecf7827792be879bb840eea7f9ac3a111113fdbe85904b1083

C:\Users\Admin\AppData\Local\Temp\YwIU.exe

MD5 1035ea6df342eb9fd20461c8124182ff
SHA1 102cb9bb8b6e1e92c8138d439b39741488078e9d
SHA256 1505df6990bd5112be9e9711cb3b8ec60c68608966464e90e1d93bdf78eac64b
SHA512 eee24085b8337b2b1bbdab36ebab265d5de4e56a900cd1c558de45f307611f67f906d70e56627398f27e79da955c5d084637ac86bd56a6c25f2aa5a04d6660c0

C:\Users\Admin\AppData\Local\Temp\sMwi.exe

MD5 8fc6c63f9456f444e6cc521bade4dd32
SHA1 4bc01dfebb2d7b422440f244daec2f9cf5e6ff8a
SHA256 e0b1ab526ecabbf68f951a0f7a8076d300d31150b2d25b34f904b6e7fbc07365
SHA512 fd326f359d8a80458c48ccfb11118f5c721b24c89648c871541d3e32ff7493fe87a01f8c13d59c2bb351de49297493ce5ef00517df3aac4c255ab899f766f26b

C:\Users\Admin\AppData\Local\Temp\GwME.exe

MD5 4f199d9b013889200b6a90420ce5011d
SHA1 9f3277d0d5d022c9ffd86c7052dd626612b0dc9f
SHA256 6495f098bcb9b74f1f4dffa94d396c5460d0cc759130fe41f762a0e7bfdd502e
SHA512 0376fff85273b20b40dd2d8d32fbc6efd72c0741bfc83bc8fa95f9e83ddd5a306014ddc1fa2fafacb81f4976be6ff856d5d2934a6dc8f24b8fc3ebfa218d1358

C:\Users\Admin\AppData\Local\Temp\AcwC.exe

MD5 ede609fabdf03d562dafa081c10bd6f8
SHA1 5dee8c931c10e997b6694ce6b643338c859160d3
SHA256 298c0509768c7549ab70a071105217302841991a2755184f387ddb3f52454f3c
SHA512 74ee72c53d715e676b947363e3902a66e25413d887dafc52dd5d6a65d362b3f89d2362bfadedfa582129d8e9b1439b1fe2e2a4183830b55efc4a79015f370cf2

C:\Users\Admin\AppData\Local\Temp\GUEM.exe

MD5 8be84e85399c8cb3092266e85d880988
SHA1 c8ef2dee21bdd57110dd65ff996e5d024c789fca
SHA256 43f1d2083bbc3a0e07f7b09a2f1be0c6b8172d53d13d9e8acb401dc33120a2a4
SHA512 8a9ecbea49751e363a54b0021f6075635b6058f8d702589fc9f6ec154e911a568e3e2c083688577772dcf973891728840b3964169d8d3124b626db02cdc108f5

C:\Users\Admin\AppData\Local\Temp\gQwy.exe

MD5 04289a55f0d2ace587b04f3b070ca439
SHA1 97f4339afd8919e7e60a45b11e848b982c70203c
SHA256 2d00bdde507d34f4709fe308dc23622b89bd0795a76ca64673dc7cdeddd258c5
SHA512 26f7b3939117e33d8f0b77b24f94bd6e9c822fc35020623018ad182b5b97b0698ca13360d52452da72e9ca3408f5905038e580fe991d9099e833d0436af6fad4

C:\Users\Admin\AppData\Local\Temp\KcUm.exe

MD5 5e06bcf4994ce4c7232e82e23910d484
SHA1 0ab379b821675730ee28b374775f465843b75c6f
SHA256 dacaa1dca3649ceacfa04e0521bd6492859516da6ecddb4a3249abe66c0a652f
SHA512 1c2f4eb0f2a7bfd2bae88ad02f51700bf7264cb7461bb97c57284cbf430bb5ea142cdadd9e6b099a50785f5dc7949ef5cc819b0df4d201e028286542686cb796

C:\Users\Admin\AppData\Local\Temp\cgMW.exe

MD5 c36969f2a470d5ad6e14a582c8bd02c4
SHA1 bfeecef8a6d7f8d05d99d3aaaf52844d4a828f87
SHA256 2986fc855db1f922c4e247c89a88bc46581e5e09742e2af1637367edb540a9b0
SHA512 1d2cc1c61feba78cba0d2b0be0e9c5ad20f939b946ce2da528776efb97830e564b96dc5fb98e6d6cdb1a44153579e7388a4f843ed7e2e8f3becfc4a8ce5cfe05

C:\Users\Admin\AppData\Local\Temp\ugIo.exe

MD5 3f0a7c269ec4289c208606a14d0c3a78
SHA1 61b8693ad2221ccd52ce4fcf1ae520fbe1b927a7
SHA256 60954b0358d64db7c38bc1b23d4699ce3359fd225b5b22cfaa8df8ec8b82a5d4
SHA512 09a7257c65b78a2e07fd5fbb9c697a478d35bb3b764e8c2e26d25436c93f66cc8bd1e69286e18a847d60ef4adf26157fc1db50f1b84a159e84ec8146a25ac58d

C:\Users\Admin\AppData\Local\Temp\aocQ.exe

MD5 d751f0efb6ea1a6553ff6487f3f662a3
SHA1 24ae6c0d87cb129fbef4410814d136115ef9849e
SHA256 5e588c86d9fed0c31974afc19d728529dba3db5c5f2474f263cde4038081fde0
SHA512 49ea8ef3eb7040c6d65a2f2fb90167a3bb791e4592b6fd7abeeb8568b1f33da1ccf303d5b427d4a33993fcde33871e4694ca44a6e664c7b1cabc7687f348407e

C:\Users\Admin\AppData\Local\Temp\mIsw.exe

MD5 fcf22d2791b4d2f5d5fa6b0244786ac6
SHA1 e011f637c1f13daca65911d5e46d56060b6088b0
SHA256 2e6c4fe1a48dfc030e6a0a7a95a05ca5b910b4a5537d4d177a5752e02e8cd4e0
SHA512 39d0c7520f3205329edfde81cbc4222df5d309441641b7015636e8b20a07ebdc3091636f8646da9da0c004b025be98d50eeb06395a3bad41445b300610e2e0f9

C:\Users\Admin\AppData\Local\Temp\eEQs.exe

MD5 496f9e85fbe18e4dcdede016551cbb53
SHA1 66d46d8dabe1ab6f50588c1bd6a6a0b641a630d3
SHA256 577c8a9413160eba9b3f13f89159581ff1a9af46ab3e2e969504ca43265d7488
SHA512 fabdef5f395e18b914879e49f273c786273257bef317f92c83d0a29baeba3ab0dca29ee307bf9eeaba5d5b9c5978752d986174710f3295829b88f4be7ce5ef6a

C:\Users\Admin\AppData\Local\Temp\OcoE.exe

MD5 f03713ebafbe9e356c14f87416ed312f
SHA1 49c03d112a670bad9e8a019068f131efb1dc04d0
SHA256 ed3c528457592519ea68303260330129e8147ca3902607dc01dfb687938c4627
SHA512 460e7023ce6fa0bf5b95e5609168f9623b24276892ab115d5d9e8218e42c7faf4e59abe9ccc30a0ea7a7aad20c9acf7286022979ddda447b5d71f6138ae5c819

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe

MD5 37c4646a64334ed5a3faf9517c182cd1
SHA1 5f9946278cd6b2cf46769ca8f5fcd0be83ea9ebb
SHA256 f82cc289b866307e07dd89cba94635e4ed13e200968becff6bb4fd57dec7a8ab
SHA512 62ae0f6a46d633fbe20d60662312359f5cb1c37d1127565bda1e873d51a871b4ad0ade0066b30840dc3e0ab5fac071043c52315be41be24242603c19f97fb26a

C:\Users\Admin\AppData\Local\Temp\gggS.exe

MD5 981835fd3e37640bb23d27896302ff74
SHA1 7bf5ca4f0d927caeb25fed489135b8c05e25020a
SHA256 28aded3031e85b441456a116d3deca714bb1ad858c425f658457dfa25d509cd8
SHA512 fcf6b9fd67ad069a180a5610ee38431d8c856c4c6bd8976f1268bbcc60296b1ce34d6777cb2ab6424ca198397ca5638cb4de9f74c197177b8e4a6288011d698d

C:\Users\Admin\AppData\Local\Temp\qoIk.exe

MD5 e9c7bbdab128cca7d79f67f62590e308
SHA1 304e2fe096c358a278766c68ab50d6eca8751106
SHA256 d490f6e349f272f835baae94240f5821cd4a4e270402c6b1dabb579e63bcc22f
SHA512 35e7c3d6f432c32f0a569f9a30669591dd414779bbe29b2afe85e89a145e6c47e6bccf6d674683b4d0a693eede84ade6111bc0f5a09eb667a5acf2093582d22a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe

MD5 7860eab1f8717e423c72c340e5cbf719
SHA1 24b1523336159a55d2e6672dd494bc20b696c2b2
SHA256 dac029cec424749e58caa120194f73a88400c5077b8cf0e52c043b61a83e8e8b
SHA512 6369244fef612059659364166230181a2c81dbd6aacc67367c910df7802bcc2c9898e22d202ad8bbb6c3077a5e15e1dcff7e8b27756b640929e003e1719efe4f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

MD5 72c232943b6c79181a3971a502692963
SHA1 0bf6a3c7a0bff320f83b44c5dfdceadc8abbf280
SHA256 84052475de9d6f309967ed10e6d437a6b25e05e0c034d1d57158e7cf239561cf
SHA512 d4327f35e27e35260be36b54ceda67afcf600ef65594911f6315e70265cf5a26dc19cb94553eddc578d9d23a6bf92c962a5cc14115ecaeadbad9d1f21a995929

C:\Users\Admin\AppData\Local\Temp\swcM.exe

MD5 81fcbbf1cb6b293d78cae691e7c7ac15
SHA1 8fd9dccf94ea26712ffdbf2ab1d7ee97181df12a
SHA256 deea2a0100a285c72bcb1f3a6d4486e8dfb620312a33273d42bec5c84558c8af
SHA512 65b487d966b3b431c09f3e080164048a0df877a5567fab506de5d7f3f29e14a3dc098de48c097dea711287068b2bdcca9c334d682bdf89f35f679993a84089a4

C:\Users\Admin\AppData\Local\Temp\YgAc.exe

MD5 5463d9f4d0f8574456885338113dbdbc
SHA1 3d7edc14de2dc80bc7c43c5340c64879490cce5c
SHA256 adcf968ec2bcf9503ead5d47acd4717ce28ce1c8167606deaea46c79417d650f
SHA512 6ddd84b281e1197912046682a2706ba50500fa45be3c735bca79a7e425ab4390ee816251c5f31f9e4b92ec4177eb14df7ebea4ca50c766620cc6ea02da75da0b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe

MD5 535fc98b189bed5b71153aa9469fa8e1
SHA1 8da3ef8c90d7625dec60afb478ed3bf4e04bbdb9
SHA256 c9db565dab322ae2fde1679fd0f1c177f9dd6f7b8b71eff7142ed733c9c44f59
SHA512 782d37d8d9abcd5e6dd1f2e5310565ce824462ecac2eb8422768e726b8e71fc32d707bfaab999db030cc304bb3ed8e6cea6904b036b4bd04c547a3493ccad55e

C:\Users\Admin\AppData\Local\Temp\uQsC.exe

MD5 1ece54c20afb029931e7877a0c0d3da9
SHA1 f15ca562ab912a05367084fd1923c1406f18d796
SHA256 57f60a0789bdfb4428464c7d0e0a74be659c941e0990f18b3e9fc6b8cd2fe872
SHA512 b3223c9e0af9527eed7df20e8241f6c254ab10ad0e9fe25040dd703a556aaf1d95f5d8798e88d35dc68c34f28032afee7a2c998c5050b91bb22d2a901dcb3fef

C:\Users\Admin\AppData\Local\Temp\ecgA.exe

MD5 b4c4fa510ef474e33c581742906f2b01
SHA1 0f90d32d4334d87ae3166be7ab7244397812cd9a
SHA256 ecfc6b2e7a09df08d22e8400439f533311213ebc7800d1579d3b4bb89dfda089
SHA512 4a02644e029359b9ca68c9d72c7de0f40e9bb5975e3180d1179221dd04b8bf3705d1394026c0afcf1facffe16e6e9d547baf726e5aa1b5d07d9a0d634482e80f

C:\Users\Admin\AppData\Local\Temp\scEM.exe

MD5 ecaf579643d346693230f7a1175f4705
SHA1 3ee04b234176c854c4e41ca060a304f3a2fb3dd6
SHA256 813286e86d70fb469a6437f62c37a9fcd4a0eb5283a5aa973616b114aa01fe29
SHA512 9f8f640c3a9c7a4768d900fe7f66c5a017c7d7e00ffe9acca22ab93bd4a04972642fade37faa2f9f38f87d43920d6a46b32c6b69af7a4c9ef437b13116f38f05

C:\Users\Admin\AppData\Local\Temp\Asoy.exe

MD5 3f5158a434bacda61eed05e2e65d1656
SHA1 a6862de8ba6c2362236ec8f786279af2a3beeeab
SHA256 883769e39c7ce8675e3290a29aa0a2a1d31402fdad3c83ff0024e24b1ad2b17c
SHA512 f0262fb075fa75677f6beafab754a64d0ce47fffda9887ab2827b54f9109bb036f1cee7eb7c65829f72a8bf9931ee346f918620d00f7c69ec7e4364d5276c5a9

C:\Users\Admin\AppData\Local\Temp\swgO.exe

MD5 65ec0c0a9642d7185d533fbc402d0527
SHA1 c29edd560c32129f930c4e5651906869cd25a3a7
SHA256 a3b293b333f5cc89e6ddb12dae57eea1bc00280752482d1c0a811ce7ae94bc9e
SHA512 4df05ebd84b9b39b5994f83dd3649fa743aac04f6f90bc67d7dfc9149c937bc133ec50d097fa1bbc9baf4ce7ce61cf6f012b798435a614ab0feb150d8a393013

C:\Users\Admin\AppData\Local\Temp\Ygks.exe

MD5 0197fa13fc9274f3929123a4d5b9be0a
SHA1 9797a724f4842a93186762590e150e8f52557e76
SHA256 196b986008e5a873ed48bfdd4ad0e751e9ea251070e9802ce6350f61c8fe5724
SHA512 56d32933411ac61cd88caac3a6bdfcc98c772a582a56fc041ed431e961046d7e2fbdb9b857818d71bec7c54e9f57c7a13c64ce6e9c3237b98582e0ec78ea043c

C:\Users\Admin\AppData\Local\Temp\KQUo.exe

MD5 96028fa2e10863934160fc7ba70c4438
SHA1 798f1492d1b7d5555eda1d4011593920c72e501d
SHA256 6da095eb72a3211b99c2efa1c1ea46547eb4bf80c8161d26248075a6ad90e69b
SHA512 96072dcf632df4551fb6b77d83d7fd7f6cd0ddddec9de9b1c583cc08b553f796eddf6cfa2c5061fcd3d59ec89bc833163a124d1da8e0caddaaf31d9825cd4237

C:\Users\Admin\AppData\Local\Temp\IEkq.exe

MD5 a5fbe1ef332ba261f8d2bf8ea298a9b9
SHA1 86a069c3ae612ec8483b87f0921d87a17644bddb
SHA256 c5531119c617a02a77d08f629d7eadacd5cbf136517984aaeffadf113dddb7fa
SHA512 31936ef6885b91e1c91fe9b7087e50dd001e9b37b22ba84e51582f453df243984d188de4fcb0fb2fd1d463f38769075de948803751e5a496a53ec681770cd155

C:\Users\Admin\AppData\Local\Temp\eccO.exe

MD5 1ef4861e149fa030f96e4c4c875bdd9b
SHA1 8426a4db4a61e770582f1e4825b0a421324f59ca
SHA256 2d71f89f02f33b0512786dd2d7616a2ed94930a065bf2cd45be5edc2cf6bc9dd
SHA512 348f93b08b34999e7c55c67350b63bbdfcd5d2de966bc54941a05ee2685cc6c5f763e96fe6fbe5d90b7680c380e83900f2b0a90c6737ce31de90327a19668bf6

C:\Users\Admin\AppData\Local\Temp\wYgG.exe

MD5 945d10977f89a1cc922fe863737981ae
SHA1 259c7dbdb6e36044c4e7d551d581c7f4be216dbc
SHA256 f84bc71a91d080ebbd085befa48fee6acec68fc04561d5f4f0d2c7d3fed4b129
SHA512 cbda93e365992480b23b9632f7b76500bc3d7e2dd22e7aba760c310d5490a44c9dbfdba7dafa39333676796f62326f6b9511ad8ff6f80cd851c8588496fbad93

C:\Users\Admin\AppData\Local\Temp\OAYK.exe

MD5 a2f854c31a7c6b4c2d57a2c3ca8b0490
SHA1 24116c59ba3adba7bcccc908aa76d7886885f664
SHA256 e4ea100a34cbbd1e76129ef39226956ada094088d9db7b5c7db84107225897a0
SHA512 6ead955c710bd380948cd1ca20a1ef026f2d7d8d218d2c3e652990ded5f5be7ba4563421634b420388a6c4e44e63cc352b3f05034b5965784e84d860c88f1d2a

C:\Users\Admin\AppData\Local\Temp\iUcO.exe

MD5 5e73c33678461ff431b508b96939e90b
SHA1 3190a9e1c0e03014587c49cadddc06be7a25a6db
SHA256 d80095f981ca0fd82d0908bfacb38dd789872664e20839da7cc6cd8945ba783a
SHA512 081e7d603877f49d6de7ad92fc0882ecc53f28a419baa8256bce5d000d14e8c41a368cbf36433489fd08622f4472e296c7d9998629b9c0c05e62ce5817828f8d

C:\Users\Admin\AppData\Local\Temp\mIQq.exe

MD5 c7bcb0416ea2d3fe85f01b4a242636c5
SHA1 d217feed2e5ec427454d78e24b78c99b80c955b9
SHA256 ef7f6cc9ba9d6d5d6f119414cab67fbcc731917dbdbf7fc07a74b20982594bb2
SHA512 9adf45b765d5b5c6d1071c22e7dceca4ad9a579d6ba724cd81832bdeb3451923db732b7278529963dbf2b6c323a55bf16ba3abcff0cd7c3e5c75200753dfd1a6

C:\Users\Admin\AppData\Local\Temp\Qsss.exe

MD5 2ed1001a8c05766c759bad1fe0ef44b8
SHA1 a9668123a6c856372fcb749635e84668e61d2842
SHA256 dc58993089d4717dc9c94d451c2800dacf9bcfebdcae0814092b4205db7ee9c7
SHA512 a6ecdd0324e2e7dbd8581108f13b81dfb409646a0e7a9061cd535cec3fa31fc26b5db4b46766b495f0f5e12221a09ba4fa8414bd6a382d0b6dea3810ef0a323e

C:\Users\Admin\AppData\Local\Temp\ggsg.exe

MD5 8d8a5aa3469e9ac9a900fd6513681d5a
SHA1 d1d2645c5d2cc7d2d98254186ad36eebe3f63caf
SHA256 951e3ea004606920cb88eb79e6512c0d9f3aecd60ef80e75ed6a099b9654f229
SHA512 9d2b3d4261b4c6c00955c3a76c261c44ff6571577ebefbc788b32a877804fa767ce440b7671f65a78597f7f4b4c86c7f4f16221b6c8ba00a283cbd0ccba55a25

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

MD5 1365289a416533cfc8ab539459288689
SHA1 1af219345e0db4e7d9e62580f2230ced3d1c745f
SHA256 946ea57c740e73faa3b2a51b15d184a77ff88e60af1b8c38729b7341552f3e0d
SHA512 d55e00fa1419d65e90a3d34de82efa09752d34e4a6c90198aa9e871a90bd2c83ebb64fc0ac7f38057b93c1bf8587da0780df7f96c94cb58cdbebe6fec6505f3b

C:\Users\Admin\AppData\Local\Temp\AQQk.exe

MD5 dcbacf457ad5ca3f0df49cd6869d870a
SHA1 1fcb5b4ee07a23e622e1ce2ae2f3eed078a2bfc4
SHA256 11a40c4c32276a38b7caf858124bdfac683892f1a45834968e096e4f19092ffd
SHA512 d51aea6764224b51433d754936bfb64fee3ba3392f688f255f3c36d0d62ce72007db91713b72e4dbaff45b838133920f1a8312234e37b1283a829e5d99c6a447

C:\Users\Admin\AppData\Local\Temp\GgMg.exe

MD5 1fc43b06c79a480b0c7ca24e9d9a4bd0
SHA1 af5de494dc526d3e45fbb646a3a9094856c079ea
SHA256 207d6db16b6f6a85f1acd60066cd31daf8c24f8046ab37b2fc5619b0386c6517
SHA512 8cbace0958b8c9b89e47cf1cfffe3f6d55870bd193819edc59aba8bdc719312e0dc4f06c2816fd7dc47c45d8bc4b9012f81132c1aafecf1a0747c802ce256f0e

C:\Users\Admin\AppData\Local\Temp\SYMq.exe

MD5 e08f1c108ccb74f5109e3f0cae465832
SHA1 5d2f04d4c84b95c7b7e77e2a69a77ed6bdfd5d1d
SHA256 ef626a75e0ebcde8b5c3ae29fdbe7b3bcac1050f693872aa48fa94383738bc6d
SHA512 bc563bff42afd55edfff17e25d87a4deb84d74ae14219462d4dda58068a9d81f3b5543e65ae402ac8d9717de8389c342141a8da1875d6c55657ce7b1e0606e72

C:\Users\Admin\AppData\Local\Temp\UooM.exe

MD5 c362067937101b1dc0b5250f6b7b7b8e
SHA1 65378e05d96bc0cc2d6f1059f2d85531169cc876
SHA256 4b8882c883c28cdf978a0adee7ba7f344d58aa8c1e79b00324ed283a952cfa6d
SHA512 fb2cd45a6941fe3b24d31d3b0077667cda77071b65c2a6a578341e7f28c77ed8ec6cd8b39f0ca1ab5ceff061458b8ed5c10c1c2f1bd515559838545cbee5894d

C:\Users\Admin\AppData\Local\Temp\EgcA.exe

MD5 52c6fa501e69de5b2a65db0e70d848ba
SHA1 16b03d873f2ed555c20b942ef7c9133ff1a6e2e2
SHA256 8c396f23439264d82b8cd1f8c2e699c5052126e476d0a14d102232b468d6f445
SHA512 137e2928dd62da354ce5628ae3ccabd25e8d5f558125fc3805b46913bcea8547bb585c78c46d0d512da617b70f478081ec374645a8663b89b7fdc6744c281806

C:\Users\Admin\AppData\Local\Temp\Gckc.exe

MD5 8dc958d90959e1b69413451de2077f33
SHA1 2a01a48d2afff94f80e61359ab0c61238f366529
SHA256 d57a7ef57869ce38b34b66df511f0627402987809e451d4eb6575c68ab5ec2df
SHA512 da4768faffb8a792625519ca391afaa97417138cfb584bab782241d5e35079985e9f723f90ee024633c26fd0ec0f0271e535bb6e1469a6add51ea7df6f2ca6fe

C:\Users\Admin\AppData\Local\Temp\OEEi.exe

MD5 232da2cc8ad09f44ea517c3fbdaeadfd
SHA1 f45df1bde8d1d25231719542fd0b681558740cc4
SHA256 09173f93689d78fabb92b549f68d777cf73f838333b53e0c1d2ae12a7c3ea7bd
SHA512 b7d7c53aaf4e65a922a3ffb9164d75638191ebda0deac5fb44ba337726e440f0921de5cbd5789fb4a66bbf4ac352692dc9835bf5754e91d712f9e0281033a5b7

C:\Users\Admin\AppData\Local\Temp\WAAW.exe

MD5 0837c485cab608d22ff52a0439215551
SHA1 0eca30b7e1bab3c2b863b2e2924d756ade11d03e
SHA256 e66f4073debbe50a85c8877e9223b906539a208d6d9f61440493d153deee2fa0
SHA512 9e9daf374cb2cf72b53c0780db8e3827cd20eb5eea1508dcff2129bec46893b5bd6ab008425226a2ff0198b95f932f1ffcdff64304a0b34bd6a97d99e7a80104

C:\Users\Admin\AppData\Local\Temp\QYwu.exe

MD5 378e7da43979781e35e9dd3d3f9e1f62
SHA1 6969e218927ea7229322cbce51152a72c0934a1c
SHA256 abd001a396885f0fdf39a28360574d0eb051fabb6c897c5f6889e7246131c25c
SHA512 0e8f367ffb194bd64c0f1e7590048ebd1c90dc116f0e166380d2db0f3664b19dacfe24a6baf67d905124ea691cf9575f82d8af4f76688c32111d5355a707299b

C:\Users\Admin\AppData\Local\Temp\MsQe.exe

MD5 cab95a432902074e8df652b7e927d59b
SHA1 0b5f6fd03a702cf17c8a32858bfbe46bccaced82
SHA256 1f3cbd65e321e2ed5a2f3a9cd9777849edd0c1dd966cc316563f16992deeed0d
SHA512 704708776efdb56e49eb486b2d518c6e31b835f888e9b1b79835283e2dd731e3558bbd980c440d7642f0e23254afa5bc2985b3e26b2be90e0b18906f4aff6bde

C:\Users\Admin\AppData\Local\Temp\QMwS.exe

MD5 c680313b10db60286e32adec49304c86
SHA1 ee73bdb72713ef0a8fa9e5345aaeced8f60ce560
SHA256 ec1e2a7c8c8a2ce4eb9794a0e81b8fe709c0ba597cd8bffff4f7d7ab211ec78b
SHA512 3455081d4335a57d6ac70ca781e9293a7bec38e47189b664cf23a108855948e1b9229c1dc75898215d434e17991a98b9759f674b63cb1c53e63a506014ff6c1e

C:\Users\Admin\AppData\Local\Temp\QoEW.exe

MD5 cf36e434d83daa65453a369e53f92cb1
SHA1 95f1a85f4618ba692bbd63ca3cb30207e93545bd
SHA256 d1a050ee62ef8cbd45132ec37cb02ead486e71151b44f12c9576303534c83deb
SHA512 83ea4a121274adcd46c932875816e514b96469b885ac406a0a66768ef3ac3b11f4cb849e9a70516bc46d96b35696816d7a5d40a14293666f412ebd7be4b40018

C:\Users\Admin\AppData\Local\Temp\ucwS.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\OsIu.exe

MD5 f9651d138232d148219decaa25e9ddb6
SHA1 21822f4f190e015a23b4018c0de4e247f1cc4f21
SHA256 bcf2692c0c37ceee249df97669000a09caae55206f4cd900c103eeffe4cf4d87
SHA512 13b454181b5ebdabec01ac02d74a6f51d43777804ef17de0d7c54d52924ece17c008caf62cbd7ea28a2a8bb6a30d5d5ae81615e7e5f67b62734794581a9edf3e

C:\Users\Admin\AppData\Local\Temp\aIwE.exe

MD5 62581923075f6c221e92656aa794c0d6
SHA1 3046c41737f9dcc31817d4c255b77783407c63a8
SHA256 daf631c59d33a227245f925dfef7bd1e4704f155d93e390421599a29d8f4f124
SHA512 b6b04266511f0b9cbfe2a4e900b9c8b2458fc210d31ffdfab33c191e68631d6e9154bd03fd8bd7acf3c43171326890de3edbdc43894431dcd8a40a9f56e6467b

C:\Users\Admin\AppData\Local\Temp\QIUQ.exe

MD5 8bc6527259dc6075640609cf15d674d0
SHA1 40d3e579dd1443f13fe3680f03389a8f0d42bcaf
SHA256 a07a4412d58bb47a3a57f098339f0fc5d22afd0252e4a5b5fe617cfd3ec02fef
SHA512 2368f918278a42751e3dcdf487b3e488873795311f28bd9e447b67c90b3347c5196a9fee4db9ecba814fe378ea68ff28818fb33ac3293889569fec4bf088f3b4

C:\Users\Admin\AppData\Local\Temp\aUsy.exe

MD5 055231bcfa38d8319dd07a0fd321e689
SHA1 1d5a24a0f57079b5fad8998afbd987a087408cb8
SHA256 c52654373980eee23687b2cb0bad7a5143f6c24c7ec8e7a15c92a0ff07c81a1b
SHA512 0947cc326edf0214d1c7b728f2e80a14169f6fccbc538ebe830bd0f71af87800b2381d9d7417a45de60fdcc18a75fa78f240e9837b41f065ae77fce8f74a6335

C:\Users\Admin\AppData\Local\Temp\gAYG.exe

MD5 0bcf8e460b1eebeba25f6e2b8a04c6f6
SHA1 7525ebf1e39c580f92c0d0239ff38f8bc3fa1ba2
SHA256 c16b88278d8dfa808c7e3c2ffa5b83111f512b18c8580684ab9e17ce20ca8ec2
SHA512 832dd776df45ee01b1c2798d0549dae5886fa91117a122fcadb2d6ce851a9c87b1aaf70be8f44790d0e28f6949bfa6227ae327018086899137a663a41c2d717a

C:\Users\Admin\AppData\Local\Temp\uEoQ.exe

MD5 7bf949dfe6cee543261cd492d1b0c729
SHA1 fba15b3e7e8f22912c4e7b8a390e21082190124a
SHA256 bbc58dbe99ffb54ea6ba22e814816b50a033b420c9372e689ca2a0c48398f9d5
SHA512 13a9b8bf245077f1dc20f4490bb771d890909c49d833855cc9cc53e11625531ec34f80b2f67c3796fc9487c37f1d03f3f9c90422381557b094a0315b9940cb4f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

MD5 2df2443d8670d89f2e89ba8c4300d07b
SHA1 e4ac95fb354fb5249959c98d7c5dd39a3576462a
SHA256 42eb650301e0e18dc3a285a12f86662bc8634d74361daba88b3a382752bc21c7
SHA512 8b0fbb3843c7ebac5870956addbcfeff04d10fb79be7585d4b092fad1e0676aa561d4de1cb32d1cbbf3f02554bdd1f6adff20492379ea96fcea0a0f4b5a44f97

C:\Users\Admin\AppData\Local\Temp\aAwY.exe

MD5 7eba3e19fd1c5f6999f32b21834c9590
SHA1 7c959d3fc0104adf4b8a23750b4e8a96bf85b001
SHA256 bb5a5e6ff516c5ab47f9ad0f4738776af07d850016cdf85848ff59dc2bf7cc5a
SHA512 c620a42efcc207c14e1a1af0c6186960efa5180f4c70616c85a403f7cbe9b16c818c9fd6e080cf3f3d5d310e4ee8dd37ef71a001b181caf8de3ad9cacdd0e572

C:\Users\Admin\AppData\Local\Temp\uUEu.exe

MD5 1965135eaf9628f15bdc0d355c6f1302
SHA1 ceb9fd23a278c535b14981871e287053a62c2049
SHA256 0953514d88a7dd097fa7c5c680cb999b9bf9d9129f1ee314fa60944507426214
SHA512 17be1a382f22f2a2c041b9cd2c6a6575856704c7817a52c9237eb8a3259fc05459496b2500a092815eea35a8cdbf78d7dafa3d6bca60d099dc454149bf9ff150

C:\Users\Admin\AppData\Local\Temp\yAQW.exe

MD5 679b007cd9f2e68949493019020084d0
SHA1 2d551d05eef45b087c7579cb7c8e3f9b0b3f53fd
SHA256 2ea6f3ac62dd33ac8e24accb128806847d86f4ed9bd692b2a1721f5dcad5d896
SHA512 11d6bee9346af50333951584574f1d1ae57a92bd897a192ef466d114a716cca6cdd65c6dba95c29fb58133dd7abf7c420658ecf688e58dfdd2c8a563feb72b9c

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

MD5 03a66860d254735e0d7cb2e7b9894553
SHA1 2add6a1633f72b26b370835425834381124446a8
SHA256 27fe629b365f1a3923df5e59ec527ccb3da39ef13e550f0888803d08fbb17015
SHA512 b1457f895b8dd1eaaef0436f8708b927211f4aaa78041efdbc7621278694b2add611e935362bc36e85bda0a2a2b37d9e31e1d51dbcb8cc654d0df0487c2e743c

C:\Users\Admin\AppData\Local\Temp\eAYC.exe

MD5 78e922c76e6ad582b428719593dde99e
SHA1 ce0c8b1cf3cbf10b9d5efe52fde993cbad19bb69
SHA256 ab921086d39dd6675b40ab5b5bc86516deac10e0082dcee18a984359fe8fe3dc
SHA512 73a0abed624d25731cd84adeedabe0794dec95061bbd722c4fae5fca5c833d05acca2ec77d59183fb13484e91b54fff1cc15ec9dd9249b16fb15cc03366a6847

C:\Users\Admin\AppData\Local\Temp\OsMy.exe

MD5 7b4264e8724857aa2210e318bee0318a
SHA1 60f2326eb292b29f96d85ba7b29dab5e7660beb5
SHA256 e83bb0f73ae06e99d02187a4882f46fb082cb457626750e942dec471e0fd914d
SHA512 2703444a8be37377401776d9d3c8a19b087f73ac3e2da1a871fbdc74405c38d15c5923e5d26968b4c778b323bde98a0cc5c9236ac41818ad24dd63191b76009b

C:\Users\Admin\AppData\Local\Temp\uksa.exe

MD5 7b77c525fa7b463f87b1b1bf45b06f84
SHA1 2c2d981bcc92946fee0f58cb790889690a82a71c
SHA256 174f9cfbecaad8b77a83dcce35d412b33b2be593a0df0aafab422ba6f0430858
SHA512 de155182b0c7403faa8f30f3dc859413dbda1cdd46c9c7618712d2209f59005dd86c4e0a84f8b41fe5e49b0bd2032e755a758292f2b275a501dc07bffe2f52e2

C:\Users\Admin\AppData\Local\Temp\iokq.exe

MD5 e03fe6b54833c6f63c88a5ca27c2d36c
SHA1 29c553466aa7d1fc428b5bc2774910fb27d41035
SHA256 a91c460053fc9321dff4cc7d39805e81543189d2f76544ea657ad030cda1ddd4
SHA512 576b93d4db8f154eda6aa0b53eb0c04bbbadece417fbd3a70a06966d914bc15bca31b546b619b0010294088b6eba796e0ec6053019d5c1f7fc83336728277148

C:\Users\Admin\AppData\Local\Temp\GcoG.exe

MD5 e94085bba6b002db96ab2ac1d5428e55
SHA1 ca68437edb78212ca7f479660f7562a038989687
SHA256 a7d52ec2e36ef69c8c6a3f1fb45a9cab1966cb5dcddb54820dd9ba6c98a4d545
SHA512 f511927fb50fdf71e017bbdc6874f08ed43298133a47b63362cc6db13200b02a2805b992e1783ebbbda0fbe4f72bc257c7aeb21bd766abaee50d43f9fa72b718

C:\Users\Admin\AppData\Roaming\SwitchTrace.mpg.exe

MD5 496dd926a7e806319119aa0d6d64d5aa
SHA1 912eebfa0437529b92b9baaf4328ec9db2704e4f
SHA256 6223bace5ca91c324e8a6f02e27b3d09fe453b21c096c19a6a3b015cdf715c46
SHA512 dfcb4158c4910150b3b792a2dc9bcd17e6377bd97926dc6a139b6e961e23d0251f5ef07f2e20cdfdfd91cc534fd84cdf0408c49f0f78191fb10134e434021722

C:\Users\Admin\AppData\Local\Temp\SYgO.exe

MD5 3512e188a1d49cf7aca2df3c99a31a9a
SHA1 065583559882a176f5f7e1c4699efab6a802c341
SHA256 369186f02bfd39b140d289926233ad6b40a0089fed4e7dc1838ce63abb384076
SHA512 d91dad117a0f851a7de0ec13fd8ce24d1f970465175c0fe0a1dcd72609aff432d3533ff3c547eae4eccff72f693add4e4571140e0fd1da7c1b44d3b636dbc492

C:\Users\Admin\AppData\Local\Temp\EokQ.exe

MD5 dd9124871691d8fd79523f2fceabba47
SHA1 d3661daf590ad915e45263e27e5ac3213fd45ce8
SHA256 28da08b465f2698e2cf1411020428c11338e9a1c4c7d4efa7587da7fdba6c1b0
SHA512 e91f24ea7d9def67e75113acafd3192a5d60bbe422fd6ca84594c4539f1e95377062b77621a094b39067123a82bc21b968bffebd2a19b9385b603e311306e0e9

C:\Users\Admin\AppData\Local\Temp\UEQC.exe

MD5 8b82f18c130882f3454851e22c6186dd
SHA1 21bac2091d37417197997c53bdd35274e91ae481
SHA256 9d679cf84ea65663f3c76de40fad4fca8d838da68eaf6129d4f2b76b3abc41b2
SHA512 fd1b15ade2448f1e449f65103729d642da65887963994369622c6de161701f5b62de646d6f68ed99be61d16efefc47d85a694043bb75b51904645b3aa30d6d6b

C:\Users\Admin\AppData\Local\Temp\qQMu.exe

MD5 810d6ba9215160907e40cba69e3bfb8a
SHA1 3e71d5ea3db3b8bb718a708ff91a7a4dd3f27a9d
SHA256 0fd8a34355326fabcb5b00f98200c647ffe046c5da38b36ba55506a56d954389
SHA512 5fe9d491ddabf8b7b93d2dfcf8cd16dc29f20f82368fe18460d9579e81161d675eceddb8e0dac06fecd0baa6839f0fc2b29d31e359e0c5d3cdfcb2e0b021f08d

C:\Users\Admin\AppData\Local\Temp\QoYq.exe

MD5 a2ea56681c19b9bdf29e5fe4ea4927e3
SHA1 c40625a2f99961c3fc11778ecccd8acbba59ea00
SHA256 a852a0fc32d362dbcb73a6d90e73d8b41221b28355c448ce871ef0990210bf82
SHA512 6e99fc3d2624dd906abb2e8c7c6c031e39408db84660a064bade57ac7c3e73afd718604555b72a96b59633c7c23bc9f92c54704fd04163d718cd467ba2cd7382

C:\Users\Admin\AppData\Local\Temp\ycEq.exe

MD5 f552bb069653e2f0153c2013a1d914b0
SHA1 925ce96e910cbf2213ebb334714e327dd1bb3e40
SHA256 128e21e8de5fd829311da1b453b4e646f49614157bca105b9bc78f83985ad570
SHA512 0b2cacf639351f818498299f6d7c43db2227daf027b0bcdd5de67cfa6c37e62ebfe9226206adfcb85e636755db13ae646aaca95047316fec0c231c9a622d7744

C:\Users\Admin\AppData\Local\Temp\Cooa.exe

MD5 41c8ae6318293168e8d76d6939d47ae1
SHA1 dfac682d99b6cffcbac12deffffc303d465448f2
SHA256 6b18d674faba7b01bc45b7a0c53388897e3b33b02680644b0e66f81ad9353a90
SHA512 7ec09f82f84e51c3cde4ad66d40c896b69fa5c1ad96d549b8662ddf831049ff1913f3ba56db3b76890b585e6fbc9a9198e2251c40110da066aa019355fdb7501

C:\Users\Admin\AppData\Local\Temp\SQIw.exe

MD5 b470709e97830ec61528fedcfda37dfa
SHA1 1ad2e04674a70dbdeb50b71ce3c45346a6412fd7
SHA256 02c874de904b4a5454f88e1f22c646c8c8fe308aacca48bc57eb2a528c3d6e8d
SHA512 aaff532545b8ba36fcdfa3b1c33e15b0d70b309ec8754b10f1c550943abd3f1308cc40918c2a535608e756b3acc7caefa9bbd576654653a199b93421e3607af0

C:\Users\Admin\AppData\Local\Temp\Sgcs.exe

MD5 949bac7b3b840cf1fdb8bd94b0f951b9
SHA1 fa247f09a58ff9bbc31eda48dc4bddff68d1dd51
SHA256 8dafd473f6fc1f1a98bd47b6c2ad7d4461cd4d52af83a9a2eba091f6b2bfcd1b
SHA512 1b9652061a55e6f1c0f01837a847cb6291ff262361ed85555aefdf0a553fed12d495e8d7e69036ef9e95511ad25784e2cf76c88bcc712e9a0faf346ef2725135

C:\Users\Admin\AppData\Local\Temp\SgoI.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\skYA.exe

MD5 f154b9a4f0a8422f4150e230cb6fc362
SHA1 15a9f7029f91b8ca35494be7683ad2fd0a623e80
SHA256 2ab30be380222d96df35fb15d8f3a82069c5b716875033abfe835c72eb2028c2
SHA512 8304fada0d40ff777e2ab3ec004c9a92212efd4938d638f64ca405feec1898b5017fdcb863311572ab31dee9cae159cdf7eb0d8b595370f0c8cb1cbd2973ad42

C:\Users\Admin\AppData\Local\Temp\kscC.exe

MD5 d6c840c638fb27ad136fe2e6bb3b9bb7
SHA1 2b204f1109812ac1472d24604e97163547fd9773
SHA256 8bb58446aaa4a076be38fbd4616124d4b29370aae805c85f3ef6101b99fc41d4
SHA512 2d49de6d249f6911cf140e0e8a54324c69fc441c9affbf5b3da761671bf81269fa691c3e75049d123aafd7bd7718eeca9a772e88e36abfc6090912c8519181dd

C:\Users\Admin\AppData\Local\Temp\ggAY.exe

MD5 a136ca4ef3fa80bd06520dd1fdbcb4f7
SHA1 705a837d4a46d9bc395357d43f3b40a867b42663
SHA256 01cfda96a5ccc1acefc14368afcce48b3d876582f9f55822927089c96ac5fe0e
SHA512 604e4403858f0b7322c0d0a443180f5882c29101fcbbdfa6f1609c12a6e7c621ff88d4c75e610da60a4f42db5f6f750d7e755c227d3f69ffa28d7548d9829a1f

C:\Users\Admin\AppData\Local\Temp\uEEU.exe

MD5 b0a0c3e152b1f80cc99ba52cb17a4fd8
SHA1 0d92dab840b2ebf2787dad570b0b804251f37cf0
SHA256 c8fc7033adb48a8187a4c2e6332a5b69cd0f117a5ae12fe3cccada5baa253e10
SHA512 3c20c6d517503bd50a255edbdaa02f6edd7dd6dbbcd5ba97f410848f0eceff8ed1b1bb8f19966f38d459f935791f8b97bae5ac88fbeccd81a3a0fd080bd8ea88

C:\Users\Admin\AppData\Local\Temp\gkQc.exe

MD5 4d2c34f3a474a49974377bc4f327d812
SHA1 63ec6b1fee0d1cc0f2e99bd7a8fa60508ccf868d
SHA256 1e1d4d9f5418f32589bd012e448787cc4778fcaa8e4dd7359e92c81bfe1bb20f
SHA512 44ab238422535bf303dbbf149d3c7b2ccff37e95d171b0bf3d8b339143b1294d1b2c2aff6832d1e0b5c491f6ba4946b5c6a725b84b4382f63d63ff3d210425e1

C:\Users\Admin\AppData\Local\Temp\SIsc.exe

MD5 9bb630bc40f236bfd896cb9e6b38a64f
SHA1 2ea70712f2cb5e40eb0f65bb7eb5504968bf8560
SHA256 abc05a18d6de86af07beae3544ccbdc1b6752215c483b4477215319dc428899b
SHA512 6636945e4da22c2d19c1cf2960b2dfd89afbca7ff7645bcc22271e3a5b48c3963c0959d3b7490a888fd40f6101028205d3041be452ab24b4a9ffe8395f8f849a

C:\Users\Admin\AppData\Local\Temp\YgUm.exe

MD5 7ca056671b129ecaf5e467c3775724ee
SHA1 64dc92d2b84451efb92dd3fc58fe53bdca2be1ed
SHA256 e674cd548810d7746886063a0aabac6447ba26a5767aed5689748b5083498594
SHA512 7d29827a1f826145ca7aec904f06e5128a7878a9ea50b080f8013e1b0216eb3043befb687378643cbef9a033f8fdd2e48e680922570e50f01037673ba669f303

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 7671456add01a464db67e06232c94e31
SHA1 9e28c2206a93e80ca2151a3bcb942e804e07a3bc
SHA256 60fdadce0bed6225c23424c9f8cb66210dc1a7c70c2f5bfa23c29c8252d8f17a
SHA512 f3663913e2fa6e4b3f3d78a25d463abffaa33b8d78e2040695c13a06f18c314a6ea81854242ff442a49d7de664f741355ac7c15bd63b293f2418799edc517019

C:\Users\Admin\AppData\Local\Temp\UsAq.exe

MD5 5496fef629fff4bf66f731b9c2420165
SHA1 8bdf3060424c608b12079fd3514e56a18537efb1
SHA256 dee243324f5e7b3f758bb269dd8bd6f4f5b20cdde90c210c44ef05d2ec063838
SHA512 f0af383201cd2fe75d1682371239d27f36c42622eeb5bb818a86929b7ddcd65dc877ba8519094891550efdd797c4c425dc31923a966d068db0e81de9edf91155

C:\Users\Admin\AppData\Local\Temp\WcMo.exe

MD5 0e3852e160bf60d54c3bc25f1594cb45
SHA1 78a62c52fdb27ce040d85bd745487964c1faa557
SHA256 b2fb4d82e6ee6338f0d70be1b18062a1c1423fb4c05af471835fc3a043d77571
SHA512 0f7dbe53068695af4ddbcc3618482ce38cbbe5499c5b20df8d31a63dbd38b0a77037c5f49785168b9c30574b3d959b173cfd3d0dad1df0200cd66ee2ca3f84cd

C:\Users\Admin\AppData\Local\Temp\ysYI.exe

MD5 361a62885b9d72b01895dd64c3257aa0
SHA1 351b6ebe422935d35533d56e595b7a0bfce85de3
SHA256 054c478c48891f6f76b5c7595e82972d8aea6dc348e81fa3b2e256619697ffce
SHA512 510934c974c448805b338e5a7083205bc5f67cff006d54c43c22cad833c5d58039ecc6a703054f2f032d7eee17a63fedbe783dc9411e7de6011e84cf3c72ef3a