Malware Analysis Report

2025-08-10 12:33

Sample ID 240403-ntvxzsdb32
Target 2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock
SHA256 357908d9f3abf01fcc8d4d3527483d5b9993cd1f70d7af2897ed313f05a39d97
Tags
evasion persistence spyware stealer trojan upx ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

357908d9f3abf01fcc8d4d3527483d5b9993cd1f70d7af2897ed313f05a39d97

Threat Level: Known bad

The file 2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan upx ransomware

Modifies visibility of file extensions in Explorer

UPX dump on OEP (original entry point)

UAC bypass

UPX dump on OEP (original entry point)

Renames multiple (71) files with added filename extension

Loads dropped DLL

UPX packed file

Executes dropped EXE

Deletes itself

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Unsigned PE

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 11:41

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 11:41

Reported

2024-04-03 11:44

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\ProgramData\soEAwsoA\WUcwIwoc.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\NugkQwso.exe = "C:\\Users\\Admin\\bAwoMkQU\\NugkQwso.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DOUEUMMI.exe = "C:\\ProgramData\\GcoIoYYQ\\DOUEUMMI.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\bsgsEQAI.exe = "C:\\Users\\Admin\\DysEEYUo\\bsgsEQAI.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WUcwIwoc.exe = "C:\\ProgramData\\soEAwsoA\\WUcwIwoc.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\bsgsEQAI.exe = "C:\\Users\\Admin\\DysEEYUo\\bsgsEQAI.exe" C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WUcwIwoc.exe = "C:\\ProgramData\\soEAwsoA\\WUcwIwoc.exe" C:\ProgramData\soEAwsoA\WUcwIwoc.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A
N/A N/A C:\Users\Admin\DysEEYUo\bsgsEQAI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Users\Admin\DysEEYUo\bsgsEQAI.exe
PID 2020 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Users\Admin\DysEEYUo\bsgsEQAI.exe
PID 2020 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Users\Admin\DysEEYUo\bsgsEQAI.exe
PID 2020 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Users\Admin\DysEEYUo\bsgsEQAI.exe
PID 2020 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\ProgramData\soEAwsoA\WUcwIwoc.exe
PID 2020 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\ProgramData\soEAwsoA\WUcwIwoc.exe
PID 2020 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\ProgramData\soEAwsoA\WUcwIwoc.exe
PID 2020 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\ProgramData\soEAwsoA\WUcwIwoc.exe
PID 2020 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
PID 2860 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
PID 2860 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
PID 2860 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
PID 2020 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2020 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2020 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2020 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2020 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2020 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2020 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2020 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2020 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2020 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2020 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2020 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2020 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2528 wrote to memory of 656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2528 wrote to memory of 656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2528 wrote to memory of 656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2516 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cscript.exe
PID 2516 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cscript.exe
PID 2516 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cscript.exe
PID 2516 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cscript.exe
PID 2452 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2452 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2452 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2452 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2516 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\system32\conhost.exe
PID 2516 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\system32\conhost.exe
PID 2516 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\system32\conhost.exe
PID 2516 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\system32\conhost.exe
PID 2516 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2516 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2516 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2516 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2516 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2516 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2516 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2516 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2516 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1108 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1108 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1108 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1108 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe"

C:\Users\Admin\DysEEYUo\bsgsEQAI.exe

"C:\Users\Admin\DysEEYUo\bsgsEQAI.exe"

C:\ProgramData\soEAwsoA\WUcwIwoc.exe

"C:\ProgramData\soEAwsoA\WUcwIwoc.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XOogYQgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hmYYEgss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IyskEwog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SIwUIgEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ecccUwMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cqoYkUYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\bAwoMkQU\NugkQwso.exe

"C:\Users\Admin\bAwoMkQU\NugkQwso.exe"

C:\ProgramData\GcoIoYYQ\DOUEUMMI.exe

"C:\ProgramData\GcoIoYYQ\DOUEUMMI.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 36

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 36

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\goosoksc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\syQcMAYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jYEAgAkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-797897859-8229112584471525981589126198-477109882-1474249812-1754665857-1745916823"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LaswAgcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LCgwMkIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PMoEIEwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hmAogUMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-764207885-73019974160736260-17936210178408597187251045-1076996799-209615915"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vYwwAIkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1118917827-922238928874319483307567430-3857557609331511273470304501958989154"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1010041099016803013396976102133421932-374812798-525757974-960238289-1398489022"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YmYYIEkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "8624991601269199535-1857326295941401468533875610910244345-333611773-983189594"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\USosEcIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YQMgUwQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uacIwsYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AUEUIMEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-8462529715950067471517377287-1024893411-5319157601324642684-2058889339360154113"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qIoswUIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5448913042012237902-24353729513956342971414950372-119547988-770640983920661203"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2126260777-74807691615360916001476908773780897421558260035-18961796301937966112"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\viwoMAEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JckIsocY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VyQkIwgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JOEQIsAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LuEocUYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2024885473-18519329441465532550-1983921931-18234809901161686297-1847663242-1285422067"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tEMsQAgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1143441444-242941150-2096112998528976402-454621316789017536842014726839846591"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sesEUAwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eiwAQkgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "33134493554418228-2117604312-498012142184348642347031034918320356162054997842"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KiYEQIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UMQgYQwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UMgkwoUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\egYsAUww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5692983911343715119-1729688328-113087959321081777644802454241203964344-1352290269"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\egsUkMks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2090574472694053206127687816-2821137671177909014307807876-6246727611503258293"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pUcUkAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\twIYkwww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOAwsosM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LcAssYkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RwoUgksQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EeQwwIws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "718388342-13649447811723351276453470521570811951-1437206161-474751921-1078460158"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\isoQMEIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-15389705671055283273-189906240315153274841607050487196164207432837622178803517"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1237076542-5219607515306090581150956551363678774-503208247-842332063-594096140"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GcosgwIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yggYossA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YAEIosUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1598446855-1040953532-1768928693-585989906283294520-290328248-435671130-1924686332"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kyMkMkAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "514934706994220246-14570578806148473251042982558-2115218629-1884500327968203240"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2068513457-1547065539-11020075071707536297904977468-2135507279-803389499421517993"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1439742700-1981805516336054102-13835422752002892981-1365327615-16002767041561852276"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pwUEUwkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PskcQYgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-304399401245455000-1739567491-1700505897-2046915635-470067594-4267774431640127211"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rgowksUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zmoAoMYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ziwUwckE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-154042230016142927571288308234-7028087211742354475-100281527246274722-895144270"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-10667741701203347933-303785038-12762420831796345617-1534862479-1648766088-362453067"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WoIEwQEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "426241645251023067-548246324-1364547835-389807014-881891916-1905982792-1481524819"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1178499839446181820-1083484912-44321140421413056551015837915-13338310481577311146"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1559587515-23285296317561789352543444281630640102-1026100541-2031944891-498091444"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cUEgsoAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qSMUcowM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OesQkQAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-69646109016748494871798408413-1787077546-77588355132851555017591005211649383845"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "13452127211310511562-821235972-1018064393-1534666040-150621448-944347468-114014481"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FCoMMEgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2097871395210280602418269505883304721201419005316-2956182761382431181-513401434"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1124923530-312349869-23659995620823379530797149711077755071009084339442223848"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hQwUwwUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-974061454-20197193082114068217-1102806742-1347521022-620004190-1108170942222672333"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NaIAowEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "273088337-11084389312041832131-225132207431045073-31412884-1621588556-368760995"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "116578915738114182-10245072951464219921398304056-1129248742-20900277361765787829"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15063482501985004690869710933176356324391816246719712587491948910267-1821125954"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2886317381666555522-77287856119740280718741987351998408026390009885-1702841940"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LKcQQooQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nKAMQosg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1547961035-2076891725-854182038-148342471114562041214416570-1293249606718528789"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "11923310394458561366005432821107825067-1411094720976204515195196561679447065"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oqwokMgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1617742485-5836117441959319078-715772012074094142-451967376289011682-323181786"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-168897199013321759281569921491023695519-846885286-472316529-20618091981408712067"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yaEAgcwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "953786649610717854-1988150097-341647582-1700582823-56710371-17487009111179733718"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "6799251762010667599-900026499-298500276-7800278912145181161-4836673762144158060"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-213281324-11078778882022425900-12560085121562436736-15173514791387055863-377981888"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ksUQIsUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2132388413448407029-902657412298810276-1083836191943766076-1297315391-1471609996"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-90009823-1074247401-1677598815-1434795997-180930260-1157239604-799443310-843582431"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kcgcAMEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "13697989981525646505-1551149119-17336913838370016342045218402-123697387847592635"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\assQkssM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1695899763-331833391679566303171933599118289131891166417504701940834-1349234235"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1301597669301809125-579100114-4683571401938066036-427911732558679444-237206607"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZcUsQAsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZGAgoooA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-15852129221687401555-20659047091245127217-185371583-32883491-1868887411-713679544"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1391892806823120638-1601706227-1469533998480583879-1547989646-1127308853-430360222"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hSEcAwYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1849717745-946323739-1457943638719452779997585836-7192825671165854268299325855"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-623635050647917767-871026661871347719429484508-770680066-20009730431734959093"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VqQwgIQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "443091999-2040872692-6572117811828421815-964853016-126572497-1566307324-890064382"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-945634904-713015306-103776870210448898361001929715-7640328611848448241933958410"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "578945665-9165120491640627119211413449316093765321215574338-1122148433-678969220"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1784535016-1899491582-55701339886421012186713008-1754278684-569561016698013662"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yqYAckUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2074427107-906216314-1510037515-524425041201787879-17181555311306509052-1417064110"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "82493742689882607515831502181584394171-186427733419249424411785814961039324477"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ekQQkQEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-616905385-2124884465108375062812444599461144306790934835920-1523168024508617866"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kswUwEUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DQoQosEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1751833798-2022364311210582907337453659425970959486244274-1368431528-658620702"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2130242195-460187425-908903930-18200831651129119157750240659-21333265011863968097"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1777048533-16814144631084413069840051859410487795-2081700672-729503253370037676"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hMEgsYIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-968202219624315909-1061367642436052557-1581361165-162334368486137131972681645"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1111780799-15201222091990238573125977815616307225381245507819857429084-429659770"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-676667614-207691483013105200221474432063-1828088071-213458471038944852379906370"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OEAcUQgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1233428833184496494420963422241512813625-1939806762-113824565536104308-190851263"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uKkYsUAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "443308247-137088421503948830-7993149391986386280-15749426762051883406508445900"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-834999514-1034812284-97925689712815079836136678981106442449-444477477-2056345086"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1772877139-1015882910-382717710201293729323792488-1531143559-19263221721324926674"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1321177431187929274144577761168409492-1419782954-606805461028195412-681378500"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-148519901317828260731703103451-20424869031488408157703664488134722218-800951267"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nMYoUssg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "557026423-6086636555529044951220410196-789226665204012003118290044121085629381"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-6503139861426702923-1527314417132708131277021366-1625333984-1947754766-215770953"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tewcUYos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "43246905411352862029622449232030404445-1967463612429123857667276478-1854645914"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rAYUAYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1088624832-126637658168362890915389812581526020236-740311171-814489534-1992497482"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1798700248131072211227651448-590443097-755707900797738139410194859-927535715"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JAwokcIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1877596780987409200-1200721131430524611243991424-738574772-213463750-1975491764"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "818953958-576577075-6841975842076504633187792511133789207714004619241043029247"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LaUYsMIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "78334206620067450791168301053-596674-1335188046290944265-199509459-417150789"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "818152554424081855-1620316258-18613397581692175850-1794520428-454984175780522820"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "153645638236442446636125650-408373360-348576420212015516211058764221192413769"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1366245825-955052239-1721876447-1116674111-1172683245-4934901911474021440-766770584"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-858737446-297848286-1738495955-186813107610744160403720922541962992344-23739871"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rGAIAEsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "3867677072123415805-1871654208577072971-1397422651-30629475-1093109684-1321936180"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19502103381867654668-558658486-14608797951950283093743524911-413072120869079086"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wwkUMsUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15547575161530878847-477954046-1554636506-1130921134485995661556395483-88365868"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "797763325-1459842630-133006390-20382961401367296233-1776726346-582841507-1755167628"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1747912926-97524606613696863291973147840577400451-9664237981600858476-1649748597"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-383174294-1563137255-1963526563-15814510329063870911908819919-1391221253188894681"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "12627456601954850186973973333-1614230922-2044996945292330692-965600545-793674997"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OCMwUMEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1409165250-129575376969991933312364380181716072608-648985037-3392238481417518875"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "83039514902474321-1722452108-1719007998214644867-335804034-1797379769-559428185"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JqgQEoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1954494996-1645418455-177236418211242439184903828641766762083117583876-1415701092"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1779835690-570695867483047159-146556819-57537864383680695-734932812-1977565855"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nOoMwsAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "745268961-1222359787366008452-9090469593578529984842039111408379393-1904678582"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-16250637501658081902-43281676020523076998157882751375959854240239727-173827128"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-721952361496156637-1271106441-561175753-263131372-1665955576-1961630324-341531404"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-12647432041536039188-953500460-255323476370456982-1936077362-1539567273-356165632"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hqkwowcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "869999234-1644439105-1992395026-1473439218-306217161965009438-488214836488896943"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1263982967-472702629-1789231257-1993336563-611675516995447985-72538513741405837"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-386224256-377157700-1086419539285312096-35861888842166592110430213881754049348"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
NL 216.58.208.110:80 google.com tcp
NL 216.58.208.110:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2020-0-0x0000000000400000-0x000000000043B000-memory.dmp

\ProgramData\soEAwsoA\WUcwIwoc.exe

MD5 176d2a0295ee8c769abd4ce213ac3c6d
SHA1 27a26c23422cb8c6e8a73757b0a236a5c3920c29
SHA256 8e3a3852f6170f4c59aec1ebf4330bc17b62798010a12612320994385d0cc0aa
SHA512 88bb26b872ecb64d45abc0c50d9555ea7f1bdfb3a2ada3aebf04d4c6836eefa64a1c7be80482382e2982d9970f315595904921e8e771bf43e11b1af891c69355

memory/2020-30-0x0000000000470000-0x000000000049E000-memory.dmp

memory/2516-43-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2020-41-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2452-59-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2516-69-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/2428-93-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ecccUwMk.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2108-163-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2700-165-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2700-174-0x0000000000470000-0x00000000004A2000-memory.dmp

memory/2700-176-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3028-195-0x0000000000170000-0x00000000001AB000-memory.dmp

memory/3028-205-0x0000000000170000-0x00000000001AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FaYcMsYI.bat

MD5 c73dbc87f2a16ea55f8bcc7824cc864c
SHA1 ef007e7f1e25bb05ed05f82fab524049ff4a391e
SHA256 685d3d4fe35beb2271ae9bc2c1dc3a15018424abe863fb90e03bac6c6812e8ea
SHA512 a0056321b7a553fb6c0f9cabaf714ecb02f8a9f1cee7a5b51dfa1e10a43fe34a5d20acf543b51fc7a7b90587a53f172f10dd55a96b2f7ac20a74de7630d1b0e2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

MD5 8243501c8bec7c2fabcac8cb47d98048
SHA1 f03c28e2f966b10efdc0eafda6ed6d3ab14b7d43
SHA256 4f5230f4e5338c433953dfe6fc203f2cb1936ca7ad8a9d6aed0afb583a1639fd
SHA512 5de50003977c1b5c4f55132465d0a5589a32a00f388c6c57fbc9da42fcb7368578ebb6e9b541e2656dc07fb9c0a77cea75f990316be67ed5bffeed47385a5aa7

memory/1632-219-0x0000000000120000-0x000000000015B000-memory.dmp

memory/1152-221-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2220-206-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2220-229-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2524-204-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\migQocAk.bat

MD5 9a262fcaaa735e3f09b9edb21f9f09b0
SHA1 88751ac66afc433faf785cdf5b331f4013db166e
SHA256 9c12cdab42837be670714e9654d3ac3735f108bdc07543906d052ddbfbd91ae6
SHA512 b6ed47cd7c9eee93729ea18989d043845cfbcb7df27aa5534a6009589ce47a0e794b9a307d30d89392784a41e94ff3715b2940062583e3b71cb169069c17737e

memory/2524-175-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2540-173-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2492-171-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2700-172-0x0000000000470000-0x00000000004A2000-memory.dmp

memory/2700-170-0x0000000000470000-0x000000000049E000-memory.dmp

memory/2700-169-0x0000000000470000-0x000000000049E000-memory.dmp

memory/2940-164-0x0000000000170000-0x00000000001AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SwMIIoAg.bat

MD5 570f0c46e974e4f7f39f2a8bdb59d08b
SHA1 c0ef9107be97793a602f8d4a10844129707eb2ef
SHA256 22b9100d5133d11874005d8f513e3bd0ad2057918db4772a69031e2bec749d14
SHA512 1e40e0abafb35f7c94dd35678692ca68b4dea22a45e722b932a4aa92d8ec39ae08aac04ee9d369d990282ee4b4601ac37e65c2ecad9196bb77b113b978f9ef9a

memory/2108-142-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2236-140-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2284-131-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iogIAMEU.bat

MD5 10e17be20a9d41794c7b4091e21ce96e
SHA1 89721b9f64a1e7deed9db4bc5dbb0530f29bddee
SHA256 c654c7eece69fd765e5a9a8ed64f521b522929971f00829b023ac99b0c0aefdf
SHA512 77b99a8b20d3d70e7549a826cb2afa30b38b39e48b4539c62f97b032207c5804b5b700732b2a3a9ca53b2168aca9718f9367418ba2205e11296c6cbc3b81c8b3

memory/1900-117-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2236-109-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3008-107-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3008-106-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QKsgcwoE.bat

MD5 0d1d409faaacac2dcf1a331273947f27
SHA1 4bca7e9d97c2d0479469ec4be2783d2a4e6b4a54
SHA256 12bae275903a5308acc31a03beee8b334ef29ffb86bf913472cb195f61e47001
SHA512 b4f99ce6a6667e38943678fd7c41d8c2b4992e2ad2430ebdf50f24a6f06d92cfdb5352e535d98aa9ce0f1acda210a0b32f99043f1b93581374079cf85abffd9d

memory/2124-85-0x0000000000150000-0x000000000018B000-memory.dmp

memory/1900-83-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2124-82-0x0000000000150000-0x000000000018B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XWUEUQIE.bat

MD5 b46d81c77f946f6e97bb7ecad06019c0
SHA1 fa0494fafb411731de42edc0c4bebacd993eab0e
SHA256 3a4b360bfb31f2cf5505ee7ab7a2482f1538da36ff05de22eb031d70607085c3
SHA512 cccf5ddf58315c12b316bf524ac250972a243623f83d5682d226b3f0abcc9fee04267b3cb40426395b89cb5a1250da28fc8ae1796101fd0241ec24e0746405a2

memory/2428-61-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2452-58-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fUQMUkQo.bat

MD5 64543c9f70ed469a94ded6c7b731bc2b
SHA1 1d1886dd22d3523900a28924e824d913ca68d5d1
SHA256 a567637e1b96f7469f9191eeb49ed0b093dd0f84151a79884ca8c8778b42acdc
SHA512 7d668e798ea723f19fdf11342f35a9b3ea568ae34906141e49164253189285aceae20cb72b243f73fc743fc39dd1a193b471fc2455ea3fa55a4836e0280eda36

memory/2860-33-0x0000000000160000-0x000000000019B000-memory.dmp

memory/2860-42-0x0000000000160000-0x000000000019B000-memory.dmp

memory/1972-31-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2080-29-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2020-27-0x0000000000470000-0x00000000004A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\daQQYEIU.bat

MD5 11aa7b294b7f60e7172ecff5b6c0cca4
SHA1 21cb05797af40279d1b0d4bcaee82016cb175454
SHA256 e4bf4d333c2b9cce8a360560d03f05e9e3242b8dedbfdeea1f6908a7422d42b8
SHA512 8a1eefd6c143dbd99c5c532a6b8f3590f05c7ad06b9796d5afd89742ce6860745a2468182a2c85bea115c22fc9323c409056c8c05ceeeb298888391badccbf19

memory/2020-12-0x0000000000470000-0x00000000004A0000-memory.dmp

C:\Users\Admin\DysEEYUo\bsgsEQAI.exe

MD5 dbeefde432c4cc84855bfe68be83b96f
SHA1 57ce4eb709c53ec2fce500c513a3ba21a3a7a9a0
SHA256 ea3e46ef8db92093002c17a48842799541eb009c3ac958f75c4c2ee7d7910873
SHA512 814f1c0374e48077325baaeb731e6d752dd7e05658b34e565acfbee971a39be05f3d0897fe6c6022413ef2ccea1b2a13cd4f98244b52599dd50600230da02053

C:\Users\Admin\AppData\Local\Temp\dQsowoAM.bat

MD5 2be838be083ff56f935e51bf64a3cea7
SHA1 af920a24351f0e53feff60bee7d10e84d5f20c3b
SHA256 5d524e7f1e6078306ae105d63784785c08927e4ddcf08bc23e35e983a1178182
SHA512 8e3e341cb7d982873ef30469b53b86830353f7fe3fc8fe9b180e13f06086f9ea01d8af6ee2c2c9e500428b8b80afe790255d1abd97ef316e02b3508f723ae567

memory/1152-252-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2736-242-0x00000000002F0000-0x000000000032B000-memory.dmp

memory/1764-244-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NsMEAUQg.bat

MD5 89ecd3d6cbc27acf26d29c4fb0222b3c
SHA1 d0caf5f1058137472db04eacf12f2dfcd0a658cf
SHA256 36747e55b203d1e61d6f8feb62661ef57e935a97278c3d1c32bc308d93d76c3e
SHA512 0ecd835acaa10102408c6da8c702d99b6d14730b53e3569de006cbbe9d6a608a334cfd0d0433c271df043d313ca6c6aa86935559179c3838184cbce989298499

memory/1764-277-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2744-276-0x0000000000400000-0x000000000043B000-memory.dmp

memory/640-275-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HsEAIEkw.bat

MD5 52d82d794571b2259cf81b56ab729c8a
SHA1 ca045b0dd11313985b3f3cbebb825948784c8562
SHA256 ad16b66c60a145a31ca239256581768975cb37b458d9c51d8ed65cfb3b88b831
SHA512 6a2d5c563b6e9f7d9a2e23c662c33c09629b0810494cfe462794537e3fcbd0e62bda560a4a3e803225e06f96f78a3bf70d8ef7dbc22af38fb978206945c72ad7

memory/2032-290-0x0000000000120000-0x000000000015B000-memory.dmp

memory/2744-299-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RCUEYIUg.bat

MD5 487b9c704ebe561596d725aee590a514
SHA1 4755361c1eea94fc4a41dffcffa2af9ddc6b49d1
SHA256 9845967b9235fa1887dc903430d555fb3d83c8dd3d04a6296da7d23dfc87ad4d
SHA512 69364f8d6dc3cf3ce2348aac854e6d082db7f87587be20aef8deed11304dc875eb1c37fde5833fb1ade5563fb4d72837544d3c4ca872d84dacea1adfb0c1af02

memory/2608-314-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1892-322-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2552-312-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DEcoUwsk.bat

MD5 1c779911c6c9223f6e6685524df50694
SHA1 1d28c611da457b19cfbf4b6b50c713b646ded72c
SHA256 5db2fb351efc69bfc4ba506a5fb6b9f7acf4f8b1c0729004a9e8946b2eb9c38c
SHA512 61f6a9a3210b100b464bca63660e164b57004cae571a14b53951228f820c1077b3133f28f1991ca5a2f31efc429b4d0b2cbd5f344ffdd0cc5f72bb487d0b5891

memory/2608-342-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1780-343-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VyUgYIgk.bat

MD5 6488f611723f4d6ec5762ef7e3e0180e
SHA1 30aed29018ce81e7b5cdf0d57584fe13d50b60e6
SHA256 2f562773a37157ab6574aa0bc27ea25f69e8494c4eeb622dafcb1bac644ff1bf
SHA512 b26996a7f98118fef811957662e511a9f38b34c96a6596cb3333349a251ffd17e360372e27199122e8c18dd726f4a54e2c848be7cf59fca182b1580d3319229e

memory/2360-357-0x0000000000170000-0x00000000001AB000-memory.dmp

memory/1780-366-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uicYgQYY.bat

MD5 9713b500f0e815ba3e220489336662ab
SHA1 9c79e28c42e5f6304bf871391d44b9f498316628
SHA256 428d2bad7cd72078768015784f9c001d0274a877f85b0530d41653fe471cd0cd
SHA512 6882fb8aff45b6c3a751ad7ae9098996455385a9151ab5bd4cd9826a95ab8942767c9b2730937668035fbf7341da54f15c629e2a2c1615deb578f031455795ca

memory/1172-389-0x0000000000120000-0x000000000015B000-memory.dmp

memory/1676-390-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1172-388-0x0000000000120000-0x000000000015B000-memory.dmp

memory/816-387-0x0000000000400000-0x000000000043B000-memory.dmp

C:\ProgramData\soEAwsoA\WUcwIwoc.inf

MD5 1442243bee7dd7cbbf6784c27c1b1d56
SHA1 ddc00db4e586d364f3980e6ad3e3d01dc5c6b55e
SHA256 3688a2299a85e3307bb7a59199c51a163e39a8300823ab68f24ef3ce81da3dc2
SHA512 582d9c25215b28bf808529cbfbb8da934dbae7ca31c55158338db15e1ba0b5c8e192c0a79a1de8c431bb5cf46868a0bf4f9e8b736586871dbc9159370e6b206c

C:\Users\Admin\AppData\Local\Temp\wAIQAowQ.bat

MD5 62c9b569e3934a7982527666946ca5d9
SHA1 60b6de8e697a0b73cf077cb00aa377a00dba9548
SHA256 590baa3585c9c5d65f992c1902e0f0b0a8209786770b5668cdddda1fabc7faa5
SHA512 eafcc111cac5de06590b1b7612b51e9209f31d95845eaa9b9fb67943b8296704b38511e2bda008f9cf6809c09ed91222e7eecb0f1c0d1380b4c79c199a89e95d

memory/1476-416-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1676-415-0x0000000000400000-0x000000000043B000-memory.dmp

memory/844-405-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cCIgAUIU.bat

MD5 da0bf071556b81279c465016bcdf9034
SHA1 2e8c6796267ce6f8340277631e99399223be8672
SHA256 0b52e668f63bb88e846b4dcb1ef3fa64eb6e008c9691f8f228bec2e261cbd737
SHA512 f22c18ccc5e1cd75e68487f66fd6f10825ba1d98cd77cfa188198e7219de33be96133a9b8ab9bbc6fd89468733608c0047a213560ab6b3f6e8b4c45884533d0c

memory/1476-439-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3000-430-0x00000000001B0000-0x00000000001EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cUkIUEsU.bat

MD5 1129a00c0afa71ff99a8c68b959c43a0
SHA1 1b9aa7aae16bf3b4fa04e64323f536cecceff15d
SHA256 cd6217cd230cd943d65c70592700590a21eb561e71fced931b2b0e17b406ef58
SHA512 47d6ba670dc37c0938b01af5f52e80993b34c5f02c4f0abaf39a2f5c67e8b8e106b87294a0b1783960b3db36cc63de7944473b68f4ef5edd352f32b0a2dc3652

memory/1948-462-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2128-454-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1556-452-0x0000000000160000-0x000000000019B000-memory.dmp

C:\Users\Admin\DysEEYUo\bsgsEQAI.inf

MD5 c057adf24f25152656ce8cc1851b42cd
SHA1 1b20faaea2362844aca85c186803412d58f20577
SHA256 efccaf2ad2fcecd0db08c2438101bd3cfdd5d221179ca330019d8ebca90cc5b0
SHA512 037e8b019adf4aeac9b3abe9166924fcdfb5f876f60439341231964e857c60c84647b954beafec20c02a78a2ab509885724cc307000f1d51322628c75531c2d9

C:\Users\Admin\AppData\Local\Temp\SAEkMsMw.bat

MD5 0a467ed484541b1860ea75b756f8b195
SHA1 f0be25fe7c1fbdb5e5cf3ae8bac8a53a9eb6c737
SHA256 3239ef16af4aad274c702803f8fb53779446b0c6f07e58634a0c26c98098efc7
SHA512 2efd12beded10d230055f6d733ba7157602b26c25c119e57d972e89aa6ad917c0cf7efa5eace4766a971850bb29a6383f14b1b873d70f87e85adcc6105ceccde

memory/2384-477-0x0000000000210000-0x000000000024B000-memory.dmp

memory/2220-478-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2128-487-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KucMAYsI.bat

MD5 3860a17ba39904b07c17157a08cac650
SHA1 65403f0f212906163df96a9653743dd1ed15c100
SHA256 357012c7573363608f3796075d99e229ba23194522a9391561be4b8b9665919c
SHA512 0be38461a8231078e38af8b2c53ef86622411aff355b5e7cb1119e8291e92e31eab88c93dc6db9a305e151e3ccad07efd2887fea206a69bfe94050553829f4ce

memory/1564-508-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2220-509-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PkswcEIc.bat

MD5 e4618678450e72a0a0a9105bbcc4e38b
SHA1 97c4744320020e0b145575a136b300f80289589c
SHA256 3ed5ac3734136c3dc23307cc4066bd261716be01663ec41d8373c6e06b8e6590
SHA512 c8d82781100903734e5422f9941e00a32443dca46bdc49ff78717c15188a1847ca5175e84a831e21b30ec45538e57ebe225ce6c5c67e2ffe0cb1a1cbb40687f4

memory/964-499-0x0000000000120000-0x000000000015B000-memory.dmp

memory/1564-528-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2756-527-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1624-529-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FWUEwgIw.bat

MD5 03a21845de4a4bf8c9349736f96f3f0a
SHA1 948d6e99174d25a0901ef4d2e74f64dcf7a6b1c8
SHA256 f9b6822c87fdc2b34f309d7ba0bf0e6788ed80c9afd3603e7f89c9d7032c645f
SHA512 53969ccf0d1af05fd0eb1dea0b5e70c9faafb881703fada1525a84269ab3754379a54011b63dba4a437d2764943d8286390b858324dbd92f5dd3bb4eb1ab7be4

memory/1292-539-0x00000000002A0000-0x00000000002DB000-memory.dmp

memory/2456-547-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1624-548-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lkkQsokY.bat

MD5 7fa2b03b0e324e33b6b00a079978f784
SHA1 9fb048f5b9ecc68b16cd09e23974b566d7d3e86a
SHA256 659eb5aeb96791e0506debc5f9257481759f3137b1e9d0cab1d00d902df54c51
SHA512 82566960d2f74893b2db294edb0329370edf6a0c1ae1906d725c396157753d01a74fcf47d2739730a36f57b7b1a1c674854b9ee3088c486cfcad49ec712be87d

memory/1720-561-0x0000000000160000-0x000000000019B000-memory.dmp

memory/2780-575-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2456-574-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jcswAckM.bat

MD5 b84b36cc5d90ec67681c29a7496cc8f8
SHA1 d20103fc4b655fa2a7c627862bd91b7a3e0c250b
SHA256 865002bca9d0534a5f9a55b55ac6234ae47dd9e41b3ecef5af39f0085dede961
SHA512 56e8fbfbc1afcfe8f3f08f7a369089b8a2f99be4107206a6f0724f42b2719c72c992a1c6962f9cd0aa882b52594f8daa872b9f3d3aab48120cc4d7647f36ceb4

C:\Users\Admin\AppData\Local\Temp\ckoc.exe

MD5 048972e55dc5e4ebb6c820884e46a78d
SHA1 5955c9b00e5e674336c3879741291f4b050f8f02
SHA256 76f919e6c054455f350b2a7ca9a0ff7592e2111f7692acf12d28d7829a52e016
SHA512 4401c8f7078313a7bb7604c284dc3554a74df717475e3e5916ee9e752681bd4c47c57e52040ce29a79e8364c5dd6e5ae872a7366e10fcf805c2228726bafe275

memory/2532-603-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2780-602-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2532-604-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2860-605-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zEYwYcgM.bat

MD5 077f7d160c3905527931b6126f4ac0d2
SHA1 997db58e19444a7a1246606f3b38c39734d00ecd
SHA256 7f61839ff47bc816cf26197c9045b8ec22d34e4ed6cd482bc0b92f1bd0133e4f
SHA512 3652f43c73ce5d9b3df566ed43c9226fed8696d3c089c0e9a4a42f1e520abe09091774b66b2dcb197be239063f00ac29da7ea2c8ccb1267a3aa4990a19a6f91c

memory/2860-624-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VyQUsMkk.bat

MD5 6c4466cb5a472d5ab14951b74c2e261d
SHA1 21d498355c05bf5888956a35d8e41885dcf624d9
SHA256 26686c66e92d4b38d5a9aa4d67e6d13a578a386c2cdc8b6c3f89e336be492169
SHA512 6190fb8c47d09fc34fe94422e63a3ba9c7715cec25af80e1479dd9af0f5d4b4c708b7ebfdf3df849a8f9462831f1af2d40b346f30ba147a941fd60b772ab7a8f

memory/1576-646-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CwMYUgoY.bat

MD5 f51931f6d12b521c904e7db7bd2feab7
SHA1 8bc0463c2ceeea05d866981a6e5ee559dcb1f93a
SHA256 94e4cba640f456c2bec39b0d6003a0ec6b7795dbb12e017dcf4e2519b96d5963
SHA512 39641f2b36498ef56ef2c6e6de4ed612ebe204416a0307c5ba136a8d11fb7afa4c898b4b3615ffbb1f7dc83e75092baa517ac143187817f8b347bd46407dc20f

memory/2312-665-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SigwIowI.bat

MD5 2d26476f83707327b6dd427e60c7bbfd
SHA1 4742f8e7ca215bfb1f586d81b64bbe1edbfdb6a2
SHA256 2a52425be3eba102e6f940f83151a299e8da4c1337fc337b7f69bf8a1b32d772
SHA512 0d03308070f9cbd9ba7711b97ffad202b7953b2c96e6c35ee12515943dbdcfa2fedd92eda641cdb468ef66048966e62a80fe73af173ef85ffab48d206cefada3

memory/1628-684-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QSYIYUUY.bat

MD5 00d8567203b91d0770d265355b266b82
SHA1 08785bd6e0c7c1662cd0520f3b1d91acda709341
SHA256 4c68b53254ebf2f43f7826a7db6a4cb6730b545bdb722c1382d5d2b66fe69002
SHA512 a1fe5292493c90f04d0f391a238a695f12022be55c9fd7bf15f26f0b6ea0658bf2d6d42252353d1ab5f80173a18197961eef2db118736a783717407961f32273

memory/880-704-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sGIgkMMg.bat

MD5 d8cbbb96f452b92df8f259f83a2fbd4e
SHA1 b948fd4e2bfb8029cd4c307bbb44d43b889ea492
SHA256 9e6c9af33a08aa9755f09986215425a92aa774ee37b84d1a2d6f2615d5afd5bd
SHA512 b4c83f74613336f8e50d43a9137a0364e537da85328e7fa770e6bb82d2bd33a8caf37e5c165f8b19d348ee300532e38bf73f35a6b4a65610b5e3c93600df597c

memory/2796-726-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KCEYEkwA.bat

MD5 4475a46f24ae6c22bb78cd9e29339cc4
SHA1 6a3e23a66fc97993decc6a802f46be36d76293ab
SHA256 b8c96c13d0c1524233a04fab8d3e098e0496e63b882c1a877cab0e3c727823d6
SHA512 4d736bdb08ba53cf6b7cda357e6ca103024c0afdb5811a7433c6f9e5d8835c58d5e1a6e7cd842b6b9027902edddf575b3419a5da33cc8814d85b0792a4bc060e

memory/1688-747-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EyQYQIcY.bat

MD5 5bc345f9b71d1ca56358b8d351cb956a
SHA1 30b36bde3511003f6a69eadd1d20dbf7c58992ea
SHA256 3b73fd918573c614a4c22d7c9831fc14a63363b380731191626aa5113ba68ee7
SHA512 a55bd7789f0c66dc25048f21a7add0f5d2faa0059bc7b087d76833605f9c203defe3a3be4543bfecc9a4d8b474894386eee946ba7c54bb9978a903c9552610af

memory/2240-766-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TYcQowAI.bat

MD5 e2d03347304593f07ee359bf1c119f54
SHA1 c638396b63dec8d539788025e0d49422eb251249
SHA256 f087f82ff03a2a29927c7cb2c31d5c4bea777dc8325585d54950145aac7d3d57
SHA512 5ab7dab8168f8cd4cffbcd64d0b43a5f4ea50a95bea3964d6d495f7fb3b475f40bbf6946861af032982b5488e4e0241f5dc69d03353f821124300b21c2fcef68

memory/592-787-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PKkkgMgI.bat

MD5 1155ff231aceab46303378d287573dfc
SHA1 63ebe0d788723f82376b762335120ddcbb0cd0c5
SHA256 2334a8397531cc1e04675f59f89ee08a33f2a08b64f55fb5382ff955a2d88df2
SHA512 853c93477040ad2fff5614f77d8e40fb60f40a5a829a32eb707ba275963a45dc536ae9ffd6460ce56f7b7f561bed993f4eb6b6b6c649b39178e15a268dc7c6b8

memory/1880-808-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zWAoEEcc.bat

MD5 697c537196b1960a589dc0a9f923e8c4
SHA1 354ea0a90f255e9cb8d7275a2114f2289532add1
SHA256 4081d69d4e116d7e267d5f36bd788965cdda26d5593b43043e12d52306a7fdbe
SHA512 c99b3be4c8cf42971364f7854adf49c280b65df81c35b9225b05ddadc27195a414a4574264c51caeaebe69b55d35db25a16062d67df2490f8c2d7da51ac8370b

memory/2612-828-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\taoEIggA.bat

MD5 df8033ae4bf8028c4c7e97c03e1fbdf3
SHA1 6d4d68de2b793c5f6fe96579b9ca8859e64b87d8
SHA256 c07b30a30969090a4c859e8fae5916b64131249cb7aeb5353b791acb12c66c4c
SHA512 4d5398ca331d638a5f3a75067f0e1e08651cdffdf7ae0e8ff438111fb71f7c05355581c9281661b6d3660f61e6b41e2ecf2b88ea681a9561abec989fab237dd1

memory/2528-849-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vIwsIsMk.bat

MD5 e0221e4bc97e36adebf64f1e663da2c2
SHA1 736a40d287c80f4dcaf230e8e7e534e2dd91d48b
SHA256 2632a7b0e3bb9f6ead1d4e27673983a16481aee79d253c247135fd170f9df701
SHA512 b925b36bb4f145b969cd368a691859e2706f4334d464126d2fe7586c0f2db062b48cecef36cbaa5ac920562c5e28242069d2e7566f1cddef15ad5b738009fcc8

memory/2072-869-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rIgcQYYI.bat

MD5 ff28e4c7b336a367a6aea53a3ceb499f
SHA1 c1aec72bb331f1aac296ae082ee80a2193b870bd
SHA256 f6f18ebe5a64cc479c4cd66b2f2a45f42581daaa7512dbb8ea715898c31b45f0
SHA512 2370b3992982b1f3e2e91a20ff63dec25a6d575f2c52006936c073259461a71873360a2cf50f370a4e440b69af4013144aafbb22fa74e370439cb4ed2130d56b

memory/2004-891-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yYosEMQM.bat

MD5 7529bf2cd2f4b57d90c1a1b137bf37bf
SHA1 a5583380149dff93bf3ddc1b2310c9b455f9942b
SHA256 ce614617513faec738390a103cd4422f1386158300c06549fc55d946639e9651
SHA512 d32d8135dda9a50d20386a9884c44bde7cc6091c9416ae7e23ba3b8b797fff193909deb3c1429b628b1e6fb2d7f8339e62fcd2d79294eec7e9c98489f9658048

memory/960-911-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yIUm.exe

MD5 6df1e038148343c04314c46fce2354c1
SHA1 78fffd4b74287ccec2d8c6ee94aa83644c178cca
SHA256 e603772c819dd50af0b2536a383460f50472fe4940ba3da9a6c68292ff2110e8
SHA512 bbd018980d92426c362b02ea90129d79dde5b027c7a9790135d2fb347ca7ced4554e6af5f863d787848b6a708edb195110a3f9aa2225f4b155e6f81a9891562b

C:\Users\Admin\AppData\Local\Temp\Acso.exe

MD5 2654d6b1edc6a6ed4755bb463e4a2da4
SHA1 6be64d0de57aafa3e646b8e22a9eddd9ca67704b
SHA256 52bd707470421b33fba1ff8ec525d4e4b979696d0dcfc3efb06f0af45bc0340c
SHA512 8bce7de182c3f306e1a6c23ef5226a23b6aa05a6fbea95d39b28dd0ae43caed135675a1343d8df1c64c07a83803ccadc5103e0e68bb27556de3f9ebe3ba7eb24

C:\Users\Admin\AppData\Local\Temp\KMoEMcoI.bat

MD5 d366a85f7896b3df749e1af8d5b254db
SHA1 c678ea9c8977c79a7a4527ad585d4221e772c922
SHA256 f0d44311e025b0c7c08c6cbff67030c2b5bbfb52be1d5eddb5413e242906f8cf
SHA512 a3406a819b270db763e30a4cd8382a6d391aaefd7f816a03c2d597e42a6146a1ebc8de90413c040c81204ef54fea24bd7cbefb8c0ecd52cc751013c5158f9eaa

C:\Users\Admin\AppData\Local\Temp\GskI.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\GEIq.exe

MD5 3141baa6581cc4c05969237ccc380668
SHA1 8741f81cd6c6957500345365ff74a910dfcdc1c8
SHA256 4f9e155485492a3a2a21b3b989cb1e794cc51c1269be79f81376c31b94e27168
SHA512 cb3f9672bec551435e33d82689b67c5c15ca1d497939419e4243e417f097fade2b1c56ad16e37cd7bf85cb8844e4288dc147ca8ce2f5e298f11da2bde5d25707

memory/740-971-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sEUS.exe

MD5 e2f645b4accce92b209188c245136f72
SHA1 93141a16c7896d1672eb27ffe4088705ed1b52e6
SHA256 8cee25832138dc833f7492225978f2ead410fa85869b301904c81c0e7c079119
SHA512 2b940525d1ccad48767ec8cfc2b6d3314d64b2fd71080205751e5d19fdd261ec3cfdca0fb38b3f90cc67792a9ebb26d125c2c3fdc7fa0c770c390bb2f9ceba03

C:\Users\Admin\AppData\Local\Temp\cgcq.exe

MD5 22f8a6351b8c1c70cd8b41e116519a5c
SHA1 505329e523d8395403acc1bb2e6ba6ebd5337b2b
SHA256 dee551d21b0b71254ab63ed5f76be7c72e5b15f80e9bf4077e27fc1ddeab851e
SHA512 f3319838eff1538bdcc074b2b2d19af8411b9018e939fc8fc5ce4c9a78a1dba9218c7ba8021899a3b2310bb01fe5e50d93d18950c10ebaab320a53abb18177e2

C:\Users\Admin\AppData\Local\Temp\oYAS.exe

MD5 b1b24e7c3b105ec60caeec71bbe6b757
SHA1 f9068a4ecf09abf737ebbfa70c1035e84c4c301d
SHA256 5fdaff0ab28c580122cbf7b1cb14b98acd84f4ec205538a774455c0f3f1f1458
SHA512 d8cba924d394de52532f7cc46387f2249bee8dea5b7e2c6be535a593b786fd22a10830b66e275d84d197ca56f9f7b539547e8b6d2334ffc162ef176ef608a93a

C:\Users\Admin\AppData\Local\Temp\aWQwAEYc.bat

MD5 f4f4455095237e0c2ef4c6839b894a6f
SHA1 d8f154dbe8f25b25c5c3b1c43ec279d19a181935
SHA256 bbd8d9e0b36c49a92816fb2b9244d5fac4eb1766ac403e3a28f56df8024959c5
SHA512 ad50549e2a039e5492e3573142818459f72097058de5256142f15c9110a67fd10bd5b00af1274f25b3fc427fbf055604a981434942878faff7e010acaa02d240

memory/2648-1030-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YkogoYcc.bat

MD5 6a07f74af06e83c55dbb304dad9276ff
SHA1 47703925e4b70fca8253c1a23565d1753368403d
SHA256 77b3cf56247e20085a5d749d7cdfc1e31fe2e1966d7b541588ff00f1cc86049e
SHA512 5771a2fa557875fdf847d1978fc2f447248b5639d89f716f5caee3c452b446784622d1f70c8cc1cbd09dcc183e0cf1c181e7737de52595f437c4322d7ddf07be

C:\Users\Admin\AppData\Local\Temp\UgQq.exe

MD5 fd058ec37ff87e7a289a81cd85911e73
SHA1 5f3fe0f016981f11c327daf2bab11d0a22eced48
SHA256 09f94d2ba195b27e006bb0dba2b6b248279e8e814fc6636366ae095840ece725
SHA512 b99cfae8a6ecb20694b1c75763bf9a336de645b72ce7a7f5d5cfe14f363e962ff0c8a77700918c4adfc8f5a1b5acbe7ace6d2628c590ee4794f444efd309bee8

memory/1292-1067-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YswU.exe

MD5 1eb65ebd73af31b845e2a1cf2a29b493
SHA1 7472e66edbefe2640b3b6a9e02bcf986154a3deb
SHA256 6ce42c87b2db53a6522110efba0b6ee2819cdaa4c69a4e5f0b807ff593577378
SHA512 dbebb031312e164d8243f4de4cc278f10185d9288a029ceb733e5be20eda6b4b46ec75ce9171024b74d54b1743591b924ea32fe098855bdf6dfbcfea8a2d030a

C:\Users\Admin\AppData\Local\Temp\MeYkwYYw.bat

MD5 2cd599f30330286ec942c108f7be9c5e
SHA1 0495039f415ec8b0c660905a5a5678375775d087
SHA256 e4eb3fa6dff316f50ae822bfcc06376e879ff46bc5a38efd4e12431e65b1c68e
SHA512 91cd0482662b85dbbb8fdd6a9214e24c97485c64b00a252cb52b9d4405bb27f69fedc8c56f775cda73a8a4e4bd6bea599b22f24e48869d6eadeedd00bbd13455

C:\Users\Admin\AppData\Local\Temp\egwm.exe

MD5 6492c168d7c6cefb7c8f4b420f3da818
SHA1 173ca9780795625baa1e0dd89c8fa9253f876203
SHA256 12331ce802c4303bf73e78f96ad52eb0866de674a41bbdb759dda1978960ff12
SHA512 7e396ecc27df8c48acbd7739b9f7b9b6cb86ccd48e23b2a9bb577b749a7a252454ce306f730e2d21bdc68c14caf88d3cee300bfc386e862dafdd358ebcbc1de9

memory/2344-1112-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ScwG.exe

MD5 d3fd129e65fa9143012686ba9ee3744f
SHA1 c1cd9447b38fab6ee2abdd0a0076d523e5d74001
SHA256 daa676f9b4897c3b924373a094d092fa5829046b3332643aa6538d57a138bc8b
SHA512 4764395e44a4c042b6b475b56f6efcae27e471c5a0dfb1493f1155a94533bae836332cdbcc51e656ed58c8fa78ae75b5fe872626d1b94039a49ebeeada1e694d

C:\Users\Admin\AppData\Local\Temp\EcMm.exe

MD5 10b8cb401d3bac2843bf822077e55227
SHA1 eac49ffa8be1eb9543c9b6c7c2fc43b8bb3a6c43
SHA256 41386c772a3ae7ee846503f211d9f85ad16dcc9aee433d8c07479202351974c7
SHA512 9f63a56f22776da168248a32209e2463c7364ee0a36035bdcc4d91134ea73e4914795dd6036d8381820f3346b9f124dffed2b68d400a11b1ce268ee367671f94

C:\Users\Admin\AppData\Local\Temp\UYIM.exe

MD5 176d56eff1767f9bfc9256f5e2b0bd1f
SHA1 a9aca80de477a9f4b48a7bec63407bfe027d8f7d
SHA256 d60701a132ad3de03477aded1ddd5ad0a3e071177697a1266ae827fe43a72276
SHA512 da92ab234465fef403ff21aaa8745361ce243534aca0fc566d10d4dea451e204de6e08aaf61c20f30dd67f8fd1a79ea19da1712006eedb7a67b0474fc6e04dc2

C:\Users\Admin\AppData\Local\Temp\beYsogMg.bat

MD5 7fd3a071abfae8f8441cfa091e7157dc
SHA1 7da6d19f28718ba68533653314a856b5138c8244
SHA256 844d6cfacadc6157e865666c9d762581451554bb947d0949960b68a6a8d982ee
SHA512 7c71e9cd0e5c51f00579e11e42a335dfef3df2468df5b62a4d3b189f8d83766fde62df3b46449fece1ecbc240223264c95ae3d690c369e41a7b7a38f0cc9dd05

memory/1604-1197-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IssY.exe

MD5 ce85f8fe3c352a5a1cfb75ed1495a15b
SHA1 09b84a4632dc50d0fd00f79d71ec8234ab4bf579
SHA256 28a541c133282359bce503054f4df9386124e01750a66a87a89a39c96d83f467
SHA512 3d968351ae22b42cbab85e218643146812533f56327973017be33e65bfeb00e3ead8fc2c9442af9514716bf5312087a651172e8d34f4392e101b76dfdbedaa1c

C:\Users\Admin\AppData\Local\Temp\ewsU.exe

MD5 05702c08286b9dfbd62765bc9f8c93a3
SHA1 810f445e22bd4d15c3614ae969074fd8762b6f22
SHA256 9846e7add6cd1637170caab7d8a55c5235a32d3a245185efc1511f25199bf661
SHA512 7104a369be124c9c77333d4c5b7fc4726ce6df35d0926b188bd71741698bfb388d51c5d43bc73fcb7eb82d14ee3ffd0a4d1f61f3769cc29f96177cb46ef4477b

C:\Users\Admin\AppData\Local\Temp\qoEO.exe

MD5 36c3070fb4aebf08fa172db94c6284a5
SHA1 76a91a322a30860d374cec71191ea2efb069b885
SHA256 0c5c51bb02ec088035bdef3b8e6151f9ea38ea5c6f1126c3c80535c6eea6f496
SHA512 2bc78065ca8d13f878e5bf25657a70e1723def2be0588161b1eb3b118cd53d15842cbf73054a6d632392fc66e1484188269fe8238f962d891ba36c7860f63041

C:\Users\Admin\AppData\Local\Temp\RiswIEEs.bat

MD5 ac8e60bde26048230349dba1cfdcde8c
SHA1 00d978de229b465dbbd6d9e5bee7ea0893bfc54d
SHA256 0d3b465d1cc7101d430ae0c0dfb846ca87e4a5950d91c094a9e81dad48090a5f
SHA512 22ad2edbaf55f110224b1891a706008f3713c5258915cd969a25612f6a68578a6e6975c437422b02cd95f8edfa972ef06bdeab1041ea04cb02f3d67a80325a08

C:\Users\Admin\AppData\Local\Temp\iosI.exe

MD5 a678d38def8fe5a5c6943f3dce5c235a
SHA1 2188239d85064386935288cb967b645fbf606f05
SHA256 f891037d849096a34a0f53bc8a29eaab8d06ee6eb854a98d8eaaa4b553a857f0
SHA512 4abd6d6eb83214fc85e99c3ac91098cb330d0e9414adb9f67e9af09329bdca9e9e2193ff115d51cee3b6cf9301fe7cb5be9dadd80ca51546fc479efb63babbbd

memory/2668-1259-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yMoQ.exe

MD5 41288b273bfd1f0f062d428f4a3332b0
SHA1 97ae2548922fdde25ccc16cca88136005bbbe7e4
SHA256 c01a8f2bf922c444464c9dc26a70c1cff660c2bb98bd1371a96ea1813faafc6a
SHA512 8a442f19ef970cf66ce46e9cc6e41cf54210c70127700b42da33b48685dbccce72ee74c9db0f166b4b5ed19c60fa0bb552c82202b584016904e03a54718e0986

C:\Users\Admin\AppData\Local\Temp\vSQgYEEo.bat

MD5 c774b9824d396b2fcb85093a9b81fe2f
SHA1 af5193e34b9cc672ba4ad10e5d353b34bd119d77
SHA256 9ebbc57b2fcc30f2b132f7ea6d0c4c82fc219220bb394efa9006f198ae14c16c
SHA512 9a94d7377fb0d8f082b32c5bc3ba3f87b34319ebe9e4169625e1c53466867c3c890dcace2303e6c6df3e39aa6249e05fda09a21840e611a9d610fe438385320a

memory/2128-1303-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ekUQ.exe

MD5 87e70fe186af9802c6ad8b0109528648
SHA1 adf3e92f7a3c3db8e93bc105805da11d96e588f5
SHA256 fbca5817476f19897e6e82eaa60f8c850631377622ebaafdd75884b75ef23c7d
SHA512 0160167e8aa8b421a2dced0027b474ff6eee9f25b9347248dcab0b81d4ba6e8f22e8d83b8780e0630728f5bd3d7bf3b495fb0ef5929d182be7d6e2c947d4cbf1

C:\Users\Admin\AppData\Local\Temp\IIAy.exe

MD5 f726865c6525bd0264f843e67a6f09eb
SHA1 02b06f7beac8b531e98a2c62e86f05f61893e8ec
SHA256 76ee33430fd578f6d8157169a865598baccfcc1f9fadd6944cb73411b3228498
SHA512 bc9bc18340276f2f6d020a8ce5bfefc951fbd2828713c2c26061bd9b2a53161b6a0d6513628381db9e5a93a9857b9095e3446fdf49d30a48494e7a577a1ddebf

C:\Users\Admin\AppData\Local\Temp\YMUg.exe

MD5 0d7926b0f9a63bd07547901f5f70b9a6
SHA1 18322f5722cddf67c988d979c10d21af9e321a15
SHA256 ac87b650ead1049426d177690bb761e37ad02d88edba5902a0d2f0ff1af0b4ea
SHA512 6c7be4ec8fe7a353fcce766748f8a993ad91117a36fdddcc14801e2fd65b9fb35cfe8cdfb6e58be602fb4bc7775bf4a1dc9b429b25e90962f68b6348bdf06b80

C:\Users\Admin\AppData\Local\Temp\ScYQ.exe

MD5 8ad7802487e72c21dcd9019a3d8bdeac
SHA1 7f3a2de082602e4a687483a14999f857635e2454
SHA256 5e3d69419373f3083f367c4ade3e6426b3de1fe0b731ce4f800056780239b422
SHA512 a5bca653d8a15181ca2d8d589d78a3ba0a05e0d9fbedba2b5f38be28a0a3d790aee21143e8d576214e3a629128af0a5d8a153f32d004f59eebbc14bed157d68a

C:\Users\Admin\AppData\Local\Temp\UoAQ.exe

MD5 789c22b65ef07dda1209b1f3527fef11
SHA1 eddda9b9445e7efbb064fad6367c1979a7a5fdc0
SHA256 f0ba52912e631f96f03db4d9a928eee5ab1ed9b4a2c716f17d6521d50377f116
SHA512 87a51116998c839959080a0b401b3e3adba29e77764378071f29fad6422e3b794e24ed7301d636ed839263ddaadb6f5b2da1c1ee43250bb20b1758bdf1e7b27b

C:\Users\Admin\AppData\Local\Temp\OIom.exe

MD5 2b8aa5f0518c46e5c46b51025a3eafca
SHA1 3778719cbc544c5c4ad9b59777fd9749165e26ca
SHA256 a41a30aa3c2048442bc123e56d6b5b4f50beebc7faf122ad07be8f9ff1bf7625
SHA512 6ec63f0d89ad5cd0e39a2ea6ebb8016d035e0c94196eea3b306200af8e9829d17c65452ad7c1875a05f80f9786daadd5598d43241bb14a6447f07c9bbd908d30

C:\Users\Admin\AppData\Local\Temp\KIUm.exe

MD5 07a83210cfe87174466c8f664c1ccc32
SHA1 94e14a2e4012ffd4cd3ee95feaf623276a590444
SHA256 6302c0e797a0d0b85bc6562ed438f5549b687c544cb070b038e15560c82d133a
SHA512 711fd5793fa74c7013a2b4df8da78a7420c9af5913bbf6e22b735bd47bc823c84096f0cdc4a9aab84d0a2bb0e5e0c7e86e45e3572573374cdd78e50fbe907731

C:\Users\Admin\AppData\Local\Temp\nqkkYkwg.bat

MD5 c0c804e8dd8684ca38ba5597c4970cbb
SHA1 eab9ac255bdc410d39ce50f860509efeba333d04
SHA256 da04f4e707af5c7d457ffae3b348fddb0815694181c3cb4d8abd40d0b6abf080
SHA512 536ca5fd57364a2c579bd68136a6e6dad7a64b0552165d889a03e5e24e77d2df2c4c603a64791017bfe44ad62d5186c1f8a817ba071ab9cda0e2834a0f7d77ef

C:\Users\Admin\AppData\Local\Temp\cAAi.exe

MD5 e01b0c5e4aa9d0d521fe3d5a2d5dac3a
SHA1 9b95093ca608401081c2e185039c8b67d735fa66
SHA256 15f836e8ae76eca7b96fba78bf9b5ece821eed7d1c5a74d8fcc93357caf0743c
SHA512 a4641ec96940bcf6d48259afb3e58b981037c955bcd9cf6a3836e0cec15c3e6bc70955aa6ffbdd8e5633a6fea078e3dcb751a7df1bd72fd899b6be2eef0b705d

memory/1548-1415-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\owgU.exe

MD5 b450533683132cd9cfeda13a9e7ca791
SHA1 159f4db960cee5d105cd00810bf2e07f078fa55c
SHA256 bb5d423205abf8cd9c2ceed950d3756e66235d9349bf00cb3486a728f81be3c6
SHA512 e70866a970ade40e27e67e229595a8d2eb2418fe6af7403d9789d486faad7c4067c25bb768287d06dacb1f5754dedc5da06fd13a65dc013fd9b1777fc25198d9

C:\Users\Admin\AppData\Local\Temp\SUMk.exe

MD5 9b10b4c8045b589c8ff019ce500353e1
SHA1 8467ab3eadcf9a5cc05243e2f20694689990e5c9
SHA256 bd2d541a84251c9615dd7acbdbac9bf58b13d68bef13515b4c8e4a0e87685827
SHA512 b75b77933417a5e725568772fdd0c20618d64104dbf1c5af4984fe9aa67878c311c0ca7477c90112f59dda76ca69457012d4af1aebb46b1fe936d5a401777ced

C:\Users\Admin\AppData\Local\Temp\jaoUYcIY.bat

MD5 e6cecbebfbf19572f1191d25035e7ca9
SHA1 41616cef19a654d735ea0034dceb3d2da43c3813
SHA256 b134536cf147459b06d02a371c721d4e9d89945833cdd7410a274043113a4636
SHA512 5fa60628caa98fd4b66c0badb37a41cc21ce1e584f7acfc1b24ca0e7a2c4587f0f38fb74f6634bd778210f094322ea10dcf8b41b986e98b1e68757b4090626dc

C:\Users\Admin\AppData\Local\Temp\WAMM.exe

MD5 2d09811fc419d55374f13f3117e9092c
SHA1 a04449076c7ee3ae51572928388ba117fb3c38e6
SHA256 d3ab3421e4847ce3752857b63fbc72db40c42ffeffa07f687258271a1908e106
SHA512 6e7194aaf3acf465c51fa96f3cb3f81a3bc85376ac745275009c90421ca0282fb00c8bcdc44d6bf70c4eeff760536f94ae1b2d68cb32e3f3d9aafa49b96c2cb4

memory/1368-1464-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wIMg.exe

MD5 211e265dd1fefb006730e548e59d8f3e
SHA1 576a83dd6005e5cf7f09e4c75be887a182f66467
SHA256 10d7f9df49d33a318c7030a24c61e7f5e153772790e3c6dcc1f2afca9a0395c3
SHA512 11c47c608947f153f68c5dba806a6576781f6d2a7a8f4afcb221bdb08acb8920916510a071533b281b0e0d839b2506c86211780a566b9faf06aefdc0a714712c

C:\Users\Admin\AppData\Local\Temp\YYAkgQcc.bat

MD5 05a80b720137c417250a24bdae1e627c
SHA1 5748875932bce3026be8b7e9721d1907a3e6c376
SHA256 f08894ff1dc84127f974a008f0d74cb2193c326071707d8d6d7b51210fa165ed
SHA512 8060ad2f59d4875856ad1fc53c7ba86e7ee2f03c149529f45f9ae498ff6917ff41fa09744f12892cbc7327024fd6110c7afe2b9127f05a6bd217773e88ab19bf

C:\Users\Admin\AppData\Local\Temp\KokC.exe

MD5 ec05ceac3f46c83bef6c764b05a7d4c9
SHA1 180e776b60d5bed861091ff30f838eb78be90930
SHA256 5dfa373706f077e529f4aaf519ac198d8b0dbfbf5ada3cd69fc50c09351eeaee
SHA512 e7817a60a9e42c316b565dd630f1e3d5a6b0b2b41ad571b728f7d8fbe7a61f29c98051a55d9274743787ec6eff8d874d2d24f8713af285e4ac048c78543daca4

C:\Users\Admin\AppData\Local\Temp\cAga.exe

MD5 8d0dd2648f9fdea0798c8710d2925882
SHA1 0450447bc5d97d8cdb1e0d26d301c5268b1a6cdf
SHA256 5e4a196b385fc9c6a850e7956d8f07efea168661015a2cec0c77ca8e8237d20a
SHA512 5849102d82be6f48d03ef84b64d763d6f8f510471ed04dad907b52c713570deb98249a686c31d198a95d59fa40f774eea80fe25127fba65052cb7a190d56026b

C:\Users\Admin\AppData\Local\Temp\aUQI.exe

MD5 fee3b3218ac11458c1590497daa683ad
SHA1 e0e56a36a6e368622c982c6bf74db46000a9e9cd
SHA256 1899ea2ffc4b725bfc1cd3e2ca0bc56d3325e731bdc7d8db10c4513322f71ca8
SHA512 108f263cfdb327ecccc3b0759697bb23b8b6c3b7ae053f9724665f1cbe171e722e3ce3acaec954ba393ababf715e7212b554941b991d9fb97f0b3aea0d2cede1

memory/1600-1533-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gcki.exe

MD5 836ccfa7d194e22e9049d7d6eb308ea7
SHA1 e60a10bbac4d1f62a196bd466aada655a47a52f6
SHA256 66ed181a97ac546d422dafb97f1d11e6f747580fd07d8297e4f0bdfc386cdb75
SHA512 c404ef5a5cbb87f9b62b0a713cec2a4e6bf7b334178b48f8f05cd2b96c3175563237cb63d578d468d01415e3a1214125b9eec2141e0269fbfdf60c3278ff0b0c

C:\Users\Admin\AppData\Local\Temp\GQEk.exe

MD5 873bf472029746f8a22d93fe877ce36f
SHA1 545d2163d2381f6a4a70908a6e6a75b2d8d8abb3
SHA256 eb677cd73e76a2fb5fe85d46be2e71fc267ae82df90993f77a2e01df1e453210
SHA512 4f7b73593a5b14891c13dfffda9a72570a0027d9d03b92125b1ed3f6de99784de10648a0925f5e4c5dc1fc3207b02c72f536cf798ffae7adee374e42b6a785c5

C:\Users\Admin\AppData\Local\Temp\GoAU.exe

MD5 44a3e2ed5355ec7f5ffdfe81dc9e6595
SHA1 098cebee953107b7f7be7fb0d36ded3ff728497a
SHA256 608b57d20405d607f99c596d8e360f3adf2677d3ef52007db951e4bebd4f880a
SHA512 c0b57f5a8dae324180829514a48ef4788b07d9fa408581f52e86d2791436c605b039a16d747cfa0884f2273fad6463a0131fa129495c031d03f1542f45bf160d

C:\Users\Admin\AppData\Local\Temp\aGgAUQUs.bat

MD5 e16f0504b437bdeffbc8f9f7eca4df0f
SHA1 a3092574e0264d7ee37becb36a02105193524cd2
SHA256 39edb7392a01de42e1f8593b92bfa84c05af15d08fcc88da6c165c9963b40627
SHA512 667ded513c5b5799851b29c8728efa6960ba5b7a30f4ea8f5f11817261c8c89c584b52e0391bf9bfef8a0ea5c498f5ea97a0b2f9b983b05011024b0cf844db65

C:\Users\Admin\AppData\Local\Temp\gcoi.exe

MD5 979d7116559fc86a80b3718431b2f574
SHA1 829a69c8dd070b44ad176f1c1a8bbefb60b4e672
SHA256 d76c8e495f967112ff13fba9379258f256377b34e5c0b041d51dfba8050d68f3
SHA512 a75894dc4601a10cb17d2f52a62678bb5ba1cfe0bbdd6bcf19c15f9600efd7125ffec3d12eb219dbc1c9ee96c2c58d2dce69f6b912a5dceaf4d231fe56261bde

C:\Users\Admin\AppData\Local\Temp\ecIi.exe

MD5 2b1187e9daabb79aecbd613365bb0bfb
SHA1 e09b91b495d237f8c1633ca37b0036310b0afb3b
SHA256 738151584d8035a771dcce11b99da12a186d5e95c21d2a1f089f228c307cd408
SHA512 10abfb445fba16ee1c219d3ac226bd4f2b936ae1f2410e3e5d84ef978b2f6f782accfe908994019e0df5e927b11a95715e4274b2e36c1b1a2798645e6925055e

C:\Users\Admin\AppData\Local\Temp\gcYy.exe

MD5 85ae5f593272def81475d653665461db
SHA1 0f5abdf427d9e7bcfbcf834b663504ce7f028648
SHA256 19dfe5bce1da1e275245b2e8e7c44e75b890b3ef779d3cc895a5c78da0c25c5a
SHA512 84a052f16081037156708e8500290366e777389e5581627ae8fb6a65ce4010b1178e4bbe1472dc691d652887d29f45ff7729c77a7215af807906f50428ce60ee

C:\Users\Admin\AppData\Local\Temp\Wocq.exe

MD5 1dc228a46d0b24031e81ab39d7eef7b4
SHA1 03ba4373fc84cf5f0ac74451ad133be33d641918
SHA256 b95ac12f0ee82cf5b86e02033f734940d475062532935bfa25c060b12b1b68c7
SHA512 093e185d5b15522f9bc922ea17076cf61cf0687777ee1fca18f862f6d6903595df2a2d1f6c72749b2b81c519bbe2803930fd47ff405f016e7d027bcf5b2ed5e0

memory/1564-1636-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QYAS.exe

MD5 4c56c71770eb936480de8e5523bf969c
SHA1 1a95acc7b01f10adf4068b9e462bb8bfcf7f7cfe
SHA256 c91bcec78f54926066217f540bed57f7875902dbeb4b1fdc2003d39a029e9956
SHA512 7e40e5ae0aa2ecc517e27688e6968e83bd1eab5efd4d12ac35c7b0fd58266aa9e7d51fc1fe78cd264d9dc1c1c2cf11839defb211c622fa433b3818223a73fc31

C:\Users\Admin\AppData\Local\Temp\eMEO.exe

MD5 e7b1928253b65169fafb03e7cacf680f
SHA1 71d9117771506db041843739ad6f35f3b17a36d2
SHA256 40d60609173812d90dc904be4917d670862f965bbdf5c43ff96427dc7e96eb2a
SHA512 a73db40c00bfffbce9293cf5e4a503afd86b8bfa98110360f387d2c28fb1bb371ceae2083a1e5fa3826333d718cca908345a6e2f817a756ebdea586d42da776a

memory/2488-1703-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YMwYUkcU.bat

MD5 536b411074b9e38287c68c9dbbdce467
SHA1 305b7548da9c06c4a9699d65dd455999929c2db9
SHA256 81a1929259a44a538d8e53eb93a2709182d95f793596d4b90b98d401eb28df59
SHA512 1a8f02e658bf1fadf1a2d7df6ae7eaf841721a82eec26f28fe85ab353086970f199f656e3fdedf75fe5757a78e1bb254b44d2e943cf0c489a268c9fd6633d4c3

C:\Users\Admin\AppData\Local\Temp\OEYs.exe

MD5 70b365741aea376d54371c490b3a8ba0
SHA1 4e2989b423c554fd2df377b616350ecac057dfa3
SHA256 06596372314bd85f7f1d606c4988dfbcf7d6d2cf625e3a33748d30ab20689656
SHA512 11b776294510839cecc2f4f9e311a913e45af3edc13d94de976b7992805691cc1cfdc1b55c1e341c0e5193ab11858fce24e3523fd8d559dd0c963fc241acdd5d

C:\Users\Admin\AppData\Local\Temp\gQYE.exe

MD5 aab68e649170e6b902843a3e290ceea1
SHA1 82e08758ac17307843f3cb5d571990fb56a6008b
SHA256 a820c0f2e62451aafd7791976d123fba61a9685b3e47cad72a3d2c726491737a
SHA512 2688da02875b299d112c5da06039ae99c7bd5f51d6aa638c2124239959892b779644a6a1926a8ba899033b62affdcc77de6f8e397c0e5f3e320425a8813a7a03

memory/528-1761-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gooS.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\OokY.exe

MD5 c618666ed28dc6a38e5e575e54b918a5
SHA1 a16a064ab6e0d9df2c303c3b020dcfe631d9154a
SHA256 ef39e086ef1a0ef54d4592ea7ba89e2dc085fffe5785a86442791752b53547c8
SHA512 4fd2e0a3acd7bd70d8773b1742d6001d3444fb595580c77dc36c1da85c6323050205de854b6d0f701689a9549cfce0031693910c80d3e3e25598f39a493c759b

C:\Users\Admin\AppData\Local\Temp\SssYMIMQ.bat

MD5 1298c4d3415b51f50f8a5ef33185ebd8
SHA1 ae4281cad0f014d7ccbf14f93b48eb96517567cf
SHA256 fc9130a24d9e7fba6992abec5e82e5db1ece44d64e17271d6bd1fdafabae07ed
SHA512 8f4541f5a0ea930c40995503f2e59e18e598101ad1e9fcda209a4bf858f599677f1b87bbda7675d03ed718cffbeaa9494a3a1e2070407a4815c389052611894d

C:\Users\Admin\AppData\Local\Temp\YcsQ.exe

MD5 376966f061fbbd766e1b66c1fd8c8c33
SHA1 f97225ec2bb9845748009b5503377ef23a68d6eb
SHA256 809d6b3f387d2484ec5a0fa3ea7f330e52f4f5c361354be67a550abd6aaba60f
SHA512 35cd32d428d65d7d18a0c34ae43a50e513fc1e1737c05c1d11e68081ed123632b5c7edaaca1ad94ef166e8abe241cb240e4459ef6d019cf9532f585ed82c3a96

C:\Users\Admin\AppData\Local\Temp\SQUA.exe

MD5 8621eab4ac389c2d88e5a2d00cf54c5d
SHA1 0393c08c1c3d40a4380bbf5279268fa6603ca3ea
SHA256 c09ea3c4b96dbc55ec5c30b89e245fdf972cbc2011afaee35f803025e7bad8d8
SHA512 e03f830a5df4529e91ebafe1dfd1cfab2267f66f5381c80a4f047808ed5eaebcb8d6a0e0858541450f842f02be4ed689669b0e6cfb4d370bb9d0e45fa878bb3f

C:\Users\Admin\AppData\Local\Temp\tgwAcUIQ.bat

MD5 1f84fad7747193ff10c140d176d98df0
SHA1 736a27eb1b705cdac7fbbb88a133f17787a38cd8
SHA256 d54d83c409aa5cfd9d62ee9d5857ae176f51f69c469d222fe003d0ddf1765ef2
SHA512 b1c1b7c689843394181c2ef6a2b406afcf901dcebf0139081646b0b79bc421d6940a1a28f27ce9e673dfc96985e5e2d9734c45c7d8f53279438605d30857415e

memory/2716-1831-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wMcc.exe

MD5 458fb7f893a0b42e0ce71850e00c8366
SHA1 bf37ec0586d103768cc9cc8cf9c6d98ad79d5628
SHA256 2d78fead92fdeaabd62276d657a0f503ce952c04324307b1af2da8e9bfc2f9b0
SHA512 c19045d315a52f9682b584ccca974b86f8d795827bc718b5b464da99273bbf015a6108e38b027afd6a2fad1a71036434590adc7a6331993db45ba35002164aae

C:\Users\Admin\AppData\Local\Temp\tcoYEkII.bat

MD5 c207ac7122a274a27dd802318a956d6b
SHA1 f98d1954c458bb5b1bde2b1740c5cf2534e34832
SHA256 42b3da45ae39ae2e7126bb19c933f3b9883603f6ab7eeca0ff3eb3458570c22a
SHA512 54672c1f349dff4f04fc6d9d58da8d6250cd614bfc90a6bf4206b37c25cc769073d7b1f3cf55c5dec23664211f67a778c50afd533bd7a6dc9fb7c647f30b982a

memory/2344-1853-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JukcUEYo.bat

MD5 8d2f19fa23edc6a78912167e35e88491
SHA1 15d278905a50bf0afeb32500f38dfeb19d9df33e
SHA256 588d6461d92118913b9c48fb6afbe6c9ae754c5f6f705eb529de574710258f28
SHA512 3ddb4df83dfe69ead433fa0268d0af7a7834b658766141c48a23f5870acbc51d7a14d25d658d3c15b650e7d59b917e0c5903ebf74ab43af4e24ae584c65906c3

memory/2764-1875-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fmUssgkg.bat

MD5 1ca851d9f75b4b214ce9cb55f952a585
SHA1 24a7f9df40fcae9059d932111f8da45f160ab128
SHA256 00baaa25e7c0c0dc571ba25a0fa884dd49cae6dbe60b3f7aa656e1b5bd0f3396
SHA512 046ea6dd3d8911fbbfcda1ce3ce19da0e2d0c3bb16bdb3b7392c69840e2542962334809821aa9c0e6987cd04f17e9d5b80901aad8c337d88b6a26ba4a349d260

memory/1576-1895-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FwEkkwYg.bat

MD5 d5b7fa97bd1831ca7869ce7bc2731afd
SHA1 e3141c3563250211a4197a24089c003832b6f3de
SHA256 e4ee19425a1fd771588f104ee168368749dbc3105e83ff2e13d4aabd8506afd0
SHA512 161e9914d5f4344713dfb412c4d16ecd33c8fabf6bfd11de4f1544c019110129358bfc5e0cec4be1a7e05e4ed017d15c0a05c4e3de9ca0816b7e55822f72ad04

memory/580-1915-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aGowcoUA.bat

MD5 487ed47bf57e7dd8c92babeef68f1942
SHA1 1a93f36d019a1590a79fc65fb1ee4ff8c86b2bb7
SHA256 d59f9932360f107292c53ccf6fdb1658c78ec0f7873b0944b4c6beab90af662a
SHA512 a2030b1505f9e7d15e0a17a30b0cd065f2efb310f53f32ee725303cafb5410ee385bd24123b2d675942470b44517490e057de2f67061716085859aa7db72f571

memory/1632-1934-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MGYIYYwk.bat

MD5 fa51f782f07c8106be5a572b5fde1a76
SHA1 fda29f15673a3fd92cc27f9bbfdb0f6e3ba6d3e6
SHA256 c4024a8dc025c86004c1e076f871571289274450ac6165774af4a0f6826ff292
SHA512 49868ea6d2e1cdf50cb2579c18494b1cb3a6ed925656b4c1330b4dbf22d4ad35b41e4e5b9f91a78d41084c0cb62c85c5ea38f8d33fd9083fcfffa154550aa269

memory/656-1954-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qoMQgwcg.bat

MD5 4e3d8a62d211adee1f1bd4b0df09dd1a
SHA1 95a4cbcdcbcea73408eff9d6ed7f6cfecf8c3559
SHA256 c996cf0835b3639fb5b5341210caffc393b15bcfd6120f6e096150aafb15e68e
SHA512 d1d225e2903789e8a9ae0bd287a05c679ede240f2d3f0ac302f90e76c22f8de9bea7a719585087290cc708d777cd8649479c85b56d15a101b0b7ff8e5507e812

memory/1656-1977-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\geQUoYEo.bat

MD5 8192485b3e6bfae06d2be9621bc84247
SHA1 011103c6857c5d511f2b1c6c8ab4230f9ac53c56
SHA256 0934cea4e804307baede2093636fcaa6f101c92e3cd2d7f874ab0f55879aba4d
SHA512 65b5c33deb9816b68873f2a6e964a9fac6cf4c63292d2fc52b28b80cf7c1fe216d0b485ece844491ad954323eb9f1ff103acdb3d4d176fc59cc2227afc2d74a9

C:\Users\Admin\AppData\Roaming\EnterOut.mp3.exe

MD5 421f17d683cb924a374113c4b6c49849
SHA1 cc68b60c0ffa8aed4fedfed8b2b180e0f2ec5736
SHA256 3d0e12e5137b4501814b9f5ace0c41bb1dbf7df024d791696b94303d3450f8f9
SHA512 dd8ff46a33cd5812abfab453b9b77294d40cda132e3f5adee271ef9c493462019c9e03534e1c3601d4ece1738822edad8619a33d637c9d5f2369cf23b298324f

C:\Users\Admin\AppData\Local\Temp\SgoW.exe

MD5 253c17d71f1a3daa96bd1a79b4534d17
SHA1 944d0c448f6ef1d1a03c94ce5f4d1c858b18c97d
SHA256 68995a3e876f26bdac8019970739a2016784e49b740e8ed8fdacdbd9cf26e7ea
SHA512 096d4ceaf6d0cf8634f2ecbf8d7ea0a98e40c7f2e17c9e84cf16a47f72bca6a6dd206779e2afa8f5b4eb7befaea6c18794ceb394db3e703894364a275249d564

memory/2044-2009-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KWgokIQs.bat

MD5 25ff631ccd793cc1348f9d9faa3f4878
SHA1 f2d270df80ea113e29c071a7d58d4ed3b40c02a5
SHA256 3ae5836a6f48103c8d402371a67b5c18774fb7c4c316ef53605a1d3819a64d39
SHA512 406694d7b5a4fbbd90f19ebdcf14256b988eedcbc74de080a0584f1e3c170b12efeb6c9b2c3f19af90f50641f5509280cf0cc8bb68789a8dd053c4b7c5ce34e0

C:\Users\Admin\AppData\Local\Temp\YAIu.exe

MD5 f9c883e427c121b9bad0212e71f75789
SHA1 8368c04f44010cb09829c1c492eeb67b68ef487b
SHA256 9926b81294b4c146c897d882b4c5d09650495e3406666a7d69ddb7c443334f33
SHA512 25a9e790015eb9e926621d151c98f192ab2964d150679c447320a5a846ce3ba69e2a912b6e132cb64e7c852932024c28fcc18dc47c1b2d450d32fb9f49264b60

C:\Users\Admin\AppData\Local\Temp\oYYO.exe

MD5 9549ef530b7cb22d95ae146ab5275fa7
SHA1 3bd62a022e56e1d9b1ee52e50b2c93a2797992ad
SHA256 9c778c9d6f7d6e74c9a27625ec2dbf6b117111c28a68f95575c82d3076fecf2c
SHA512 685a59aa518f2c05895b27e5f273add6446f55d67c0e05867f4c5de0c9eb83601476bad1377d726988c5a8b3694a434bb49e4c220679cc7082dd1ad12cc95ff9

C:\Users\Admin\AppData\Local\Temp\sYMu.exe

MD5 2058cceb3a8aa1db975d5c3389a737ad
SHA1 554d2fdf79d899374c23312b458c8576ffe95916
SHA256 23c4de7a7af8df89642c94270691b0c98577fbdcf28f0aad98efd7e2eb555029
SHA512 8b5c7edba4fcf6cc93b4f0efcbf6f83d2007922e8572e3d2375cb169508bd5d0afc640e5c6f09c019ff48ac96bfe49eb56863224fd241b8e70c797a898e87e9d

memory/2396-2084-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nQkQogcs.bat

MD5 6c822f35c766c740eabd978f23db87de
SHA1 586e1319568997d815744fffd4d820bedc356042
SHA256 282392c397a2466be36da254ed9dbc38bc1f95395248ad7c74e8524f7826f732
SHA512 5956c039a155eebefa133c331e40ec468f4e5f3f65ace5549119f0a8bc75c4b0e83f113ad6469a8211d1851f1230b2b3d56673ff84dadca79767919d2a4dfdc8

memory/3008-2119-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wMUQ.exe

MD5 33ca23e6575092e2c539227162225f89
SHA1 3ded3921c41dab3b66f6f8f835de861223f92be0
SHA256 82c1c45b9911d58d541cf134f056a41233e37951a25cae97b1ae52f6f515924a
SHA512 a385f89a68641b1bc6809ba9757e8b2d4e5b885e50f5b076b6ccdabf40c2200a24147ceb328391f4f2bcbf5493c46067a4942334fa56db8ba0151d9f61452fbd

C:\Users\Admin\AppData\Local\Temp\YcIA.exe

MD5 a0942fda1189493fd07ac59a60c648ed
SHA1 d310c304ba6e6d9f031cf4ac37c845ee71c77fd2
SHA256 30bf4d9155d5973c8c293bdbdd7b902f9747d0a70a9fb89559b9c52b40f7b674
SHA512 52e3f407dfef720f5766541f19d0c775ec2f6a6804e27e2915ae52d94ed01231108fa7f084705bcb8b08a3937ebb825b8489d5257fdb08fcc7b2912e88a44126

C:\Users\Admin\AppData\Local\Temp\feoIYwYI.bat

MD5 e99da602dd485deacb7f52d504a5424b
SHA1 160f4533e6ed398fd07f3f323e4fde52c08b6a56
SHA256 d33b78f972951e999f82c88739cd1ade0c425bdb663e0907f5f6cc0979aeedd8
SHA512 09f6819cc815d54f2e3002b97d20f55aee31ba7ceb1fadbebad17a6d81a48162a81510aface504477cf84e7f34ef28cc32704b3bd8fd39dcfbad27dd43894ee4

C:\Users\Admin\AppData\Local\Temp\ykoG.exe

MD5 5d845b73de9602ae4d5dc4a16afd70f5
SHA1 4ee841c7bbd142163e88589086adada23ffbe2a8
SHA256 5e28cd93e1fa1e40956869c250bdb36f0733770889ed24b4eb8c5e56fdb766e6
SHA512 03bd39da9971e04161e7ad9c521b6500dbd94e9f58d3a4da5b99ca139ba4a8c70bf334e08f97dc359d39dbc01187c6217f5fd22006a63d3394c8b4ca6683286e

C:\Users\Admin\AppData\Local\Temp\qooY.exe

MD5 6721b4d00342449ce33622f1f8f46f09
SHA1 742e0d89863794e43e6f450bc6a24ccdf4055fe2
SHA256 c216d8b1f9d7e756eacf493edd7738b4f6346e1ac2d273a20dd9918846fa0dc6
SHA512 02060d1f98aee0a968fbb49ae57b8b6ed25ab7deb620ac691b50cd004c867b6792eb0b3d38dd2954775cd628f7ea241e6de2599de38059e7c49b34c2cb814057

C:\Users\Admin\AppData\Local\Temp\kAgu.exe

MD5 a4c0d303992b3ca98333fcf0cf7b3247
SHA1 f33ddcc0bc9747f881b75ef4fa6d699977fe7d8b
SHA256 d0263214c1e15fe1795c1542a21d0786a09f76b677a5dda91bfda98329cac159
SHA512 c52cceb858cdcb1a4355ed99cb7e585b43e81ea125d811f1d3547c9a228c4f2c8dfb83536709fde9dcc4de0160b9e4203c3760e6ad3753354237eef6f796aeb8

C:\Users\Admin\AppData\Local\Temp\LkscYAgo.bat

MD5 067f1b8e2f13789dc630bd594740aaac
SHA1 7e04c6cff4b8d53177ca8e0c920635ec772a5cb1
SHA256 dd9987d75d0c879c697d9526528ec748684318ae5fa0118d1c8f9c542eae4968
SHA512 ece07796448c4448c4432dc955d100d6bc2686a3c7c64355f8f783df581e779830517fd9c8a608b9a5346eed957fa86202d1d8256807a5a6692cdeb3cde36a69

C:\Users\Admin\AppData\Local\Temp\eYAY.exe

MD5 e1e1a07ea71774a9aa8c5d0401499d1e
SHA1 1756fb23b8aa4240a75debeef0479768b3136af8
SHA256 5e4caf602defd37532d1e71876e602c19b707fcb67dd390e0fefbe44d01ac30e
SHA512 95026869cfad6dcc64f9a15fa556e8f58191240439f027742b5ceb6d108508c3863ac13b7421e5951f24f6bbf88769f74e148b0693767be5c798c93afb620534

C:\Users\Admin\AppData\Local\Temp\qggG.exe

MD5 be7cc204696cf373f616eb5132fce7e3
SHA1 10293ad457c3ffd5ddd3c04d69e04b8779f76952
SHA256 b88aa90f1a4be281dee22bc7f5b441ab6180eadaf4d756d2eaa76dc81601f6af
SHA512 876ca050e2f115eaaa8bd4032b7626adfdbd0636bc0da21cc7d7deb36f238bde55ee58fe4a5ac9b66da228d2412486ad5ce4096e69af14761f98644e5f25ce09

C:\Users\Admin\AppData\Local\Temp\uwww.exe

MD5 cc6a1b140594fe284b632992207776c3
SHA1 a200c59c918b8fec6c8aa2a2077795d4a21a2beb
SHA256 dfb0f5bfdcd8cc4c3c380aefc3feb1733999e63584ac10ed487d631260851c16
SHA512 b531efda6443bb2caeecb87e2a00f076f8bf337d34a69a1890abd1b3b860e0112f25d8454c027d105f5b4fde59afb249b537d0e79bed6f21396a50d076dd679d

C:\Users\Admin\AppData\Local\Temp\ecEO.exe

MD5 6a4e6756507cb9aaa1a7a48951a48f28
SHA1 65f7805903f5e235b73bcd1345b3bc661d251254
SHA256 f85040b3b497702b3b2563c6ec8f8914642c8bdeb17b26a81c81d43ea719143b
SHA512 3bcfab6f2e63a69c4a562fa1b6e27557edd069a7cc0ef27d21e7e69c2262f61c523668bd252cc6c29c308e26aa8500f317cd5ea712341e249779111075caef81

C:\Users\Admin\AppData\Local\Temp\mgAw.exe

MD5 a2a86892a81e55afd6a037b40d3deb18
SHA1 3e65c8898d5e6ab60188c3554b203284a32a8ed0
SHA256 424aa78327ac64dec84c2f21e27c0e925b2b218682ee46def846024fcd0a0830
SHA512 c26b728e4baa8afb2c00f90028e0abcbc7061e65c0359ecbc6236ce0b89f13be404dd2aab56f832fb593f0ce944b492ec176ece40904ab3785a2c4940ee46e20

C:\Users\Admin\AppData\Local\Temp\ScIO.exe

MD5 405bc235c8208c1c8de8725be2ca525a
SHA1 4a3ef218b5cd4b8e6873143bf11a1b003c719520
SHA256 cbd2728187c88ef1afc5698be69b14611b6ee0ba1b7dcf73d59fc181c7618c08
SHA512 a9fad1a1e121a6f18e09d3b0dc6c73a281d86a45619101a44c1d42a0757b5bd4385fc852eb72585a179e7357f774cc7523fa6279da5cc6bf7b85ce2de9cd7032

C:\Users\Admin\AppData\Local\Temp\uMMw.exe

MD5 8dea08ebd13e3aed446fe387fac655d9
SHA1 82b222a25a62abd6c51d5fb066c247e115171b47
SHA256 8d4c646c48027f94556aed712d291199a3dac781d480271278cabff335a9cafb
SHA512 99533bb222b6949e6cfea32d4b0809b9dcb2323a2ba53ec9d9eb11df696643d38fd9979bf95eed036cc0f7778158a9de2c41892449c6f41bbf2c2c4144a1de43

C:\Users\Admin\AppData\Local\Temp\UEAW.exe

MD5 5d293c927bc569ab1a89ee4cacab4514
SHA1 4a5831703ed7408da00a1c0ee710b6baad6a894b
SHA256 46357c42935731f7481b8c4f4dee0e89dd5fc5b6aa2c93ddd4433ff4064d79db
SHA512 99021f87e82d1a2b33a78dca7ba3b711cf60967e932d212c0f4b4338b1c3316a772a7b58350c7a223f41396e398adf18ab608b52604dfaf57fa46b92a4930446

C:\Users\Admin\AppData\Local\Temp\KAEE.exe

MD5 7e879aa634d0646a5a6c4e6d35d56343
SHA1 bb41882e90d16d3d81233254cbb375a6ac980191
SHA256 3235d8af8a49a8d797802d67dd390e2c05b10ead40e204ea08b3f40f43b53a95
SHA512 1728597a6866c5507a9527a49f953eb7db3b89a9ae429eb1c937d9059e5961fa7530f8d11ecebc2f4482ded1a1e82c87dd5918f3ffecd2dddd6b7de28ea1da45

C:\Users\Admin\AppData\Local\Temp\eGMUkcEc.bat

MD5 d3c0110868a074a23e52bc9d97886ace
SHA1 469d05dcbc9ae29a8e927e3942cd604330c1d966
SHA256 a15ce75285bed178b406b577f11d3c383af8f216f4f91c9daf1b6e3295d5c6cb
SHA512 20472df647b4e1186a0b7bbd3be7ad7bbc56de8e6784d3f026288a55398aa1423aa0d47ec9b0b7e8cfa0f0735ec33aeac9a5f5ce0400c8d3048da0b9fb93263e

C:\Users\Admin\AppData\Local\Temp\igYa.exe

MD5 30df17aab15530a7e9873692ee99d34c
SHA1 73b310411eef952d3c94ef41f304222e6d045ce8
SHA256 058dcb48c5573443bd3b3fc38e12e99847c0c87bc174a8254d062c5eb2ce8754
SHA512 836f26460d9b0c2b408a59b28b73b88377a149bf2f9d3ff024dd7175b92dd727b29ede9bc8b2729e7fbc3b55d61456f09db52d39b1261108edc9548d33bd241c

C:\Users\Admin\AppData\Local\Temp\iIYq.exe

MD5 d42def1d6e87b14f8cbd3e2a115f5aaf
SHA1 60938c716e6ba195e5eeb18907cc10d163b3dc73
SHA256 539711b85a7f05370ed975644999b0efb782c3860fc65a5bae44e4f2b4bb3f9d
SHA512 2e2e9c5210a03e639748bf6f167aa0fee13dc70f70741a9c7b68280b67b56cfbcddf087b041986ee9ef61ea4764fb35d29ed3e57489e974f4d7710a5728f6294

C:\Users\Admin\AppData\Local\Temp\qMgM.exe

MD5 4f84e2d17472b9ad70800f41978056bf
SHA1 81113104785b749700b7522ba9b56e799d3a96b1
SHA256 55853812e2b84960d9162266cbaaad7530c327a2bd615851bd116fbb704a7963
SHA512 bcf4b1236d5314e0f2797c9567077afe7fcfddb5c955e52e999ab778ce25aa18a83fdb1da46f62992267c321d278dc5034fdb8ad9f4e02abac29a0ba9441d252

C:\Users\Admin\AppData\Local\Temp\vsYkgkYQ.bat

MD5 850aee5f02a49987491c574e509ca714
SHA1 77c7e86c48c3b2ff87d4b080b5f612c76b08bca5
SHA256 6bdf537045671b69ce985a26e11140045b129c1e4d2f0adfe8945af1aa85237c
SHA512 29ea82fdc563a4e050fba9d7d9d1825c1802ebb99007b8f6dee900d7a416fd2b0ad76fc46a7672bb384f2cac476ae960d707631d2a15d03b99b066bb4416c253

C:\Users\Admin\AppData\Local\Temp\UsME.exe

MD5 759fde9901a724dea9774914eaef0789
SHA1 ff72bb7829ba4a1d92ba743ebca922b95ff6ce3a
SHA256 e7f123db57e5dcb33149f03bfdf0acad0e394bed224c45b935fa7dcec589970e
SHA512 8d755433eff9873ab6b02175307f599ea612742f7b0a98e03fa049f42474f91d11f925b7a295fc05f5b547d13ebf311b5578c605c1da139dd961ef85eef88889

C:\Users\Admin\AppData\Local\Temp\KQQK.exe

MD5 b7311e70ea1ae34de3ebe887f153a008
SHA1 cf247e95b5f2512c0729bef1d73b8776fb7ef81e
SHA256 98dd781123aa9aa9248f9800b45ba963fe8fd107d6204ada8b9e883da80a2aa4
SHA512 5abadef570b4e6bfcd05db4b87f16c4606aa2772f03810b903067c0ab177d9811b4b17bc584aeebcfe02cc3c0adbefe6d7f01f789cfb360c9150df4b33aaf100

C:\Users\Admin\AppData\Local\Temp\ksMMIMQk.bat

MD5 281e0b1d9c92bbf05d283368fe994ec5
SHA1 147f755a2dd09565016210157de0d7186c497aef
SHA256 6cd2e32ec0c91fdfa10661f39bb5074e4ef24b318faac98963a832002311843c
SHA512 16c245f7b986f851d7cd51c834305a9172c78ec98a33fcdf9c6a58641bd81e5c42083c1662f40a7b0ab3d08d7d9c8a9595928a7f6f209780aff85eed04785d7b

C:\Users\Admin\AppData\Local\Temp\AYgC.exe

MD5 bf56c0445d9126bb3b9784fee8813856
SHA1 f6d7c5d50f7cf7d7737089c78132953bb857bb2e
SHA256 93c9fa6c0dd7d1e69bb8ad8e53ed1de891aa7963f468646e1855d4f201ab2226
SHA512 6caee5471e4d19603235e8c69d7a40ed42070ff8ecedf2b5d9cdc82e8c82039044f98f3cdcf20c0a384e06f2a8c142692bb5f5248882ecbb21096bf39e27ecc3

C:\Users\Admin\AppData\Local\Temp\oEQO.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\Ugoc.exe

MD5 6652cf9b74140454a05515698f9e8ec7
SHA1 ed0187f93eff71e5f38adb55614a2a0a8793fb2b
SHA256 a35562fd79ce6f35c2767e79a8a6b84643c88ea313fa0727dc6955afe771548e
SHA512 e7c7273b250e7224746c4778d603cce242cd361368447dd8d883e9f6f15190e6d0fe7b616e8409496b7814672e9e8210ab65c72a5a24554345c7d92c2e9b0605

C:\Users\Admin\AppData\Local\Temp\MsAe.exe

MD5 29c71f81fa4f8af48428227ea9291828
SHA1 3bf929a4525b8599cf56e4a1661a8999b77920ee
SHA256 8c1622eb796baa122fad288805d955264e3d5cc43f42c94d0e3fe9e44c0b718a
SHA512 8cd60170fb7a9f2b8a30907e604ea3ad61e14a7f8e0a710d76acea4177aa9f90b08fb148578a10f68e002a20f769486d3203afb16c7731fc542f9dd4c54ee479

C:\Users\Admin\AppData\Local\Temp\HussEwUM.bat

MD5 fc8aed028c1eb4b7e0d545640382ec5e
SHA1 8818dbac56ad29f2ff60186c38203bf1af91493c
SHA256 ac672c95712a339a9f4f6cfdd855d8e092a9d534d622050c5a0084d8ef54615d
SHA512 654aeea2310e94546c51a30faffdf5b28bcb872c3ea8cfe94b420b1ab4ca08d1379bb0e06c94b5925171d0d2444d705ff09dfe696c5fe6fa9c6d9801a4c46b30

C:\Users\Admin\AppData\Local\Temp\OQIe.exe

MD5 44d06bdd129f9b84c25ce4dce9593afe
SHA1 be53e6b9644852513e54817a5c9abee2cf07b631
SHA256 60bfbcb29704ccaacf765f735b1a881c4d83d52d86e10c20738bae01fefb6647
SHA512 b9a9784a044864d32023cda99c1e9f48f003da9fa99a87d74334abbb3b183d8e8f0d37b9d94648f799abd82fae0aaed3df93a0c022d82f23e1e56d3ee7689376

C:\Users\Admin\AppData\Local\Temp\UUIswkoI.bat

MD5 87bbdb5b627e4d5317b6911921158715
SHA1 a17ce7f9bdc6de4fe4d26f28255e7205d4fefe40
SHA256 63cbdc55f555792e41da41beaf5403f15bedabbbdc640eb205c04ae143f87ee3
SHA512 56c47f45baaf74d38cea094dec3019b6f09ffc78ff9761cccb1d34b1a47267eda8e286385fb38b1d3dbd7705c0117f6af65f80ce4813097aa1e9a67d751f72ec

C:\Users\Admin\AppData\Local\Temp\WYMq.exe

MD5 16dace02ed80f5837b95075efaf94117
SHA1 6d5e4bf451a703a1ce7da35c6becd073c262d5d3
SHA256 0fbd46d34b0525eb77cafb254983ecee58f2608fcbce5b763ebdeff7146ff5d4
SHA512 cf79ad1da96bd1adce7f9407124c4ac28f0ff1cba5c0d9b804f0e712a19a12c023268e83a0f3e4e01d79a362e6cd8a8f943cdadb0cae5d02c36adc257e776153

C:\Users\Admin\AppData\Local\Temp\uYcQ.exe

MD5 e2a21f3aa076f135393e10744117ce7e
SHA1 db08bad51dbc88623998cc3acb2b6d5ee6fcd021
SHA256 58411ce7fdf532e5cea52b515490803966d0ebda5ca58dc95947b0622a45a646
SHA512 37234515d80d7e7219c6a0e4c8e7cec89da015c7907b2551d96b16d918580ac0d552c447203accc60410e53894d62c25a9eb2e6300e15d1bf6204ea194afb79d

C:\Users\Admin\AppData\Local\Temp\Ucck.exe

MD5 db361cd32069dabc23ee7925e3bd0e17
SHA1 e8dc8c4cfcb74c96216894129762ffce7c6e1376
SHA256 5d232d61c5c2139dd0f6cbc2a1fb7994f6a534e15c77c80c42d538581f86ba12
SHA512 d1e6a1eaff356f3ca60e4be4aa521a872fed3c41ac5dde51a2e214fe900dfc308de1fcf71691ad488d0312239156901d6595ce84e418e84f77972b128a5eea41

C:\Users\Admin\AppData\Local\Temp\CIkC.exe

MD5 b2c4a0a212e700bd685d313b9ecd306e
SHA1 14f061a2aa659a360c4023d6155c8fd81885a24d
SHA256 35b2dbc486e7869a4ebf6a1b388d53e7ebf9660a05c84ed9c0431b4f72f61089
SHA512 074e396eb15e8bde61f248b00501898fa281b31acf96a0d58bb422089427176bb05c1ef8ed128f63de372c67318294aea131bc5e6003f403edf70708a4d35cbc

C:\Users\Admin\AppData\Local\Temp\GQcQ.exe

MD5 89d1d44f56f0147c633385b50b32db72
SHA1 44bbf3b9b7713585d9ba7b0868ae1217b9c483f3
SHA256 6be45350626a800327f5460771a2cffd4ffe670f6a7db170b548938d5f7d2b8f
SHA512 076080556318754e8ba0ffcd689f6276d3e0b9c63534193630dd7098e35a4ce29efbbe5cde7605bad7c767737ad1a000ab6cdce3d03a80b9f64564db56b8bf3c

C:\Users\Admin\AppData\Local\Temp\uswO.exe

MD5 02e35175f8a60863170d1afedaf70ed4
SHA1 b899b14b7f889c6461c09a7c3d0f864c362123a2
SHA256 d8b1892965db11a3e5cc46218d24e11ea6d7325c2b0bbb203dd8407716619448
SHA512 23e99619db31091f14c444e2b943cc1909a14c8de8f2c9e3fe620bbe6a66e61a3d2008302690cd7a5c448f38213e6815b064d32b9ed0a9146a9b7c87d5dc2997

C:\Users\Admin\AppData\Local\Temp\iUYo.exe

MD5 25176e3bfd730f198ecf3ee93b5e3c6f
SHA1 dcb6790a7eaad050bc6d0a490e974cab1aa17b4c
SHA256 424cfde81137e684d80ff3d4872d6e6618c6682451d09fceed0d162e974cf0f6
SHA512 b0d3957b15e6126a626f30688041f5f547b03bf7e8b5ec3991d7d50bfbae5f03e25f768fff74ec154d93bd0b1f38e121c363be1a7927a17902ea44f3ecc41a10

C:\Users\Admin\AppData\Local\Temp\GoMO.exe

MD5 3d65ff5716d060e2f8fd208371a256b7
SHA1 1577967326dc41a54d8608f143f5a1ac4d854f19
SHA256 6051247c87a81fcbf1740accf8a655d192897f3f81fc130d53cb9918d4fc382d
SHA512 7326f1fd60e1edace23c5c80e6148f905d77c707374d3e703d2d1fe9394a59c5df54e4607731079b2d088766b56ddd1834bb8737a685aa1e05b819cd1982185e

C:\Users\Admin\AppData\Local\Temp\EIYC.exe

MD5 3ccfc22c5a2bdcc541712645f1ef0e0c
SHA1 2c78907f4ab35a0744503af092c048697f9e24e3
SHA256 9626e667f6741de4a88dcf64f5ba10b125735e6ddb6c08e0217e66a18b284381
SHA512 b186a386ef11edb0ce33a30771a9bf0392bc84baecbc6ede92da57d2a1c40b03d023623a966664116205e5de166d3c59c6470ad996f7e14203f68a70f1953a99

C:\Users\Admin\AppData\Local\Temp\YAwK.exe

MD5 375651c22cee54a7a377f09af2de5ae4
SHA1 909c301f34194229ec178c6ba4a11fbdb838c732
SHA256 447af5d25d27e119bf5b333c628301fbecb0c2342e6471a72724bdcf5495805a
SHA512 c4e07cdaede96febb38bebaf16dbee8201c3f12479d7aafa11433d124d6866b8d932eb9c456bb076a15e64d744ca42cf52d8c688dc0a934f675816bf9b8e82c9

C:\Users\Admin\AppData\Local\Temp\TQQgsEQQ.bat

MD5 7520a6fffb1db69b25d54dbc43adf9f5
SHA1 29a940f6c49e0252bc1794baa0cdf542f59a2c8e
SHA256 7f9860777d148a5d645f444bce2441c9141562737dd98e7c4f9c49854f39c23e
SHA512 7893cfdaac55d043b61e3eaad629b19d5c6172ff60e2cf2594a46f9e438ffccea613db2597a3790c8994397dad235b8db5483f87f216213acb8c3edd08b6c613

C:\Users\Admin\AppData\Local\Temp\iUsq.exe

MD5 63df343c4e86f0494650ca8e83aaf551
SHA1 70d848439346e5e60797691071a28688832c0f87
SHA256 ceb10f1079c44052b2ca8ded6342a664b53fc963331d61c86cbf0d8169f287fc
SHA512 3f0ccf3e206657b9a25ff82cfd884e6fb0696c2abbe12cab43853bffd96048fc8274008e07cc6e59871d5d81bbb25d75398821e33dbb3dc2253c209b5b855ebd

C:\Users\Admin\AppData\Local\Temp\fCYAMkMA.bat

MD5 e89a5349e190a3f4b69d595a67f71d04
SHA1 9a8042baf262d6cbd0731cf6c805f3a60fb8c301
SHA256 376f668209dc0d44d4d21978af6efc7bdaeba9150737598ddf68223327e09a94
SHA512 f2cd61272975ea8707b7093c9ce6152aa2478b23d4975f08285dca98dba22c874db346d585ce96c38818399d534fa2cf9c061b7de43473790daab4030b4d9baa

C:\Users\Admin\AppData\Local\Temp\haMAskMc.bat

MD5 de1bc0bc2f43104f9e51c8f7f06b6721
SHA1 d0f55ce4d9a1d2f22c5d647914772dce07e4a2db
SHA256 14a7e071e6a3372c4d96f027e47e79d3f42e8b511dc2198a3d12c331f2e283eb
SHA512 db3d3885e395ab3ae2d7ee103b3ec6aa0c4a7a10b7582c62595a0fe3b904636dcb64f27396f52141eff5340ab04868f0a0af4fef6bf9b952c5aebb1de5bf926f

C:\Users\Admin\AppData\Local\Temp\IwMs.exe

MD5 4eb35696467ca547a2471055d1a1f5bf
SHA1 9d1926dd81f111f35621394c7d5b270b2265f3d4
SHA256 224daa7d0f112579f8085eccbc5cfbeb59c2a27910537d75a540fa055b6be0dc
SHA512 830679051bd14e4825bf4306780a26d7b9c8edaffe1865d0b242ff370bfe8e9269ed313f9f367f81b2f135ae863409324ce26410b9412aead0c2c1a5715694ed

C:\Users\Admin\AppData\Local\Temp\UWoQIAME.bat

MD5 1a962433850e13d0e301253ee01f8bac
SHA1 e99a156453b9b74bd3e922c3aafaf227d44c2227
SHA256 1384ce95e1cae4fcb1de29c2968ea0a781f41bfd95dc45ab08b32b721976307f
SHA512 a74d9dac09aca5a4bd000d46f99c790a47db5a099a42e5d5d99bdbab0688f9fff3b765ff4ba042e54d094334a5ad4383be2917de1e91ac5493831183f5c4cb0a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 2083d78097d0c5ebf6dedc5f37e5fd05
SHA1 c86974f83fda71c5abf8a07783556295976fb3c6
SHA256 5c68612f75273d554719ed6200461e039e01854b82d112e928642d68798784e4
SHA512 32794a13cdfb203c1f8b63995386c0575a58a80dc7b6b25745ca8ac55e7b3ea18931f3b57cbef69ae035e035b069bff0839e84421dbdb1b5945860d74dffd8b3

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 fd3b288d87f6fc9c165c29274f63224c
SHA1 08eb9c3d7c7acc1c982bc6a8287bce9a3cfb7726
SHA256 4c461bb22b0d1914a3f0f432398ff58769815649a7ea15a9fc3c54920e78c5f0
SHA512 408c06ecd27d31605a7d61953c0e9728d6878bee0025871b3a93aaba3e87b1a0573078d2efb0630cbd5c0ad08de4f7ad04bd62ce67eb387ff0b31332c3c01da7

C:\Users\Admin\AppData\Local\Temp\oYMW.exe

MD5 b5bddcd9cbee9a292ba505cf86560270
SHA1 3a3f82e050937306e7d07dd2914b742a6096f590
SHA256 1de90f7cc68a58602579cd955a61393a27fd4a164298820b91e37aa8c5a05caf
SHA512 3da1c654272d60af93c644c2657406a1563869ca4d4c839d5b0e0dc08451131695907ac5627fcb77cc76a364f3b1a411fbb23f96ec0dfefa591eca6d95221760

C:\Users\Admin\AppData\Local\Temp\oIMm.exe

MD5 ceec9f73f385329691931ed40d8d4fe5
SHA1 bebc7d1b50f543fc65708e2ce9b0a84a23ee821f
SHA256 ff58b981275d38435ce0638c8ae17506bd06db5e3e07176a1eda19c29bad0e41
SHA512 50997ab36b0de3bd53c22cd23b540ae62d4ca99ec5913e51515de9538c1de94cbbe12537446a06c012a3b989a9ae0ad105431e71c567bb38b2239cac25882741

C:\Users\Admin\AppData\Local\Temp\iIoy.exe

MD5 68a1e7f94e920de4a1b2fcc2cb16e070
SHA1 0cda5b4ff952cf20e2106bd924bde23c1da29af0
SHA256 5d78c89d7ac690e9ea0f29e93ea43892a2f2e794cacb96e36d0268a7eb906a41
SHA512 07a83d71336074e69b17684144f22bc87cc0ba449bdeefcf9739a6af2b9dd32fbad4911320a0ad4a39e6c549ea747d701a1ce5bf9619e4719ca0c9c4fade3756

C:\Users\Admin\AppData\Local\Temp\kIUK.exe

MD5 8c1b9d43a0982c120bcfe6d07c1b3d13
SHA1 0507e70efcf1ca18e94ec7c80398f51373c066f7
SHA256 c6d788291284f378301d17127bc6b71410dceebcc0b386beaade1a47bb8996a2
SHA512 bdc5f25354ec27be80009f666de6e3c5277140d1869a83b8708fb22ad957db0ca28abfa3444973530bc3e7e5c45ba8858f8ee551a064a253f865185583cb5cbc

C:\Users\Admin\AppData\Local\Temp\aQgk.exe

MD5 d19538f1456967b04dc5da24c7e40e0f
SHA1 d754cd8da55809a39d9a98357d5081bbc32f14ff
SHA256 7d3d3985cbbc5cc96a1856f6298ff5b50723038c2b48b6b4972b0642df168ccf
SHA512 b71f27ded36772f5c07e3233dcd79bc8df2bcfbdf34b8da7c289dd303596873c5dcab1bde123cabb60bc0cca046eb3bb99b1439780f47eb6e910741c0523183b

C:\Users\Admin\AppData\Local\Temp\AgEy.exe

MD5 af7dc32c87fbf6887cc2eb389d931676
SHA1 0dff3731a899fe0d36c07400019f02d469755173
SHA256 8f1167db7d1466d0ec521d1f082e84391a368641e2f86c5caa88dbd3df8396cf
SHA512 7c5afeb6e542d3231c1192f6eb212e4ba0c6ea8f0b79f81ad2adac7384aaed07cc4744bfe578095a53bda6f6299b38b8e196535e1329a6ed1b787b10cb39259b

C:\Users\Admin\AppData\Local\Temp\skku.exe

MD5 4a68aca351622ff4be7fd1d7accfe767
SHA1 085525a3c860bec615d3ae5cf3650306526fc7e5
SHA256 6c38178f65e4309b9e114def3971b46df29d7584aaa6ca9a65621ee2350fcea1
SHA512 8901a09906c234f77bf7e18409837c2be5bd3785fe9ff68cff4de11c5895b837359604c77c89e1ca3e96e1023a874a5f7717a5705086516fc2a2f6a4707fab05

C:\Users\Admin\AppData\Local\Temp\msga.exe

MD5 05a0d3cb2106252eeeb697097e39d183
SHA1 19ffbc6906b51b376ee7d02b7db6414c667f80c4
SHA256 6117530e626614780e2260762d5ef8b7f69649b165049712840897ab6dd9f545
SHA512 71ececf65eed19367440222d9a5de18123a0e839deb478707980ebfc1c544122ae80c2e1f3d5c701cd1599b6a2cb9a3c838d1d58392c323b5beab36c3326f784

C:\Users\Admin\AppData\Local\Temp\EAQm.exe

MD5 995d63739c213bf7b6b11a799fc8dd1e
SHA1 801ac525f2d184467950394cd8846fde5e799d8a
SHA256 b513a20bcc3ae4fca7af6bc6d8408b3f6fb9d0d312e0030bb4b45070f33482a0
SHA512 09acbef2c4724664b4ef2690fe268859beef6219db59fccace4843e94f8c79da87b06a2ea2eeb866746ca3d55a6386cdde7a19c47a9c346e665b3a1f0492fe98

C:\Users\Admin\AppData\Local\Temp\yAgC.exe

MD5 55ebb52068477d326425607535660e1a
SHA1 c3035f17aec26d9147dd81011332f127a22bf470
SHA256 28cc79bbdb1b5c462f00b250bf87743beb28561c90a0776b17256f41d279f2ca
SHA512 6e54837cecd1650c534acc4c6c53e634bab70110de51636df3e53885e950413e0a127438c3585f78f735a1f4594604bf935576e198cb8bf72b65442e50114f28

C:\Users\Admin\AppData\Local\Temp\usYy.exe

MD5 49d107825b4802349a7d1d2afaaafaf6
SHA1 55973b79e438a9e49f7ac13c728123ce14c5e2d1
SHA256 c1b50aa3322fa273817ba4f4e15937cea9a9d9753fda0eaae5a83dd5695113a6
SHA512 cf274d974533729bb8fde4a87b2817a7a1d636c56f92587b84d3f5cebbdc041ef262c6568721ddff73b942037fd14791980e31b0117d7544a80901607a37bb3f

C:\Users\Admin\AppData\Local\Temp\eKAMsMAM.bat

MD5 cf3f096836948360424e4576b1b47d7e
SHA1 0cafc08f8aa8d706aecf2e2aa89cd16577bf5244
SHA256 60eb4f6ac54f4c02fe2004b3441d64a645ef7337d2ed56514e2524bd4cc1320f
SHA512 dfd9f6bd89d70412a33229034a16994160f6ed02924f9dadfd8d9aa79df958ae8a30c4dac3d38c18497c142dc0a3850a2966dfbeec9c03aaeca487a72b036271

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 4ded5ac3c07c79e2cd9876aa0c48d77c
SHA1 65e9d15745f059c2198e9829ecc9c7814d18e882
SHA256 9d260f88b75e65728c537629f71058da557e05aca7f5751b1d365ced8f15a83a
SHA512 a09ad0235f6334db2353311dbb17c08f732de81515e7819e61bfbcb308bb2607b2f6769a58f558250da08fbb0ac065f8e45d4870cad69c947a50558c11255f0c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 ae940aff6abc1a1a1e290ba1821b5bd2
SHA1 2c9478034b587c6defb07957c8b9510e70c0afaf
SHA256 629732e2ad6706ec0493212792ea85e046fab3ef485427c7f22656b88838ba3f
SHA512 bf5a120d8338f6a3fc1e6f70ac706604e20a27608b685452c80c792b72a8868f5200e0d4fe72cddcaa49bbb2916c0d17e3e4fcffe624a96e25be4e723a54a124

C:\Users\Admin\AppData\Local\Temp\HEkYUUMk.bat

MD5 5f5a986322922c3e63fa6d1bde37703f
SHA1 3e322954d4968987c9da6614f5ac98cc0e3293df
SHA256 5051370d7c0589e495dfce3eee7d57da9d504b9180ee1c47758d45964c8fc9e5
SHA512 bf30c5e6d4d3849003f6e95968a59cd9af507c23ca82738464e7b37328cb35a6c4ba344d0b40a529166f17f621f310b7cf1a13c503f64684e058733f6eb3069b

C:\Users\Admin\AppData\Local\Temp\doUYEMEU.bat

MD5 7de3914d6e3fc4349aa063c057bb78ae
SHA1 571608f10dc8734fa7cdc9e602cf4d157073f7d1
SHA256 66c0254d9e6a67c8e6a4e0db7f63106e1dfef449a52e2f56b91cdac5f0776bd9
SHA512 7ff716c5e3aaad9eb45ba345f9a0ab06fc8c1c2685b4c8469bf1ba85052ae8e05225732d56d1db66a6bacdfcc588b97474561be071ba4322c78a065e1418dfad

C:\Users\Admin\AppData\Local\Temp\MiowIEAY.bat

MD5 e4d70398010a9827f44af1e49382fc06
SHA1 52a912351c041615b7aef2f0fa3737a88f2437a4
SHA256 fa1683828d1afcd9e476b427a614c37e7301913274aa26468f5c67ede1883aac
SHA512 bca50cf302ab5f51c9d17bcf9731ffa1bb69559c766e25ca490f32d9adac6fb4bacf97e176944fdeaf60478009a0802829d0aeb3352a099b92bac2c500cc2ede

C:\Users\Admin\AppData\Local\Temp\uQEa.exe

MD5 d9ab9632c4a316a5a1e5a3ddddda6291
SHA1 3f2d7b067da185bc587509eb8c9eb67aaf3e772f
SHA256 9c5ccfaf81e54127e47cd01fe329e8fb521860f46b2b9318834483a30f06b5b6
SHA512 b0ed0a586cab284a8b31a3b9dfe545acd79e777ab7023814f7d3c656031669afbb86d78137364ea824f51cd58eb2bb90cff81f109318a6eceea0ecca10b21880

C:\Users\Admin\AppData\Local\Temp\LyocYkQU.bat

MD5 94f66fa076afee2b878e28f8159888d9
SHA1 76818e788a8ceead5a281125698251f98f8ba6d5
SHA256 08fc1894e5c8ec82c781cf2ab71bf69cc996c8c0506af43475db967468b5efe3
SHA512 b522bf1dbd513d4722d08a42334bbb268c69682be755919ee9c871cbfa9dfa7146882da8d335281838b3ff427857d418bad094142b8500e02944649bb042d938

C:\Users\Admin\AppData\Local\Temp\wYAI.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\PsIowYws.bat

MD5 f907236ed8b351b019e7a9ffbdef5969
SHA1 0f74839da4d40bed40a5e31432f0f81f10f920eb
SHA256 ed0318a4cac8a8dbd0e207ae45ca55ae2a239f4105d46d01ca82a55f292cf8a0
SHA512 6f708512cdab8fb57988863acd5d5b197c810b74a79b97a1673601106dfebecdeac82a318606e1df78e0fd5fe3ab1617d3d43ff92942d948cd9f499bfe87134c

C:\Users\Admin\AppData\Local\Temp\UWgQowMA.bat

MD5 0366906266b2fbada02e2fb17f31dad5
SHA1 dd544f1691b92d1f04917c4bfc27d28167e91937
SHA256 cb5be921ac22c36f60c79fb6e67591518de77cf06140a73915d0427d07a5c300
SHA512 3746932aa6d46ce46cf456fe67cc482002bdb62a963367fa69adcdfa0147fd97ee6a0f96fdc67e268fe1ee86daee021be87419a2ea30db6e0bb262a91ac9d4e4

C:\Users\Admin\AppData\Local\Temp\mowU.exe

MD5 26d38b2588ada8ebef46b7cc3d240c3a
SHA1 b43c3a5d11e12a962858ae83fce5931e68aafb08
SHA256 c315486ce8b80b9d3b48b0b64103567da4065f3488e5372dc867c5b479d3aa70
SHA512 d9507eec9200a1e59f75c03d8b15e0fe8d389b8f30062e910371faeb0487488382d5ec4217f0a95be938c0b1726ac8d0b29535d6b249bdf6c5d3bbc54d838e8e

C:\Users\Admin\AppData\Local\Temp\Ookq.exe

MD5 4ed60e29bc0867b311a69de226af57d8
SHA1 4ea84c7335321f6447cc0324024e529bc4ffe330
SHA256 1b66f9e6f36a252ec575b9f4cdbac56a22c8d867fa423826aef5123d6a96a335
SHA512 befaba69b20fbeaf48a86c5c12b93d0d43b1e350182fc9dbd16893eb82cf1310728bb5f126d7f6fe82ce6ca04a9c5ade84d4647df2f8ee34cc947a5e6781c6a1

C:\Users\Admin\AppData\Local\Temp\GsUG.exe

MD5 0f5f89a4ce4b53661aa53573a0ac33a2
SHA1 10ed206c0f17c62870a694cb57d831e3a95f76e0
SHA256 1e90b43c296535db6397ab50f98d3b9fe6f3243deb9b8277b2745d06028f9c8a
SHA512 63e8f81e42e25e048c7ff0126683ab8991ad0fcd63a47ae49d7492a293c56a024f710a0ec17e5a44f32f5c9d87682fa456bca1fdfcc7a2f9a749e1ec50313e50

C:\Users\Admin\AppData\Local\Temp\MMEEwwws.bat

MD5 962a452c73546a369da3c796f525b6f7
SHA1 b39ea020aaba245ba49b861a5fd2a9ee46c238b3
SHA256 a391dace7aed5232154a74a3bd75cf16de521061a0ebab2a0ad9153977aaa8ca
SHA512 03ed1edd20d0ef98ee5b99045a697a40cea3b5fab61d4eed4ce4f59bba69809b228a0029ac20ca97add0c83a4b99580fb28c7e07c3b130b16df0b95352f68957

C:\Users\Admin\AppData\Local\Temp\liMAoYQg.bat

MD5 fff5e51e112bbf9326b0cb96be8a3cfc
SHA1 495eaaf317934292710b96112899f36f87b25170
SHA256 6186d6f9de64d916b929e8ca6ebb802ca641fcc1384b96a29b33923044f8a6eb
SHA512 0e6f7876b428798fd0cc94a741ec80d3189a7a3cc2e3a2d76258daaa843deb24938b0e34d4ee3aa55bf44f6d650fd3dabe3e87ab6c0dddc474b00c8d6b914d6e

C:\Users\Admin\AppData\Local\Temp\DOAskYgg.bat

MD5 6db6b633ffdaef2602e1ebcf4cf0a3ba
SHA1 6e9bf3304c5e56273b6439b920b6adf1de10553b
SHA256 0f0adb6d97c1488d6effce7ed2489aee4bc0eda1baa0b913fad828d3d8f4675d
SHA512 11261abde057ba9cd41ffc4d3ed059bd30d1ec626ae91c971666122885188ae5fb34868044db07501ec8a4f6ae5a2b0289fe1e20d4fda13b5988067b9e6db4db

C:\Users\Admin\AppData\Local\Temp\MMwm.exe

MD5 85b75914985f0c7cb931c7621cad22ab
SHA1 e56d4d4cf4d6718edef4eabe52d5c5a5e92d163c
SHA256 79e62580ab4ec2c5593cb2abd77c61118df3b5d06029ae4abfb2aa8eb7b4f730
SHA512 bf2524f3e07e0f7aced1ffd177923c5fb2586578faee8b8b482424c0d7a44fd6a343f737389ff5813e526306aa2fac48cefa8701bf3a70bd3365c693075be222

C:\Users\Admin\AppData\Local\Temp\CkQK.exe

MD5 dd2cdd04ea280ff9404b6e27ec0353d2
SHA1 6bc9c19e935fa445380626f904bd915175a90bc8
SHA256 db2dba3f0269eea3870cf623b89032ab7dd041d8c9bf6371d1fed5344d6f96a5
SHA512 4c9f83c2de7eb75233bc29fbdbee887ae97701e96df6f081d2d1f633f0fdebc9b1afef67a3852ee1d45036bbd13baa013dff59cfc12124cf53bb7de1a8dfbcc5

C:\Users\Admin\AppData\Local\Temp\uYwI.exe

MD5 6e8b7d2b4b121b5e69c951ffe74a40ae
SHA1 5228e43e30cfaac33e75c2eb307f8451e73a0160
SHA256 212ad6abd9f88377963dfbf184289fa2c95a77aabdffe041e8dad8c278bb724c
SHA512 e3585235115f9e514ef3f1e8080ffe60330e6a8377ca75b534527b24f54a3bd55c1902ef4ac75ec0ee7ed0b4ff128d3bf498f47b6c9b6585a9d45d062b140693

C:\Users\Admin\AppData\Local\Temp\iEEe.exe

MD5 c310be6c45275c8c25ddcb51800be799
SHA1 0123e2e318be6ba25faa0bdbc19a771dcc87e344
SHA256 213ea1bda300f6d2d2c36e61b59fb5c2c8f514844576e0766997464f5eb14cad
SHA512 7b2536e2f9d34f4440ab9d2b49f6371efea3a35fdc85fcf7a880e8894c100798b7150f63f8a0966203bc1f2b5a5afb0b493b6d18e3a5f7d6a30a1be1050ac46d

C:\Users\Admin\AppData\Local\Temp\UAsI.exe

MD5 fce0ba8eabd2f458380dfb54378bc1f0
SHA1 ee918487a018e486865b0fbb23bacf800d04c474
SHA256 82e0446c7fcce3ae8b9fffbb210387c487b3fecc31050c58375e5a5222051cc7
SHA512 0ef9006a866ecdbff58138b24de02baefa499edf9d0cec5c8396ca875ce5ab44ed4e99a8f437dcfc3dfe7aeca8ecfae3252f09b6d3ca8b394dea53b69f143224

C:\Users\Admin\AppData\Local\Temp\wwAm.exe

MD5 7b0af8f5a4255cec1de7b5fc3e159f42
SHA1 bb634d9d876bf24a0eb729ae7253063c73031fb8
SHA256 62e0afbe1f24c2ec5185308476f3a13988ccb6a006b57838acf49a07a025334d
SHA512 2f96f2ed25a3f971bef47ac53a7c909f9760232974c37518192edb417dfa4deb29f917fa8e98dee51e18d80ea4ae2ab99141e1bf9925ad4697cf6d1e3bab53eb

C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.exe

MD5 36753abf3a1b5340ae73c925010838c8
SHA1 f2d27fe1a6d77d5c37d5bdb73ee67ce4c7736ed6
SHA256 deefe0cdde070ca0b1541c443c5cd91a742ea3e13ea56ab5842ec518f6825600
SHA512 3e951d3bf7d7a0f31d2adea987367ac9be1f2ba8cce2ad550d71d88d76acae31e4b7fa47ff22fdc94d6d005a91efce61bca362acfa59df4d608546178c75ae78

C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.exe

MD5 cd8ff3e0132cf5aad58b7615f1c6ed8b
SHA1 a05117fc41a0fdf331e9c71f7ad8b09f4f99582c
SHA256 f3167abf2f510ad9678c44540b86a7ef84aebd0331b86790cb5db943afda3784
SHA512 d208ef19e7bb31a1eb87c3d04e1addbfbaf8eca5a5061eea448667d76185ab8db68ad97e26ce9cfc2c6057fc836bfca8af1d135d193512e429afa056a82608e5

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 11:41

Reported

2024-04-03 11:44

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (71) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\ProgramData\nMUsYoQw\TaUMEoYA.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuQwMQEc.exe = "C:\\Users\\Admin\\nCQMUYcc\\tuQwMQEc.exe" C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TaUMEoYA.exe = "C:\\ProgramData\\nMUsYoQw\\TaUMEoYA.exe" C:\ProgramData\nMUsYoQw\TaUMEoYA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuQwMQEc.exe = "C:\\Users\\Admin\\nCQMUYcc\\tuQwMQEc.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TaUMEoYA.exe = "C:\\ProgramData\\nMUsYoQw\\TaUMEoYA.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A
N/A N/A C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4456 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe
PID 4456 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe
PID 4456 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe
PID 4456 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\ProgramData\nMUsYoQw\TaUMEoYA.exe
PID 4456 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\ProgramData\nMUsYoQw\TaUMEoYA.exe
PID 4456 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\ProgramData\nMUsYoQw\TaUMEoYA.exe
PID 4456 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4456 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4456 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 880 wrote to memory of 3228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
PID 880 wrote to memory of 3228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
PID 880 wrote to memory of 3228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
PID 4456 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4456 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4456 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4456 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4456 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4456 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4456 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4456 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4456 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4456 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4456 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4456 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4948 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4948 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3228 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 3976 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
PID 2292 wrote to memory of 3976 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
PID 2292 wrote to memory of 3976 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
PID 3228 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3228 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3228 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3228 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3228 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3228 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3228 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3228 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3228 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3228 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2484 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2484 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3976 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3976 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3976 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 1964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
PID 2136 wrote to memory of 1964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
PID 2136 wrote to memory of 1964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
PID 3976 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3976 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3976 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3976 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3976 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3976 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3976 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3976 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3976 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3976 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe"

C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe

"C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe"

C:\ProgramData\nMUsYoQw\TaUMEoYA.exe

"C:\ProgramData\nMUsYoQw\TaUMEoYA.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\siIgkooc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sewcQkYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEwgQMwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oMgYcUks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqMEMoEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fGcUYoUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIkgsMYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoQgwcEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYggUsck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QikIkoQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AoIIoAwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoswAMIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAEsgwks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQssAscc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEMkoAgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smwIwQsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIscIwcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEAAsIAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeQUEAkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQQYkcIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmAcMgQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUsMscco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCUIskMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awMUYEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkokMkoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAkUMYQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmUcsssk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqcwQAwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQwMwMQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qsgUwskc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKMkQYcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKEUgsEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eaMUMoUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEcEskEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOQscIEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmMUAgQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkMwQkcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOcEcAYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgkcMgEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmMUUAkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWYokQUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWoUcEgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\peQEoEYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUIAcgAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYQogMoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcsYcMUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKcMAoIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMMMwEwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQUQEooI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daMAgAAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGYwUcEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XuMkcoMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEccYEEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ayIQIMIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcoscMoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcsIAIAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fugYYUsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSMkYoUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAYccUoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skgUAMYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meAkggcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyQgMwwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyIcIgEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAAsoEcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYYUcMcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcUAsIAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwIEAcwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUEkYEMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqEgMUgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWAoAMgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEgAgoAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYUAEkoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIgQwEMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGwokMYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGwoUwos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgAgEQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAMYkMIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ViYkIQgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\voUkwwME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaUYIQMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BakYEwkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUowkgQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCokgoIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKIQkMQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RecUoEUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQAMcoAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwYQcMsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGEgQQAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQgcQwEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miUYskkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUQkIgYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQUgQswU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsIEMYgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWsMUQIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmEYkMEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWAEMEgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgwAUook.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emogEooM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TucEwQUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqIQEUUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkUgUUYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAAsscwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nyUwwMoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOMMAoIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGYMUUsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuwIUwQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWYcEskY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEAoIscY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgYwosYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WskUsAIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgMwMUwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogUQosAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EocAEsos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puIQMEcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSQwkMMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQcssEAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMAIwcMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acEsIQAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMQEQAUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOYkosIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roQscgcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\neIYsckc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uyIYwwcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYoEAoss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqQQksck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuQkccgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LSUgsMgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piUAEgMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yaUkUwME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSQYQEYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGEEcUAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAccAYQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWMkMMoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOEkEUQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUEoMwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYsYksgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wygskkcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EcokUsso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sowsEMYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGkUkMUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYEwsYAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roEEAAsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkUMogww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 142.250.200.46:80 google.com tcp
GB 142.250.200.46:80 google.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 202.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
IE 52.111.236.21:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/4456-0-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe

MD5 aaf69d9e7f2f567419043e3647d38b63
SHA1 e968a40dc6077ff65123d6af8c6534e537446d4e
SHA256 2262c18f1d9216974f74fc5e08ea15c90c85619d06f711a48daba234189e8fb4
SHA512 62af220f9e6416dd4ae031e35c6bea2a16cf6f9a698cc3d5d423381bb62aec053e47c46977467a4b8003703cfce9afa593edd8c66fdd61559ae6c4d97a6689d4

C:\ProgramData\nMUsYoQw\TaUMEoYA.exe

MD5 18a5fc0c95f86c7f3bb5f93a5d726472
SHA1 eeb14d9cf34d862fbed43debb9b78874aba58329
SHA256 8a4b19fa4c29b31fad8c868c91e0fb217b1547880e240970e4fe4201725a8203
SHA512 878589d8644fd80e2e14891ae9b2e56890a5b894ec55356efb960380ac576e664e8dcb7d6270512f9e3e7b3e375cf7fd3c207eede7bd6175c84b6ae74131aa5c

memory/968-15-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2780-14-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3228-16-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4456-20-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\siIgkooc.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock

MD5 8243501c8bec7c2fabcac8cb47d98048
SHA1 f03c28e2f966b10efdc0eafda6ed6d3ab14b7d43
SHA256 4f5230f4e5338c433953dfe6fc203f2cb1936ca7ad8a9d6aed0afb583a1639fd
SHA512 5de50003977c1b5c4f55132465d0a5589a32a00f388c6c57fbc9da42fcb7368578ebb6e9b541e2656dc07fb9c0a77cea75f990316be67ed5bffeed47385a5aa7

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/3976-31-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3228-34-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3976-45-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4164-53-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1964-57-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4164-68-0x0000000000400000-0x000000000043B000-memory.dmp

memory/8-69-0x0000000000400000-0x000000000043B000-memory.dmp

memory/748-79-0x0000000000400000-0x000000000043B000-memory.dmp

memory/8-83-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4772-91-0x0000000000400000-0x000000000043B000-memory.dmp

memory/748-95-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4772-106-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1556-107-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4924-118-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1556-119-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4924-132-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3352-143-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4196-147-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4196-155-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2540-168-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1876-179-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4260-181-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4540-191-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4260-192-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2256-200-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4540-206-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4460-214-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2256-218-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4460-229-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4316-230-0x0000000000400000-0x000000000043B000-memory.dmp

C:\ProgramData\nMUsYoQw\TaUMEoYA.inf

MD5 acf509cf45b20f65e2a0767123668f30
SHA1 620dc1ff20b7535e3ff1cadb77f61bed5d790cf4
SHA256 b7408a2710f634af44ae83a9e07539c26c48a98226595ad7d3fb138c138e0d74
SHA512 0f3dd3a78a71602b2ec69057bee8910a4f4890abbb9909beff55d7468c7f692b953da47de03393c5a6935a41e7b4a9fab2f87d6697a7a993cd9683c81d945c44

memory/4316-243-0x0000000000400000-0x000000000043B000-memory.dmp

memory/632-246-0x0000000000400000-0x000000000043B000-memory.dmp

memory/632-257-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4852-266-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3712-267-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3712-275-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3280-282-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4148-286-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4484-291-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3280-295-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4484-303-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2428-304-0x0000000000400000-0x000000000043B000-memory.dmp

memory/512-312-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2428-313-0x0000000000400000-0x000000000043B000-memory.dmp

memory/512-323-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1796-324-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1796-332-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3148-333-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3952-341-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3148-342-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3952-352-0x0000000000400000-0x000000000043B000-memory.dmp

memory/5064-353-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1696-361-0x0000000000400000-0x000000000043B000-memory.dmp

memory/5064-362-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4044-367-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1696-371-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4044-380-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3148-376-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3148-390-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4520-391-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4520-399-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3176-407-0x0000000000400000-0x000000000043B000-memory.dmp

memory/436-408-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2936-416-0x0000000000400000-0x000000000043B000-memory.dmp

memory/436-417-0x0000000000400000-0x000000000043B000-memory.dmp

memory/872-424-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2936-428-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4660-433-0x0000000000400000-0x000000000043B000-memory.dmp

memory/872-437-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4660-445-0x0000000000400000-0x000000000043B000-memory.dmp

memory/5076-446-0x0000000000400000-0x000000000043B000-memory.dmp

memory/5076-454-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1388-458-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1388-465-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4564-467-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4564-474-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3516-482-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2808-483-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2808-493-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3336-494-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3336-502-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2108-503-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2108-511-0x0000000000400000-0x000000000043B000-memory.dmp

memory/224-512-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4980-520-0x0000000000400000-0x000000000043B000-memory.dmp

memory/224-521-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4980-532-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4924-528-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4944-537-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4924-541-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1604-546-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4944-550-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4516-558-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1604-559-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4516-569-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2884-571-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2884-578-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4440-586-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4220-593-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1372-597-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4220-605-0x0000000000400000-0x000000000043B000-memory.dmp

memory/5072-613-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3724-614-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4424-622-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3724-623-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4424-633-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2508-638-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3412-642-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2508-650-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3016-661-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3316-662-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kYgc.exe

MD5 c4e349e48c769ca826b0417ac60f37a8
SHA1 cfabb1a117f87b0580037280538ffe78aa5a46ee
SHA256 bcd9099b545b85399ff9f2e84956ada1857ff5348ca1b482cbe0c7a2b8353cee
SHA512 81fa91729538d7f0303a9d1387a8339dc4d7865e137ab851b763f60ee05d3b31f0d7088965e3f805001f34f5d955f5cf402813b12fa344c5543cd46d713022f1

memory/3900-682-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3016-685-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3900-694-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4328-695-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4852-703-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4328-705-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3444-711-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4852-717-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4524-723-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3444-727-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4524-736-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1592-737-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mcoa.exe

MD5 dd5200459a344fc1f2058dc4f2064df3
SHA1 1c9d602d1afd523d579f6a7d5edeeb6f6688794c
SHA256 fbee69fd4bf0f84fafa1c4b254491bb23cbbff7ab28f5460e0de118d814488d9
SHA512 cef89952270f28a0bc62b961cd785b2cae5a3930dd9a71f12ac74491853b612b5276a46aaef282b5b531c96314f773a168d40932468dd0f29de3b6f7edc3a103

C:\Users\Admin\AppData\Local\Temp\sYMK.exe

MD5 12e1a36194dc9fba2b3a8e349910cc88
SHA1 6677b905eff000db50adbe2e401a05de4db533fd
SHA256 b797dcf06932d5c46474012bbca83372b22cef621fece86544ec581a0309a5bd
SHA512 fac1959fe9ba6c7f5d113d6fe796ede26c09ec4ba8c44a155326dd3d373dc8df3ab6f4fe462db41f16751e6a985cf32cbd74bef68ad2e6f17a73b994f0645ad6

C:\Users\Admin\AppData\Local\Temp\Kcsa.exe

MD5 d47fb7185101746c0f48c4a9bf7801c7
SHA1 fa33d76d6f32c207a7db4ae12800f4586c842932
SHA256 948976dfe933f807f42f73fe8721282ef11f49f52543bc2c5742e5d205f59d3d
SHA512 ef171ad6d27fa9e03a780ac79fd9b809f933f5260c94366dc7efb4271e7eda05a27f9af7a03db4595b9a88fbe2516b0418311cb58d910a6fe2428849fe5af13b

C:\Users\Admin\AppData\Local\Temp\ckMi.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\YQgi.exe

MD5 22144d6fa9ebc231255a13c49f1d73f7
SHA1 be03e86b45c5c13fa0978d18467d346a8bb3f270
SHA256 2dadd9f486f1d61034d186530b73a60afb6d41cf469fa4413f2d52dea43ed255
SHA512 3644f9fc085f7084616f2ec0b51437ebdd0be7ce8edbf275f82cb3b6bba03e70eeac5fcf4e58a739dd7663f81d04181ecb14ce5e38e579ffc96d06971df1a1df

C:\Users\Admin\AppData\Local\Temp\igYM.exe

MD5 24b64d31b0cebcac2ab7d17a789a7cb2
SHA1 f371b37770baf37ec5a062b7ed23d03777d5d986
SHA256 aada994b55678473e57e1dbc569bb9879da4dbcb9bbbba8f8edaef573f97cae9
SHA512 936ba01e620d8c6f7cbec18f7106da40d009b58c10ff38e0b42622ed6a412c7115e1b3152293b7970016887505091d86ca03282dbb9ffa93e5f3d22abbf59b93

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 0e6006c0db4d924751ab72a58a7c6f84
SHA1 f41310705bb6b9596ddb31ac606fc6e7fd276f72
SHA256 b1f1e12c4829242083da2149ebb3d72289872e638ac90690297594410448518d
SHA512 3be149f72260bdf96833265bdda2526622b948917e76d9b4558575ae74b2861cebbb06fb7c2730ab4e6b764ee5f03fa9b32760b4a51324aac535e5cafeef3e9b

C:\Users\Admin\AppData\Local\Temp\wMME.exe

MD5 4a7c56166d00ba7697adc75fb7c74d22
SHA1 2792c61229c8471ce7394dfd1954b0fa027f4fc9
SHA256 7d428f6217e89412c8b89daf23e3066cb81686f4039473f6ebaceb12fff3cf41
SHA512 28f6f743e87a5beed4d2f009bd52fc2cb3bee62c8ebe91c0d980a113c29dad448bdb5e9f16cbef9ee65ce0bb7ba9d4e3b1844526e06ee7b9bedfdf55b3cbe143

C:\Users\Admin\AppData\Local\Temp\uQYK.exe

MD5 ded4bc2059817a8b96155a077a7a45eb
SHA1 c174d8cff45767bd4e02592b514065f79f5b57fb
SHA256 20040b0ba55b8416130505a3821901bad9ff5184459e841dc1c64437543f038d
SHA512 d26e2314615d7cffdbab3ac6e9dce56fb65d42a2ba925cd86a7820e3c353264dc2ea3dd3b2949538ecaf481d58b7ace166a31d4fee3c10b81fb82c25a0c715a7

C:\Users\Admin\AppData\Local\Temp\oMcE.exe

MD5 c98f8fa1c87162d11ec1fe1d1fdefaa8
SHA1 d882444ea1b52f0bfe6b90ca45a23611a09722a0
SHA256 f997344b3e926e4647ed2cd3eb9493e17b683e1f7d88b68b245f2e74cff2edcf
SHA512 793f78fe2ef16585584ccc1e71e6bafbd28044bf53e4330e5ddf19eef9547bedda79861f712552aec41fff4809593e8ae74a1854aee2941ef67e4e728825b964

C:\Users\Admin\AppData\Local\Temp\ecgc.exe

MD5 8a18f81d767e2498d278035c956a5200
SHA1 c6af82b01ea1f62a801c775943ac3dafa00d2f8a
SHA256 f029eae7e6790c6616954c2b7e98258b57fc8f78d57d5d9f7ea11ad6c429b788
SHA512 2a6d454df85d403ffc9a34263556b61f99bdb1bbaee8368a683c8403b7cec35d392449ef453e95456310d6715b5604fe5c7f5bad0e00ce758805bf7f4981ea3c

C:\Users\Admin\AppData\Local\Temp\UMEQ.exe

MD5 b98245434581e6509c0163b0b44c9e84
SHA1 da85eca15c89ce48d1f59a9d205849ff1fc5f8e3
SHA256 054267b4afa4c07a5a7144bbd797021b1775afc827268789b7a9dea28c47aad0
SHA512 f47e86ab26e4acdc39437266c11bd463ce6eccce445fa272963d4ac833684498fc8489b59b266c5fc86cfa39c6bae2830ca0e2a5237c7d6b33cbc7abe4f01ac7

C:\Users\Admin\AppData\Local\Temp\GAoi.exe

MD5 4a9d5d87c67ab0f321e81ceef25e93f3
SHA1 5d872c5a5ca7effd1468b5ab62c3300e4513540d
SHA256 64fa46f8c0dc5ba8a7406cc4e093774a04c0237237b0a17bea089a6014677fe2
SHA512 d78a6859f425d1e997982b5f5721787e89a2062fa811b51dbd4ef272484216e28f7cb0c294c4aa99600e6c619e0ceae15b40d55be46f9b01f3c0fa73742b5924

C:\Users\Admin\AppData\Local\Temp\yYQE.exe

MD5 f9236ec2e9c3d08db1d2e56e651a9c7d
SHA1 1aafee3e366cc98d5228179653fa5da8d801d6a3
SHA256 904cf7f4d886687802b4c95e956153968bc5eb047694683bd6a3bf8ecfc3a67e
SHA512 297147d8db293cb5fd0e7cacc9a3e9bada70a2737b1c08c32711a684d6f0297508e9f6b155f5f84e8e66e366f182ab79933f77e82f8491314c39a1761e014521

C:\Users\Admin\AppData\Local\Temp\uooW.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\MAwK.exe

MD5 d2686faef2dd407585626eab70904cee
SHA1 f2186e7c1d6fd30fff6194f86bea8f27e8c44cd8
SHA256 1d4fdfe5785bd737fc9ae3631bef1c0879c7e77c3691cb89fd6d21f9d5dbd7cb
SHA512 1cc1cae1d282aea8eafff6d2b26308f78a5e02a18b6957a3de3dfa335c38aed148276cb79587261a5e4d4b45bf5eb202e8a0a242eb36ba056f7aefc2e59c8002

C:\Users\Admin\AppData\Local\Temp\gYsi.exe

MD5 c62375959690699dfe23172696c1457d
SHA1 563c37bee595ca93866e9abf120053d527b1c400
SHA256 1801dfe1680a04836fa0331e85532aaf23bbecaa86ed5df912dcc1879913a586
SHA512 f18940e85d236030501af97457ca2239245c4eb7741fd76a172d2810a8dd744cfd1e22c67d9f5265346385a4fa37e7521522cdcf4d3e218379ada02b5e22699d

C:\Users\Admin\AppData\Local\Temp\gAQk.exe

MD5 c017b45b2afec60f417e02fd1c9fb17a
SHA1 ac2d9ca382ff0f43b5236f3fe55f29fe6fe0411f
SHA256 5e9b2ecccd5752b8f844a2445ebf8bea21d6838d8f7896bd38f75d010ea8c5c7
SHA512 3232bca6a5b087815e35a2d2fc0f685fb3c42c19bd02c4d0a0afd4bb6ca60d8b12c082fc0f2e41ab72eec36bb8935752a7b2a6d999e335be2abc402b816f3990

C:\Users\Admin\AppData\Local\Temp\QYkE.exe

MD5 feccc6ac55a37639bd16ee93819f5fa2
SHA1 ab5f062c84373f55603e72e35d6d449db72e2245
SHA256 eaaa63c7167817010d1f83447d1c10c38e1ecc60ae20a0871214a94cd976c3dc
SHA512 0a8f452e05be631019f3b1faed6ed36ff3c9e45868d6e428399d2e3b74d2083955dbb3bee04e73772648b70915a6e90866de49bbead8b15ed137c649cdcd190d

C:\Users\Admin\AppData\Local\Temp\KkoQ.exe

MD5 b2f453aa3c32f63c747f700de1ac64b6
SHA1 66aaf159f276e2eae4a4726f4a44e5b13a23433e
SHA256 7ab9f95afa15f58763edd21fa8d188b8ef0fc3a6cebd350be3e112777187b757
SHA512 95350d2eda5cb4401bb52ae96ae0b22c17cd94718b23f09326fa25e3f37916232355cb896720a2492940c6efdd8c7e967f6bf05e5e0ed593c8325f442bf06ff4

C:\Users\Admin\AppData\Local\Temp\KAwU.exe

MD5 32f723a06e1ab7f47b15cbbfa16acd6a
SHA1 2018e24e389c045386c3132c44a4a7ba086e7f39
SHA256 5b52b9c5eac42a7922a28f7f19756703952499d9f625ac2ffdb438a36d94f7b8
SHA512 e72b0a0b124ff5837dd41696adaf497e09f8bb5b4f8777f37873999e4261b6b171c136177ff0dd449284fa0d9faf4395dd4f5fef8040386fa697f3d5d1e0f8f4

C:\Users\Admin\AppData\Local\Temp\ysga.exe

MD5 fbad3bf499007fa8e9bd41ac85f18725
SHA1 17b564be98b63c9a274bf0e8ae65b5814830df87
SHA256 f741321b170c5f6d26be9867de59cdf60d1ee9e2db00a0c7072e0540ae9ada91
SHA512 a89a4ae817ff637ac95a9afd4fb9bf133218010b258f7084322a6820a13b0964b5ca6a57515573562f8722dfd9094e4ae543e45d805ae8842cd247ea0cd1eb80

C:\Users\Admin\AppData\Local\Temp\oIQW.exe

MD5 fa0bc0a1feb1439d0d391d1da566fb60
SHA1 29dbf7bed2899f786316f40e6c2faf354d5ac716
SHA256 fb1f5db3d8d72c92257ed1f607766ff88087098cadc5e69a44e1065ef832444f
SHA512 69f8ff93f31090525e39b62a4c657fe1ad762bf16d3eb1fbbe790684050a275c11e8de5159db08782f22ff404fdb0580b79ccacf553e72ed1b8e4c957afedf5d

C:\Users\Admin\AppData\Local\Temp\yoos.exe

MD5 81b73526e1122239ab66e8c2591d5bf3
SHA1 25e2310879146a991299e3cf82ea191ac244d0c1
SHA256 a2acca5c75db442e85eae602a2663ed388d5ddb83c3d4dc8216334d9b9f5d8ac
SHA512 8e7b834097355f0f3c542133bd0f06f8c4c583a4d8535fca18daa45ac0464c60c477097a4194383aa2295c795485c6361a7028faf7cac2235d2736f09bf59f91

C:\Users\Admin\AppData\Local\Temp\CAIY.exe

MD5 27fe369ae3a4b220c988c494a4dbee66
SHA1 8dee41e710f5bf3de983a2a22bbcd69edfed4692
SHA256 b20c3c0fb3512a6c31e11bba25db948c28f8e750abea77830f679c31c7deebed
SHA512 a33cb39f38e5dcd7f8a7342d6b042e5e7f05a4df6cf45ab1ed4908150763e4f2dc3761677f77fd6d7a8f38e44fe48aa8927aec00ed287d269e999bd464498009

C:\Users\Admin\AppData\Local\Temp\MEke.exe

MD5 3b0affd1092e707c256ff0c8ab974124
SHA1 f5673a8384b6819b8e0234a658b8e048754da2d5
SHA256 71deff22b12034caaf528e3ba616652cd33c6b5215f0e17dee87eb050770e72e
SHA512 1512da9b6fdf557c7fac42f68665dcb75b770d66473c4d180179f95967faa0758c4cdfd8fabe86564e8dc6f8c2e4da4ec15d9d521bd7c3d82ffc6cc0428a3057

C:\Users\Admin\AppData\Local\Temp\YIki.exe

MD5 beee96edad21d3e2294f9db51a95f174
SHA1 9089413f4596bb534d24ed625078076cb3f3f66a
SHA256 4c4a6d0135abcea8806d83abd438c8291decd5104ae4d8f2a5877556c99981b0
SHA512 cf9d5e28b63b97b7c8e6f40143bbc767f49d4e8ee5ab5b31671d2f1a2334c0b4f33733c4d6f747e94a32e7dc9af384186eacb9374c662ec4da53f937bafba1b5

C:\Users\Admin\AppData\Local\Temp\ogsO.exe

MD5 d6b66d154af83df464751f931c32d21a
SHA1 483bc0c8ec37511ae9249fd43fa52f1d33ebfecf
SHA256 675f6fe3ee05fcef502bc9721cc924e11e54afbdf78018d0e1c3d909697fa7fb
SHA512 e6b2df76b091eee33b40f1dde795024606a12e3ca662a49369e155cfeceec585a3caf617d1090fd715bf756ec1f73916d9638399e379fe30c2ecf46db2f7c088

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe

MD5 f093464ad972943a601e98da6bd770ae
SHA1 bf2c6aacff8d60370037c5048de0392e1774828f
SHA256 f32995719297f1c9715f3a032e96c0b0aa86a9d4e3abc5740fab48c50180f3e2
SHA512 9794ac6050b27ce91a8b63cbea820f77f1b091668c927b751a3e7528d12498a54691462075279f6eadb1453c75178cf70a27253d7aa1e0ea309f269b86ce0e16

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe

MD5 88c7b5af784e7e5eea254054ad4da595
SHA1 d06c6d0fa9b71a1e4f06b385478353add00906af
SHA256 ff90b018b62798a985a0518c8c8788f2c1da5bdbc03f2c8288658396c1e900ca
SHA512 6d5349de0edd9e3704b58c6710c00d5fa89e28c03fc27729ddb412c45793012ce5cf14754dd80eac17a97b977770caf0533f9079ccc5d378d4bb8e462fe87a93

C:\Users\Admin\AppData\Local\Temp\MUsi.exe

MD5 66d6d30d0cf23e23b60c3c0e836a7591
SHA1 5ef7556c3e176827da3de13fad8c7fca51c10fe4
SHA256 e40efa526f9da5bf2c152886bcbc26d19c233ba41925e1c192fd14177a9573ed
SHA512 c8fea10f21172a0246e8cbdde6c9e77b787c7d7f32fb8874681d39d10bd50b9e683459c631f83b771a9251057a9f3d37ea92a9a975392b08f39b65c3563add42

C:\Users\Admin\AppData\Local\Temp\EoEW.exe

MD5 ac9ba8225bc8eee16f1b7c596e43ed27
SHA1 0c7da594c35ede48e2d573a211ad8817b9670713
SHA256 f7316b519788878d09c9e7c5ac60ce2d8e896aedd72a50c56bebaefcde29a616
SHA512 020dc380e94ae581f2e603f5c1899907e598d915ebe3fec071a018a2e505dd8f95313c119d3c2f8343892e410bf6066d0c918ebea8e3b05a7777ad5f91aace0d

C:\Users\Admin\AppData\Local\Temp\yAoI.exe

MD5 25fefca92c3c69e5bc8650caa708a5d6
SHA1 f7b0183c0558b1b898b1447327a1f66eec95a5c5
SHA256 a149de788aee4e3b6add364ba640ad24f9191efa41ffcb5ced73469f93c3166a
SHA512 ba0a3dd910f14111054544ffa152324f5cb8ccfa67b81636748f21696e9b05ae4658e2df6dd46ac03a1dbb55be76d5e12196b06e925efabeb1edaac1c2da7bff

C:\Users\Admin\AppData\Local\Temp\YoEY.exe

MD5 ef86e108d5f09a6ba5f0513e26d8c9de
SHA1 7894ae6469a1e2b1de19ffc54dfd70692c139a56
SHA256 75b0e3e3e5b06a89f2962549407c807c6bf66e2978a766917c8a8994f085ce89
SHA512 d513e26e7d8f32a28122d5ac7942d1e19d052e7220134dc5ee1326f856cf4b12497d36d761c76f6067987f80c06c0b680a3355ad25939ceb009e50a07dbd3497

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

MD5 5386518222f638673e188bdcfe709944
SHA1 8a9df75f5aa1560e6506b16800ae0fef8e2388ef
SHA256 77c9592878d719c4b89bfa1ace342e82a191a12b2423f994558437da2292fec2
SHA512 52e412834b2112fde6537a10660c6bfd89de83aff50e2448a1d4389832715ec6e107c0f3ed5a6d96b4fb3e79a28eae643284c3a12f7774440cefba5da86725c6

C:\Users\Admin\AppData\Local\Temp\CMEs.exe

MD5 5a48938903fc2ac84223a82b3858e042
SHA1 a9f86b53bc387f187d8907b290cafa3e1faef53b
SHA256 fb5f87ba86d2da5639be41b9381815bd8c94db45099eaedff379ddc6a072c18f
SHA512 ba7d9996bc0fa5d89176e885f61185704fa08227c78e2dd31ee03000f346a1f1cc581d0043686953b8f36711c1a6cfd67fa1cf5fa7a2623ad7bc2189cc5edb9f

C:\Users\Admin\AppData\Local\Temp\MMIu.exe

MD5 e612b1f1d3b92222a802b2b3555cfe65
SHA1 ebe4f88a690576aca45f67953b074ff6efd10737
SHA256 20cf7dae58d65fac8a94f084e5dcba411530e59890357ff86b1e8ab0ef740203
SHA512 7a5b93cbe5bd646dfdcda04d96383d1e0f03b8f81d61f2bd0e05d687c71adea1494c8fa18d72c98f698b2d4d9298a872484a4a90bfec38b5e776c72622f28b9f

C:\Users\Admin\AppData\Local\Temp\aIwM.exe

MD5 071227eda74c1260251047faef8712d6
SHA1 317a0783b58542adcf4eb91f7ed1306d9ba9bd18
SHA256 39b1d448e486d99c2cd8a79519953ef7f4b9eb181aa6c0e15580a5c7f63b1938
SHA512 7fc1f6f327bab1a1323207c2b31f53587c816720be60f150dd9402092d48b590885bdb2201fe19c2d9765e323ef6b60921c1ed6679bd050856246da45cc0407e

C:\Users\Admin\AppData\Local\Temp\qcwY.exe

MD5 df7e0687495316c253c050c4ac7018fb
SHA1 d6f179d657e6d81a36e95c6916a76ba50585d7a8
SHA256 eda014b4fbfceeb2622e6658398221b4bc3698e93e7a259726c2900ecc087cc3
SHA512 39e8beafb92cc12ed887f62302bf81d436425846447012ef440c85af8bd2585c9c130b049defe399b40f39cfe5fbf4c53e5d6fca8cec5b575a7cb0fbebcb38b8

C:\Users\Admin\AppData\Local\Temp\IAUo.exe

MD5 e890c5e590dda507d320cc08b23f7113
SHA1 aba0eab5ad051510a615a219dce5de9b02d3e815
SHA256 e8cba55546097698666f4e4b18a2e13a701c9d8e2d6b16ff77c3a7ac2ee74549
SHA512 1ccf357b387cc4e471cc34266225bb3d8dd9ff28c5434a5edd761e19602c0874df07a57a525df0df034992d5550e9814aa3de16ca9ef18c2f899fc3237962a8a

C:\Users\Admin\AppData\Local\Temp\wUgC.exe

MD5 a5a0b6d5ecaee07f6f89d3f79a8082f7
SHA1 ca7a69e14794b31a9e19970b7454043e85794f97
SHA256 4d01882edd09c414fffcb3d907712b53421f9e723b95343de44b9840540ee232
SHA512 be8f019144a7a8c7277df98f040ac3ed91fe4dd6bd82a3616e859517f01c17532c2900deb03a1fdf1da9a53230f6b52841db8ee5676ff61821372ed383e6e53e

C:\Users\Admin\AppData\Local\Temp\SgoO.exe

MD5 ea5ca149cc11e23fb95c45ec23c1dc36
SHA1 a4ea5e04bf9ff9dda88abde41325b0cfafb02a7d
SHA256 ac7eeebd50f2974b44114fa2cef93e8632de20495de97fcb79c89fb088cc3e5e
SHA512 2aed7d9bec41aa58716c24a0d78e00608f073d9880e242c6ecb52c8ae792baef5e56eed04ac45bbedebff40096c0c7d5baede746839e00ae27582785ba1e3237

C:\Users\Admin\AppData\Local\Temp\qsQY.exe

MD5 2924bed04024f0a5d8bc7e59958b7867
SHA1 6c22179d3a46f6e36b9f77667952d788066930ff
SHA256 5cd55089efd56937aaa6c2053dc272e72af68208e6297cc851b3ac2f2ec8096a
SHA512 e70b25baad49e35c33ae2c3e29c40061763d6e51fe0d699ab317988ec7aff6a5071bbdea77f8a74bca4dfa85d7bb066cc70979b35e7b15c3469875e5c1c73e01

C:\Users\Admin\AppData\Local\Temp\aQoK.exe

MD5 cfbe780bcb4a01a0206507fd6f20b714
SHA1 0f21667ee691c7c56267df809a6ce52786240577
SHA256 b63617e25dee615b04732fe9e34d6572083ba783f0715c2d7ffc07c5b7670f59
SHA512 b989fd593c71559da1736ec33ea6733e95a4dfb124ed100a4721b74646da46d7d53e3cc13e97a9c8dee600d1555f5ed2d00a859f55d4a251e2192d5df246b83a

C:\Users\Admin\AppData\Local\Temp\ycAQ.exe

MD5 250db6f9ded256bcb9c88245400e48c5
SHA1 5b57a0c3baaa5c36eeac5f40e49770655b0664dc
SHA256 eb1e36c537543c9485eb438e6b273346a8ae90038ceb90589da553c80d380eda
SHA512 57c1ed66785f1f225164be108da646a7ce2382efe744217e39e818a4778e9e9848da84e8a736868d4ef4b5b66468006439c641cbe6c2077185c7abeed0bcb3c3

C:\Users\Admin\AppData\Local\Temp\GgUc.exe

MD5 82790740c10770573a565b1bc85108c7
SHA1 ee88af0735814c3684f47d53a8b77110744b7636
SHA256 ec003009d56f3aada3203f5f18742a48e8107ce7edd4bd65a2fcbffdda8f4e69
SHA512 d1ee9af453f7f3659943f3836030c66d0e0ea1f42659d26b4130282830106c62ee441b8baf2d18d06658c6fa0d2b8696e95c6ea7a955341a3654775180e21f05

C:\Users\Admin\AppData\Local\Temp\UYwy.exe

MD5 2b2076bd9e4728cec432e218a63d0806
SHA1 a14399a0beb60c18ee7522bf8f15b1ab14aa280d
SHA256 0e833b3c282f07aaa4e9e1d6044ea3d8cc2b0074bedc4285fe988176258fe327
SHA512 740d4f66438e5260b923ee6579ac84c454c1f50526337923312773a065c224da5794f95d9b36cde4bc48449ed95b55f62426577d2da3e3ef7a8d05de56dbb233

C:\Users\Admin\AppData\Local\Temp\WQIs.exe

MD5 ac7cdeb7570c3db16cda280be0b28f19
SHA1 b4cbfe9b81540165b6dd419f9314c68b8ced1524
SHA256 ee4bd973528ec3355c70b6fc174277fbd7c63743ae48b5c8ce9fb54fbb9f2b21
SHA512 90ae03f595d648bfe5e98a0577494ad870f98a3f289cc7702c58f1dcf2a9fca351d896ca40316f563023d7168dde126c431a09fa48c00381fcee651f83ede78d

C:\Users\Admin\AppData\Local\Temp\EosQ.exe

MD5 27ebe1d5174a7e01d1a669ca22b42884
SHA1 9dd3576735e5969025390bce2fe8070a62bd254f
SHA256 3d44e5b1cadfc4b3b0c07cc389a3d15bdf48c7e85d5a6e9ab1a1bbeffb5562d7
SHA512 c21f9367238a2a03e228208ef53e8175ef6bb5ff96c1c0ce428dfd2a1dc1d8e65d76e36d8b24dbf5a28d36582635861f5561d5f9ad7a7008fc10f704efc6aa48

C:\Users\Admin\AppData\Local\Temp\QwkO.exe

MD5 dabff98e4498f3b2053fcdd897016ef1
SHA1 ef55217c221fedd954c6df3027b7594d5e86ba4b
SHA256 486a1142fe093a720594aac905b1ffcc23e57f446ade1a15e3a78f3c2d2f6b5c
SHA512 f1c1f44338619d8c75941da2cc87cdc5057f757bdd7e78bf8868473d012514dfcf295d30d39e4146cef8ca01b081152053a6314100ca3073e3f9d2d8b7e91133

C:\Users\Admin\AppData\Local\Temp\sgkg.exe

MD5 7d1339113a6a05b48ddf582d2a16ab33
SHA1 4368dff37ce7534fe3f63d2c06d040eff538286b
SHA256 fcd9cc1eb7156df2e7ef41723cf3ca23839b663c50577759af298ac994a31cf5
SHA512 d62fb77e7980b00caf582c3b648b77ef1137e67cab02743e9126c5e85ee7d138f73693f83d9c08109723d5c2d6737843600e41eafe4d3ab4e0ab594d90f1e667

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

MD5 63368f090c0bda2574e491f2de206483
SHA1 a27ce1022f71b612fdf2ec3f6db366e5dcbce22b
SHA256 0a95938da4b61dc3f0e3a519839fc923707ba458352e3521b55d7cd3f3744527
SHA512 a029e7e8e3fc96a087d047e2bf81a72a9ee806177bbfbe86dcf6a9e129a44da2ba494230b615a592100cd33867e87da7aac46fb6b5303c03184ef29be535fca5

C:\Users\Admin\AppData\Local\Temp\sMIE.exe

MD5 d4d3194c53be9e6b75feb8f64f806429
SHA1 247c8ccf82bc3c52bcacd33962aef0acf8f9ce2c
SHA256 059508c5135c9ac9b7caef92872f462f7b201ac28a026af9e9d118b782f9649c
SHA512 79e8578105028a85c185efcc03932c30b7dc6a39676ddad93c210a85ca17ddc669037c20fbed759dfcc29198d7751c704a9b608414da562e8fab9d9b62a21860

C:\Users\Admin\AppData\Local\Temp\iMEY.exe

MD5 71cc0e64965f2f12b98b3dd8f9e9f4f4
SHA1 e5782b54f8800c311a51cf769eb208e9bc89b329
SHA256 ef24906f9a57c591d7619a674e4c6616efd7a1826359a65b14c758e04bebcdaa
SHA512 1bc02195772bb699240189852c5f33f8ceadae928f53e0b961610d9816ddc8a4ebc465539160d8e0bbe7d202256df250852ed0daf44b5d1f7a39021908ea63a8

C:\Users\Admin\AppData\Local\Temp\mMEA.exe

MD5 0d8af2d2bcba3a3c872351386f6d9d73
SHA1 70a4679fb0edc5b8e996608cdb87ee947806a263
SHA256 f6f0d1fa78faa43aca181711bf0be8916f869023461cdc30e13b893422f8f247
SHA512 0284cd83133ba78e9604e919e68c6519f6d21b1da24620672aba7499c8fc32390ad3c60ea880ef5f29c114b6ebbcf162555a8bbf0dee9e6f36575a51cd7deffa

C:\Users\Admin\AppData\Local\Temp\kUsw.exe

MD5 c02e722f84ec75115b8160bf1642ac0b
SHA1 8a6d439416578ead43426c1843e48b3e9d52c4e7
SHA256 8e45b9ce216408e0a3a4843bfd63eace25a0c66b366b88473d4b624a4a3415f6
SHA512 7c5d9ebb59bbad579d8ce4b6c5eb8df50812da2f05ac65b4fdb91d1c24a08077622701f7906da69acc34f72adfac096c33a15a83577d3f8fa128c3ca5824080d

C:\Users\Admin\AppData\Local\Temp\OIQO.exe

MD5 89fd8eb2eccdfbf524999bd975fc8bf1
SHA1 5b9c427926d8444bfbab56aa778493e39681a931
SHA256 a97717858c6c16a6facb6b146683a7a6ed42729caa4d3820d33f89711c3c1d23
SHA512 9689cd588a67c0055e47495f51e43cddf9fa9c5ac4dbbeb8cb134fdd28da120d33397bf2a47659f4752e124b41312782111b54529db819622d1e7ad756863028

C:\Users\Admin\AppData\Local\Temp\OMQC.exe

MD5 b522fb970dce661e0b97c163ab5c8a4e
SHA1 8eaadf0b564a1b59f9d847e0e38464f401ca4e64
SHA256 f5022e498a5c9582dc761f5d6ec94ed5512b7f5bc3e752d533c8cd6f2e6fbeca
SHA512 2b6ecffcacb0e9b0e6db83d62f9b2277029caddafdce3c5068cd081273c4c58e9adbf0ba7bc88c4a066b43cfd5e6e9e654411d007c5a55c4fd8c73f6baa0d9a4

C:\Users\Admin\AppData\Local\Temp\SIkY.exe

MD5 c3fde3c7cda40392cc7dbd5b837033f7
SHA1 49fa483d4be26674fb16261485fd8e4af6b34709
SHA256 0fe694efee76eb83dc013731f4c4b56b6b9f1d40f792ef568ba90a0fb13cac27
SHA512 128af45381930ca4a4a0e1afd009301b6c5fee92fe28a92f5658027a820d060b148f089c3f0277de5ce74acb587c07b3f4e12169f3dc061a61f40e9d575c0987

C:\Users\Admin\AppData\Local\Temp\qMUI.exe

MD5 26ecabefcbccf5e87868f2f0cdc35cc4
SHA1 30744b920a359a97bbde26ea4c04d434f7d5188c
SHA256 e150202707f77c466c3bd81bf607b8f24aa254858bcaf3d9b62f492ccb2dd3bb
SHA512 0ae7aaeec7f2c5695a81cdc0569a172e62500b10518a4e18afcfa379ad550e90e2adb6395494efaa3b7c780f78c630c60bbc0f11a6dbdd4c3c260ec00a7ff36a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

MD5 9ebf9daa2e174c6f820328894ea381b8
SHA1 19d3ab4d9a7ed769943e151bad3fd674fab6a3f7
SHA256 ecc32bb7671a98a8677224bfa437447971a97f3e716ac54e112430c28eca1d40
SHA512 b8310634a1f3007894b3d6ea95bc2d0165d60a3854b4e12bc02446108822cb03a2b1368babe5b1d4b034c0775afd5d4371a40bec89a6886e383fabe41fab2c39

C:\Users\Admin\AppData\Local\Temp\mEga.exe

MD5 2726326606abc5e1a2dabeb131f71e79
SHA1 60f193659d8014ce5c598b5cb613af4e95fe1e73
SHA256 e2d0179027c13c3a1b59f5d5c51da57adb95bf8cd88a7f94c0fbdc75d0746ce9
SHA512 b520e414debff2e1a64b23f81160372c460583fef1d6e88415ac7a4c0f084ac4e1797c4851eb71f2da5ca9155af1a94876da11ee3e63d985243753c883eb5d7c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

MD5 a3a29f13317e8925bff4dcd532990e22
SHA1 91f99cd579af8df3fa6b0737de99aab3336ca73b
SHA256 bdc6d071a0fd7fad72e270ad3db0a96d7766ca1bb92f9c3975792d87ad0e1939
SHA512 b6d1362d09e78290d48abdcea49f5f7dbbd8ecbd8fec69f86fb74c1e3089a91b24180798aa57aa41b38f4e916bc3f5ca06635902c64ab6c3330dbda0f2d4084b

C:\Users\Admin\AppData\Local\Temp\UQQu.exe

MD5 d7e74779d87e6bd7773ffb53bb6b7611
SHA1 0e5d0a64aa81d7b3e49738d1a909249214fc1e32
SHA256 d52e44956536432f8deadbf912793fd394093a39d579cbd32984d01d6dc461d7
SHA512 780a7f586c41b16891b4f66dfb2c970123b3b88f14df259f79d1ff875b36b5a6325bf9f1f6d805a3ca4bfd729e143f344d8e434fca5bed3af3ed352e98863b9f

C:\Users\Admin\AppData\Local\Temp\sYsI.exe

MD5 b3f8fb8469be84e5cfed2f2da26512e3
SHA1 66e37f282b3102046cbd08a8b471bac3b81994c7
SHA256 15281689cf5793339b37f09f482a965f1d7cef3eec92da85532cefcabd19b61f
SHA512 56c0e5eae1b052e6faa80e2bc816859e61e2e8433c62d50829156d900948e27062b72aafbf27c5d9b0f9e6e077d738b69005d58904b87a66118dde6a6c8d63a9

C:\Users\Admin\AppData\Local\Temp\kAMg.exe

MD5 9974cc78cd8e0d03f9bbc877f40e5187
SHA1 e08a942bfce99469116b6d676b787f923e8af243
SHA256 e1409d2dda9f2b402f089fb9c4e8d6e58e783b13ab4135a0124864dee9031d41
SHA512 197bad44379b444c1c2903cab42ed3618ae9f57772b806690edb0f78d970fd57c2cda7670ca9c7f745c916c3e221335f221ac698c4dfb4354b22f609f07ce140

C:\Users\Admin\AppData\Local\Temp\SgAy.exe

MD5 ac9a82e78f8692741fb3d9b52eb55aca
SHA1 307e387a5c957b373cac9cc7422e05f311f470a9
SHA256 20c1efd3ff08864f503dc9a045015aa57346219926f018d77d2d06f7e9a69919
SHA512 dbe47bdc59a5db17646900ccdd84e07dda6aa2eddd4a780a77bc092c848ae2c3d6251a81c83bf5cd8b5ebff627be233c2426c5e24b41d6411a3544d3eded2026

C:\Users\Admin\AppData\Local\Temp\ocUC.exe

MD5 7bcf9b72be0987682056191dcf1ab527
SHA1 01316ed2a57f5ff8806320857ceb1b11e000a0c5
SHA256 a5fd71204685b46fb7a63c2d5b4bcd155ce99991c26f82f418d0d201b1d727ee
SHA512 527c324e35b85cc39b93e3f6c2530a44beda7f7fe3e36c2bf52887700a4dbfb0b6e661f322b7b092971a4359086e07a7491139fe8e56906c8b2700c3c5edb1df

C:\Users\Admin\AppData\Local\Temp\SIEW.exe

MD5 3416fa0dec33c7251bd00a3830ef6da3
SHA1 aa615e8344578abe18a400758a8f1389b009871d
SHA256 fed1e9f36d55fb9bde1e7a8cf939d566c530c5b944728aecc9845dce5d45886c
SHA512 91fdbfc3bbdacfefbc27c503b307d311b3388222f5a517952f6841b486bb79fb8adb638cd2aacdb4cac73afa90cd228c19c8e8abe13f1a3c3bdcbd83e76fbd95

C:\Users\Admin\AppData\Local\Temp\ikYK.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\sIkk.exe

MD5 5625d3fd50e5311d1dffb9122a96512c
SHA1 bb1cae79e443ed8c1504c0cee37e8d9c4f6c0646
SHA256 afcea576336b5be438f43be41cdece88ee48c3d9e20584af079bfedf6e15b872
SHA512 58a78e4607fbcd9069f31ba5c9f673940fdf3fd26b86edf3fc68081bcf3629b66a28d9ff2efc8b63d1c6dc74cf2905c1410dd88b692f9c25f0ec1f82b1be35ed

C:\Users\Admin\AppData\Local\Temp\UkEA.exe

MD5 96ad7ef6c10b9f4522686f176c765bac
SHA1 2674c42d3482048c2bee09c60b5a240fca72a58d
SHA256 ffaab6188349350ea2e3d59f06f6206eb5e8ff62771c900e42f2ddc6b0edeb87
SHA512 6c40009c58119fd23c534cc284194380db391e8136c5698a8c14a31a62809fc1c551a36429efc754a3a88ce8c05b346167caa9575736bf3a6dde1459002c2461

C:\Users\Admin\AppData\Local\Temp\Mokm.exe

MD5 4952932df3b8a98a9b419de8f151d70e
SHA1 2313abbbec6b0de710eea262bf1451c6d6330252
SHA256 029f78c2154c5f98bd1adf5353cf1db1647cd4c38cf4773657ea37f88e78680b
SHA512 278827483dbaae6b81b9333aadff645daf80695a5d663cca71f82d8a3040743b553febc572ca5a0bae2509dce1999d3555122e6245de994985e84eb3bec68aa0

C:\Users\Admin\AppData\Local\Temp\OAgs.exe

MD5 49502ea68fdfb0baed9ddfdbe31118fb
SHA1 c8e2392c7223b601b75177898b0c26a6d989de5e
SHA256 d88cbf571988f7c13aeecbdb73a31abe1af1eb7e039edb24575ed7ca7263e658
SHA512 5d3e44891ad71dffd98a554d307886b7060a8665f4f4f1d23f735b68aa6bb4629739383d789431b1acc4ae0dd298644a7cb1d082ae7966999cc55f4bfa05e156

C:\Users\Admin\AppData\Local\Temp\uokk.exe

MD5 8a92f96d391ee583b6faef3b9ae9823f
SHA1 d26e87abb4d47d75be0a18340e1811632eecbfd3
SHA256 96141f5061c0c8cf2609849b3f64b3f2c40616e9eb684290cb14b54f0930c045
SHA512 77b661b2228da644497dcc1d42e6ee33c188ca1f02a66a0b332fe0b39215d7732fdcb86f91c5d4b3cb19aff1485756f795f79caf05bf77818cecef34f9e9b197

C:\Users\Admin\AppData\Local\Temp\KMki.exe

MD5 c0f34a3b7d874d9c798f374e46c1786d
SHA1 4daf70f96fb1cfb58776d9ccd4b673b00681529d
SHA256 c293b6bddaf3929989e55a60930d05af2475d6e7342ea8cf2cee4ef6245ab131
SHA512 d22fb682ea36863c21669edb7a45567d808a46813a650fb78dda46c53adccdb19385107dbf62a1a46e80355f5c68e69c99b57c49dbfeef9b98325f33626a79b7

C:\Users\Admin\AppData\Local\Temp\Agwg.exe

MD5 f5be9f43a51d89d9171d538abfb80186
SHA1 d30f4cc46bb9afb55ea88e8cc65477ced906ab15
SHA256 147031d9e95992539dde9cf69e7593edd30787ad8ef0a4f57670ae4faa64657e
SHA512 b9a9df664db9737520e32fb8288d5f54589359d2cf0d2caed6fc248e01ba2bd83c89ceefa230d10664bafaf03750e8402d2133c9284ab851c1a89f618b641787

C:\Users\Admin\AppData\Local\Temp\oIsa.exe

MD5 f73325f382f010496143270be6158bbb
SHA1 b09b0424420813c63fd75042321aa79131a76eff
SHA256 793176427d4c5ecfc9f4f19bef0e8354bc9735f95801865fb3283816605de45e
SHA512 879a92f3b869c1b41c2e7dd81f9c57a0c73b083d9e6f64aa62904401420829d05e1cf01c3ee3332ed976c52c656a2ab4e2ed3c90e53d786337e63c09d9c510f4

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

MD5 7e2f14316f177c34411e36f122b12a5c
SHA1 ebed797db09dd32ccb7bff76b09fdd850769997e
SHA256 87e04cb011541a5a2e1c374523853e601973f007822268e6ee4e62049954c2c2
SHA512 e23aa80ea92798abf0e4841d81012656b58839e9ae7e3e3e548aad71909625a9cc99a043b33928adb8ec1f3143fe2b243a00e2a32ac28c2e4e64ff4f74fbd217

C:\Users\Admin\AppData\Local\Temp\UkEG.exe

MD5 9bad6af57494dd7b9e873de94eb08907
SHA1 b62d06b28f7c0517aa2bbdecb8618b9f2217db1c
SHA256 d3610751743b5e78a0ca74a3e65bfc415847e4f2451a5fae66278e787333ac02
SHA512 bd18b30d7176b6237ea4c86b930e7aabbe529617d10d45f1669b26eb8c04fdc54eb4caa1840a95046ad638976490a425bdce3396d1c35daacc4f7d1b8200c414

C:\Users\Admin\AppData\Local\Temp\ywEk.exe

MD5 49ca0a5a9b33d994490dec38dcf27849
SHA1 66b1c7e9f0908a50b6782fa3578fa37e715e2895
SHA256 4b6eb0577c56741db7ddf5b374fafa1123a8785f1ceb9c2e99007a8ff857aa15
SHA512 534410a4600b8bcfa1b33760cfa9b2d40ac9ca14c0d812c3eece1879abaa5c743aac0d6e2701d9e5ce31a475ff6d58ef14662b399261518c0d6c777a75c37ffd

C:\Users\Admin\AppData\Local\Temp\iYEC.exe

MD5 070f4e00e5fdf10d6a6bb2676dcc3b8a
SHA1 795363d51b435abe2a7923578e7a434524b71f29
SHA256 caf4c0d32a19f97b5f8fd93022bd56017659125512e9134af8605cf8c43ed69c
SHA512 32b04044d2f2bc83dcbb301867a35e258ac1139b6a180a51a1b081ff994bb84d18f8bf5428b03d2e3a141fa8eda1e4428b5640d74b0843db1d105fc71cd903de

C:\Users\Admin\AppData\Local\Temp\kgkM.exe

MD5 2200016665e5e704b7e6ee39574d8f7e
SHA1 b479783b7eddde08bb5e95363aedf119c2c99053
SHA256 3c1c0ad781af5ec68bdc597cbf8c2678a9b7b3626f8cd9be3064a76da4334a7f
SHA512 0f2f23905162ff67590cc09f826b813d6ac260512cc73a2e5e7e4282e0c4d3f1b6f16411e59c83ecc80dc12d4f99e89d40a7e847e7e848ec0f1d5d504427e341

C:\Users\Admin\AppData\Local\Temp\mwUi.exe

MD5 7f623110a68f29b985ebd849dc19c759
SHA1 e3bb903096b9d72c191b2b24bf287feed4cbcd5c
SHA256 3d14e12a211841f059969cd996ee673847193153c58f9294385cc2b397a79ba0
SHA512 e30d563544c90f4544e80d654c0e0ff993cf04b1febbe51b086ec48d20cb4cc0dfd4e87f1f82a794d7352cd6be4677084f4b01e2877af4401699e9f87778dc0b

C:\Users\Admin\AppData\Local\Temp\mkQA.exe

MD5 71eccb01a74cefda8d6306eeb86e7330
SHA1 1ee7926ef420c14c7ffd8659e8fd3a7fa40b6996
SHA256 24fb1ded35fcaacc01a1a5477a846b1b5ff9381fbdc15b5af7cee9fd1051dda1
SHA512 288c836e14e24868c8f3e7d6b76ee8c231f3a9ef3e5468c7ccd3c6291b128b3e37fe360d94fe4854b13bec484b30e82876337d79d454cb37d703adb26ec95f18

C:\Users\Admin\AppData\Local\Temp\WQQO.exe

MD5 5a851107fcdec3be80f234c34a90d399
SHA1 5a61d1bb51ddb178a4332d19531750710c10944d
SHA256 462f1d8133351ad8ef317a97e6408bd42894a18ec74fae5beb33c548c505a8c3
SHA512 f8ed8f6c1b2104500accd0611884e8dc8219d9df3746294ed1486626df4bb284c34711e3691c1c37addcce7dc2cfea3e1aff3e365855b1eeadcaa76050c89ced

C:\Users\Admin\AppData\Local\Temp\uwwA.exe

MD5 3ba7bcc73cc22666d92667fb3da57d06
SHA1 8f75569baba29693205fc03ba7ad5ccddaac8ef3
SHA256 475e59a15ffe4ae61fda2ba859b0a090d8df76d5fa72c8ea57ee1450ca3e3322
SHA512 92175b3851f152737fb0c4c40d2bd44068cf32f332301a1e21742bd7c5a08432e3dce97f7e5beb516c2db15a2af5689a76de56611119dabb8ad6ecc890233f80

C:\Users\Admin\AppData\Local\Temp\ogks.exe

MD5 f45efb735e0c37540e2851ec8cc632ce
SHA1 6726cf773aadbb0ac4465375b809ea0d42e0f099
SHA256 1eebf9fd19c1b3ffc77d55baa3be724c8fe636fc273426776316a403029315fc
SHA512 f7a1434085079cf4e01d30aaafc7ce4cfd275880a1b4b5a3891472cbaa89826eb8b2ccebda01560eba73b56e2cd75eb311fe9a667ffa4ca28ba38c423a7e4ab9

C:\Users\Admin\AppData\Local\Temp\gMAY.exe

MD5 2be9cd62a72759a23dabc37d0aa3e2cc
SHA1 552480f23561a081b59baa9c7de3d1f845d89fb6
SHA256 1ef38f72dec287adbea09195e75e50b1b4b499fce86dbd3162909dae6ccfbfba
SHA512 131ccf9c3c8aae765d685436f89b41e3c1c0e5cbddcbb477fe2e17ce374d5f2398e010017dbb05565fe425beb11f413a25c01ded5bc1b935ebe339a9cc35ebed

C:\Users\Admin\AppData\Local\Temp\gMUA.exe

MD5 25dfeaba432865cd01eb2a75f8648014
SHA1 557103a9afda71ca9271c0216fdf1dbf8b5216dd
SHA256 012ae85629ee844bdab0e82c871f919f526a39ec2e254074a4b89f07de4109b0
SHA512 5eccfc213ac386102a47e23b571c874761a63c1ad4a8b6db3994f20af397f173d058de4d3ddac72ce1f4fa46f02b216d875108e8ce03b5a7b1c679c2d1ab377b

C:\Users\Admin\AppData\Local\Temp\Usko.exe

MD5 ef315d66aaf3856d47fe8789f8523dd0
SHA1 cdd6d2c5cb9dd238bb79bffce043290198a23393
SHA256 07a5cd71e4065d04da89b801010d8b3bde78c9c405f4b96a05a9e8a68c7d145b
SHA512 746b2db656ce88a2b9f2e4b4846cabe64404497618417da1937611461a3f0e1964381cd8605493d5dcaab32d8db8f486e34967973c7779f2981e853412cb09c3

C:\Users\Admin\AppData\Local\Temp\aIwQ.exe

MD5 c9bae512ef91f1272bf2b0dd61729356
SHA1 951649abc1ef03b175e4afe570ffc9cc77e98368
SHA256 e8e9d21a9ef6d4ab527ea31443d0813407cac91378ae43b80a55f240f76d8d9a
SHA512 e30b6f4f056c91267b481b4740df1f600a799da9d460e7fd17c86c62fcedac4a6a09add03af800bfcedcd90cbe73183353fe0227fcbc382ffde476f8614ec538

C:\Users\Admin\AppData\Local\Temp\AIUc.exe

MD5 10008deae0384969695572132fa4c2b3
SHA1 6a9d3a2092f50e805ba741e8bade6fc32b354788
SHA256 e0829ee4ba02940b43e6c2596054bd1553131f98f33d02a05edc77a3e1c61b6f
SHA512 8e336606f23d7b752cfbbfda69f9b0a18c9a1f1488a27b07fc680e1b118414a610055ca97b8f4b81115bb67b27aa43e02222e70a1fa2566a171bacefc17670af

C:\Users\Admin\AppData\Local\Temp\Gcca.exe

MD5 212923f67adada9760c76b23fcd0db5f
SHA1 244d3d217f9a0b1215deb3eb3511fff8faadca82
SHA256 6b3b0a94f85fd2c6a1b49f437519e78d2cafef52d87d106f42efb71ee5872d04
SHA512 66353524cfe6ab512fe382b3e0fabeee184f3e2de6ae5f84a95e1624b89d05e01d43b4bf44cf25ebc110b89aa5ee70664e99a25190e3677999f47015bb612129

C:\Users\Admin\AppData\Local\Temp\ocMK.exe

MD5 2c33dffb1adb625cd7d9ce05c3de5567
SHA1 a2778a7bdbbe67e43a79509a410dd939f0301490
SHA256 74d2f62444c43a4f52e65ef9a31231c9f338e625fc07a50e635e3d6ce5037840
SHA512 082417771f0795adb00b4010173b6f79a5c0fd0d5e1ee0754d42891ee4702a041f9aad9c385b1ed9c2a22cadd55af8ee6460649e3e2d0e4fb83e8a3616efee66

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 8dcfe50f589ed1bf041a34eaeb662cd7
SHA1 f7b060985c4da082959bb13f8793e22aa9c71a01
SHA256 6c1b75caceb8351b9a700f1c00da0c8423e3c026019015322fb510d1899b1772
SHA512 c51975ee4e8310586aa0bb70d89fdb5d302c73cd2879b20c733ebf043e78946257a11f0c47a8dec7a3cb3702a9ed9a0d4d77d99e717250a8b9351e62929d4630

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 67f57d39c59eb5c0d085921f15092203
SHA1 0690a10917272b7b6d045619463bf3aa34c626fd
SHA256 4ab079a95d55db7c8163949eea938f910a8d24fd089e18958b2d0c12f279a9a7
SHA512 0c5a72b3a3fb4b4ac3770c47c0ed75618a1eab5d5eae3519b53c7da4fbf1ae6c8ff265c45bf8bf1f1e0c5015027d68b9dfcc770d1a28f344a5c6fd279168fc81

C:\Users\Admin\AppData\Local\Temp\AsAS.exe

MD5 94a3c3a732b342c34dc75bdc28c1c231
SHA1 36cf6de084b81414ba8942751ec61911c2902710
SHA256 3dbd2438b89fac441ecb533ff1cf54e1d0248cf8d6dd37db31874918e79568ab
SHA512 c3a61334c7b89f6c96e966ddae924f5850c6fccd3f823c8b655d72184fd41af9703afa8e1ee5527a25b1710097260aef90d899d73423437cd58f790b4d73783c