Malware Analysis Report

2025-08-10 12:33

Sample ID 240403-nstnjada98
Target 2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock
SHA256 0a948418020958101baed862d3f0f1d1db28567cc58a8b0b9a40d689aeb15e8f
Tags
upx evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0a948418020958101baed862d3f0f1d1db28567cc58a8b0b9a40d689aeb15e8f

Threat Level: Known bad

The file 2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock was found to be: Known bad.

Malicious Activity Summary

upx evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

UPX dump on OEP (original entry point)

Renames multiple (87) files with added filename extension

UPX dump on OEP (original entry point)

Deletes itself

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

UPX packed file

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Modifies registry key

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 11:40

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 11:40

Reported

2024-04-03 11:42

Platform

win7-20240221-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\Geo\Nation C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\ProgramData\ECYYoIQY\UoQwEEIM.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UoQwEEIM.exe = "C:\\ProgramData\\ECYYoIQY\\UoQwEEIM.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\nIkwgQgg.exe = "C:\\Users\\Admin\\KugUcMYI\\nIkwgQgg.exe" C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UoQwEEIM.exe = "C:\\ProgramData\\ECYYoIQY\\UoQwEEIM.exe" C:\ProgramData\ECYYoIQY\UoQwEEIM.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\nIkwgQgg.exe = "C:\\Users\\Admin\\KugUcMYI\\nIkwgQgg.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A
N/A N/A C:\Users\Admin\KugUcMYI\nIkwgQgg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2012 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Users\Admin\KugUcMYI\nIkwgQgg.exe
PID 2012 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Users\Admin\KugUcMYI\nIkwgQgg.exe
PID 2012 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Users\Admin\KugUcMYI\nIkwgQgg.exe
PID 2012 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Users\Admin\KugUcMYI\nIkwgQgg.exe
PID 2012 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\ProgramData\ECYYoIQY\UoQwEEIM.exe
PID 2012 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\ProgramData\ECYYoIQY\UoQwEEIM.exe
PID 2012 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\ProgramData\ECYYoIQY\UoQwEEIM.exe
PID 2012 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\ProgramData\ECYYoIQY\UoQwEEIM.exe
PID 2012 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
PID 2520 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
PID 2520 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
PID 2520 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
PID 2012 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2012 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2012 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2012 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2012 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2012 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2012 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2012 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2012 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2012 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2012 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2012 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2012 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2412 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2412 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2412 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2736 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 436 wrote to memory of 1180 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
PID 436 wrote to memory of 1180 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
PID 436 wrote to memory of 1180 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
PID 436 wrote to memory of 1180 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
PID 2736 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2712 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2712 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2712 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe"

C:\Users\Admin\KugUcMYI\nIkwgQgg.exe

"C:\Users\Admin\KugUcMYI\nIkwgQgg.exe"

C:\ProgramData\ECYYoIQY\UoQwEEIM.exe

"C:\ProgramData\ECYYoIQY\UoQwEEIM.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ReUkcgQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DEogIcEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\msQkckog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eSUYMwkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YasEkEYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ngIsAYIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UcwQoEYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UAwYQAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hioUYooU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "13049230491699223443-1534842780587935857-20660286321453587969-1008503816-295019298"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1387502174-1809383503773113780369651906524637295153864835216159688531256306737"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1690861738108166748534812822-1637751843-1629837362-2026801901263688041-2076603899"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nYUYQwMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ACUEkwAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-552611793-1042887880-774240560-18085289281475922683161618989517368255661643700606"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NaIAUYYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2001515542-1630881160-6666113949129084134711870431717165140-989100021-421667768"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\piQoogYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ncEUMgwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-598236359-17215523161496414196449690018-14910377656562281052125075043303767801"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zcEkAYcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QIEYQMgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-116044673613480677151161828265-785252581-142791030-7661412313780374621789980075"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1907384248737199082333269269124622077520392532982738678403123276461003419126"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JmcEoYEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "727745580-1859909793-1281666379-18021219901267761737-1595812777-11572413661832040752"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ayMQYkwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1457707918118777919481274292-960760263-1120058800-5773257052000348749-1105968352"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nosoQUss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PQoYIgQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WQMgEsQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-9216068071707711488937419187-1595772917330052304-1098944966-224630667-717748089"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kqswAMss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1116244869-1261105237-328821897419725192-10821589871077798313457306736-577229753"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zwgMAQEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-16360815752040769532-1317041449-1654603551-18975761331950420045-1386842500-978310695"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uWAEIEgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-14249641652058381148-133423365110255627748203409771151664948-19270988201638190473"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OOsgMUEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XMckAwYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "337105382-590698994-1782279060-105052335560925761740735941-11061369781460139245"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-338620193-2009763348-1064201970156230785425128572620206355372052986053-1683103896"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SUoIMIME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-317497873702186015-1250560051-1664611719195485515-1869567497-1479303305-561703719"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fMIIAcYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-182444573019159715502092003097-1251939625-992726107-200389861113853236191395403427"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
NL 216.58.208.110:80 google.com tcp
NL 216.58.208.110:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2012-0-0x0000000000400000-0x0000000000436000-memory.dmp

\Users\Admin\KugUcMYI\nIkwgQgg.exe

MD5 50df4e9cb20c8965b0796a38e2b72c68
SHA1 31c61c7799c8d09e727db04074f65a7e662d46c6
SHA256 69e578677cca0c6c16190daa72c9f3e9771e628d146fe6cbbfd69d3b37599605
SHA512 92aede80f0d14138439cdafbdd0368fff3bd1f42c4165e6fd067171a7cde897a1b32782989f2ea76ca7c28d1e602f0b9398a70dfcc0cb5cd8392008146d91420

memory/2012-5-0x0000000003DA0000-0x0000000003DD2000-memory.dmp

memory/2604-14-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2012-12-0x0000000003DA0000-0x0000000003DD2000-memory.dmp

C:\ProgramData\ECYYoIQY\UoQwEEIM.exe

MD5 3a43ae110d8bdbf1be9a54d98d3ed359
SHA1 1e60d8d1f8a8b1631f2f11b183f70047fbbd6e82
SHA256 3a742177a145023c91c08da114bed39c25079316b8e452b757cfb96626d301cd
SHA512 607a7f9bc7b0dd27d909764611a298fcc0377c54884ee9e7d56e9c0d0e6993e2e30067e93bfeb15ffe55bc18fe76fd9c7cd9e5b8321fafdcfc07b0bbe3d55770

memory/2012-29-0x0000000003DA0000-0x0000000003DCF000-memory.dmp

memory/2544-31-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rWocoswk.bat

MD5 b0cc491e42d1da2b7b98553c3c2ca0a5
SHA1 500459590851436a02a24e6a4a7046f73b8d8bb9
SHA256 dea0c44ec0b907133f146a2091016064635c1a95ac97c2625d5dbc3055bc03d6
SHA512 314d9e32e9158e858b9aaf5df2070a4f4ad048f791a1685ff7b445ae26afcf085bfb197e302c519da610d69f081595269cc9abce0a7b64eebf320e05d9351da0

memory/2736-34-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2520-33-0x0000000000270000-0x00000000002A6000-memory.dmp

memory/2012-43-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ReUkcgQM.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\QyIUYYsk.bat

MD5 f03160135653d60399c48ba0719e6310
SHA1 cc59fb24131b136a2d4a4d17492ebee785ba95e8
SHA256 90239bebebee64c0da96d0a02e0d44e0d1a7233ea4f60477183891b2fef0360b
SHA512 4cb7481afed5696b72f99602da8ecfb1ed945292d96bfc431832fb935ffb66952234b51923660618673be642da7246bab3442c0998ab9b6391c438e5add042cb

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

MD5 8243501c8bec7c2fabcac8cb47d98048
SHA1 f03c28e2f966b10efdc0eafda6ed6d3ab14b7d43
SHA256 4f5230f4e5338c433953dfe6fc203f2cb1936ca7ad8a9d6aed0afb583a1639fd
SHA512 5de50003977c1b5c4f55132465d0a5589a32a00f388c6c57fbc9da42fcb7368578ebb6e9b541e2656dc07fb9c0a77cea75f990316be67ed5bffeed47385a5aa7

memory/2736-64-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1180-66-0x0000000000400000-0x0000000000436000-memory.dmp

memory/436-65-0x0000000000120000-0x0000000000156000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\WSUUQsgI.bat

MD5 e6ae5c26e51f2155d8634057677d287a
SHA1 eec810c433375890220d13a0498847cd9673c8d0
SHA256 c8db120f6453e06a4dd6111ef1f83a21fbfddefeddd8d33f354c407cb4f2ba34
SHA512 d1825ec4781a9362c316c9f99d7decac513559dab4af3b27be5ba0c20a151eda6d617251e71377f8d04b9f4d1f1ed9ee20831a942c28a5bcc8d76a6d02023dd0

memory/1180-88-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1660-89-0x0000000000400000-0x0000000000436000-memory.dmp

memory/840-79-0x0000000000180000-0x00000000001B6000-memory.dmp

memory/840-78-0x0000000000180000-0x00000000001B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PkQkIIoo.bat

MD5 148c8f5f6faab9663fa97fd245d2620c
SHA1 9490a34144f8a189a4f001f861f19175dd85baa2
SHA256 5b3e080e3d2d558cff7ace1bb5b909a977625723afbdf67cf94ef62cd55eb21c
SHA512 8dd7640f68dfd322dbf68caa4f53e705a08bb410a6ba5fde81c398405cef91083c97ee7f27823014976f3518f3c415ba02935286035b5d88861305b4c340ac9f

memory/1216-102-0x0000000001F00000-0x0000000001F36000-memory.dmp

memory/1864-103-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1660-112-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TIUIskcQ.bat

MD5 2ee80b78aadf3e5459b9dde7be0a5e90
SHA1 277a3553a61b3269f6aa3679db7d661160b536a2
SHA256 3ade4ed1c2d518480907cdb4299560d73240a13e66143a09d19a39d2087aa155
SHA512 63ae02aacff22ccfc6bcbc7c72e9dccbad0373539b2cf6a0b2e200f0427c18437bcadbc973278dfba6db0db0a3ab06e55f6e6d42a324d48d5cd97113a5e12e5d

memory/1724-136-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1864-135-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1404-124-0x0000000001FA0000-0x0000000001FD6000-memory.dmp

memory/1404-127-0x0000000001FA0000-0x0000000001FD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eEUUowwE.bat

MD5 d55dd76918a3fbe917a7545bae493337
SHA1 3957f185aa8db8c91696803576d07e8cf62f2efc
SHA256 35b511e14809576be6c2b10ef935017fbc8a1917a02386c9cba1dbb33063df02
SHA512 e2f6b32d7d093e9797521f6085ad8be4089e3a0f420e1f6f81eff03281259336c95fae66de33f9d9590ee393907f47fd1c81195530a2f82424a2e3841f05778b

memory/1724-160-0x0000000000400000-0x0000000000436000-memory.dmp

memory/576-152-0x0000000000440000-0x0000000000476000-memory.dmp

memory/892-161-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lsYoEAQs.bat

MD5 7cf05ca735b81fa30cfa98a930096646
SHA1 28b6a25a85e5cbf6e2206d35625e7e263f9a8f08
SHA256 74207468ad1e7e1a262d8ce8f423664692c47896279a6b542686388ba6f4f73a
SHA512 770dee0eec1e3615076ff027837a5d94dcf9b54eabb933f7c2233e22d6b8c1da191dd7024a25aa0182dd7e8f8b6e297ae522d650852e9cca82aa4108b94a2faa

memory/2500-174-0x0000000000410000-0x0000000000446000-memory.dmp

memory/892-184-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1704-176-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AeUoMsQk.bat

MD5 941229c0d83e1e2a98e88ac33db8904c
SHA1 91e00b917b4ca872524189f7b367959f11625168
SHA256 92514d84977fc6f396ac9cae4f607ad9a31d93a551dc3a1a1865e0987bb5ee93
SHA512 6431c25425e38bebeb0b7130873ff9e0d6e545406363f5667711d05c87918ab94c2341089584dffda60cb866b3b508b3d412079f305fcd312e7b38d678d030e5

memory/1704-206-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2672-198-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2660-207-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xWUMYsMQ.bat

MD5 c922d79d51b2730cd8219088d8fb203b
SHA1 6065b917d702d5454002d297e0481fda80d4f932
SHA256 de87e0d1e00fd91335a947d74ebb6daedac1a65473dbf4065dc40e0e8248ae00
SHA512 e22f7f1c96092c373b4f85908a3489cdfa8c413ad7051a967d05c999b9b158e791c0e3114195db7c91c3888a39c3f6a1fbd18486e603174c9d8b7c46c69a3abc

memory/1760-220-0x0000000000120000-0x0000000000156000-memory.dmp

memory/1096-230-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2660-229-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HckgYYEw.bat

MD5 2642a9e6ab8e939033bfd370faffebd0
SHA1 3b8d20631857afc82531378e298c6a152a03a28e
SHA256 7f91836accfa15a57584b125576d551fec915cae707b16fa7e84b128dacfecd6
SHA512 83345b60dfd20574425b97b50cedb066a302b1388749f8ab8c9722fce6e10d4955c7e229cdb237de411ddc3cea1f2456681b6affef514e2616c9cd62d0b415c4

memory/1620-245-0x0000000000430000-0x0000000000466000-memory.dmp

memory/1096-255-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1620-247-0x0000000000430000-0x0000000000466000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tGIogoUE.bat

MD5 7d5f3f0eb73ea1cb81dfca44df2327a7
SHA1 e07c086371f3073e4f289b0437a72756a78534c6
SHA256 fc5bebcb6ae52bdc8f7d8cb52868f77c6a0b5af5d17e3b843a9cd3942bda13ed
SHA512 445fbe552992e60b92377bb805bf55678d95d8242110c7efe0367b71a44144d09cee6c855ac65e5e0f5bc38ed2e8fb2879b2f01d8472914e4b36c6f8c5793f24

memory/2972-275-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lUIAYQEA.bat

MD5 2093734f153f16def6ae793e0445461f
SHA1 ca17798142c8b16b36838222b8686833207457c4
SHA256 bbf537d6031d1d15ce27007a6de3add2d86c7c24a099c97ca6433ee7101f9a92
SHA512 3b7fb8871bdb21dfc2f1aaf2460dde25f91529d00036e23922c6197fda24355909c8a4f449a34eeb540286b2d3ed1e44102ed5d4f4d56a209e19a9bde2e18505

memory/2900-297-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2788-300-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2128-298-0x0000000000160000-0x0000000000196000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gAcooYAw.bat

MD5 0f2e2eebbf09a8b0d5f8bb9042f5fac0
SHA1 f5258c105c162fd2a8173a004b7a75454c37bfc3
SHA256 99c296dfc14caf7ac895b7db4d9844f108548650a678ee491da56315c5857d95
SHA512 cddf5759f71d01ef6d81ad0ff67e30f55e67fc4bb76e613e7f6a28090f69d2f5d3320573a121f85d2fb10b74167629e920f9e03073fe9f41de871c43255d053a

memory/880-313-0x0000000000160000-0x0000000000196000-memory.dmp

memory/2124-315-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2788-324-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nCooookA.bat

MD5 09e7c9d34c9d85eb4c9ffb43daade0b1
SHA1 2a1c365571eef14443ff8b051e5e1f3c4448960b
SHA256 ad59c38fc950064a350f67ca79c516f1727a6453b356935fbda9a5dc06ded2bd
SHA512 d36ace4be050db15e4f42a7b039285332b3c69a594c73abd44b1c46e237c53acbe8fbcb0735e9154f9f903ca086637c87fef2093d7f13089aa1b4289a745a775

memory/1704-337-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1112-338-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2124-347-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ieoAkccY.bat

MD5 3ea18337c73b710232b348684e88b718
SHA1 cdd07d48f2c77c0ffa8f82a0fa954c3d2cf67f02
SHA256 89542ebb78c8bc73f21dd7c4da3a653f51fd666ef5f63be526b609a25279fc53
SHA512 6fdd36faa29414bad1945b8487b38984826a3ee423cb5475905e596a9d95c1a2d1c17ccb564b84c049244525d6c7854a4efd29ddc296e394b87776dd5e27f4a8

memory/1676-360-0x0000000000120000-0x0000000000156000-memory.dmp

memory/1112-370-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1424-362-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eQoYIEMs.bat

MD5 6a88077a164a3df03bc8ef74047c42df
SHA1 791a15064488a522b563df3197aabfc1e5689e17
SHA256 cdfca94fa5ee76113978d238aa3ca01bd8ea8d76fba82e9319f78c42f412b97a
SHA512 0b4d6fc19a5741adbf1dea778b8cec72acd1409cb6e6df5a4eecaf8599853cd8dec0c240cd619e432646d5dce0d6c58991138804f9e2b8990d45f91d6017b331

memory/2340-383-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1424-393-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1924-385-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EwUkgkkw.bat

MD5 a1d7df73f1b47968271f12bcef5cc17e
SHA1 2e5b76fb8b61b74b083b0ab66a03fa0bd33c99ad
SHA256 ef5d4e1247821a4afbca3df5d2b5e3ce8dd06e236910062ced55d261c0a92306
SHA512 78ea341fc88dddca3441adeafa5cfedb8bc4c9a2b27aeffbc5334b5e092499ead2b05c1d9bbc5ec1437e926a1aac7f5131ec059592766ddeb90b83a3b7e98d42

memory/2276-416-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1924-415-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QwkcEkEc.bat

MD5 732927e6a19ea9947697e5408c26123d
SHA1 6bb9f65202028a93a9ea2e51f7ca2540bfc8ab3c
SHA256 2317350387253cd50f277de88e12818474d54de83fd3a4cf879342745fd623d1
SHA512 428ca2268d4907c2dfe7821500dfa78aad21b1d989604950d71d40fcdab82743a313657dd32309f57d269dd406011dfffd3867b5495097d5f51497ad3e1c76d9

memory/884-430-0x00000000001F0000-0x0000000000226000-memory.dmp

memory/2072-431-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2276-440-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KqsEYcso.bat

MD5 cbb1fbc6c63363433a472890aa4029ec
SHA1 677c64b9ada1cae93b7a5e1dbd78e1491af32d2c
SHA256 0e29ce581f35274243d6cd0361b84c3f9cfcd354a7c168121777646278d29dc2
SHA512 6695ae7065ead9d42bdedac2def573bd6ee9836a3ebfd3745120417161669232f28486dad90a8191017eb414120f9b964206222aecf4e996965b8c763d4fe609

memory/2332-462-0x0000000000120000-0x0000000000156000-memory.dmp

memory/2072-461-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2400-463-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LYgIwkgk.bat

MD5 70d33e14612544f0b428c96e61aef0be
SHA1 542c4f8fb5ab5e495fe3aa9e1746ebb0b56aff7d
SHA256 4014390b34e3b5430696f4271b34d3319ba5bff28c6215812cbdf43dd6b83150
SHA512 ea2ff72e49e18b9ba930babd4d9907d32e43596b381745c38023025fb43ea115b8b7949879f7bd33e7ba87daad0943a4a0a4f19976122015bbae4c3986aa7061

C:\ProgramData\ECYYoIQY\UoQwEEIM.inf

MD5 1cd35cfebcdbd44f5d9062fd7b59e802
SHA1 59d22e97c3cd1c79db81628d1c6d3d200e7b1ce2
SHA256 a558e3861610590bc41b973d4578c5229b6e047392626456994b00588d9500bf
SHA512 492505806b63ecf7664535dff0b16a11cc5aebc2b9aaec7c32ba7042d583c526391d5a03dd87dd84a4245f58f1b3da5ae84ab6317b3219d9b9f52aa093303624

memory/2400-486-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2644-478-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\KugUcMYI\nIkwgQgg.inf

MD5 800adc6c8fe093fc8676508ee0f21fbb
SHA1 c84afb0248fa02cea56faa44c6a5f6677fb244a1
SHA256 007e11480edf1786b58e72a62a95e9cf1ed201fc1b9d708867f51b8e7d8da6a4
SHA512 6d6c2ee5b54db7b8731347c89b1a73ad8898cadbbf779acdd57c188a444f9bf0f0401398a83f83c9a8ceec1416ed30dea07ebe67f4f17d837f8610cb8c11efb9

C:\Users\Admin\AppData\Local\Temp\JgYUUgUQ.bat

MD5 3bc2efa63ca740547729c7c1ee74905a
SHA1 9b92d53bf941cca4f1f77df293e51824a7f33811
SHA256 a8529c0ae73937d93cc0c6506c242757171457e10f1ca3438bf24747b7576298
SHA512 2f5749e1da905a8cfc6229dafa848fd0d94c3f3a8b5fbc1898c8cc105d38cc8ea171e266f3641a7f00fefe34ea70c2097b4d3410c0a85753c2dbd750ef9c0083

memory/2060-508-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2644-507-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DEscQogM.bat

MD5 a739372226833c023b6440f448fc6589
SHA1 998c1560f6f08dd0ebe0ec3ed6540e7c24a4b24f
SHA256 efa613b821c340def1a617ad9a5ac448a1eccbda3c9c5e9d8f335116fb854866
SHA512 24a58abad9eea49b0578b34653ed7a4d26232d398985c13ca4c8d69e29be5072d676305f5e14a6ccda7d3336e7306354b6805a01e13858ba11e9d3319d9425ac

memory/2036-518-0x00000000003A0000-0x00000000003D6000-memory.dmp

memory/864-520-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2060-528-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QSkcsoAU.bat

MD5 481b1d448155983b588fcf3fe415a48a
SHA1 785ad78dc8ab4315497d155208e2f590916d381d
SHA256 73b126dbaca9a9f20e7849f2df6346a440a459d579cf9d8db8a1b8146208a9eb
SHA512 016dc42a6805d4d97da8c8b05a56eb7164539f820b5784f3423ad3df5e8d4ba8b128633bb085a9d69a3da44ff1b653f8113c5fc7f5658234a4d8be8fd7e5f2d9

memory/1660-538-0x0000000000280000-0x00000000002B6000-memory.dmp

memory/664-548-0x0000000000400000-0x0000000000436000-memory.dmp

memory/864-547-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LEcIYEUo.bat

MD5 3b31fc03d603134ee5f1a58eef617c46
SHA1 f34e35fd107675184ff7474fa8af1a72fab7074e
SHA256 4c1f82b1e7ca170e07aac950b384abe742f0c43052b27455d9a30de23e655c73
SHA512 a4fbb7ac8cc0453310ee54658d709b04f1e564183737132ad98f2bc2b5de7127fde4ed56532c6abb0ac032b9499c1068c5f820dc87b6a885aa32618b203c91b8

memory/2784-558-0x0000000000120000-0x0000000000156000-memory.dmp

memory/664-568-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1552-560-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hkUswwwY.bat

MD5 a22f9e18ea166f752dc3c8d333c13007
SHA1 c93cb13f028c801f6b86f601babc7f82b4b5537c
SHA256 cf8c56c02b563ebcdea499a3e364e8d28e78f034d004ac29446a3fa28b3c15c1
SHA512 cbe32d849ba0bf184511d8ab54ac857f603fd2fc0a015f594c07a1157c57516d825c5ff7f185608f511bf78553d05931bf7edc410bc56033d4a4dcdb9848e46d

memory/1552-587-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2536-590-0x0000000000120000-0x0000000000156000-memory.dmp

memory/2448-591-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2536-588-0x0000000000120000-0x0000000000156000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MawUwgoo.bat

MD5 0689cf24ba9a1d08131420108486cdf4
SHA1 a2fea3fb06d3b2e510291fe4be08ac75edd19a84
SHA256 84882943991655770e2f7a1a0f8752162c058f7f8eb003d7ffec0f5efd9d2f99
SHA512 18781ec14ebcb50a696bc5976f7ee23d5a3a98618350d87a6556591ef1dc00e9f9c1ded7a4047b26fa0a487613c56e7572ea72901b108587074bd7fc58bbb146

memory/2208-601-0x0000000000120000-0x0000000000156000-memory.dmp

memory/2208-602-0x0000000000120000-0x0000000000156000-memory.dmp

memory/3004-610-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2448-612-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jWMEcYYo.bat

MD5 bad53446b216d5dc0055580fc1213d02
SHA1 1afdd7d6309f8c661053c52ec50f793c297a2bbf
SHA256 dc207f88047d8a0fd8e1645df0922963ce487985c72971fbb77f61b6c3854987
SHA512 0613c9cf03e5c0fb756cec0ad5e6cd888f63ceb0169286bd49a3c4ab51e083d77bfbafb3ccf267ce5e87264344aa24a83bc05034971981dc2c9676d636bd6df9

memory/340-623-0x00000000001E0000-0x0000000000216000-memory.dmp

memory/2088-625-0x0000000000400000-0x0000000000436000-memory.dmp

memory/340-624-0x00000000001E0000-0x0000000000216000-memory.dmp

memory/3004-633-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BGUgYAEM.bat

MD5 3fc858468a67306a23ba5dac27480475
SHA1 d2c007edc76bc600f01a155a48acbc7646a3be46
SHA256 b652ddd2431c4948a94bb5ce7829ee33d828df9193330eeff7a430639f06580e
SHA512 b26e086c442f7524cee80e9a9af2c1ef3baca5fd3782147688dfa04fd0873e2e7fb87c0e34e824a53542e0b241599cdd9eb72ee0c486b7e1e71eb8c7a9ec8817

memory/2088-652-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Twka.exe

MD5 39b9b48d0e93112efdc17650ef05f673
SHA1 4186a5c6d4e2d1b828d351ee1c5e86e603ee6dec
SHA256 0f53f35051a4dfe49833baddad55a75dc70362ac164dab8e70392bf0f4d364f5
SHA512 5fb81b3249db0e5b0f09152e6f97ef1d74d2b757f93ef2c0a61a11521e8b68554be7766ad92f31b06f8cabdc890a43c59f48fbae5739580075618d795f2b47bd

C:\Users\Admin\AppData\Local\Temp\nogQ.exe

MD5 2474c6ae312e974bb7c37ce4edd7318b
SHA1 316abe0010b29b9e9e83f76b9695eb9db4d5fb0b
SHA256 b9a13cc77d811b6e07337d42465e6a7311c666ca762e7dfdab0606d64b67743d
SHA512 61ee3501cc04c3d3e967fe728fa8f05f94c52f7f911d7a3639fe4ed8ad76983d5451a293cb0dc3a5e55ed3df0880194800d01687c57f12b5f11f73310febcb7f

C:\Users\Admin\AppData\Local\Temp\MEIk.exe

MD5 bc64f9c811c12d6cb2fc509457f83e3f
SHA1 7ff196dc72f82f22db96998b9adf5e09aee31483
SHA256 677862398727cf57dcdaf454f808cb851267b563c0f7e7cf49c4cf4d9ccf0051
SHA512 43d07b07022bc7ddf07c213b44f9b8a253e9f932e014a18ca78c0a0a0ab431e1a83b346e2a280cfb7ac49b15df763f2dd145c26cc38c0358b8029c8bc3582ca1

C:\Users\Admin\AppData\Local\Temp\QQQu.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\WIcA.exe

MD5 df42003d55fc5aebc01069ced901008e
SHA1 bb29d270ce890c67f244d1d7a4b7d2858828efb8
SHA256 12ced3c1ba2c779a9662980f321306df17d27061789bfe87e0c4e4ee5e809c35
SHA512 22a2ee28fdb18acc451420a3d08801e7396196e97244226ccd30904339ace48b00905ef5c0db65cf766da261088854859532d33d947ae21c6e05613df15b16af

C:\Users\Admin\AppData\Local\Temp\JwEi.exe

MD5 27c34b0f5af6a9d5e2f30c96fdd232a5
SHA1 2621f7f80266c063d9ef0c040e62803f5ccf7ee4
SHA256 ca063cffd4af89bc4882de3ad9503c8157afbbcf29dfbc95139fffd0561fed0f
SHA512 f36e0705b571eeddc5a02181a53baf438c08e31a597dc4883e71dd2f0ce7e44ee3105254c562232234b2222612a4033fac3dc28e57403ae78b71a9d75d2454e5

C:\Users\Admin\AppData\Local\Temp\gkEo.exe

MD5 9f50a8727f25c3e1e145b678d3eeeccd
SHA1 05e668fd408ce678d8e316c0f65130679eca7250
SHA256 a1c77ff0076f88693ba0c6212c96f17a7b4dfaa84de7dae21a987406fce4a7e7
SHA512 767587a3b53663d1a2ee7523f2e7d82b58d462abb4e3b938caa1d2d408ec0e31e9c087a43e65716cf0f9231ea27b0b7651768ec61bb8d7d400791c26f518d0d6

C:\Users\Admin\AppData\Local\Temp\AsUC.exe

MD5 1bcce6338814c55cea0b22f2f6257efc
SHA1 406bdd092f65cc0eb5fd3c2aad00ee61862fc043
SHA256 8b293b1573affc26cbfe82e67c5528c704730dacc5a89de8dc00912402f26983
SHA512 59111c6aedd678d8577cec44253963e0b6e047bf8c31d6a4073ce62881563b105219985310e4855493e89cf30f8792785c91d06cbeb7eee7369550fefc6f78e8

C:\Users\Admin\AppData\Local\Temp\nUAY.exe

MD5 a41599b66de999ddf580a425616bb198
SHA1 59c9192da5d0925d7f1f5809c926f71883eaf3fb
SHA256 14d164c8e2c0e6b134891b621d67a0df13ac67baa59d54e373f6cd6961b747e3
SHA512 765390e9c3f79a14c5f83d26022f377931be75fa83c10b0e1435df61ad5f7177d960b610e237094f3c49142d04f2dbb7fdb9f66e07f890e09298656b70ffe2a1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 e436e6554be1b3dec28b7ca5cde2e3d2
SHA1 1e1b799ecbeac3b0ec34fc866b2af4afbf5c76a3
SHA256 d797e45778e20ffcb24ee7a67181a3e43caffcbc546bbba12229c89529520a76
SHA512 607a9af88f5d5928f8a4e6ee6b7327e33989266b2c9882f7b8d4744054afd896abdb17af67202b66ba476ffe291d843d4523d9fe490383669f07a9b935a98c01

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 11193fa5392ff7513b0ac1cf0f04a10b
SHA1 d4eedd8b928750eda5f38fbec0491652d9c94753
SHA256 1a4c8679775a58e47544c3ce77a6b66a30144e012777b33c40eadb4d3d67489a
SHA512 fe0533dc9db33665b5fe308bb78ac4e4e5689a8254692b3c951295bbbb423431f0bc9557dabf032c58ee492561b441102f710b1d2d03f9433f5c4ebfd2ddc4b2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 2f1c88f0b1555ba9eeadaff661e2b0a3
SHA1 a14fa929f589658134c1b89bccb3ed619eb4bf87
SHA256 184a1968ed46ef2040e4242f13063a79f41d26d1c05519d6610041a9bb93df32
SHA512 6355110ac8cfb5d99542cd71fe840b64bcb1bfa131f744aff5b9792ac50eea68240963e43753c15f6188896c53c27e7feed9eef139e853d555a52e703b916855

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 a86d6f040be4a8402ac0b8a277074db4
SHA1 60b692fbca2cf6d1160b1ccd0b30cc5eb72f84bf
SHA256 21c62475a3137201fbb5e04f22c55c3bf581500ddbff4fa4a38b4c886681f881
SHA512 9de5ceaddd16b229505e6310d67cc409d29eae4b59c63e6d7d163b2f01a38870a8ec7561ce06d503d7a7780b41d88a73863a6cc1500edc00d9bb744894c6074b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 bcc8bf3201f72bc40e5e3083efd33cff
SHA1 939e3dbc4d8e1720b4544bb7804efaa563402428
SHA256 f3825f27ded80d790632fc2dd96cd4874d2dd5496c5417b4a2466bdc046d0cf3
SHA512 7d1ea9150126e1c2b28846a1972e1682ea8ef625e1c2bb0b99a0d5f60f7b041e017aa4a9153edfc338fba45429b2ab5e221273eb9265059a5224cc6747b309c7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 ce1509e9243cb5fd32b104759c8c3f2d
SHA1 77067179e0e99382ad3cb0454d54f8e84e0072f6
SHA256 bd29ddd4da80717d2d9cb637f367092f99fec4607efa51c4236b1c61d0fa7a01
SHA512 97c349681ce2d3edd759e313152b64dad491ad69489df2fc040ca6bde2ff6711a9226d5bba26fb513e4f6f647a9edc9a5d8b961dd874b4782eb0f3c12528d3bd

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 1a9f066f8fb033556ef897792346748d
SHA1 26ba1b87d3b6531b3ab41f8b18fb506e3b45c3ea
SHA256 7b9fed9454896eb9ed6fe219c94e2fcdca2dfe0242cf66f940a49d90788d0f4c
SHA512 083dc959fc45111b4004d01a4f81232110234d2b3a5fd194493cdcff27adea8380cfbf77c3bb4fa03c0e76d3445897dbfbbeba54e085ee082586f4a30ff4a614

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 38ee9af9e5b771a5be8f5b6b17882df6
SHA1 f9bacb9d61e23a0df6bf107197e64c823bd5be76
SHA256 88932812f3369b3c9b7db55a4948545d238b0102a9202b6ee7e4da325ff67f15
SHA512 443736d7384b57675312ee729407f6c455139d3af2b515b379289c5da0fa4df37fe46a2eb570d6c53a12b6d71ab7173396af9e95c8292e95353329ba4a2ea283

C:\Users\Admin\AppData\Local\Temp\ioYK.exe

MD5 1f5a74e8e867d8e7c634ef820a16abd0
SHA1 846da91362b16302750ca1378ae25c36cbf1d98b
SHA256 dd7aa8c912bc330695e08b84527f2759288666299c558517e05ad34bc4450fed
SHA512 06b72bb3102b71062e33af0ebcde74fbced3fe2f2d81142f72cbd7a813b4ddd2b11d9d7c74bbf77d975eac9078f1ecab00aeb5f81683e62d99c9b73ef0dce70d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 0b181a6d09f59d075e092d742cd1bbc2
SHA1 a6cc95269c4d36fa79bfcdbba19bcc455df495ee
SHA256 47f0b07bf93f5b7cc52a17aaf591136384f1f244f789171fd259b17aebd35419
SHA512 07e37ffcf11c0e933f564089a38a576d4922fcfbaf1ba5d45c2b503353de783943606db9822258756fd76a322b720f1f8ff51740633a4f012b6ff1f66686a1da

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 38f81fddc56845263e36fa49856f54e3
SHA1 09adb804c1f93b6ddf4b4997772b134ab7389d88
SHA256 1ce4307fdaa9ed7210b5a7b209f9895f84708392ee3047a7ececcf0706d59113
SHA512 2ae1361ea8079e9f0bcd49038432153875128e3beebe415931ec4a4a8fa92c415e5d8be64a2f2c158218ef53b735191b687a517df035aefa68fead509d3bdf55

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 067fa62daf1528b73146e936307b7f31
SHA1 984cb705eb8ad1bd8373e70fa8b9b2555f6e912d
SHA256 39889b5e86e10aaeab53167a35650a843892748374ad4791bf555ba0e276388c
SHA512 1b57043a306b0c45a46239518ac01a053299f370c2fc8dae581de8c138482cbfdbd529e3288fc2056f04abef526151eaeecedb44a0a20f78e58bdf32054b3325

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 38338652a47674f361765933f6257e0c
SHA1 db2b974d8cfe84353b9e689daa9c9532c8063a16
SHA256 3a5ec970dcc44a4257ead0617462aee47930a4e3eedb92208752c96497569a44
SHA512 1be0042687af689e31757cc79daa6ab3ca2c9aeb6cd746469ad342f28c91b08e38722e0e62d310a6f77746e2be3d21481e83c1dbb3ce0af6468efffa9a40256e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 87a7f84aaacf4ef73a2bf9ab731a0f45
SHA1 aa495426a51748fb1e26ab1d8a3ae80e779abd7a
SHA256 39b710e2ba459b9900162346bc13dfe01d95b8f57d693191f29c5092ac55a516
SHA512 e3c87e675a82f323b65816972ebac7a49da2ca788cc8d26575f1ee3f2fb76bfcd8d343f995e6decde7f474b48cb3abb548b31c3a4914f1d982bdc3e1efd22432

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 37300cff43e16ea07e27eb9f1bf1bd6e
SHA1 7ddf201b543e8d37707c62e536a9d2712b063f4e
SHA256 dcabaaf2f8124812df02081776488a929ad2def1aef2084f98a970a2251a944d
SHA512 0143b85964ccf548b208aabef35e8980d57dffcd9f4d7b27e895512f48f2c70ed0b431125f3f18d09071ae528313b5fcf122eea4edbe0d2fe39b694ff7b063f2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 b426c0b5f65ca891097c201c0006bc53
SHA1 5e29b12fca167bbf8fc796d81576b8a9c8591da7
SHA256 f03a4c85bf03024e47cf5a0c1a563d1e0e9458ccad322eaa793621376c1eb7bb
SHA512 102d4cd2fa79f3c7a27d6b1f4eb4556e42720d76ceec8c5356e69a300f55078688e4351b458d02b7b9d4cee98b044b374fdf78d35d3a51c32a1cb004f9a5404c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 f7ef95ff67689a76399daef77013d1c6
SHA1 1dbe165e3f67db233f9711e07e5a0b33e64fd42c
SHA256 cf3720314cb961b3773ee1335b85497de86865a5fb05e9eb11228c436a76be48
SHA512 dc67db77ac4b3b23efe9d5ee12f1def7611f5d4e929b0fbdb0b21172a0ce3a1ac8687201459ea21a0e1a17a8468962a3a3b306764b20e73a4922fa8671384e0a

C:\Users\Admin\AppData\Local\Temp\BAoK.exe

MD5 15cdb1c448955b8f6d810f9c29ec1ad9
SHA1 ba448ef71d5dd4c99443f1de4da620379b12cf06
SHA256 7fa3fb0cd9d458c8cdadb36136624ddb7cf56780378e9ffc1f0cfff0999bb3d1
SHA512 3b7d743d8159b64b8bf31e2489a1cb5c497185d4400f3cd3092101d42edd14ddc4c5f8af50d566f9bca90b98fc2c3d8151e4e5d14f2a276542def0e12e12489f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 9f38a5777850db4231d4863bf314ecb1
SHA1 09381ceb0b4411fc631784cd1b151e88c6bc9dbc
SHA256 695e6dc01c5e34a2dedd1fd3f1ac82c32518f102479f1cfcd69bae5dc9a470f4
SHA512 c3b0c5cfa5cda18b37fc4f1434f8a5440465513e62d3148cd1aabb5c2cf8843d183c42121fab629c95451a812ab6bfd86a9d28d151b42379b08c977bb395d473

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 d1d88e30393a40cb76d674aa5ec0de25
SHA1 5ada43c738ceff9d6c0656518830c9509974066d
SHA256 3a858850c0a4d6eb4bfebfca19b1824c40afb009503b68e351bc4b84a6a7cba1
SHA512 ad8171c274597390b13afa573bc16494bbaa2386a3a3f9e8180bf92540ffbb5ae59a4312d3d5ee5c5ac150959ce72c42aaad2f9ce5acfcef683bd3ae033444c4

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 3530de910ce34bdacce92e12fca2ebc8
SHA1 848516bb40c62fa71a0de36d77774d76b825fd2e
SHA256 291e843d7e7ab6d995a605d0766c5dc8519cfbf762901452f89cf596c33b6e1b
SHA512 1483fbf4a8a53401349e0d978c043300f9c6bfb5e919ed4db17dce6ca9cfc5ef99c999e3a169220c5918d5727641ccf7db046f68d2f2af4065f43d141cd18970

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 fdb70cbb1f337b0c09c4dd9309df7afb
SHA1 8dad3afe5910ee58b759347cfcf5b20df95c1228
SHA256 3b6ec3211d01d34c3b54d1fe357d862f4d5da850467509f364c86c87047aa48e
SHA512 fdb6ffe097a33b65ef9b82b437e23da37cf404b475220a719800c7661e90e79ae183fa2091006f4e2e9c2e1c2ff6d886801760f12dc660fb8d05d0bfa2af3d65

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 eba9beb99a41107b39a142f004fde359
SHA1 2d240aef1f1f907b39bef967edda929be9b28d66
SHA256 69bc4f01faaad05fa6d782cab8a6f6dbc5953df1b4c7dcd8ed0d9dc4be22aa58
SHA512 ce42e619ae496f1b1be29b820511d094e01db34e4dda269c41cb494a04382c98baf9ea5deb597e6cc214e18f3c0eca49bbb671266fbf536bbbdc231f5124b065

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 2de18eb5571e18f4e3ef7228749336ce
SHA1 da3c71a3df959c344db3d53f569d1b4d87bb02a8
SHA256 40b175231a2e148c79f44a3e5601d2467541c093dbf97ef2d9f1036df41ec2dc
SHA512 9076b7576ae63f8080c8cf6f069cb6482668de40783ceafd33f9d21207047d933ce2c92739faaee53593ecd688f91b94e4bed40541b27b0636365ead373a06a7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 e3b343c3d2dba15ba013ee5ac12ad7f9
SHA1 6c41f2eaf9b816463e8963aa206139c1898877cb
SHA256 63499109a19683130341f8a307b8701d3eac21fc4c85498128dd8e232ed77f11
SHA512 ef59652fbb2232873d4af07d3b9a19a93ab00bfc82db2ceab449401b2df33e0700a4aeb833d6f19083738b2f85fc58332149bcab489bcb6dc697269be58dd4dc

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 574f06c1eaf65c39ad68b7cd1ea80bf3
SHA1 eb72e93e9832482ca54a158dea09dd47596c26b6
SHA256 dadaf6fbcea4be8b1c7af6011688b648d7d5506cf736a95b638dcb3f2f27cb62
SHA512 e803582c9af29e862fb9ca340f492278dda91e66237a8f4838661a555fce4406c0d4b20c90ce67901186e2b275315d3abbec7c163491dc5ff757856d41f31e1b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 5252643fcbb3a218e64f137eb9b059ab
SHA1 093467ffec3bae604370b473d1ff9d7c37d1f2d3
SHA256 44b5f1ca2e3ef800d35f865e281e2f6d8435055d29918c672c55f961d4f6c74c
SHA512 de30876658f4094dbbad40b9a214203b8b9929c951a964a2e391635168c5cc8b3af2a251e20d15227f9cab9c85cc1ed0c1970cd85a3dd9af3b8bf6a80b3ba8a9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 0e3631651882cd276ceb8ccbd77e6abc
SHA1 2fc856d5c26adb26587e4408f14eab98ac423790
SHA256 aa30687d140f234009c953c6ee6334d46608242ca3b9b8de2363bba235849fbe
SHA512 60484d7f932b2266cb24fbe27afab1f365c693396537c91278c0fce1435ba9db9d53ac49166386b80fb4aaa9bc9117fa8477b4ea66db3d8c6b07cdbfd431fabe

C:\Users\Admin\AppData\Local\Temp\hUgC.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 108c146f90e3de9aaf8146ae3c4307a9
SHA1 2cf8b4943d8696b20088c1f6f1e02b798c12e84a
SHA256 23946e23e06099ef6dc0687185e7f080b35a2e21f46e46ad802d74b24e301a6d
SHA512 99e53d2414713316f00fadb20bcadc6f31b69e9fe51130c4d60fe792636705cb3baff068ae44141e311a3c8c3607f2dfe310c3c3b2eb1209ad59f71b6832a1c4

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 43ff740a272407877b574ceef85ee252
SHA1 be3039d9dcfa0ccd63bc7479b400a892757f5183
SHA256 e50571a85ddc369dfe165359e7f360b03b348e1d422d6f86e28ad6908037f81d
SHA512 92fe4f1683d9e2b51f620339864635b7b9dd1b86987160a7c53c89ea0d650c2eca9254b6bf6234e8f4329136f456f43d64c6d4f009e29b3aef10855b65489f36

C:\Users\Admin\AppData\Local\Temp\GQIW.exe

MD5 e4f2b467fc987dea52ec877866057149
SHA1 2f19fd0637bd1efa46f80d8eff22edbde88c0ad2
SHA256 9719d9b214cd0c4ab898c0d2be365c1f2292221ca00afd952ee6a1191b833b94
SHA512 98405645fb10e20cb0f2af1da7863707c4a93fdb389bfea86313dd302f91142558f96f37999633968cf99799dc1da858d071e358cae49ac513cf435398748ceb

C:\Users\Admin\AppData\Local\Temp\HUYG.exe

MD5 b3dac3a9a6a68525c284fe2c7e5b80a3
SHA1 7feb07e1d80bce0312532dbb5f72e6813ee9c99f
SHA256 c2e4e638db9937be7dc379b236786c58a3f2a97cff3b47229146f134089c9987
SHA512 ea93b4ff4654093d01717f5fcf9840edbbe06091381541c0bd55ff0fc220f1c381f6bb73e47a3a1fcce05c95fcd78b8c69996a48b93a1c7b0f14547663071fef

C:\Users\Admin\AppData\Local\Temp\bsQO.exe

MD5 af2e80e97da9bef35b9d41009ecd7898
SHA1 8c16935daff8d4ab934b5b02d32a017dcb5bb9e1
SHA256 f5c2c4584eb17400b27bcfc0440f0befa20f0f8751e113670263a149eb8f4251
SHA512 cd43835b9154275a3f9e5fa8575f5115193a160909317dcbe212de1b9761a89122d15074b8b49308658b1a7189a41ef0786520c5faafe303b8b4e9d3e6293af9

C:\Users\Admin\AppData\Local\Temp\KYog.exe

MD5 fa7835f2726f1891019774f6dbcfc791
SHA1 3011110cf454af418361644a647a1b5d08656de0
SHA256 1648455ed329a6f4dfbc70058523a0ce832a69226acf95ac150a5f55cd71d1a6
SHA512 ca27c366f127675a7d27c7af62a5cfc933ca7b1d4734eed587d49d82bf61f75146982f1a4a035b030e70ec4b6d1c51ab511b5db978a7a6bc495c629413467cdf

C:\Users\Admin\Downloads\CloseResolve.gif.exe

MD5 83e5be002a404447633d52aa758e6f70
SHA1 88b025eda7cb0866658939ea0ca0b4f581ae2a49
SHA256 bd6d3c00e0442ccf898a5be5e2b661899831e15a51ad0a4cddac11f09f5d97e8
SHA512 61346a7ff5ef9bafccf67efd0787d9a33d0c239ea898d0741d4949dde2d352bb5d7168f42edbaae19b63b2b28c30b478a8cb6ef2b79356e2b45c0ff16f7139dc

C:\Users\Admin\AppData\Local\Temp\SUgc.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\OMQU.exe

MD5 d027f29ea94ec5b34b245127b5ad4faa
SHA1 ff3bcb9e1355d05bf5d6ec474f532aeb76f269b3
SHA256 398d4189f3a95f0839394f04852a2974d1eb0a6944866c38a42819ca034a616c
SHA512 d2865c98f59481ac4cd17816b4117809d9e4ae47fdce4714b1e625a7e639dc37aab3fcfe7579cc912da75e225c3f0e38ef3d6977ac12f17b4541bb385c011c0c

C:\Users\Admin\AppData\Local\Temp\HUUk.exe

MD5 578f3e44b2d1c6286e19eb31f17d0a67
SHA1 6a59f01753a782ac83eee7e316416d029f36b1e6
SHA256 76bd9655de97809997662f3ba6e6d0e3a2ddf5eeb902e07933683ba3ef613c3b
SHA512 2c708b8592c739362b0bf5f657b643f54c3050d7f610e713b6d4c08d48ed8e6137180745c101af425148a12100a0181747c2bb98d3dafa3a9df2f4dedbe39bcb

C:\Users\Admin\AppData\Local\Temp\egYY.exe

MD5 10ad3aedcb0d72a1c450678cfec4c1bb
SHA1 d6719c6eefbfb792e0df2fc33b81cd37cf230646
SHA256 73da4c26c2d9b243bf17723c2bfbdaf6a189e7cd52e1e0434306b675b91f68a6
SHA512 e658a121a279da4ea751a4fab42d2e38449a7d943b689a226ef34176c9ba7288b99e70878377759dc90ecddc21125a75894d041b2b5ff3edbf2d9cf35585c2ed

C:\Users\Admin\AppData\Local\Temp\akIM.exe

MD5 377f12bb7c94720210df95e1fe77a2d2
SHA1 5fcaa04d805c2e6f24c7aa05f6ccaa28bcb256d1
SHA256 6c2b136dcad6e82f5fe0972086ab9fbfe52578f25aa5859cf6fb99a30b4a204f
SHA512 f8290625dd4ad78eec216b9e87a810f63a1b1f8fdaf3d3c82bfde65270598b5a1a8e02a5f5e66e2b74f418c0db902cffddd7379cf04679a76ba6d070fdb73799

C:\Users\Admin\AppData\Local\Temp\ZIYe.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\pYAI.exe

MD5 946b642beeeba57b0b547e083411cfa4
SHA1 af6ce9b95faec69091f9ac9f021c3049a2e2e6dc
SHA256 3f60b5354c4f0ccad9665197459e1a93621da5adeef5866471184b9b4337449f
SHA512 4d1e63a7ef2cbda5d9d0503869bd50bf851a96518dc59167e7494b09206b30681cfd0bb9e07e750db7838c485fd2ae95b22bac233811677a36d7d6038b0f53d0

C:\Users\Admin\AppData\Local\Temp\RYUq.exe

MD5 d4a26408ff79ab5917a9e4a3d74efabe
SHA1 d348f033aef3380efe7933c77d8e87facbdc8dc9
SHA256 5a893fe22e26c0d1c3f8dca03f2a2daa1d3f7e7a8f41d1664dbeb5ecb86dec6d
SHA512 fc10925b9e3a0b3146f473865de9f203b814076193e73f5c07cc06e32b6e86cfb03e428c0a14f4830c4a7541135283c93b2e40c1870991d63cbbffe5f14de6f8

C:\Users\Admin\AppData\Local\Temp\lccI.exe

MD5 2b2eb580ec1277edb264e63e5e2a9e3b
SHA1 c37bc905d4b815661b452767ab909c0933d3e782
SHA256 2d88fe6e2ac1019935e2ac68470e94791370c4e20b0a077e70134168cafa3f7b
SHA512 7bd3e675f250737cd6228ef5c363b4283bb6039fa2ec20e44ae4b97715591a188ad2a70b4ed78077445808a1f409232faec4d7a5a5674378ae0ff6ef3bc0692a

C:\Users\Admin\Music\SearchSet.mpg.exe

MD5 27741f060465e8add7d199b0d63358d2
SHA1 b615a376fa4e43baf8dd022f490b5ade588f290b
SHA256 7d44169ad6ad2b9b176780a5b6af87dd6d9459b0469acc6f97d8855eefdae784
SHA512 0b59b5237f411ab7a9e30773936a5ef69421ee0aaed06250dcc761272c94ff0b618ee0c955b8536f93651542a9044aed79d4ee9fb81e3cce8ca4959b7cf21b15

C:\Users\Admin\Pictures\EnterRemove.gif.exe

MD5 9929f142f7c8561f40d13c1a213e63e1
SHA1 95515b68708e0a41a95b79f4a6c8a39adc9db507
SHA256 ff42ebda684f969a50244bdc000085c5c436c12f3c13708f4fd930a6edc425e4
SHA512 61edf15e17d586bb3a6f4ef95ed0bc42c0195404db3e2bb8e1f41da2de4a88cecd5e473f0f7e59d609cbd8db806a74ec6f856d30f6e0b14963588f2dfb44831c

C:\Users\Admin\AppData\Local\Temp\QwQY.exe

MD5 66cbd1ed92fa2d771aa430d95a46bea8
SHA1 15e5b718ff96857921d3fbe7e2708ff9569f6d3d
SHA256 cdee8100aa98a7d73e8560a129424b022b2c79884a18d8c021be2002f5a6033f
SHA512 08e2557c15d1d76bbe3d5a72811316ea34ec2a23b11d64e2806bbbfa584db3be3ab9bd7db39aa30cd1e10a0c16adb153a32350084a167af7b389550c54c5d62d

C:\Users\Admin\AppData\Local\Temp\CQwA.exe

MD5 63f4e26212860e12fbabe13c4f5e6214
SHA1 f8698a10c51d8d431a541594699ee04add4ed326
SHA256 7e30d4e3daabd609f326c9628d1537891b40af1ef6257d8bc9eec860cd7b5fb7
SHA512 872bebc1224cda2febbea57b64c542198dae03c568893ac9c696e70c94b6ec33f9c483b4ed6c5fdf1613e75041f6f0e9aa976b6ca09b7f0ac02f119d6039e0e8

C:\Users\Admin\Pictures\NewConvertTo.jpg.exe

MD5 1ea9c04a4060d14809ba3a7b9e3d730a
SHA1 d5a7448ee89daa0c9aef1510afe711c32237dabd
SHA256 fc7278e37e1ff84c9ad03c1d7c77be4f68c99b06f4dcc1f65f5860da7e3bb438
SHA512 3e929eb9d41c056072bab2d268be765a469f50b197a1e056b6b4e7a0464967a048712c5761f8bcb67af15a8525a6175c40df50bfee91ec9f6789629414ca8a17

C:\Users\Admin\AppData\Local\Temp\bMkO.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\Pictures\PingRevoke.bmp.exe

MD5 a913efb20e811b7fb7897a0c05fb38bf
SHA1 4b3e71d6d6dc6ce8767a5bf3f9708de444db38c4
SHA256 6b287feb825d0b346c7f57b4a1292dc17a5fb751f5d05d99f1901ad95722f6e0
SHA512 afb7e706c86c80c6965e68a76607848112c579ddb6d5b55ff37c77a1e792ec574df68fa1205a7c994fcaf093af602d6f26e9aa90ad4fc49a2004b029eaa81fc2

C:\Users\Admin\AppData\Local\Temp\GgcU.exe

MD5 f6b6e2b1d2f30d2817c98cffdf63e592
SHA1 fb388535217463b3eebb3c4377a992f0b3fb315d
SHA256 8a2f449472001e26d588914a86c148a28a553d1dbe1761f04a30cc8d628304d4
SHA512 89cc208457d9ddd361122aae056bcd7084f4a56e99bc324629c9f8fb8c459d7447b0a9b3ae67d765c76873d2a546158f602f95cd7f35076f55df56d0deb47cbc

C:\Users\Admin\AppData\Local\Temp\Ycww.exe

MD5 64ea15eba95c21c98322f44a476e7230
SHA1 1063bbdad8cb77c0d117b5e759b635cd05b95fde
SHA256 7635c8a4419817847ea84c95f271bcef796558077e23366b5836c68e1029f950
SHA512 2f8fee565c7e6250efd3c5dd0e6d8ee1450bcf76d151e9af4db4568f588c9b395c45f8b6af3942050a4d5c36b7c7c87290e7673a6ad95c619cfdd722da438f93

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 a7d119f68af551aa920cd7da4757bb04
SHA1 5d15c9c30bf254cfe963f1f03bcfb5e47769bcb3
SHA256 4dc20cc769f85d5ef60e6660da2fbfa418178ddb37ee7c632df9c7cd74bc9b18
SHA512 2f290157425549aa2b0aa329fd03157231037bc5458991660e03ac141ba55888af17a4781dc7f330cb67db612c73c55800ab2613cc750849a7362fc818050115

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 a9f2dd07f3b004e2ad62cc36e9beb4c5
SHA1 27fc17c312e21af590927ffe1b219eb22704418d
SHA256 627588aefb1392fe5051ba0e54e8a8a6234aef0953614cf6d4ba7d7ab3ea0eea
SHA512 c50d7366fb17f70be7d1638e16ddf1e0ca9ae09a8be8fd3a5c3c177197528343591c99692b978c84b371c1d23686a237a931018f192b6655b1e3a6a004fdc03e

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 73fdec3d26943af116ebf217bca7b4ce
SHA1 966f854a24c9e34f6e9c4df285e9b6245cb850da
SHA256 a75dc47631cff504460c9f0e97f984688bea2202ba59f7cc22ff71789e3d195e
SHA512 48b766aa1f2889420d809c1fd55dd991b26db06d0e76d9db05a10506b7e048c265fc2ebd4a5739c6f95211a5c3b0ceb46d88bf2e5280ce3fd55a817d36a0a8e0

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 17cef6f2ec247a67ebaaa42c40d40cf7
SHA1 22417d7f0985404003f10dc8d3dc2025ea4dee28
SHA256 a8ea9237f3231e1bdf43a1e2dcd962f91980597f847caef410974aded920d37b
SHA512 fe432d191eafaa694f5949e28edfc8355556d637c05191491bff4acbc0e0b232a2bbbb836eb2727b8061e9c6069a23040bb8de247b937dd4c515314cd58d27e0

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 444a2153eba02b75859cff5fbfc09ade
SHA1 45e8e623d14b55eb3f0e1f0664432a0befa9af7d
SHA256 a70852ef1a510e1cd03cabb86848221ce473108a8a040f30a856a294e8c7b939
SHA512 56b19d4f2f13a0545283cfed14867d08e7cdba75c3ba425a1d1dc8fa3bfc36e9251f20ac86fc57e925903cf50efa0d24906591baeeff7f828c77268e4952a911

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 11bb5e82d89e058f5074925956bf94b0
SHA1 ef3e12b08665357e33c533fdf2848505f175aaa4
SHA256 158b8474d4f4080991a024548dc953749814bd3c616ec08a03b7e0528edf13c9
SHA512 af305d0294514649d8434d63a21826cc403705deb2993d26e1f01a14662e91a6b0c3cc40392765575f1962f6e19f8d9e2ef479934264f9b34496685a18893c98

C:\Users\Admin\AppData\Local\Temp\JgAS.exe

MD5 1c5dbae41c4de3e418f3c15541b8e5dc
SHA1 0694ed6f5fbca77b0d4df63936dce59019f4623c
SHA256 bac2ea6c5326e00d7212c1dfd4320418583e80466a736c13d4c838f5d9dda529
SHA512 ca3f51b2c25a7eacba56f146cfa89c0b339569d6b6b7fee9b146d0e4f2a247cc13d557736b005c4ded90459c874ca40b49b3fa63420772cfafaa71727f87466c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 4f476a2ddffd8d8c76cb041b6c0dba6f
SHA1 a471d3118a3c31e6cd80c68d5723613cf768aa7e
SHA256 3b7b2018d9e3e3dfcce2f52d87d8b418afa1ad087661c6eeb548e22e1461c43d
SHA512 fd8a0205d246b4d06ae3f96085ba96c2174d302fb57dee6ca26d4e6ac9668631443dc4e131eddb9527576b800ea832573872efdcec24d3a50bfee7bd7311adbe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 695bf592731461bbebca4086a5aedcdb
SHA1 4ce12913cb737098cd6845e4af26e82e7f8fee95
SHA256 01665bdb5ea75bac1a00bca1f82eb4c63750cf961844e03686c5bd1a27250903
SHA512 a0512b3fba1199f6b024f87adabebdb6b15e0585bb3839d48b83be8510bb3cfcece75d8750300d7030a0e7fc391cf872e12acae85b6e3128831fd5aab46dc173

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 a8d1c78a548ae5f051394354c00d855d
SHA1 75f19dab5b5dcc7070c7c0a9685f6cfb3c194de6
SHA256 297f7bd7ccf16c2e0873ff9cb64214952a355cdb54eac530b86c0ceedf73ed3a
SHA512 5e41ed8314393635c8bba026e2cec49e0fc03e12fbafb6e81637518d4a741ba30b7dfcc60e0b7d52067a0df1fc45ea544afeef66864591e798b184b17165875e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 05accb32363b40334cff08e4ea111a6c
SHA1 a29760985d402ae814d1d0394d42b2aa2fe3c9ca
SHA256 e4801e70fe156c07e624bb616143b87b0791cc31954272c9dcba28298daae5e9
SHA512 627114f69d5668018f34b22304d8431b8dd39c9bbc2977651511db71aded6729c38b513e040b9f58d9cb3bf7656cb2734e7d10b50c0bcd114aeef37c4e620dbc

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 8c36d4af1eec53f56ac5fda5c4328f25
SHA1 6460739ef76418e3f6ebb549f5cf129f13ba1b3f
SHA256 4554fc9344e0da6fff75d56b7c98885a2d7727056cec0807ef4e0660992cfd0a
SHA512 303c2e0d132282aab8d41b78b218b04d4882e4aa7aa4853bc0d79757a408172c6ce8d8a72a209f31b82872213f70b148e5a416e8581bce0df31491af3dc1e8a0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 77cdbc9fbd1fe50d4f0d989bda50cbc4
SHA1 6d955a4a25a00020d583f830a65627ecf0c1e7ff
SHA256 b45cf1dbb6033919bfc8e2b97dffe9c7b796946da1774ed3e95acd6634e95b97
SHA512 7b4e9b27bbd8ba4d5358d2ca41ffb43d411eb12828ec89d5b5e10156908e66c129aea6ad89a7751564e6df7adb74f2c06a7a9781e85474976ccfc2b99d01135a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 7bc8e7caab0dc5fca83c5b70f54d61aa
SHA1 9f1a492c55297f74092ffc56ed32e59f1cc6ff06
SHA256 dc42e4ea47d8d5dba55de1263339c0c2940b1a1bb48be6ccc1f5cf13c492d3a2
SHA512 2983365c0695ac35f161a8cc4bb08fbf87014d53afb845e9302629a9e7bf401778ff5148a1e6231218bf7d263f7bb151e9fb929cc6cb39aeb640f0da2b66f956

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 438ed73b549517ec0a697018aa3dd4a3
SHA1 443b967037306a5c9b77228f200bc0a3f770864d
SHA256 db233e91840055a24f59f913bfef385089b687dc13c0bad6bb946d065186b686
SHA512 b7afa0f38c4139f61dec9104dc425bcd07abb4d0bafff9f18d92a460d61f764b77f39d32ce3897522057b0bd3987d02082ec4755fe84ad9e2cbe726b33b77b10

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 650f3fcdcb9ac92a262f3299874359fb
SHA1 936ee17a76a4efe9e2234d8c38a9c8f55d6d6bf1
SHA256 0f4a3e43eba97e74b2ad4da515c7a808406b18920d6d30159dce807a6bfd5012
SHA512 1d231e7a95ca38e41fa74ff0dae964612b346e59122d4a0fd4570afe81cd07abdc79a6126a880efacf839a8d8933bb96d00a3bf4100fbd5b6ce17941ab299c67

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 8c2614065d2ee4cab483584939ccfdae
SHA1 d1705436644a423678ffeded1f3a011c4d0cf2ab
SHA256 6613be18f4cc2ecc62d86ca3903c2a4f0c0e70f164b7accd26b99afaa09945a8
SHA512 ab3220324ac99093df21a4f4ccae403a6c42d7c35e0780bb82e105cd4cb52d8bcac9625443b3eb918badfd5f16794816b225a4d5a954f23ffc4a446843f43ec2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 12ae32c0f47b2657123ba532ca16ab52
SHA1 5035c808fd7422c7d740d431c211ef01fad2f5fb
SHA256 31c432cad10830117efa80bbfa4df92749bc829baa5c6a580226f7e02917f951
SHA512 42e3bd84ee1f1702e718cf286d62303e7b5f9329e7937bea9ac93d394cfc5a9b7ffd2c78c7175aa783a6e5fab2e7733b92ea9ffecbdd535b1815d5530cad0a3d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 518be2beb9c581c44fbe1f699d7ed86a
SHA1 99d4d4d51f588a10b0fcf4d45ce3f9172541a954
SHA256 4e734e17b6c8d011bab1d1d02083248e3a5b41a541a72a8e39ab927bff4ee7ba
SHA512 a28cbc8b66fa3f86256c01af59c2d1a8f2a93f65bbdeaa640bcaa66ced15cf2e6e3abc84d991209227c817edafc1698e67299550804336a5eb8d880871e2d25f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 ae2fbed8001f98d0571accf58104b26e
SHA1 021b4b0444d8a319e7cf9ca8f8c4d2418eb38737
SHA256 0456c20356d29af82a0d985aa8ab949b7a61d37c31c0645665cccc77f3032941
SHA512 e942a2f08ea1254ba96baa6aa9de13e13952ae2e2269b66604dd86b7adadc96f02400a6b103d5fd452fc1e44371d00289cb3b040d0ea8405339088e063267536

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 8223263f8cd6e73f6d3691ebf7896545
SHA1 6e62b8f8f0820c83ca4813ac3b28560f30ce80b0
SHA256 570fdbc66ad27771476959278f963d0bf6f357b51f61b19148cd4a9d3f91e0d1
SHA512 b98fdd77848886ead2d3c2d3f5558b16a10b246513b260b4cb8208b3b5a965540c02c7a8be0da9bf4ac1bdd460d473070d4d3beb40f904294797b8686ba5d319

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 2cf265c757a0a434831393af3e526bb0
SHA1 6375248c1cb4336e571a89c6f462475ad7e6d71e
SHA256 3abcbd5acc7cd9ed4b0a19343d597c925c001f6b2ddd317e0d45ad30cd5f35cf
SHA512 2b88116c599935329d75b47af08315ba954b2bf23022839efac669cb9d6d8ba9cf071c00b843e579fe2f030397707a38224941afc6d4f7c24f7110c3e126a31e

C:\Users\Admin\AppData\Local\Temp\EocW.exe

MD5 de47afb87a00fa56ab03ae93d98582a5
SHA1 d97d9c0031b840c213b5a461f75005f2fae330d2
SHA256 78ca1939de14bb383f64c43b42ff54452751de538be3037cef7df88d9532f5be
SHA512 25dcea105cf6e18c7aadca84d674d499716bdfef2b110b636e2d81561588a87e4a525b26a0f5eb1db6bfcfa6548a9e540956713e5afc43bc2b75b53c368b3bbe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 e27114ce2b5e687f0011b218cc597e60
SHA1 1d3c31f86f79c99610041e718e8ceccf16537e95
SHA256 9d7575b345869d6fc9135dc28e565e2642070e1b1d12a723d07493fe770ee6bc
SHA512 a5650686d024d7b00c0614f2b9a386a0627c32b422d3647e2f06fa3b4f058ee1bbca8dfd596c504d2bfe2019c686ec4c48032e425804bcc1aac4c38cc4a242f6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 f2d868593bd9d138c7f81a669d1abf48
SHA1 dc3b97a8a8ff9fb8d958e5dd4a98be7c43857618
SHA256 11235a0aa34766f9ededb01b177f491371ff48a04a33a9c04192c4160d90cef1
SHA512 7ab86c3ad71fe834c888e0f414e48fda6f619ce304c5c3413cc2051dda471239e7eb2ffbec0d59a65739dc58db57f37bbb76c7d54a023ec8b0d6ab76083c96b0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 3a5d76115ed1aa273a514e9bc91b561c
SHA1 fd52410bda04c33bec3e513c983bf101812faa5a
SHA256 39b1605f59453de3864a70dfeaf7f67ae00f3b28fc71f89062b6090356ae6377
SHA512 a74a23c6652264a909218e0c9f9851e6e00e61116fd891aa763205cabe9916caf7425851167910506c0192f01e93f1bb26f6adb2bde3c1b9fb217cec7cd238c9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 4b24125ce11925835a6ab70e4bac3d2d
SHA1 7e34ff460817cea5e97ffc46c7c5060735dafe9f
SHA256 24ef015fbc5e5b221b5fac129741d82a4924b6b6f886570552350889117edc26
SHA512 854496678d069a8f30d177a0c767bb7fd46ba74a461edef0963be9b8c20db817033ec3b3178e1a0450f095eef2e51e8bf945872b62ad3e4adf3dac60b090299b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 db765c59f2e6af53ca7549dd99443e5b
SHA1 0c1e39a285a8568aa454fd76930ddeba299189c3
SHA256 e84021c04ce3683ec983084eb861d3b4290072e3b5ea9096cbe2afabc21033d2
SHA512 20d30873e78812b1897db725ba5ea30e558d76dccf36b9596a785b7d4ca382c1e13263e523bdb0f97471cb3425074c0dd79c75b218511b7c420e951af3c77e80

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 af5f6a186e3795b39d95dd34e232bbfc
SHA1 1483ce1d06516d69b4645b0608f7e8a1c78a21b8
SHA256 6c83ed7d0dcee941962d0f91a2e9c4635081befe897b2b97f2be03071b7ffba2
SHA512 91892c0b99f6a4df975120ac201bf53cb26914a147b7073b851983b01ede9e255b6f03c88ddf8853dd81051643b91ca6abab588c07ea44d68a106d17136f722f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 55ac84c4ec53fa1ab1fe5bd288aee61a
SHA1 13ed7beab12edb246d97298d95af1ac9527733d3
SHA256 cafbb7ee662f0a45cd98a99b05028bc5b86b666bb794971866716291612db94f
SHA512 3ae2210161f3a0801544c41e6745fac92b4a38ede00e77a2a85596c4c050d95394cfe2734aff41fc0a8b9b4ce972f1ee3c9f578158efdeeeac60f6cb0a8c6bae

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 5a7265c26ec660c259dcbe0785b62525
SHA1 1ab64727b3bb5d4c55bff1a08bfc7f1ab00b5a51
SHA256 49ac31d695a238fd8ca6b1bb17a72b438c7aff89beeb5ca426489116b0cb0ada
SHA512 7f8be37e2a63012ed28c1de1ce7f94c8163559ba426d7bb298808b29121e9e2410fe385263ab4361b875f09b7b83d4c36398591a520e7630baa96ae6d87d00f6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 8e7abb4c1b6bb89d213992880e3817b2
SHA1 7388440a3f42f72423427d3e9bb097c4e817d1a8
SHA256 7ba2318bdb8ec5f5750d5ef9b550f103819e1e6472d84a3856d5546a4cc14fdb
SHA512 e71db031e92e8791b8857b601d6cc7160c2d12a5d83ea9bec149e8dd4b78dbd1c355f4bd54831316891075359aff4314472d8a69e9da6b45b83e141d9384cfbd

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 e000dd1418e6c132ea24824059b0f3a2
SHA1 549c69dff5562f29b7a782568199ae0add2612fc
SHA256 b251c633475f34775bd5786b6ec2d9313da374fe856f5e88ba3d346c51ca11d7
SHA512 f2249471a33b3d3a1448e7251b459464b33023b4d9f62d3894eff489afc0ebda2529d0fa6eff5268ef2325e0492183220dcc5d5e16ca52b605cc89fa02c121cd

C:\Users\Admin\AppData\Local\Temp\ogUO.exe

MD5 49b6856f2eee58ba9087f5d1859defdf
SHA1 dcdba4e25e40ee05edd5330987f3f2a52fff6699
SHA256 08955206f9c202c91c20ab5741b4bdde3e76626edf1764b8f425dc717ee5b7eb
SHA512 64b0915416dde052bf15f6cd4955305661e9f6aea67dab3175392225d9ad37615f7c4017b34af18eb97cd0de50ea04dffb16b0e89f4505f6b9efa76ec03d6c3e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 d4095aa16ddba06ee8a73878ab0234b1
SHA1 4fd822aa14b6eb75017ee8a1927a8a13d1dcc7db
SHA256 a531ef34c02d146c768a389ece6fb1ff5b0b3ce4397488227125e1d4be4f0a9a
SHA512 77bff5ba406239e51ff34eca927dd4d934f29683c54fb873b1d0126d8a652f82b96583291f209669dd575d437637826d425b3e419f08ad8ac72a5eeb84a41532

C:\Users\Admin\AppData\Local\Temp\LYAK.exe

MD5 26a2660ccc8773ca0663ba3dc1286018
SHA1 365e6d2bed39a8243d2cd0f781d9768fce02d3b5
SHA256 f4d74bcea52bf0b02ae6d10760aac920b64886e70aa546e32999a6dff0b46c0f
SHA512 6e5c8704787b7a6b873b8eddb1eda30ec2b9ccf97f48f3249cab127fda95018b8cc46f3fd2846c0a544635036f275b3249dde2d732c1122b97546603c3c5e960

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 3e389d4827a2c96b75aea49c0e31aca5
SHA1 bcf62ce1fe2c29566ff9f7c2bbfa5d4462552645
SHA256 4752656aeb034bf372cc361a549b999a0d52ae7da513aa3a514ab75a49240dc2
SHA512 34e37b41c9b6ab916b141852bb85912fb65a11a043ebf156a86ba5e01c66237eb434a185c7dead5d3efb69e53d2e452fede80b31c2a070f6a57f1891813887cb

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 5d856b50d44e9b5ae1e9c573e0f519a9
SHA1 4aa7303f5694fca835937405690862cfb69b2a17
SHA256 7ba209f722f359adec074efa74da1e20f5ce741974ff958f546f79dcdbe60c9f
SHA512 c9fe519637cc783569ad52a2e6b00cd12c6131e4984e343cb95589c3788ae412c1dc3726b229541d7e0573ef4c6658f6a7a8bec5ceb91838e5b2c91c7c822c01

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 cac7de3e9fe1ff833c652e5a069535f8
SHA1 99f1305e92ac60067a688c85cd3b3f37276e253f
SHA256 ec861c8ecf80d6b075704fb3012acd5efa6931723e2f61761f54c35b75514a68
SHA512 db17cd899701a71d15280d5aa5020b6f582e115e95beb5c40500ba18fca14fc834098b683c0039c1c712489e2b55746bb436f6b038cf5c33f85fa678f7c2e4d3

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 983aa6be05be6d59d7e80c58413dec04
SHA1 5479161ab87ef6381af64fa38f0289aaafbb0b3f
SHA256 cb83fe08caa41e8878dd3b9096a0958b9545f7c66b335c783e562fca1a657821
SHA512 38176341860f9e48fb19eab7fa84d92b62081117dae83cb85f3206dc581a28add1480fbd0c9a0f6a37662aff947e0b34f18291a3755be967b0a8281bec04fd31

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 c9104d550b51a294ec7e8ac6d48786ed
SHA1 966d8886a68c792b4afcc1faaf489bad5b34f40f
SHA256 80a06628468a318b0e14a73c87d5ac7a4ac91b917ded883a722579f4658c98e6
SHA512 cf7c236f5d340dee6f46c5bf2ae255fa7eb5b06cbab540d117a9a1a67f0b434c704c5c840cc04ef678b9543b7912aadd35ce24a80c2dc20bf69da73fb86f7b2c

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 284d669c090c0cc8b9eff61e531930fd
SHA1 716a9a4cb14538f76a9fd348e1f9844523120893
SHA256 89aba6352ef8cdcb7625c19e059d3e75913253aef9b66af75bbeae37e0de5ac7
SHA512 5a69bd39800069c425d9a1ca2ec58a0709c8f462086663ff73fa7ef887a05efa2c07538a588bc1b3785c27746f2a330ab91dda6f46263a6948e566b93046639b

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 8acb36978db5f9271348c3de62953c7b
SHA1 b6127ca7febfa7bdf6c0a4a9437091b39314b764
SHA256 0fef15f1f2d1e8759afc6470dbfaa990134f2825b1d8848be35ce23fe0238e3f
SHA512 5ad1b2b9142a54bd6648aef193e8d2a7ac42a4bd84e0c941e0aa6164573ce40ada261358832feb5cc6b40120f4cd20d1920a96760ec4ec5c55835d699b2a939c

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 43d85b3b17398fd4fecd7275d2ef4e0b
SHA1 ace10d4a43ae81a38bb582eeb2a7026c0c34d2bb
SHA256 7dcef6621b8b536d4d34472497e92ffaf7c2f9d04d2b6db872ed608d2de02b17
SHA512 9271a3cfcdcbdc52b9927b9a2f98b8f4536c419d0469f82781630157df207ab41176cf749a6753d691619dd2422ee09c5d79379b3666f6a46557f221ef5a49e8

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 aa9b5d4d481d5c9152e9053ecdfa37b4
SHA1 7b96051b372dcf95b42892830225d4c47c75f634
SHA256 2866a70cb96de3db8b5d449303f5f2e5a6ec62470b01b2719e7425bc89881054
SHA512 7a6f9e0cda7aeef6657d27626fdf9f4d92d8b3c14d6d2c5fe789f261f9e8eaa289f11f142e135ed33b15f3d0a71bd455998d1a8e78c68bd20b05db7f6b3684ca

C:\Users\Admin\AppData\Local\Temp\osEA.exe

MD5 707a89bcf4f5de5001dc1b2d3807e12f
SHA1 7ce1e49697b64d5164b5238c3a328a26fd63cf58
SHA256 e244ce110010534d03b4ec2092dea7ad3a45d63d16b86ba4330b4f4e35655f3c
SHA512 ebe16a21472f371522f1618b618beeb8939e4fb12dc03bad6d0cd08b450029e0e4c1460399e6c53d2109cd0511862d1d94cfba43cd10515722fa63bce3c1deba

C:\Users\Admin\AppData\Local\Temp\KUcs.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\EQQY.exe

MD5 8033690659461eee542786927595ba8e
SHA1 99f10d5f724060e132839705d1bc43e8bd6e67ae
SHA256 3f70a1ed981b4d63e44f6fce0ed64429c543a0e1b276237612ebe9a25fb93270
SHA512 406f82c93cc03a9d0c5c9f6ed9e1d3189cc26e089b100a96fb87bd49736afc2cd1d11b28f2d8e48c31e95ca5231d955947e927bdcd990af78667f4f88cb483c7

C:\Users\Admin\AppData\Local\Temp\IEgM.exe

MD5 d97d81dde277a09997df2c781abb4c7d
SHA1 6d5a61cb4a484659382fd6f8671df05d88176720
SHA256 f4ffa48f8e4f7ce40af2f54bd855fd186a60c821134c54369117353bd3a35316
SHA512 0f673db9f779e9e1a03cfb054fe6ca972402b524f3dd3958b0f7357a2a15bb7a63bdc34b59a402248089fc8eacb8f51e424253ea34c9388cc2f2796fc3670b2c

C:\Users\Admin\AppData\Local\Temp\gIUi.exe

MD5 187ec61a9dbefcb47cf5b21c05b21994
SHA1 d11abdd3febe9d6a1496ae7dd8d42fb77fc4b9f6
SHA256 3d341387e6d0aa6e7e648bba47ebca41a5ec4ea5a5371d7fedb8426b820d9f4e
SHA512 e8b188b39410798091553534d782e3f27208ba9dff5a9a4e112294c1246d58ab0bb11d6fea85a152c4dc6a7c7e0c9ea29d036e2fc37833b14a2905065ceed3b2

C:\Users\Admin\AppData\Local\Temp\CoUs.exe

MD5 3b6b05d4f16c0d70d7c11041154d4561
SHA1 ab63773069fc245b7a58abd0b2ea615d5da0ad57
SHA256 e01dad3e873b7631a81cf703041a809705bcda3d511f96406a708998d5674e99
SHA512 ce7d580b05900ace25c81afdf9b3b1b64b2305964a27f3a71881e02cb5b071a72efc990dc83d8b3d5bbb576451628bb0e6f27f52b545f778b35012f782b31740

C:\Users\Admin\AppData\Local\Temp\BwYG.exe

MD5 04286a046eb150c4df8bbc3a983e1a22
SHA1 69f5dc265a65531d6a8d5119358bb7929622f1eb
SHA256 c7223672bba64e7de5c6e728682a97d505ebf1282e8071a955fba28e7ea3760a
SHA512 e6efe2fe4c425ac05b2201444d9b035f32e7a0c3738ed7266cc2ec18bebab6a7ec1a68f3c88f68969e35acaf691a9860bb75004d918949ce5ff157ea14956698

C:\Users\Admin\AppData\Local\Temp\GAku.exe

MD5 91eca85a180dd4cfdfcd21711b5e01c5
SHA1 7ab1109b474c6d0f6017338b7dad482b907e2963
SHA256 4488358978ce92e155a469de00ac1703d3654fa5704f0be5814177a382c921b4
SHA512 69ab504508fae335f0309094ee87933830806821c56edad4b009d1ab14df6ad534e34b90d6f69948fadc72de39f156d19952e097daaeefea9e1782d50bd57aff

C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.exe

MD5 2d08c94f0abbe85d60044026e8af1598
SHA1 01108700e9a3bd8be27cb6c203018be434844ee8
SHA256 7245f96f80e9effadf8575f7424c685a6845d1c0cda2706fd8e9da3f83f5a0bb
SHA512 fc01f3f1ec047d2b75871719087d33e1f3aeaca25e9b6c111c6d8705346ea389509ac5087154bc5bac6a0275997dffdd590ac14a73db55383f61613481288815

C:\Users\Admin\AppData\Local\Temp\kAIS.exe

MD5 51829238e1bf1b3366ac465c3443144d
SHA1 2ae85259bca2b19ad5d63d08cec1abd3c6f52f18
SHA256 e2d65bfdaa950293d2b11d9ced1e9bc2f77f03b4c46c7683d3c9ed1e254788a2
SHA512 4d043c39cca13b9f83f501b2e744987fa9ca8e7fda9ddcbf0cd2f9e54d9ba76763d44cd561bf63f219ff5372ad34e503e73dc71f9710b0b0d1b667768d483366

C:\Users\Admin\AppData\Local\Temp\TYkI.exe

MD5 550d8a7cc9afba5f725e4d1b3f243518
SHA1 6c4fd0e6ff273b2d040ee333c1e074a9735da823
SHA256 d8e1782b55a95c5b0f8e54950038dde2dbc82044daf9f824104fdb42519695b5
SHA512 31d5f548d46fc63fee9ade79da6f97e90649f8c2d55f5daf98826ba1c06a69d1e16959789caed93dcb014dc00eaa6649740cedfa5c4c9d69344dc7c5cf938f95

C:\Users\Admin\AppData\Local\Temp\jkAQ.exe

MD5 5da122d918d122e9fe26692cc011d1c7
SHA1 64d7f15da73ebc1640bf3cc936c17a2aafea04ac
SHA256 c0549e773db4735e325919bd970e5005db173645f0ea11a1d5153d755bf3aac3
SHA512 0ab00527cd1084efa4c844cd7779d1afe7714a061f1aa26bf21e709930bd6228f581f8a01964f1306eb2dd7ef201f14831e0303d78d70eac231b68d90b5de104

memory/2604-2597-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2544-2602-0x0000000000400000-0x000000000042F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 11:40

Reported

2024-04-03 11:42

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (87) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\ProgramData\pCAwYssQ\uUkkwkgY.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ToIkAQoI.exe = "C:\\Users\\Admin\\fwIIgsko\\ToIkAQoI.exe" C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uUkkwkgY.exe = "C:\\ProgramData\\pCAwYssQ\\uUkkwkgY.exe" C:\ProgramData\pCAwYssQ\uUkkwkgY.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ToIkAQoI.exe = "C:\\Users\\Admin\\fwIIgsko\\ToIkAQoI.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uUkkwkgY.exe = "C:\\ProgramData\\pCAwYssQ\\uUkkwkgY.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A
N/A N/A C:\Users\Admin\fwIIgsko\ToIkAQoI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Users\Admin\fwIIgsko\ToIkAQoI.exe
PID 2200 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Users\Admin\fwIIgsko\ToIkAQoI.exe
PID 2200 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Users\Admin\fwIIgsko\ToIkAQoI.exe
PID 2200 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\ProgramData\pCAwYssQ\uUkkwkgY.exe
PID 2200 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\ProgramData\pCAwYssQ\uUkkwkgY.exe
PID 2200 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\ProgramData\pCAwYssQ\uUkkwkgY.exe
PID 2200 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2200 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2200 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2200 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2200 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2200 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2200 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2200 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2200 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2200 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4460 wrote to memory of 3868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
PID 4460 wrote to memory of 3868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
PID 4460 wrote to memory of 3868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
PID 2252 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2252 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2252 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3868 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3868 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3868 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
PID 2696 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
PID 2696 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
PID 3868 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3868 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3868 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3868 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3868 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3868 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3868 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3868 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3868 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3868 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3868 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3868 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4832 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4832 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4832 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3484 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3484 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3484 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
PID 2380 wrote to memory of 228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
PID 2380 wrote to memory of 228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
PID 3484 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3484 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3484 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3484 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3484 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3484 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3484 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3484 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3484 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3484 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe"

C:\Users\Admin\fwIIgsko\ToIkAQoI.exe

"C:\Users\Admin\fwIIgsko\ToIkAQoI.exe"

C:\ProgramData\pCAwYssQ\uUkkwkgY.exe

"C:\ProgramData\pCAwYssQ\uUkkwkgY.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWsgwIsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIMswUAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\towcIYIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skYEIwkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKQYooog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csoMwoEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VowEwkYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqMgkYwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCMgcEUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwIcIokU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmEkMQgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWsscwkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAYgAcIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CMIIMQko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkIkgMcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIMEwwwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heIEIcUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQoEAskc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IagggMgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eyskQoEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmoUgYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SukcAgoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCkIMIkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCgUsQMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAcwYosI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKYMQEwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CcAoQgcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MyEgcIEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\doAEkogE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqwcIcQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JewMYEMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\doUAQAQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkUAYYoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiEwEEkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGwsIYkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUAcYAwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcsEsUko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIIsgEYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DagQwMYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkEEccog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQcQkcwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOwMEsoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEgYoUYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwwsooEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NckEwMUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqoUYIIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUkoMIgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUwgogYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\usQEggcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eagkgEcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEooIQQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGsMAkos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWoAQQIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buYckgsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eysEkgQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amwoYsMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kWUIMkcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwEgkIcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEMcQEoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fosUgwIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsQckQgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOgowQQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAAUEgkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkcYoUok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqgcEAYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOowwcos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYwQYsYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKIoEsoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgMsUgkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMsQEEQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYYMEMYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qoYkkIcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqIcEccw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOUgUswg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsEQEgIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCsUsYAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgkYQwos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwAEooAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REUQYoYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZscUQUMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xawcgIMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xegIUcgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imckcMwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWswMAow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKIMwYAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omgkkgAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGswIAkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fMUUIUEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSYwMwsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIoEgEgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okIwowko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCQkUEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWMQoQQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUwswEUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKsQQgwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgIAcIEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOQAAYAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKQAUAoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuIocEog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAIkgIww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKAQcgQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkssocIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYIgIAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkYIQsEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUUEYwss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UcwAkscg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKYwMcIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcgwQUAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqgocosY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQMMYIQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIQIgMYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcMAoocw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIowEQYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGUIcIcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYkEIMII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyksMwsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGogAoAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMoEYcwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LmskAwIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XogoQckU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMkMsYoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EogQEkcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCEQkcUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAkcIkwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSAcYEcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSskkYEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BysMEQso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAoUEUEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwQMYQsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUwwoEEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCkEIQUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYMUQoQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIwQckIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMcswYcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAkEkIcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWIQckIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKAoIUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACkkMMQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOksYAkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eaMQAEAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe""

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
NL 216.58.208.110:80 google.com tcp
NL 216.58.208.110:80 google.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 110.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 202.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.66.18.2.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 216.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/2200-0-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\fwIIgsko\ToIkAQoI.exe

MD5 53bea68353d9bdf53a52e8232d09a68b
SHA1 92c345ac271b8647196b2327856852c563ad968a
SHA256 fb76903be755cdccfefaa650a461ec7bad164899df5a1fed0fc05008d406b3f8
SHA512 8b65e1b45b7b05e2aeed818202eca209396690ca97227054851d77fd3b4399ed2a19e2f40c4d43b8b8a6f474b06a09e0b1ea2291ede79eb0a795a5fb8720ea86

memory/4136-15-0x0000000000400000-0x000000000042E000-memory.dmp

C:\ProgramData\pCAwYssQ\uUkkwkgY.exe

MD5 2867c7c8d941058663630afec93ff0d4
SHA1 27e2335d0b08c2c6475239875053372ce48140c2
SHA256 756f63bce3f424859fb2a63ef1626044b024d09ae42b2cb6e020eff19528d394
SHA512 8c7871c7bd46d80a1f7e5a1a108ee5c9cd1a14e9f9103025e7288b29d62427e338888a0df261afe6e28bd5427aa3e30cf537d12a2520791fb1142ab0eb76fbc8

memory/624-9-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2200-19-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3868-20-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DWsgwIsk.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

MD5 8243501c8bec7c2fabcac8cb47d98048
SHA1 f03c28e2f966b10efdc0eafda6ed6d3ab14b7d43
SHA256 4f5230f4e5338c433953dfe6fc203f2cb1936ca7ad8a9d6aed0afb583a1639fd
SHA512 5de50003977c1b5c4f55132465d0a5589a32a00f388c6c57fbc9da42fcb7368578ebb6e9b541e2656dc07fb9c0a77cea75f990316be67ed5bffeed47385a5aa7

memory/3868-34-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3484-31-0x0000000000400000-0x0000000000436000-memory.dmp

memory/228-42-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3484-46-0x0000000000400000-0x0000000000436000-memory.dmp

memory/228-57-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3564-70-0x0000000000400000-0x0000000000436000-memory.dmp

memory/220-71-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4028-79-0x0000000000400000-0x0000000000436000-memory.dmp

memory/220-83-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3172-91-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4028-95-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3172-106-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2752-116-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4564-120-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2752-131-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1756-132-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1448-140-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1756-144-0x0000000000400000-0x0000000000436000-memory.dmp

memory/448-152-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1448-156-0x0000000000400000-0x0000000000436000-memory.dmp

memory/448-169-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1104-170-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1104-181-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3616-189-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5016-193-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3356-204-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3616-207-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3356-218-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4984-219-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2592-227-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4984-231-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4764-239-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2592-243-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\pCAwYssQ\uUkkwkgY.inf

MD5 aa109c23fe31bd643aa0d3fa2fb13244
SHA1 2c99d1c8e82cdcc24b84a59433a7d24ec914a349
SHA256 cd653a26f8747b94b774abaf7f3e7469a59db8523ca9a3dab0594edeab9683ed
SHA512 49a943fbb2c2fc6fd446b375e5e017bedf5fa9b9b21b107b5ce8feb98ae8172794605dc69f7ae338106042f8248574de571aded1537dff123bc36209e8265e6c

memory/4764-259-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2960-256-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2960-268-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2720-274-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2380-277-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2720-285-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4068-289-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4068-296-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2576-304-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2844-312-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1648-313-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1648-323-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1448-324-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2680-329-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1448-333-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2480-339-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2680-342-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1908-347-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2480-352-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1532-358-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1908-362-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1612-367-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1532-371-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3124-379-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1612-380-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3124-390-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3616-398-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1440-407-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1580-403-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1580-415-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4972-426-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2144-423-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2724-431-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2144-435-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2724-443-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3376-444-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3376-455-0x0000000000400000-0x0000000000436000-memory.dmp

memory/400-451-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2980-460-0x0000000000400000-0x0000000000436000-memory.dmp

memory/400-464-0x0000000000400000-0x0000000000436000-memory.dmp

memory/896-469-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2980-473-0x0000000000400000-0x0000000000436000-memory.dmp

memory/896-481-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3296-491-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4240-499-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3992-500-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5068-505-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4240-509-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2480-515-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5068-518-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1764-526-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2480-529-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1764-537-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2360-538-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2084-543-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2360-547-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1152-552-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2084-556-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1152-566-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5012-567-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5012-575-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3760-576-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2232-582-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3760-585-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1440-593-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2232-596-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1440-604-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4988-605-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4988-613-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4564-614-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4564-624-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4664-625-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3892-633-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4664-634-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3892-642-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4868-650-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kIEQ.exe

MD5 081b06b4c371e3fbbeb6935af61d373c
SHA1 e9f6253a10c78dceab7b1d2b69c5001e33432b18
SHA256 6c727157993c52dc3f886cbdb4c3255aa3983096a0cd52fd7c603d5d21a53656
SHA512 4694095fcd38ad8e78a5d0907bc8e61e96cf547ccf413e28d8691ebbeda7b7300d2903ddcc486bb27c41119661fa9526c9825f4e796f68fead011cfe6d85d054

memory/4872-673-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4560-676-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2328-681-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4872-685-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2752-690-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2328-695-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2752-705-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5048-700-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3124-712-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5048-717-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3124-726-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1784-727-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1784-736-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2952-747-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

MD5 a4ff1eed634c37ee87092a7ec3ccc075
SHA1 9894e4536366bec2fe334e2056e1ac2da5d93fd4
SHA256 57a54a07984f675247dfa9924f2608e7f544f3c76160fd94da3082bf4bda0372
SHA512 df514c768216e5be9cea1cdac482cf072853e292633e8e0df6c2618abb43f5d4b3d47891593d2e539e70acb3ae87cd9aafe90e2b436f88f0737a1128c9e25b41

C:\Users\Admin\AppData\Local\Temp\eccm.exe

MD5 70bbc790472f2c6dea33615c767d5b85
SHA1 8e4a4af66552a05cf42ab9251b95a30e16906be8
SHA256 3d5720833f5dd4bb39956952d4e0c6a0763279ffab9299bf9516e4591c57453f
SHA512 c57874956da7ac28cc811d4762ba3a5a8c003d426a817560cfe523bb7d84722349525c659c1db75ccfb61d8a61f66fb86b6eaccb864689f44363900699ac49f8

C:\Users\Admin\AppData\Local\Temp\OwYU.exe

MD5 9d14db2abf701c4a7119f43b2d4348bb
SHA1 358c102f44b46a94be59b911f5ee0b802029ba62
SHA256 01132dfc148e6d4cd71fd65ad8333be2940524eb0dd62b32735b10b30e0c3e89
SHA512 82e07f860ac94a3e3bc36fb6feb9cad07e5e96551f58be788c72d390fe44e0b6648780735b6bebb3aef0133ddec17acf50261c045fd8dfd303809d8acf6888a8

C:\Users\Admin\AppData\Local\Temp\GIEW.exe

MD5 64ad2219e3c0efc01f105d6e166d5e81
SHA1 24089019733aa68181d17a478bd8c8647a2f5ab9
SHA256 fefd525eee0af8dfe422da61a5c3a2f323580e0341a3b2d04a74f42baf6493fa
SHA512 faff539d8233783d022ea982ebf97298f711b3bd1217c245970f206101db8cbc492e75abab87293f1f7819fd1e77a22d9d89c36d3e10ae1b8e518019390660da

C:\Users\Admin\AppData\Local\Temp\OUwq.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\mEoy.exe

MD5 6d6b46af8dd7181d8b5bb87262ce9a64
SHA1 d2e9e03d7033a34373ecf46e5a7416e7dc47568a
SHA256 fd6581e15b74e2cedbfff795646b1fddec7079034a5a20f244a60e965e8836a7
SHA512 d87c93ff744e1947cde69f0b0673feda062d8e702b4544282a03b9ab9fce593c2f2fe8d35c0aaa938f318d4da42628d120de4784336d2570db7e074db02e4c96

C:\Users\Admin\AppData\Local\Temp\Usoc.exe

MD5 0c2053a393ceabd32dce39dd0d58d25d
SHA1 fc0f0cacd960a02f3561bc2dd6d0411c147070f5
SHA256 95d15d261f96510e013b244904ba86ec77d32f1ebed2db647d2efee227fb8e01
SHA512 7b9e38a48f36388f27dcf76435ce7ea9891297da66940a4cef4f1369429194f189840b8258d85c15fcae6ec9e9936e53ecad6c80989b44af5d2f8766728aa374

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 f7a549802d6ce7be1833e87f3fc52167
SHA1 cecf3dcbb7263aff66f53f058b5fce122f6bca38
SHA256 b5dc5104f2bd8cffd913ed793d9ad045e65eda8e6a9ddb0a9199763b9b3318f6
SHA512 1a46a25e67fa963d0113b53e080c90291f83287335dd02befb3ae39efc507ed38fc30c08efc1d7198bc4aa1a5ab749f06dacbdfaa79ad1c3ec6c1b730c6370e4

C:\Users\Admin\AppData\Local\Temp\wcUE.exe

MD5 cf815026e6301a2cfedd9106d1e81a9b
SHA1 57c1b6850ad14d9abd54fa7de33057934ec338f1
SHA256 e0c4b11214031e6162b39df0b2663b3e0c149a3d1fd3cebd6d980a1b982da607
SHA512 c914d54f3e29988e0932c0cff538e76d63fe57cadd1bb6f84fa7dce5956fb7f1212f1791b1caf8216e4cc23f6b600b9f31c2cf309a6f5a42f3b8637812f83246

C:\Users\Admin\AppData\Local\Temp\ookk.exe

MD5 b72f5f804c7eb9a3ae7cf6b102b572e2
SHA1 ace40989a728e72c71181ca70c1d19c693f2fca2
SHA256 e8b2d127dab30df9a6bb26a55efbf8eebbf4d05b10bf20fbe56029a636e5dc66
SHA512 9551b75db6d597bcad281b2a266ba0563a8e68974385679ab73cce5397fbc2bf30a38d15949e215dab2afb86b83cfd77303712eed2cbc2362b7d286fdadbfc0d

C:\Users\Admin\AppData\Local\Temp\YQEs.exe

MD5 890b61e5c25000c7b58d7ae1203ecc23
SHA1 5d485c955eeb1b3f45e549155315db4c63ab3f06
SHA256 ceef3c7bf2590b965f16b3bd1438da43145f450581ab317f30a30b55dd62c80f
SHA512 28106fae751a9b9ba949518e4e5240aa30b16b1bd30d7928a384686b65301647e4bf366a05325c475f9e439d424c727ff785cd83460548764de9843b3c406f7b

C:\Users\Admin\AppData\Local\Temp\QMQe.exe

MD5 0c8988545d55a30e76b10eb4a62565a0
SHA1 08e94e2d6a93d65a10c359ba7579a88f323ab87f
SHA256 0dad40cb794c91df2764180cfde883bbe5cab66269e51a88bdc241eaaed36d76
SHA512 1ce434a04d02248194fd3b600d2361d27284763f3ff596fbf97a9a56364ddfdb37f110fb8ddc1c1af2b2345cb275737c848a04d711906254fcd8cb3153aa396a

C:\Users\Admin\AppData\Local\Temp\kYwE.exe

MD5 87f07b4f2ebce8b1ec0f9ebdb21c8f70
SHA1 b910718ca8b6ce7478babc04fcdac993bb3d920d
SHA256 f3d35284f7850d082ffa17836776edc67b8c7642be35531a93c58f26cb20b5d3
SHA512 4282015e04180aa022907cbb882703c5a5ae9e0f8f2c95cc44f1b64aa4e5567c59221e9ac8294ee647e913b285c59cf8a7ce33f26119733cb5f54617d269800e

C:\Users\Admin\AppData\Local\Temp\oQEW.exe

MD5 b9b118c8b0adefcd5d101496d26591f9
SHA1 b7ef08c5c56c8ef68e3079e796e0094ea129d4bf
SHA256 1ea319725ccb16f82635dee584243263e1bd9ff6b0b54065abab06e5320b0f4b
SHA512 0d1346ea64464022b522f25df393709a7f5e4daab1ce550305b73aca42545ffe63ac3124aa762f9e9b2b04d95e125061d4512ebe903f0316bf3a5e7a3191ab35

C:\Users\Admin\AppData\Local\Temp\mUsS.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 3bd5a1b47b8be328b64e2edc255a92d0
SHA1 d338fa590139a39de0634d86a2cc523a5e06049c
SHA256 a004db5c9310fc8e3b6e42403a267d19144aaed4de8ffe8e3f85f0acd4039de5
SHA512 526e4c8089c64df04ed11683b5f62e08e95b1d1c8ff0cec25eb44f9f1588a3e557b995216bc49b18e19dd4180b4ab5e81159bcb1ae6dd31cb30bf34bb9cd9be2

C:\Users\Admin\AppData\Local\Temp\qAsk.exe

MD5 abd7f8c826e0f09413cf1764341efcbf
SHA1 92052b408343af7af1cc543a8bddb8f969fbb7cc
SHA256 5e417d4e520af0b372b834ec9d471065470edadf116f878d904777d468c4410a
SHA512 817dcca3557cdda8341ca9de6579c7ff4c21abce8e3ddc4c3150bc4d071fe049598e9d5684f44d65d04103c965afe0070aebd46d26d4bdfaca37f95069a131c7

C:\Users\Admin\AppData\Local\Temp\IQYQ.exe

MD5 883fb32afdfef1623174491bb93da61d
SHA1 5ac3d343f02099f1490a7a43f403f65be485057b
SHA256 44bff2cbe58babd9e7f7f17e9b11d61579277803cd9a05dfde57314b80e6cfc2
SHA512 12a0be3c68189b53bd83f7b60862c62e996ee37b5f850f1d08b24584c42434d444cd7a08417ed9ec0a6b2afc5d16be0de67d9d5e46ac9fe89332abd9ecb74660

C:\Users\Admin\AppData\Local\Temp\MAkK.exe

MD5 6a8a4636e6af29976e0b2798615e13b5
SHA1 31f38320141e6f7370573a59f935c5050907e83b
SHA256 63033bc56361c277a9f795e24ecf058831897e2a9340e100182d7de332079969
SHA512 bb80c13edd2cfab45dd4858a5e9a94ad85ec6f00324b17672a33d6ee6bcb183d9814f04592732fdd5c3b04549d4003f326fc27b4703c75b10f40fe74d3f19e31

C:\Users\Admin\AppData\Local\Temp\KwIy.exe

MD5 661d9dd0a815dfd9e09e8f7b2606c161
SHA1 6d3ac9775c272343f9d5950a80fa5f846b0d935e
SHA256 64ca941951053d10709d079f8aeb28c25349f3f4035c2759d86e131a7a389e21
SHA512 7d3b07e11c8ec947923c79fcd9155794f800fa847ac3cf5620aa6dfda1bfb1e11efe962a722aa1d0efd417b2da837d65a2550b14374dea3c6fdf258432e9214d

C:\Users\Admin\AppData\Local\Temp\gAgU.exe

MD5 e5266ef4e7f6dea6dce230214e99104e
SHA1 87096df6244ccf9ac0db998a43b6a6bcef47fc30
SHA256 71e07fa7edf7a945daf876c725504df632c576062e413571a8a95e497c7e67d4
SHA512 c390892b664caa6fa1fa34e5ae91b71d2801af3a21af27d7b88d312715db6f009a3dd4422537959210b732b236a9914659ec9f1ad471211a3c80297b5b8d9695

C:\Users\Admin\AppData\Local\Temp\wwEY.exe

MD5 555120f595e9289970e0c325ef70a7de
SHA1 0aaad552d95568d1e1b1fe00f701eddbf8b8f707
SHA256 4ee8fecb71312c21742569e64b28996a4cb219525d1ec1d1f87a4c3ca5087ce2
SHA512 c7531f5c71fe8edd66709d9954a7e1e65ca8d82a7596e4f726c03d2482912369aef621133208126b169e58ed765e66e9d50d0d9633c71378bc6a22c6164b97c4

C:\Users\Admin\AppData\Local\Temp\YUsi.exe

MD5 ef5d18972414319db0e6aef141172a41
SHA1 894dc7e07e88fc402ea24ce50cfd4cf76da79653
SHA256 74ca4ff1d7bfdedd3ba0615cd6eaffe25581437eb550702e7e67e4a9b277652b
SHA512 d6eb144c3e68941599f86160ee731e25d54b4b487b74406ce59767850cba3084f5937095a514d95d52c2b9f646e3185803d1fb9a845b8d9f00ffac28c2387975

C:\Users\Admin\AppData\Local\Temp\QkIQ.exe

MD5 afd648d7c7ddcc46a895809927f86e9d
SHA1 cea766dc8c277eb77f69870238df22b0c60d8328
SHA256 7ae0bcb32c49fc4baa469e31097efd3999e28abd0dbd3e0a14a13addf35201b0
SHA512 eeffd78e66a2642366c09be0e7e47d136328f389facab72c87575eb0d464c19a1948b0cc9eea2feb3fd80cbfa652af44683419f95f618af7f1d5a828bd21ed1d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.exe

MD5 ae9cfcc09354bb874d4d1ec4788c2294
SHA1 abb3165b41969819311d68f077109ded61ef878f
SHA256 9bb5e66d641fd6eb7e9888d67f0c4a9108164bc71d5d1a3d294337ec01945b00
SHA512 727a147b38e7039d849ec591fb0433d81dd58d9a22c460c0c9ebb6ce5b833e9484fade2b1c9c9ceec4503e506b10e638e39434dd2beb043e036bb2c7ff8f634d

C:\Users\Admin\AppData\Local\Temp\iIMe.exe

MD5 bfbfd951be60bc640c5655e3dc5ce53a
SHA1 e72ce44d72f01526d1ff51262dd62f70b116d288
SHA256 2b701f2f43d36ad366bc9005682baf27eb795726b05747adc028966ae4d14bc8
SHA512 7c0f355970e4c849011ed352ebbfda4728b3f685b83fe26baac388fc1a9c966262d1898306d63db1712b3953edb8bb0ba635e4bfc89780af7fc8e671fc61f78a

C:\Users\Admin\AppData\Local\Temp\cIYk.exe

MD5 92ac5e7fa5c8daa3775ffe090a9d099b
SHA1 e80b8277aa1b7a577c205ca8f3a6414fb07721b5
SHA256 34aa81e932380f76776004ae06cf1ed9c4dcd23365f1fddfbbf4a4d305265799
SHA512 094e6afe59c1ef0ae926d5aca472e2886dee5cdc813c408bd3802a2f0910d206785b8edf746213eadb0ec24b388d82eba89a02c26100e97c031b6223a6ee1226

C:\Users\Admin\AppData\Local\Temp\wogE.exe

MD5 bc42756d8834960c7588904cd3142e4f
SHA1 282737aa3c785e88bab753923aab67fb2857fb1c
SHA256 9733c258d9e0d807be5b05e64c54aba7051bef64de4629af05d91db2d48f3602
SHA512 6f9e79be722c09c61d65f9077f88a1e12caa0764eb6aef07868f5ff6d6ec8db7f5cea6f33f5050e77f87a6ac0a64c6a608084c5c0f3329b75a361a19b76b6e6c

C:\Users\Admin\AppData\Local\Temp\QwQq.exe

MD5 4ee14ee3bbb952c06cc541629a8f5c0b
SHA1 1f8b3caf956f6ae27f93451d1613666ee8041f6c
SHA256 a49ec54919d6a4d6d96dda1bdb967fa9bf7fc45370f74d9e20781f1b57f19bd1
SHA512 1e9a6ab1b8f183a2bf70082d5f90b9ed9f1235292a4e2e0a23f63d76b8942316932784fdf06e8d15badad6404357a2c3b169d7d20c52c332925e6af6e1e78a30

C:\Users\Admin\AppData\Local\Temp\Ykcc.exe

MD5 42aad639da4480b44388e757796d270a
SHA1 1b6ed9b04f92ca93245226efbc7960307a8f979f
SHA256 1297debf79d3bd635f35d0f07d7748972b46359ff532184413585c10ec281b22
SHA512 13213a52cc11aa3041fa62adcd1219d3f59bd7cc81eb8aba08c5a09aea2a49a252a6067a5c460c3a1a5d71e85b3c2a4c347c0a174baf00ac565b5a20960f9e97

C:\Users\Admin\AppData\Local\Temp\uoEk.exe

MD5 b68ac0114e2b10b2ef27a9d11439ff40
SHA1 096c4ec6b3bb0cf88eabaeee280615679dd2dbe3
SHA256 3d3f38947514fb2c4edfaea6f80d8ae3619bcd0efb55a87777a2f0de8814660e
SHA512 cc243877f775e97475a1a7a58fed68e3468f20a6cf2f1e40477ffac58e32a8554d77d79999382e80bcc6bd5626ffacec1bd35df2ab8bd9185734a9b0423e330e

C:\Users\Admin\AppData\Local\Temp\oIEe.exe

MD5 4543649f1b127ead8862bcaf58989edd
SHA1 88e1264e36ce7d89385391a81cbed2508ed36c65
SHA256 01597e76a5491c10b65ae6610f121a7dc862974c40164e740a4750305673c3da
SHA512 4a3796ed962511d268b09d4184a55e95d1f9c0680233c24e8b051306689fbf93d5f479ad95ee44d17da2d36c495a3978cfd7889f83b0aac91f7f0f612c8a36a1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe

MD5 95266da1168357ece444ae9aca3df5c0
SHA1 b65820006529c767a63e2a861191137f5222f9a6
SHA256 7b931b7eaa43b6e16620dd7009796d2e70df23e96de23c89fc9b055ddc78c48a
SHA512 210c01eee9de9a75195c82b851618738db6dd0505d0aefd7e3eba87c77af0018dc26e2d682a05f7b77e23f089937bc799909bd30a722e1e0f60938db50edde53

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe

MD5 35bedec18ba1b628b2f70db5719d64c6
SHA1 8479fa1a49bc3988500b1de0df3b7819f5926d56
SHA256 5934fe02360e7080af085a6cf1b0e7b41e3f9d4bdb355b933f014b9fd8b1deda
SHA512 01e34de49f12a6d251ffa0e2354db16d90cf58c8cf0310e5fdb4758283eadfc39d3c8c8c6d66306d7d79ebe35f1dcbb106c55c4466ade78895d42a5445d65617

C:\Users\Admin\AppData\Local\Temp\GQwE.exe

MD5 7c83ca7a6fae9e8bb5679aa9d31c1970
SHA1 89fdc17bd94b19c698c22930bc192c5989231461
SHA256 c6eed9182b2a5f9d782abdcaa5e4e2ed27ef687cafdc45a7be4788c6c1ab3ab6
SHA512 890d06c779f22271fedd40667083da833b6bf2ee402bba2d2d4f8ee3b12af04c1e28ce4119e178ad6e287af90464651579d7a137aa7679501cc86ab648ff0825

C:\Users\Admin\AppData\Local\Temp\gIwc.exe

MD5 5ad7ffee3fe23a887dc78f3791df75b4
SHA1 33afd2ac7a8611e50e5e25d5cda9ea21e3ba6ab8
SHA256 ba3b90c09d8d5ed906b4e306e89eae0cecce2d4d52f5d18dd64c0896c6f46b0d
SHA512 496cc6b06f37cc0c9ca1dd6abe9d443e40c14eb5139e4c964d6e4482f7b30b2930d37bee6205b1844d4e7cf7f12232301eb5b3a1267fa962d54f884d606a7903

C:\Users\Admin\AppData\Local\Temp\wUYs.exe

MD5 502660b75edba9001dbebdfa014f2cb2
SHA1 85db62efdbbff781c706ce02eafb7b9f9eab61be
SHA256 54f92e9116cfb18fc8e83389876ce14d72206a5156a756ecb243210e5a8ea42e
SHA512 a314a13f346186519c6b34d35f69a7c7d607c7ce2b838527ceb51c92a3808f215201aa223e47c6fb4ba7f585d0f3686d74edf909742d2e907d98901d07b578bc

C:\Users\Admin\AppData\Local\Temp\QUQI.exe

MD5 7bc148e0ea571f7c4e382b841cd14ea5
SHA1 e780acb94bfc424156ff80b86427da7720dcd3ab
SHA256 04d9532c735a920352cb6b0b7b24935a1ddb6f4795367e7e339812ff53b251ba
SHA512 861db5f97315a32939cd1fad4484097028423f975a1280680719bff82dc5d812a2321c5aea1facdcdda17ab5597cefe73f94b3984fa3bc610ce01872658576ab

C:\Users\Admin\AppData\Local\Temp\aQIG.exe

MD5 7803fb21a3f34a33f2328927b0d9d137
SHA1 9ef3af308e13aaa5499449433c48ab574b21f5a6
SHA256 8eb17b08693f462c2ffcc778edab4e966a618328106bd3c8adf7c089f140c6e5
SHA512 c14f14045512f5b3f15b77dc5a71317162736b0d798333fd847e7a868306769bfbf9486ee489ac3d867f883969ce34998151617b29e62e50438aa6969b0ac56b

C:\Users\Admin\AppData\Local\Temp\AAIs.exe

MD5 e369502d7bdbbd8655ca143e9ec612ac
SHA1 f01279639642cc689baea868ddbf6884aa647ad4
SHA256 55881dcf9f70acfb5cd912a0bd36ee12c24dde52c36e863781696516ccc27cf6
SHA512 4f73128fd05d911ccd44d4ce373c821808b3ae5f5408ae95a8f0b0b614294a7ee4dece99a9cf25a848bd0735aa6bf91d7373d8331c05cb1b58f52c7aa0c33731

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe

MD5 37aa8c6ccc081a30f44f3afe70ae37ad
SHA1 1333d0cc9cb2a5b1ae6cea24f20a0ec925efde9b
SHA256 4e2bc8f1128ac1c8906aac2723127bb5b4fb8c00ef2654baf8fe6962533d0bbf
SHA512 86c625b03e6be9d293909dd692ab902dbad3b158e75e6768d55658f80c11144fe36f9f4097c35795a01d0f12d1710d78c24fd54a668cc69f7a2721658329d802

C:\Users\Admin\AppData\Local\Temp\oQEG.exe

MD5 e8eed9bec6063680092d2da571e06303
SHA1 ee537ae38b4dd5b0d1c1a3b2ea86070b61c3edd5
SHA256 a67a4599256af5d855ace63ddb5506c4f7168d876a56ecfe3888f7637bb1d7a2
SHA512 d05c5f3ab5c57b0845cae88dc21e904c7f50b65a42847195cf7f6b292481c5c89977cbf201388e65f36a1460ce1bea1fa7eb982adc431f4f05d2f5b204dc0cd1

C:\Users\Admin\AppData\Local\Temp\kwIk.exe

MD5 5594e9737d53df9ca5fa3f4fb5185ff4
SHA1 e4b80d74dca65b3e09cc3b09e9c2c7c3deee0507
SHA256 03f708d0d5a4be2438c39eea5a05f4137b1fecf710886088df6a436b4a265ca3
SHA512 2de88a4871273fec0a3414c108d7a8cf892b8eb039bbb91a8a408ff8a7e9a3836a903478f380b7da8b981494da6289feeea9e9d4c20f762139704bd2e4b8ad6c

C:\Users\Admin\AppData\Local\Temp\UsoE.exe

MD5 d4c3c57e79f9f272601834c0c167ea96
SHA1 cd2da0b85feaba7fc7567fd215a097f0eb18e86b
SHA256 26ed6079fc6f29bdbec57cb16c0fb8e8af6cb7b5666771bdad128e81d2d975f9
SHA512 ef755a3d8e214343a69f49b09a08a4f2b420b8f51eb18f5519d1993ddf77cbd57633ccf99d6580067fa9ea0ce3dd687cec5b2fafdc2c576de213d560d3102d5b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe

MD5 9fcdf26feccad50a82996d3c304886a1
SHA1 d32d48e53271d993a9464f34902b24ac93e75de9
SHA256 c10670be2c3639571f5f2fc787b80d643410de23c77f05931b17a8befe113c2c
SHA512 a91d84d668c4998aa7fba8f3ca2c79cf0c736c5ef7cfed61afe0dd533cca10c6fa51eed56f3ae9deb23ec206ece3a71a13d504de8bcc9714f87c2f60c23a74cc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe

MD5 c3b0917b15b332dd8b3c47f702daf7a6
SHA1 905a8a08d8b03397883b3ba66381849a8556ea9b
SHA256 4e815d9b546d9faa92b0c73364ce2af56731791d6c3d92615950dacd17182d3d
SHA512 c5fdbffa82824b270a70cfa354d35a76ddfda0aa9a30892c6ee4fc6c7dc836353140932b9f1560dbf83e2b500ace9dd46ae87ca29e472d4546217ca05c3582d4

C:\Users\Admin\AppData\Local\Temp\ukQa.exe

MD5 a753eada141b2a9ffa6f3ac033820ca2
SHA1 48361210ca20b7e53b5e899430e58113e2d03e03
SHA256 a105de0c8e6fd713efa6e7349651710642475043ce3061b2573ef7c3f1bbc1cc
SHA512 1f06da633809fc6f2d9ce491079598bdd84a9aebfe326a717a4b3851ec34242bc65ce27848b92ac7fb4e384837ce60d3bb89d5cfe15dc0cfb3d2dbde3e5b6c88

C:\Users\Admin\AppData\Local\Temp\gUkM.exe

MD5 c893118885bc48bf8e6358b29f4f6b0f
SHA1 6d00e58e067adf16e011b8ede6ba7371798189b2
SHA256 72914b2d54bbeeca0344b9d55c4e2e3a5b183ee801665c922ea262ae69d4c70d
SHA512 717ca024753aafb7779998946f267e397649725f21af068a53e7d779e06f3f08025afa207d9ffa467b4b406f02346238c3fa59b46984f790270c37540ce146a0

C:\Users\Admin\AppData\Local\Temp\ksIW.exe

MD5 3304746c803fcfe34454aaab0e1dd2fc
SHA1 50ca8485a9059d00cb669890917f85aab062216f
SHA256 f24fc6773b6b47bef8b83d11a5c6947cce21897c6ac0b58c8557064f558681d0
SHA512 f84dd7004058e0a71b411fdf397fc0645cd8a29962875962e97cab1f89dcbfacb41910ea3c72b80fd69a28c8e36b5104f4f2d8287d0dc337b7db48efcd976908

C:\Users\Admin\AppData\Local\Temp\wQkM.exe

MD5 cb29a1bd98d56e859d7e0cf9cb5d177d
SHA1 5bd860b53044b0a66a7451c00de5e1a687407efb
SHA256 4689f66176831203dbede6cd071f7f50210c26d0adfa60ccf839043ad8a29482
SHA512 eecc5f2069764ae416e648f03f5f5d774b7c74833ddb0ac7b141cc441f78465151198294fcd8cb6f87489b64668c42b51f8a636e273b511ea422880d7c45754c

C:\Users\Admin\AppData\Local\Temp\sYkc.exe

MD5 e159cf3169120bf08bfc320860047418
SHA1 20604537aa88aedc2fec9c7aa9ca7726a7d76cfd
SHA256 10b7f218b94398eafb610b394c1bf87d58084ff801c2097689f3b9529b16a4d8
SHA512 7b6fc4489b4be9083d1e842da42150cf9598ee9fe45d1dde595fc7307efc9c7d19e537230057ee4ee9f84826de7bdd4ebacb6a3153dbc92bed462498ce464c79

C:\Users\Admin\AppData\Local\Temp\qYky.exe

MD5 6185cec3f21738704f0e99945419140e
SHA1 8c3305f97ed093bc05fa71b543afc6c514121ed2
SHA256 7cebde024c3fc59878d4cb59daaad67098170df7d5fb305e061f1a9ee3069f92
SHA512 ee65ff068fb7ff3f431ac3a7d691ac65b94bb0d3a8da76e13ef04fa5821df46742c9e159f304179999994e35225d675e1ae168d52b09ce653fedbba460dd5d80

C:\Users\Admin\AppData\Local\Temp\WoUc.exe

MD5 b16bdc975fe4c6ce7533c91d7090c3f6
SHA1 4e9e0fd5f231dd7a9b55da9bed68352d17dd043d
SHA256 5286cbb91125907ba60cda2f9bac84916744a25ba0a743d4b9dedebc63419b04
SHA512 4df55571094e57c31bd402b12bc799c0708c2a205b178584d00b48a1b60bfcc63b8d91580c7a331f6712febbf49d0666b2401556fc047d91f4dba9b0a26420cf

C:\Users\Admin\AppData\Local\Temp\ygQg.exe

MD5 1d00901d5f5ceeb785a043cffdb188a4
SHA1 9c3b5cd31e33857abfabc6c91359477154f844f7
SHA256 305e8a83387e1eab86237b29ee6409d414f2e3db641fff008583fca0be959b16
SHA512 578fba07d45963114218d1d60646a64f3c878b4dbdbf3e437cb3dbed28697ae29c45ebee78b008bdd49cdce9e80ff7228e889bf38732e8695a898c34e544bc50

C:\Users\Admin\AppData\Local\Temp\IcYQ.exe

MD5 0d9712d91d2c3987eca32218968b160a
SHA1 0b74595b54b6c600ab655d01417ed9ae51b26bda
SHA256 26794c2cc17c317f4b0a8d71c118166dcf19ea84e7079f594d53e82ede362607
SHA512 8251823bc4b7c33de3b847cc5d3c08d9528920cfdd8896a067f9327b4428d5a2598e20ea2231dc05c53ea4ae612c7ec6230e1cf3318c71498291634b5807630a

C:\Users\Admin\AppData\Local\Temp\GIke.exe

MD5 158216efbeb9c98dd122003ec60ec5a1
SHA1 0f0444bf730e86f0503ea2e6985e04e205b00955
SHA256 ccb2b1dc73c986d381a56ed08b41f791d5bbe79cf9387a582d0bed60d24dfaa3
SHA512 b45cd076bfa8144d3da927d61dd3a38ec2b93040187a6a777dfa4cb3fe25944d272aa50a44f043fd92a814742cd4f8fe07ea90fd3ce5b0f564a8be0c59e45c9d

C:\Users\Admin\AppData\Local\Temp\oYYq.exe

MD5 7c29c9291f43f38e300a8439c359b9b5
SHA1 71aab885099e9abe14d2ab132e66135fd2222228
SHA256 bd9a5dbba4e4620316febb038f28abe6d61cb7766543b8395a375954d3e8270e
SHA512 42eb5ed2d3721e6d7c00eb4c052082523ae13d18e2dac930fb4a000d5e5656c59231819f9a0b1744bbd8fff46ae02e0b9bd65415a7ae1ea0ddce747467a34690

C:\Users\Admin\AppData\Local\Temp\gUIC.exe

MD5 1fcdd93cc6966496ce6c875d61d15d4a
SHA1 7fb046879a1c5bce7d1bdf31dc6a0dba95b11e1c
SHA256 e4b5a45fbaac5fa73e2b679b3838f30f1d2f9e7a619524449ffaee3a6366cb54
SHA512 5f4f6c2b2f894edc4684c34547e7103a2dbce9380a0152ac98beac983a3e3cbf12ee2915eb6c656dd4a3ce7dcd9bd7db2752abb6d01c1aefbd85ecd869c37db0

C:\Users\Admin\AppData\Local\Temp\CcUw.exe

MD5 a4ad7c1c78e1195ab1d687a33e82d1ad
SHA1 810b22793f1b12c9756423ab89c952bb1d972d2d
SHA256 ee1921d18ce9f68f9fe4a36d3a677a7002dd24eeef0284508fc9a6d6745a7dfd
SHA512 026c3a2f0d049100a339f3aa6e616479075606ea762b2ed47aee789a382bc389ac23cd0a0a153136571209eb8868a82c2ced430aac6eb6c4cc05d0285e666281

C:\Users\Admin\AppData\Local\Temp\GggW.exe

MD5 72fda1249f943680560110fc91df0749
SHA1 1f12d7354c929e9536103ba304198a912f7cd32b
SHA256 92ddd5a3e17168dfe22849a878a428d59b75fc268b102230f835485dc81a7dba
SHA512 7d591b80c7a6b30e5bfe93fc9f57491e6a7c64573a31d421e81358ca1a2c7270f344dfc005841a26fc2dfe6e85e2f56de818ca3a0548e7c7cf462e483f1ce322

C:\Users\Admin\AppData\Local\Temp\SIsU.exe

MD5 0e5c32f1560d9136d5f351c233aa1204
SHA1 70f8cc8caee592393f8dd41d748927342d8b0f73
SHA256 96576f8423a11b34cf39cab8b51b31d76537474dc5f8c68b18e5f68867e9c84f
SHA512 eebbfb230a1a406c8bcdac7de6420f6875e886f6ece3bd81cb62f5d3993726f822cb921204e0f2a8b83bfb91bf31eaaae122cb6d172d7bc722f129470e808bec

C:\Users\Admin\AppData\Local\Temp\SssI.exe

MD5 9ee9e6b8b3809f1ed3faeb893d4e57c7
SHA1 4d24e87745692a5169033b1b53ba097690606d8d
SHA256 d9c450071bd5967e00a9bef6e4299383351be2c073cd927b3fac4e68ba42c06e
SHA512 5f827bcecf2851d95f9b0d54188dd57d038956750c90a9fad46c77b836d9d464f8da98bf623953f075a6a70eb88cdd27b3902c12afcd5d4a012c248f796cb594

C:\Users\Admin\AppData\Local\Temp\akcY.exe

MD5 b66aaf864908225ed92e0154a3781c3c
SHA1 0b9158b63efae55d1f6bc9a8a5872e4859060678
SHA256 cf8860abc06e9d445a1804f3684ab5e128122ae3ce88eb8da08d9767f47a8187
SHA512 67fcfaedd2b335ba49d4c7f8a2da351c12f9b735efc416cc16c9019d478c936dba5e645e71f1404eb18256764390d8f1d754675c37c73ce6c42385c998314b21

C:\Users\Admin\AppData\Local\Temp\MsgO.exe

MD5 b3e365356dd61a881f65b93f0456b52b
SHA1 c6ac1f7d3d8cdff1a8bbfdd5f00299f39edc4c02
SHA256 2933f00af973e7656dcb786cf663e154ec154163b2054e958efe92fd42681643
SHA512 540fce8ac05424df27489d17739aac55fc6a7c4f57bb7aaaf9bd0c431dc822722b3d60a3082d40352c9ae3a1997a5b7e414e0a098462c22430444c70e9a120e0

C:\Users\Admin\AppData\Local\Temp\egsq.exe

MD5 5ff53cfa9d29315d44214567ff8a6924
SHA1 6e9e6264522597863aff55aa107712e87d7f148b
SHA256 95f23abbb51380a66ff8e3e0a381bb513f65eb4978dc506f15e57f2868a239bb
SHA512 6ad1a88ea4ebac1bca64f23b1974854f5b8d531d923673e48dfdfd99d2a631b659a1e7b8ff517c83f7d09673ce17aafce0f58bcf742f211ec6a6d2aa53f0012f

C:\Users\Admin\AppData\Local\Temp\sUEq.exe

MD5 2eb333db267a3fb9e4412ca888b7a2c8
SHA1 9d1ed2609f287b1a92083b81365c393ae76c13ac
SHA256 a2f049f20ddc9c0cfa03f469234a17f4fdedf3dedeca5fa068caae173418e4a9
SHA512 d1a5929ba920b93c351beac5dcbba077ecd5a0f52b82a0d89f1dbb8b08a96f45c26d96a84d04acb77859b4121b9f15f1c1d13f33876f9d13090eb9f044f7a871

C:\Users\Admin\AppData\Local\Temp\qQQW.exe

MD5 838cdbc26174dccc43a2e888854db243
SHA1 7db4d64e85b64ec99bc316ca58fe139da46aa51a
SHA256 9e399f4d55085e1a935cd00affa4a195765964245a112f67df3bd32be878cc77
SHA512 f938b90cb0959be7887be845535674de9fe73338bbcec0341730c86411f2e3137747c23a6d0052d335d038581a0f61b2af40835aa3b7946fbc34e0b802931545

C:\Users\Admin\AppData\Local\Temp\SUEO.exe

MD5 4570f5feb409d587f595c6182317db91
SHA1 10cdbc08d843cf2a2e0858c0ee7e415c42c31c8c
SHA256 c22de5fc6caa745463be8a1ef7a623ef22f737032684cb526b95cbd4df0c1ec7
SHA512 d63898e01d6aac215afb4ad13d5278d03b5c450aee609c0470d3b89ab674921f770f6d55afdf3d26a6075d25d4be6da4afd293742640e0f7e773e660326ec125

C:\Users\Admin\AppData\Local\Temp\MsQu.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\UUow.exe

MD5 5bb6a20e80f99eaab732aa7b30430e3d
SHA1 665eb135d1e8294661e80df8d0806cd76351e8b0
SHA256 64297226067ab3e5e9d11baf482bfc417b8c6e4ba8d305abc132a7f9faee7620
SHA512 61cc98914fbb8d3b5c1e953a940245281faa109287438477c9434038be713fc44cf26ce4664723badfaa09b3a817ac649abeb3724d28c0b8ea91a34bf825ba48

C:\Users\Admin\AppData\Local\Temp\wwky.exe

MD5 ea0ea6a531954869ad803835080e5f82
SHA1 c572de36eff68f9723e80b3dadbfd10837cc2eb1
SHA256 f2e3273976ab5518ce4251682ea0aa61b14dd421650580ae7e8669d446083315
SHA512 ae79e6b94b4fdc161f55f24cf9a65d3c829091c6ec046196a6e2c217873594c143fafa84b64ada265d08321abf3b907d676f370f7a9c70ce7da44bac09a418ad

C:\Users\Admin\AppData\Local\Temp\sIUo.exe

MD5 4ccfd768c2f3aa233412f641904c9bce
SHA1 f8339bd64fe06f7c73f665920c5d75c992496a49
SHA256 31194a659ed7461e596a8d86ba33191dee6e57e5bec1bf7d48e49217f6d44bec
SHA512 5ca999e4cdf3b7253abf99ba9496246914fb6ef8e628feb8f77808518196d0e260ef9b73ef61a1d76789df9513afd0c75a63502a1d718a0357a14f97b467d2ec

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

MD5 9088fb9e83f9f74d8ee1edf0c0d02175
SHA1 c00815b7707b59904d8e4a993dbd168602ba8d81
SHA256 a53e0077f65f5004a8f30a47aea14ec0f06d5797982092a437f53131b4be0307
SHA512 6e21987a4d63768c5f9ba8434ca73e741be41f705736d57ef8a6d2065d65c17cb16023c166de1430b93db9806381f0c0b7bdc2f790f9d290a63d1081582eb125

C:\Users\Admin\AppData\Local\Temp\akIK.exe

MD5 6fc46c292edfc4a9e970bd04c03441ac
SHA1 279c88769f4a1353f80fc285edf4b96d7e6b9b79
SHA256 44bce510f0a8a57873da18fa6e21e3ba20a1055c928c4d896d6a4871e3f59a88
SHA512 b07aa2f22d3f2ed56eca228951cfbf3d609f3d59d1a2d3fbac91becc7ae0ec16d0596f0c6fc302efd0c179180faba75b60f0ae3aabc00b6533ab0f8b8e88d852

C:\Users\Admin\AppData\Local\Temp\YYUC.exe

MD5 7654af235fd58eebf30e859191f0edf3
SHA1 d0db09eeb97223be6a4920560552559443979d2a
SHA256 5341a91262f96190175e0daf00d16e4b6cae6fcf7fd72c58523c18312d7b1450
SHA512 a76c416e6ed6f24c7034cd0699598a067c82e526119aed18b8c0902511f7e7efa1e76d4e98ec004d8c1e3e69bd7b0460911a65308dc2d996d382f569d574a9fc

C:\Users\Admin\AppData\Local\Temp\IgAw.exe

MD5 7b742e6dd1380476db494ebd9b448d51
SHA1 8ee04bd446ebace96878a0a00a835a93971fd3f3
SHA256 d0e7b1cff3da07bb81c8b05f006281c9a7c13d21dfe5a33037230da77cbfc080
SHA512 dbcff52f56fea0d3abd9e15950ea5b759bbfb3b07fc5643924fb5923486bb418daae7f98f9a1e42315fbde8719e5b8fc92685e981747697c7348b3d52de64b66

C:\Users\Admin\AppData\Local\Temp\sAsg.exe

MD5 8e3bf4ec2edad1ccf3d0c0b410750487
SHA1 7fb15912a61f687d69995fe4630f34035dfd63d7
SHA256 2034ccf75c3e22926a428ecf6c6aa07474447544e0638e9d0489f479bd823ab1
SHA512 3bdd32c9114cc24006e2a9c36c6bac3c76a2299b822bdac73b7455dd2b063ee2a6bec5b1fe1bd72e0818f152a18aae3a570e55a20f37a9db4291436271912447

C:\Users\Admin\AppData\Local\Temp\EYYO.exe

MD5 38bff9223281f6e12f6675e4a2af6863
SHA1 9f95f790c6c25c14f5a5942be5b0cf57827c3431
SHA256 aa450495d8cf34877bb2c6f4555ab410b3f6be9b031b82d3565daef1795ebd64
SHA512 bf5a2c95a189585e4309fa3c671edcc50dd9f4007faf2b209d5feca77bc76371034053be0770308da9a14d87218f051dfedad73acbfdb48c6ef5812931bb3bff

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

MD5 a82db564e197066cd6f94fe2c0faab6a
SHA1 2c31c6c2456286be03ccdb03dc9b254c9a22dbab
SHA256 00db9aa39142dc7bf3a5e84b7578d298cb300935289c79c4ea07aff1074529ab
SHA512 0c80e9d4a020847b39170b35dca3bae45d7f6de56a4e929a50e6cd0184d1b862aad678f658ab07de8d4bb9f4b6792d29d786ca587ed6bc2e804a710e1591000e

C:\Users\Admin\AppData\Local\Temp\ewwI.exe

MD5 a3b302d85b7cadea3ffdc6f23ac2454b
SHA1 17b204edcdbe461530cfc0713594d350e685bba8
SHA256 b0e2c6d9373c05f307c480c71525252e6c5528897a84648db5b11a147de2d7f7
SHA512 c41d645aaa38923c4b965b8f90dd1f1ef3787dea0d9d2c670dfda3266459bf6cd7bcfe823be962445550431a246532782caf125743cb2b1f8bed1c5cdbbc9273

C:\Users\Admin\AppData\Local\Temp\gEUi.exe

MD5 f994fe4742678d6d8188f4141e984bd0
SHA1 7ba99921a64a903f790db7b39e265e77b53bf4f8
SHA256 9c8a3a97685d8dea166f2c7d382dbda65f7fc43e4eadd26fe261079f343164d9
SHA512 4c8f3d1cb46e1ea58f1e199e21cd7e3c7bd3db74e11eb96c37b8d27cf985d43f9905e4d006eea3d61771b17ca72ce2aad3aa3b0ef844e62b56cd012028621532

C:\Users\Admin\AppData\Local\Temp\mEYU.exe

MD5 c131e637572a52d4ad122609371657a5
SHA1 0f7d10a8df02778f495de14ba2e743c9c2348e48
SHA256 b10f22319c8a33762b20eeb0ed1161bd2ff11932f5cb89fda7c33bd875ada690
SHA512 7c39001dcc659592d5e0fd4e241ac1dc1c786f3890ddffdff708a4be0b0013bb2616405a4d7d24da53ac964059aecf56e7351165a58d3d14a540b74f1bd5ce37

C:\Users\Admin\AppData\Local\Temp\yAca.exe

MD5 203cd1d673ca26888421ff2c4f03f4e4
SHA1 83c660907a5d0f87c7a4c2cabd96a2a933c35aac
SHA256 ef4eda2b05819671da8cff4eafbe5fabb510262f418ebdbf9ec144646e0f0a33
SHA512 23acc01a25acfe03cb8643c2cf1be2e0530ea891a3ad765ea1512072b43237dfdd08220704e5e81317bb3bddc3f0586814d9ad05064a35ba34bdab9d01faad52

C:\Users\Admin\AppData\Local\Temp\CAIo.exe

MD5 10f46849198f4ff0f54e36866c8f0779
SHA1 ca164471fa13976f9f64318baa316674034f63b1
SHA256 e17d9c5da2d847418aa90111335edc4db3d4ca0b0b270de172558946ffd4c857
SHA512 febb988c35f287b77c9166e6d02d45aa3c17954eae0157e572bca32dac11a82dcea85194ec230ce21b902a1d55568cc9df3342b4a186b339ff4a66f0ee78dfee

C:\Users\Admin\AppData\Local\Temp\qcIy.exe

MD5 dbe9fa2dca5b43604baee88046f231c9
SHA1 ec9dfef03b1f5c2fc9929ffddf5a074d0b6e996d
SHA256 c1e1915278e374bd0cd982aeb2fb155ebacd623a9c06fd4316bb20a6f1465f19
SHA512 e69480e497a14ad127f1473831a663d97b02ef09d70f6e8a2734d9eb61bada56b57d6b94e77f7ade8270789e206fa67d68597a72e13aa5648d787ae61827418e

C:\Users\Admin\AppData\Local\Temp\qcsK.exe

MD5 dca395082f81d12cfc381a9b3e781adc
SHA1 277300d9bf5649f0800975b263ef3b91e9ae0257
SHA256 02c8c1f08f89054291f0f2ed370582227870c0ac7018779796ce91f0648f1c2d
SHA512 334ee4e302c2553cdd6a16e22518ba4107dd7e26c912f5e8b1e27335aa0dcb35df58c337e7b50d74cb816e717470d010ca0012ffb58e6c0c2db4c43ef2d4ad1a

C:\Users\Admin\Documents\AddWait.pdf.exe

MD5 aac30674fc15fc31743a8a5709706a0c
SHA1 a4a932435633171964f99f80ab6e8f6a70fd7833
SHA256 96a3c373b23d23f4aed6fcbb1c2aec0f7e6771facffbf3a36593e57ed7f2dac8
SHA512 c8855d8c628751d45285af97b83b9322cd7216387fc0565ea9da26ce0ab2a13ea3a60ad140b1e9400837b57d13143d043da70afe203cc234a64691a90287c4f4

C:\Users\Admin\AppData\Local\Temp\AYgU.exe

MD5 e5ca4870776c326dd2d38bcc29b9d3ce
SHA1 dcb9210292f83e6f39e28afd47cbb88f889e68ef
SHA256 ed7ba53c1df5a3ec2a97022a78c036a47b3d2aa6c40a22139b6d10e0fb457785
SHA512 ad7ef2d0124fb9346bf660c6a41f7f69e3c586dd9701e1413688939c20b1c9851b2bf0b914622e39565ec63246a62b0ec2e8d4201282a00cd70a51ba2fc60d57

C:\Users\Admin\AppData\Local\Temp\QIUu.exe

MD5 54fd63bfd10e805dd34254e9c6031af1
SHA1 210bccd8db307b9d36a67d936e9b0b47d91d6428
SHA256 b623d2d8a3b26f28c32f2f9bca845503a02eadb1fbc77ef66ce59fd462c40bb5
SHA512 b822eb0341d8ac4c73e64d6d9cffe4adcaa6a6e49a47ae722b6358c4465c987ad7d1aa2789e05c337c7bad5c4f4dccbbba982e721b19e00fff64afc3393abefa

C:\Users\Admin\AppData\Local\Temp\SgIy.exe

MD5 f8d4fc7f808fa5f04e544cf5d2e2a180
SHA1 8f615cb07e2b1c73bc45647487faf040c46e7853
SHA256 ebd089cd65e2161332b732c10056aef31dbae6ece3719b63104b241e0ccde178
SHA512 c0ca43f0c76584c824be15f6d4df30531efa311c191b6f124690fafa35251ab6c7e11300814859a2d20fc0e8302873f23716061fedf509b32770bdf30dc49778

C:\Users\Admin\AppData\Local\Temp\IAUa.exe

MD5 b60eec1ccb3e5157acae511cb8aa96b3
SHA1 3df34b43b236d137913e8a1b8afda900ac42e0f9
SHA256 c16c1d1d3e70cd5165329651d25096dea57ad40af4970d1bea1280c17ac340f5
SHA512 24b8dfe4a0fbd3e3ba4ce13ab478106cfee35529a9248e9529784520f289d25f7c9f260ce11072f1443b7f471371fd58207c16d78f0121292efb002335207b7f

C:\Users\Admin\AppData\Local\Temp\UYAo.exe

MD5 72a0bbd8ce7cc43e5e8f73e713f57f3a
SHA1 33510a0eb9858d188268d3ebea25aa8c27b0556a
SHA256 fc88f7a7a2f12ff11ae422e6806f3c633e1d784486762c126895b957406f3865
SHA512 87e608f9517b0fb7b1fb7f2dc3ab468104e84fb23eddf659e38a44ca35f529303fe8f4f85607fcbc783d9e185d1c4aff07233b53b84843692a166f86f452d79c

C:\Users\Admin\AppData\Local\Temp\YUIQ.exe

MD5 200c8053f56b17cdb8705dc51df6d9df
SHA1 9e93f646cf91bd9f821d87060b4fc288a966c0fa
SHA256 0fc6221152aaaabf8e2d390407e3be3770e1ceeb5351ed028d567d4ce31bbd3e
SHA512 757377cb6561f556821069ca005fefe7aec150bd24d98029ae750b028282cff3ce9359a1648ded5e4ca4ed335512640feb9d675a4a1fa5dee474065cc937d0e5

C:\Users\Admin\AppData\Local\Temp\KUUo.ico

MD5 c7fffc3e71c7197b5f9daaea510aac10
SHA1 23262fb8038c093ac32d6a34effbede5de5e880d
SHA256 71254090503179540435a1283d04301f3d5ba48855ae8c361d4ac86e3abd2865
SHA512 c3cefdb76a9fc74299a7042096a549e019db3f2cf79e81deeabab2f3ebf2bbc9f2924a84cbbbc4848a4bf84cc3a0886c6c738c6bb37c9140dfc57f1f797e9c1c

C:\Users\Admin\AppData\Local\Temp\wQQW.exe

MD5 c682f6984f1f670c35f95d4a8b5227fb
SHA1 7c20a3e1ecedfb202d59d4418f1ff43146fcaff5
SHA256 575ffcedb8e6b8069a8a3746b05cfe4ded19174237b7d9278dd5f6c3c212a883
SHA512 978021bad24cde4ce9559a4c2c820d93025dbad483c99aea890b618d5a70296d116b274270cab84b5879951170c8cc5d58a72077eaca80c32fdaefd97d09ba4b

C:\Users\Admin\AppData\Local\Temp\usYA.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\qUYS.exe

MD5 80b727907c508ddb1ba60131eb478456
SHA1 cf2d376b5f23029a8602209cb762299a53445a61
SHA256 328dd65b8743b44fcb3fb1d32c39bcbb96cd5b151a7c4ed1831441ac40355b9b
SHA512 481e8ac92cc52ba02bfcc98bbb09790ea1e68a665ebbd0a0f4a8bbdf68dcb21ae5b5d32e86490a399742091132bb9229b8d4c4d5bcf3f021b82e5d9d277b1aa0

C:\Users\Admin\AppData\Local\Temp\qAEM.exe

MD5 6151ff354468e592f79c8d79d020af5a
SHA1 86ec9acad3cfd010d7103de1bc7ca8b2cfad1d07
SHA256 86afde626733a491b8992f6a6da16eeeca989583604695e3d6e7e38197551dac
SHA512 81342a9342d8e67e37f6cedccd6d73848cadb1bdd85ca54435b9fb5dd3bb850186d6c28ddd5fb8b712f857992a114fd5f8acd182b9731724abd940958814ae75

C:\Users\Admin\AppData\Local\Temp\qwsm.exe

MD5 20a8f054fd9054d307361f0b91a9b8ff
SHA1 f209b8ce341a4d5754fdded69ce05ff4de6512f6
SHA256 64ef964da600eec309e7f3b1badc9813eaafa895f0b1706dbfb3b8d93b7f33d9
SHA512 e55f2460857ef8e3b4e4f4be2e2f4fc3a348a8481df0be2450c4b67b7d08a4d9c38a247c9948fc0b307987e89ece6bd46dbf7df87f505b0189ac22f97e1dc495

C:\Users\Admin\Pictures\PingSwitch.bmp.exe

MD5 b873c1aa3598f5d3b94e337ac98959a2
SHA1 b9146195a1c6182cc425ca7c7a6e5ec98a2a771f
SHA256 7b654f424469029bdd0963de69503397761a6717edba2cc17f4fd6eb56c63129
SHA512 dc1762d4f2ec65796f67461f4a2cfa14b3084262dcc5b6f0f02a0658dd7b052948717433ce70d5ff51e05852626672a487a44b07ec5b7504bf7f253352c268c7

C:\Users\Admin\AppData\Local\Temp\yEou.exe

MD5 db659674e5917610fa9f80f584f2bc1e
SHA1 090fc761d6b1173b105269723df2b912f50c65c3
SHA256 f352512b6d30fa9d15acc84cfa3c616b6733e693cd15e63dc7f0de974d1fd508
SHA512 ef6250fc8af46adc8e4a470391cf8800d0a92b6c72e9bf8a8bf3dccf5a71199c220a57de45817221c6f30f8c627a25286e7f22ce593ee63400ad8b77f951f064

C:\Users\Admin\AppData\Local\Temp\aQEo.exe

MD5 bce15b34f2514ffc128641b715acaeac
SHA1 82de2431f7c7e7755572ed6cba7709078840058c
SHA256 cac1a57bb0fc3d9fbfaf112dad1bf64a43ecdf94f79dddfc544b7a81e79dd3b5
SHA512 8d59d35c094d6752df6abc90e5529057d81bc7f35af9972bc09ec23cdb01f4e040699b09137f85566d53c81d39a48429088c63af44da09bf7a557a2d210eb3a4

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 38f5677b78ffc3afc8473abcb9540783
SHA1 5ef04fd5dbca745634f7729bff357f08820e110a
SHA256 642447d120d7286d8edffcd15667323b3f1e5a12b122aa8798103104b6479ca0
SHA512 df241e7e0ae90f003ca3a944e07d74573bda508458786df29d56d3d2fb20ed67d0ea7e65a29d3bdcc10e57d023055dd118bdc1068c6f32ae26556c9d76d8c259

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 fba8c77fbadeb3fb721398cc0ae68e59
SHA1 208ee4611619f90b492aae6703673c183199a102
SHA256 134862048863c145ad1bbb7683e02c7d1baf006f00087ef21d0228998db2ffe5
SHA512 d45af4ceb02832f17e2e084eb05547a2fd77ea0c87d12554df055b10fed588265309d2f4d81587e10b5ec9c812ff6c5d1dc8d98fd23c6cdf6512fa25ef85ff42

C:\Users\Admin\AppData\Local\Temp\Asge.exe

MD5 f9fdca51cdc543aa76a1cdc13fe6558d
SHA1 25f96d5b997b5f7324fc653c484aad06b2b9d5ff
SHA256 9ce0586ada366efc474642c6752d9fbf614da014ca8358208bafc12df1d485fb
SHA512 cbb78fbc604cf70c7ce7284761c756f50c97edb875544c15231107e5ba57831802824df76101781d74f8d65e24895b801e990ee63d81479d119ee2a3d775fe31

C:\Users\Admin\AppData\Local\Temp\EIAY.exe

MD5 210f11bf51e3f0d585ffc9ba226b39d6
SHA1 dd415e49c9eda4546340c2fc9b088500ddef521f
SHA256 8ac994432597def18d8ff56766b84e9a17170e4dfe76a9cbc4dc919b6ffa97d0
SHA512 871ecc64317988897817dc85dfad3db3e29e7332b6e485af35779384dcd3e001f2ae813a6008d74a625237b4492a36a2f12219889417a3c066c8e2ff86dbc2b0

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 ceaa32130113d1925c5baff934ed58b0
SHA1 5a6144187be81ebcb4f92ed2d724e100025ee89b
SHA256 41fd637ee9b123afbb76d22bf3566013634066e51b3be18e311b34926bfd9734
SHA512 52364a524f4edcaf7283de201d9e8204ecd03f8acbae76e2e32eaf81b540a46ca64635b92166121e30573cd65895b08c8627fb1f6f85e1037816a639f04ff069

C:\Users\Admin\AppData\Local\Temp\WAcg.exe

MD5 a1f6c0a5e681aba5e578ca200b13e985
SHA1 8e6217d485666cbccc7323e7010ceab0150872f9
SHA256 efcb24407b71e29849850ee49764f024d00c2e757adead62e57b83125fa93ac4
SHA512 f8c966056bc49ef0ca1241624d6b541a480c5b1d981a64bffb70f888fccd1f1bd599b28a885224cb1a547911f9614f3d160648e52b8aee365cb21a721e8084de

C:\Users\Admin\AppData\Local\Temp\Ykcc.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\Pictures\InitializeRegister.bmp.exe

MD5 96aee7ed5e0ae63e4d85bc43e8f34a3d
SHA1 a4e3b20d9e899926233b70d53feb8b4762432d56
SHA256 0577a04478453d09014fa006159ff65474a21c7fa789a79610fcc490a8e6cb9b
SHA512 d67453789e351bd66566ae090f050db9b02a73442c02c3a81779ab7c0d3b8d333f7126f30a4dcda5c19f0f7335efd3d8b99245a5dc5e9f46174f08bdaa6bca0d

C:\Users\Admin\AppData\Local\Temp\yIgy.exe

MD5 b4959fc9ef66a87fd45057c788435c43
SHA1 4524e02b21ce0c1ab715654de6051b14f2b8f168
SHA256 90a4022bd40ec9245999448c9a4910ca1ef2268b24ecdab8cf6610260923ca3b
SHA512 652fcf0dbea1ad357a731b95eb5406b78d31bad386b932edac9a4b374831f3364cb15d28ff6c22f058a2c0ffca588627ff0267a32205c92f7ef3feebc809ef4d

C:\Users\Admin\AppData\Local\Temp\sUsQ.exe

MD5 6b4ceda8070500d9f566f137c8a490c5
SHA1 eacdf9a8c36ddb9ac95d9527fb5fc9105dbe2835
SHA256 ffeab5a688a81c832acb1cb818af67a8683cf92ea8fa58d74e0500da761d57a2
SHA512 75f4fb13b42d417d97ee68e4824c2e5634bc4b144b3c2d607abd02b4beeabe782710e6725e08d4b452b6160fb843ddf44d24fb9009d351d0149620f849a84665

C:\Users\Admin\AppData\Local\Temp\QcQk.exe

MD5 1c0b2845451b4fba91fcf766d27dd0f0
SHA1 ee2502c5f0a897ed306f8078d12ba836babf57cd
SHA256 6fc1b3cfd91718b0ad98141b080b507585f9048fb029dd354d3b89bf7cbc3ed2
SHA512 b79a1d7b246cc474eed56d755160dd69ee0a11996115399d3b9ae9df6f7f972b8dfd97803fe7ab18f062e4e758d6ab20a99cc0e993629c12170ac09b785a8964

C:\Users\Admin\AppData\Local\Temp\EAMY.exe

MD5 dbbf8d8e14a7b86c38c80bec6d8cfe51
SHA1 9db977b851f934cda218c7bb07fe3012b84d3c05
SHA256 2f9af9d8ed4dec1a1b5a0fc7eef29db9d549c4e750632dd32c6979c4f8f41b47
SHA512 d7bbbdad3fe57b2fa8539cb80f19c632756864a185271fb4d9d631af68e1683a24e1702749a76d113bda5a05bdd4563894d2e9d389e3f362c356c0990ea7abb4

C:\Users\Admin\Documents\SplitCompress.ppt.exe

MD5 0fc7daabfb3a1abc025ddaab810c4ebc
SHA1 dd1c384b3dbded2b8e600ac8523680d3d69eff81
SHA256 bced303930e75bf97bb303c6e8e126704fac908acda320c1245e23db581c244e
SHA512 0d7112b52354f0c36f854b42dd2f433a6cc63f86522cb90f13db5c23c6f7d4d88b13f34cf4e27594ba7f01d3e7c9f9ea9aeb8ee9fc0923905e37533e56221682

C:\Users\Admin\AppData\Local\Temp\wwko.exe

MD5 dc9b803d74f2e9c1dabd54be6acd8ad4
SHA1 a08ea0d57bf8c6f1a7b2622a858332f8bb8065cc
SHA256 44b54aac5490477dc2fe18a68c8edbe10d42ce48ad31d8f871108265b429754b
SHA512 308feac616c6ec81afec24cec941af9ff1551a2624d5cf3a7e8dd6b5c0881d45ca6065085ee212a117d26a4e77d06c9630984b1a8d9e5b9b6254a6fff3784d6b