Malware Analysis Report

2025-08-10 12:34

Sample ID 240403-nvp35acf61
Target 2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
SHA256 4b55af0b4dc465f8602b815562f7ee3373eae6a4d8e840ffa3f3d5ebdc4cd57e
Tags
upx evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4b55af0b4dc465f8602b815562f7ee3373eae6a4d8e840ffa3f3d5ebdc4cd57e

Threat Level: Known bad

The file 2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock was found to be: Known bad.

Malicious Activity Summary

upx evasion persistence spyware stealer trojan ransomware

UPX dump on OEP (original entry point)

UAC bypass

Modifies visibility of file extensions in Explorer

UPX dump on OEP (original entry point)

Renames multiple (79) files with added filename extension

Reads user/profile data of web browsers

Loads dropped DLL

Deletes itself

Executes dropped EXE

Checks computer location settings

UPX packed file

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 11:43

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 11:43

Reported

2024-04-03 11:45

Platform

win7-20240319-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Control Panel\International\Geo\Nation C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\ProgramData\PUQYsUkI\HEUcgocU.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HEUcgocU.exe = "C:\\ProgramData\\PUQYsUkI\\HEUcgocU.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\FOcgoIsc.exe = "C:\\Users\\Admin\\DwsAIoEY\\FOcgoIsc.exe" C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HEUcgocU.exe = "C:\\ProgramData\\PUQYsUkI\\HEUcgocU.exe" C:\ProgramData\PUQYsUkI\HEUcgocU.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\FOcgoIsc.exe = "C:\\Users\\Admin\\DwsAIoEY\\FOcgoIsc.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A
N/A N/A C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe
PID 2188 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe
PID 2188 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe
PID 2188 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe
PID 2188 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\ProgramData\PUQYsUkI\HEUcgocU.exe
PID 2188 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\ProgramData\PUQYsUkI\HEUcgocU.exe
PID 2188 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\ProgramData\PUQYsUkI\HEUcgocU.exe
PID 2188 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\ProgramData\PUQYsUkI\HEUcgocU.exe
PID 2188 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
PID 2656 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
PID 2656 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
PID 2656 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
PID 2644 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
PID 2764 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
PID 2764 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
PID 2764 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
PID 2644 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2188 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2188 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2188 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2188 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2188 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2188 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2188 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2188 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2188 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2188 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2188 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2188 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2108 wrote to memory of 2272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2108 wrote to memory of 2272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2108 wrote to memory of 2272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe"

C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe

"C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe"

C:\ProgramData\PUQYsUkI\HEUcgocU.exe

"C:\ProgramData\PUQYsUkI\HEUcgocU.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LygcoMQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GiQYsMsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AKccEYIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YqYwgEcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QcooIMEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qAwsAkMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NYwooUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fCAAkscA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIUwMUoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "982850551-1827256527112714102010765497062138409825-5708321972042977718-1310193349"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "441101911478081259-29561069310184093726748213791151448767-189414610-1838979945"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\awsYMYIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iIsEIAAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\voYgsUUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "9141638251590510877-821547750-277112308110244313-21229965771338270719-59857456"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HgUEAgAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FWwAkMYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zaksEMkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-973284350-1534019470-1988482592-1544381736-628988146-174432968-892173183-1718717969"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kwUoAQoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PKsUAEsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GWMoQAYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1802118083219702957-936120935-213967804187176673-13120927531485651783-409857673"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cEEYoAsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1594602574-353697237-639790933775659775-310925637428090589751567773-34327730"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2081620197-771711776-66441832264710862-861499497288064118223982566-667011280"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BkIQAMQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "16896658471878398578-1836774310-3640799251381214071-1787217035-621779195-1044988160"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wqEYMcUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XigosAcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1373528465259611938-1422519294-1290185850-19803406911276053801326036395128217709"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JqkYgIsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-114343638639602639151107758111727894114114942551809542772-2045296689567549758"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CykcocYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1483779509-316889710-16798809931116543430-477302492-19268786401823287862-1194580955"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oAIkgQcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MYcIsoYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "77843880-137659196410093953700957858-3517319941975153527564949191-892220546"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "54851559684780836958705960711636898998459166251361559997784100-954313868"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zgAwcYEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZYkQgQUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "6755134391642288799-203784352916581445811488755972247795611298189981-79061929"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RUYwggkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1847051280-1254068126532777440-11356325241616440922-1767996685973643952-656466159"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcEQswcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1761807378-314854632-1409216962-1278326401-1490617865-21106238775254620431087808284"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-6396849607729030427823173521280598380-8082698-1562326869-874550357-413868744"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RQMUMQYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-132549135237973828119999735341362685158-379308992-1981470077-1152985969689577608"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5545184481039618886-691236102-11081809231714124851251528114305519207-706460608"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1758931716-7734768951649651493-1536769599-750504892-838233980-841277534-1008990125"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XmAIgsMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
NL 216.58.208.110:80 google.com tcp
NL 216.58.208.110:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2188-0-0x0000000000400000-0x000000000043B000-memory.dmp

\Users\Admin\DwsAIoEY\FOcgoIsc.exe

MD5 71031b8ca96717ca03820f38bcf1ceee
SHA1 0f8b7c28f91c36b460f77909376eef813e66b56f
SHA256 61e608041f94799a9fe75ba90b0cc7e8bb6b2628abe4545dc81ea43431598706
SHA512 76afd3ece4a01673b2aadbbfd59499cdfdb3a70a4c694868acac79c2726d76e133cbf79389f54b8642f0f8501d99f6d4125d327463a56a8389bcd60d04d88fc5

memory/2188-13-0x0000000000470000-0x00000000004A3000-memory.dmp

C:\ProgramData\PUQYsUkI\HEUcgocU.exe

MD5 6ef6a14cb76e048301e66cdb950d3aec
SHA1 6c875145040dae00e5fa0726c2474bf5fbeb7e96
SHA256 09463eb8a2bcd7ed89a64b6d2b07e55c563eeedfeb2425e79de50f93e938c44d
SHA512 0e41fb1f024a25faef374d7ce25fd487f03af03820b7fcbba0ea045eb837ead7a37c8c1e0154e79707f7d5e912a28720844a145b41db4f17fd39339cd9e06f00

C:\Users\Admin\AppData\Local\Temp\kKAUowQM.bat

MD5 20ccb81aace2e03f8c0817faa3502922
SHA1 020ae06d3acbf32e7ba0f94e5948b7edf27d416b
SHA256 114295aedd736d14e56c1c080511ec12cb624e9aa16cc3b33b1b3261907f9c31
SHA512 b76a8014dcb60f71fa11b525cdcf02b659f4826adb897c18e3b9b83f6c8f9593c17742c192b0bb843b2c2ab374c0110b28119d2995edc3621b49fe813c31d226

memory/2188-5-0x0000000000470000-0x00000000004A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PIwgwsUA.bat

MD5 44543943725680630b543d75807e951c
SHA1 bab86f2d45e412950d298b034e6d84f79fd63a42
SHA256 b8972823bcaf099ee57937cf27a789cccb5ba30f3a44a45240aae34bab06a4bd
SHA512 a409af7e26390ca1b5e2cd857f4cddd866bd82d9176506309df8e20ce0320a2dd1fc160d32efd7bf7f1bc1dab0c76903dcb4ca00e6783a49ee4af3133d5647b8

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

MD5 5f6870e505406f5a8e8fa594b6d5bafb
SHA1 4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb
SHA256 f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a
SHA512 b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

C:\Users\Admin\AppData\Local\Temp\LygcoMQI.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2644-56-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ookEsIQA.bat

MD5 3306169adaaab1d3443bf6b7d1c7dd94
SHA1 4288ca23908e1814fc35c74ec6d4e1227a803084
SHA256 eed4a08dc17134bed369869458e04ed211191507ba4f3a3db572b9ef712928a3
SHA512 2635bd997d3c9001956e64f3f2ace0c4d634dfa5997e1212527da4722e9fc8c4c996285f818cb760ad4c52d6c6b4af4768c40d9d3b3ebfebf622eb66e1b4f905

memory/2188-57-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2916-80-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\oMssUgMQ.bat

MD5 6451da4fab235d458bf10b7bad70b195
SHA1 f8ce0f0c35406a5c67197dd2077707289eb7e204
SHA256 fc71d4cffcfa51e292cd214c2fd555e0701ab73e3b37e0ce7e432c1e8b7c5967
SHA512 f4f957fa5c4ccc17de25f95ba406a8c823703aa788ba41a15542c810ecc327df459d7559b535790c70cd7cb8011a41080c86ea66d7ad255dd7e98f18e8bbe420

memory/1696-101-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2720-103-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1744-106-0x0000000000160000-0x000000000019B000-memory.dmp

memory/1172-107-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CUQYEsoo.bat

MD5 0cba06d4a449cc0ba3366875c4295d90
SHA1 22921e60042d9d3a91722f8935b32a5ab7494cc5
SHA256 572df41561f10ebb22a51a485acc2998ae36c29c7c1a5c4a163fa7e4cf0d97ef
SHA512 1ab3bb9cd0dc84dbc17033dd53ac500b85425d84caeb901dcada9aae0ab65b39867702830a0766da9812546fe56cf7f51ac8c71e73019ad8131dbecc95af8a6c

memory/1172-129-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1764-130-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2236-128-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2236-120-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UoYEoQII.bat

MD5 d4a3af41765f1128c8cde32a837f782d
SHA1 8091c6995956830ad7c8fe8426acd84fb12fc54b
SHA256 5515a435994b38cae912da50be16e7556776dc0ad511e10716f3ccbfa069abaf
SHA512 3417b85b6540d8af37eb70dbd6d06406d814c9934f0eca44bcd83b80f07c2fb98c393d1bd76e54591d60be0f29e581ca0d555c1ec8a34fca932aebd1b846ffb3

memory/2808-155-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1764-154-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1528-146-0x0000000000220000-0x000000000025B000-memory.dmp

memory/1528-145-0x0000000000220000-0x000000000025B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GYcgIUkc.bat

MD5 316b27572cfa0cedca74172fcfd6f58f
SHA1 3fe103be271845fd0c4280ad69233a322f20cbdd
SHA256 a4ac1c48140966ab218908176881a6aea14c2e485b31bc201fe1d97140d31e1f
SHA512 ab9bff9dcb0bd701d77559711ad6bd4dd63ead07151ee4882f067ce6e09723a257440d730b9d55e8534c2fbfc9e7a8ace9285a62ec66fd69ba255b5a0bd34623

memory/2636-175-0x0000000000160000-0x000000000019B000-memory.dmp

memory/2808-177-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2396-178-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GkUgYcEE.bat

MD5 8d63983e70480b56b7baac132edbd3bb
SHA1 94fd0607381b4d4b85ae105a3c924953c64f46a7
SHA256 776e64bd72dc01b96556a2341c9099847150e3ab38973a96d5233c0db78d53f6
SHA512 673d1646bfa16638dbfef1005f5f09696013ea1263b0278b65e767c116799ac2bf815a6cd2e7f7d73f555f73bebcd8d2d09836dd92965525b19aafc007fef524

memory/2396-199-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2384-201-0x00000000001C0000-0x00000000001FB000-memory.dmp

memory/2364-202-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WcYMoUsw.bat

MD5 4af4a48a582a5d45baab08e78da189b0
SHA1 6024ba94c718611a7f1aa0eff1b38ec6a149588a
SHA256 627725c323b3f350e10dc4d54937ab46c9d9e653047bfd262e8cc064789e2faf
SHA512 4849e1068db4bb277cb0c1025695eaef7e8e9ffbef053b1534d809281996e4616231dbc1ba77d89267a50ffc4578b74150a7a20fb03105f0daec19061c620acb

memory/2624-216-0x0000000000750000-0x000000000078B000-memory.dmp

memory/2592-226-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2364-225-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MAgAQwMA.bat

MD5 220836c588988350a160d46e7149ad8a
SHA1 ef6d8ecbe4dde21e2a3009a7b6b7991e5791aebd
SHA256 cd2aeb19a3925e5fefffa93b63bc6a4df16fa27cb5922519776f28bcbecdf2a4
SHA512 74ad3a133b1f98f74a44ecdae0e0756f1d98ac56acbfefcbabda0a1ed1dcb01c9414b133e3385151382c66fc29cf3b43eb36e59719d692afe549885a52b9d3e2

memory/328-247-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2780-246-0x0000000000260000-0x000000000029B000-memory.dmp

memory/2592-245-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GWcMMIYc.bat

MD5 6557665cdeefd6a9beb1b23c0608a7f9
SHA1 c77907e2ca34e4e3620a691d45bdc251f6fcbe5d
SHA256 9a25e8615ede38c37b1fc9953e55db6f2d251438761f47abda6c5728076f9e9d
SHA512 cfb84ef0cc2b42300a5de4487c19a4e4637dcaf38e66619ccaec3b6056993d1d31fce695c046f4b719a73a30aae39c2ecfb20309eab1b19400aa995fcc67e94d

memory/1748-260-0x0000000000160000-0x000000000019B000-memory.dmp

memory/328-271-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2420-262-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LUwEcNUA.bat

MD5 da792c8448c8315a4dee30d9b7562ac4
SHA1 78d073f1eca4319b424fb354948b0d32194ff7e5
SHA256 699dbf611be2145a7475e056d7c7d336e12242b9e0d50c492049df443db5871a
SHA512 56d9d59633305e01ebef8fc2926b709078480dca5ab4a20e747f4b18cc2584211043c15fd3d51d225de1effc905d4cdf8a3e3ebf9d7a12da98c1077fd0ffa652

memory/2420-294-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1764-285-0x00000000001B0000-0x00000000001EB000-memory.dmp

memory/1472-296-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1764-295-0x00000000001B0000-0x00000000001EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KUcMAswU.bat

MD5 fe60cf8c7db65a50451c54e9d42a8ba9
SHA1 629787865498602b802aa4f61a4285cfb398a568
SHA256 e77e87216b2028a5b47b46ca9d9a188e74fefe43ed6a687df789d51423e4a206
SHA512 92f51de496a139512fb5036bfab0c197090f91a2970a34680a0b7eb44fec7be68a99876db0f8c875c7192543bfb30b30f7dde293a89ddd730a3e024724ec899b

memory/1604-311-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1472-319-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1604-310-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2188-320-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dAkkUsgg.bat

MD5 1d673b544d201412592f47e1fe88fe26
SHA1 7b15ce28c228cabcbe124bc0955d46f9bf7a1fa2
SHA256 acdb4819bdef9a99268e753dea8499216f07c0bb31a7818918adf743769a257c
SHA512 451a13142dd68a816c4bf02958785afecd02aebcc2f5d0ace9e05265d4c34878fc040a3bdfa42cb832992481ef6d8b92a2453c17e341368692dac8f0389fe200

memory/1640-334-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2672-333-0x0000000000170000-0x00000000001AB000-memory.dmp

memory/2188-343-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ikwAcsIQ.bat

MD5 f6b6ac0662d0805be08069e91a3a5fdc
SHA1 1a45275de047c5530a60f98fbe60214f755c1046
SHA256 809608445e9dc05b26958216606c721200cf8f280af1f3d44694cdb439f13912
SHA512 31740832436ef4242037d0eb3d461b11e5fde16f5672b26e05a7823b46cf7097e9cbe0048944dec8dbfa0f547e0694150f24e7eee93f40b8bb591d711467b66c

memory/1804-368-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2440-364-0x00000000001E0000-0x000000000021B000-memory.dmp

memory/1640-366-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YGgkQokM.bat

MD5 f1fc603276035da692f2a124133fe1e9
SHA1 acb1b932092c3b27362fc8e60baf0ee98b929730
SHA256 d5ef1e893621da1e998ba791ee7c1cb76b9fc5844fb0f27f90c53e3f895d0103
SHA512 35ef91b900b73856ffa66e8f06b082750390f899547f9e0031515c2b6acd483696f3d7cae49ede3ddae1a89c57478068edd197b193eea18f14023a582bb71de2

memory/2792-389-0x00000000002E0000-0x000000000031B000-memory.dmp

memory/1804-390-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2792-391-0x00000000002E0000-0x000000000031B000-memory.dmp

memory/3060-392-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QuEUwMwY.bat

MD5 d50b689a54d1ebfa4b2dd328ac1659aa
SHA1 f7c2b10538555605cefc87d993625b2af283fc22
SHA256 74dc8d6df937113cc9fa6267fd7034150054454f5d1f04250118a8596a99d9be
SHA512 b8304df6c81a899889b5868e12047f6d0e5785bf88809975983f7d7e23e1d42331ab928f97af5337c4de360b135982924e7bef4e9d1f3af9c6a49bdbc16ff50e

memory/3060-413-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2092-415-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1744-414-0x0000000000160000-0x000000000019B000-memory.dmp

memory/1744-405-0x0000000000160000-0x000000000019B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GoEYAYQk.bat

MD5 b9dcdb2ad4c1eb6a43accf03c31ba435
SHA1 2c6b0470ace051791c562e0adcbbc33ca933d79b
SHA256 4039bf326e2ca455933a05314c066daedf0679872df75e3e14bc298e07d329b7
SHA512 3e1ee52a3d8ca410903b24318efa05f8ca43dc833e03318d8c08e69c8078ae48370ca6b02e9b02be497d42d800429174ca449f15905b04efacdf7dd602ad12f0

C:\ProgramData\PUQYsUkI\HEUcgocU.inf

MD5 e54e29644d0609bff2e754de4e96583f
SHA1 f4856254dd6901df4b52c0d5424fd94019b2c7bb
SHA256 2a60f6d9fc8c4d6a6c3e3c7159b61cfffe6821d7df4f060756296cc6c9e8edda
SHA512 00f2022f64476ef294bab5f1dffc73710fdfd16cdf4245253ca33389b802819ab41f4e39c672aa4e4b40ef729f1d26ad0c09e0bd647cebb8fc6f5cb2858d8de6

memory/2828-427-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2092-437-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\DwsAIoEY\FOcgoIsc.inf

MD5 7d62b510ef400c8f593e0b2115e748c4
SHA1 102a791b1809407a7e12dbc6aee782147e63ffa1
SHA256 e2732cb8425f19b3ff67f9bb069bf7d5409eb00f4d2692a89f3339d252a4bdea
SHA512 ec2dc1834525a41306438f52d49d16b05ef04712c98e511353bf94023a781ba142a76de05ea4121973a2a25df81fa30e5a476081ac9bbd5b953688b6eae3a87e

memory/1664-443-0x0000000001F00000-0x0000000001F22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WeoMcock.bat

MD5 97562ffaefaaa15dedf3b040a9e634c7
SHA1 07600eba8d6a0cbb7d4e986f30be6130b05f174f
SHA256 35d49520415899e7f1aaa5fa53cf62bd710e032bb6b73924b6e5909e4304be09
SHA512 52d130d6dbee493bb28c30eb5f45b8657a88a1bae02e84b87dca868a54794500f8381d66a35bf7610d53583404dcc83f55ee2232be33de209f6be43ce5dd5a15

memory/2736-464-0x00000000001A0000-0x00000000001DB000-memory.dmp

memory/2736-465-0x00000000001A0000-0x00000000001DB000-memory.dmp

memory/2828-463-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2300-466-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qaAsAwkk.bat

MD5 327acced86335a06e3dcd674d3174139
SHA1 60b73b4dc55eab373c12ca23de3896a6c653f6d2
SHA256 0967f6eebe79184684b2f1143baa9882ab9c29d7eae269aac8ad2c79ced92ad5
SHA512 a4b7cbdffc6b3cb4b35a8dffca050a467a1aa9b6ad3d29cd13d3b328404f78a57240dc46d090613a36ca8762b189bca4767ea922c1783d74ea29fe4416a0a58d

memory/2300-487-0x0000000000400000-0x000000000043B000-memory.dmp

memory/320-488-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PaQUIwko.bat

MD5 b89dae8f25330eb7c65958be7fc13016
SHA1 7e0a3ffbe24dd94a8ac44fd0a388845760aeab4f
SHA256 8817db1abbf193110f949ac2796ccb47fe681c991d2d086ccdfe56d37fe8bc03
SHA512 936d42e8fe20a2b2a86fa7436673a1281a27ed6c6b5b0bc47d1b6668d8162f3dbcbf3782d89f39cac2b044aa446b5dfe816cb6ff6831d16c70374adadbb69a20

memory/320-509-0x0000000000400000-0x000000000043B000-memory.dmp

memory/816-510-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2408-500-0x0000000000260000-0x000000000029B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\imYQkkIQ.bat

MD5 331e4867eeec971c667dcc6a0c3c7ee9
SHA1 280f396b04004ca27ec8ced105cebd634a816dfe
SHA256 6686e32f39939f190fc57fe881f5df5b0c994fe73b841d56644246cbe9bd8af1
SHA512 81e5badbc83c3b2cb273b2d18ef97e1670774666576a4df1d6e0bb9d6ec76f1a42505f7928e8cfcf4b49df1f84a025486bf53951e94c848b853615d24d9984f0

memory/2844-522-0x00000000005C0000-0x00000000005FB000-memory.dmp

memory/816-531-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vEksUsAI.bat

MD5 8590e8894261e25567c811154c920ff7
SHA1 b49c1bb12a9cbb859d9ca568f4b39d1f02534c5c
SHA256 b000f79547015fd882334122016f0e75ce55ae1f31da927ec7bc4b40cff51067
SHA512 7fd312aed04ff510e2610099d1293b7d160a6ec6b2c9596a485e5b228094be69d4f1bba1d751fb4c9b7af8fa1969b76b2bd384dfed25fe53caf51ca0d6697a81

memory/2020-541-0x00000000002E0000-0x000000000031B000-memory.dmp

memory/1076-543-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2120-551-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gkEEgAEc.bat

MD5 20ab3a373730e597f47d0ef53380d565
SHA1 0764d6a6fe9bfec0a94cb7c6541639727a14a096
SHA256 07ff46b9c0318461178c8e92deb41b255677bf3cca2d772e3d286f82bb11702a
SHA512 2c9dd7d755a01ba99a4e40ba35c8c15dc618db7e5291af741e9aa63900f4f757cf7ba57d9acf767cec9a090df33da1fcc030d4803fb690d1e188fc9c4e15fb26

memory/996-561-0x0000000000270000-0x00000000002AB000-memory.dmp

memory/1076-571-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2452-563-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CggUsscg.bat

MD5 0a78dfa8e79e16312b00beab7ef2f390
SHA1 2121d199e6dea7b7ba5a99dfd5579a97dafa9201
SHA256 fbe69bb672141b733d8d78db6509accde81258585aa2f74a7dca69d02457ef73
SHA512 0ff2758ec7a03c27a6ed988a47f5de5536a4e4db830633fe7288a0df2f3012d28ed32ef34cb2fc3788b4dcdf1fb25d950a8a57346802edb1fa2affc250195958

memory/2556-591-0x0000000000160000-0x000000000019B000-memory.dmp

memory/2808-592-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2452-590-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EWYkAssk.bat

MD5 c396e88a0ea4fcae0932fb29ac170cd5
SHA1 a279932ced35ca37d8e0f7d2367940ea5bb73c3a
SHA256 e7e07096804d57fd96a01bdb40522f296b5d767559f3cc00dd1d30141114194b
SHA512 e4409dc9da036898e54f01ac37c5a2ef3be245964d47adbf11729f87f6a68f51c113da238af8cc608d63ce2b13da99ba59dea5341095d13aa766b81cc4eac14f

C:\Users\Admin\AppData\Local\Temp\fwYe.exe

MD5 da22fd8a3b48dca52f268dcef6f1cb3b
SHA1 11a6070428f77a1d6593047adfbf8f0e238082c3
SHA256 81eb656a0ca7eaf773083c547f69877398f0dc65c8b394c0b214be252f3d55c4
SHA512 5accfe6d764c57a209a441bc51511fb73a5c53e4f6017727bb213b64636f7baf03fa1d020b8ebcaa9921ec57b1ed983a3d79e66fc9d390bd330558e478d9c3f6

memory/2808-625-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1740-627-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1072-628-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1740-626-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KSAUsAgM.bat

MD5 bd5b4fb7dbc4ab6a30c6232da3d1a388
SHA1 9c7d77fc4cec947b41c3e5d95daf22e49078586e
SHA256 6140c3585fc5f392aecfefc11d9b525abd99ae50bf32d97b49ae7b1bd4be675c
SHA512 16bceb7796536df6df92ed6a51030e03f07962d5cd721760fcdc0403b67e06a2ffbf47ef42dc6dfec4bb265306779127b9047ea024d0d5e80060413eb0b7146e

memory/2080-638-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1072-647-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NcooIEoE.bat

MD5 f6510691a4a865ab657d8e20d5d78400
SHA1 1315385cd0ad42607aee5dbded2a03a781a75975
SHA256 dfd378a4d802c0da8af32756533d93ead78b10c3ba518a033e1b3ccfc5e6e730
SHA512 409e0965647cf75a20c801779a8a1e62e561d8c64035c0a942d8e107f400ae9205efb858d371a935e9f3a6bbf17592269a070df6df3d7995e182bf09a96ff084

memory/2352-657-0x0000000000320000-0x000000000035B000-memory.dmp

memory/2080-667-0x0000000000400000-0x000000000043B000-memory.dmp

memory/576-658-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LWMUUYck.bat

MD5 7484d9d53f69453ff95b29869494b042
SHA1 d008d1101fb67c3bf8f1229cb4045012b76734e1
SHA256 2af01d1ba643884217deb9b7f09d3e9d719bec850ddede39f2f9dd10c2e53606
SHA512 8730ecc456c15cef4ac057230e7fe3569fb0a52e377383183f38f81defe64759b3be3118608be182d95f8af3e2edf8d0a8dd637481d33f54beb7b0c3dd32c1d4

memory/1680-688-0x0000000000400000-0x000000000043B000-memory.dmp

memory/576-687-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1632-689-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oacMUEAQ.bat

MD5 c53a51e5a5d24867d71367b1e662765d
SHA1 db21ceb7a437e2ffae4205f1c7cdea63a86354a7
SHA256 8317f3525aae4c0cd5113fb079e282c3db3a7ea5c996b8cfa1a9c9f75eccf730
SHA512 bb25882727ad8bbfffc0e7aeaab91e9abe75751d994a308a84c5521a3b2fbe03d3f983d9f9f28f2cdc045b2a820ddf0389975e48a262b80d3c6d122ea4208e90

memory/1632-708-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2948-700-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wyccMgMI.bat

MD5 46761cc80f04cffe806932307a8f8891
SHA1 4baeaffcf287236c561b5b718413e21fdee73c77
SHA256 f70c090ca252e1a87c8473b377619828a471316042819c1da623c7000115028b
SHA512 dd65047af0ebeb3d3ee15762917d425a2730df5595183b9efcc580162d9ef97ae69f72c7f7989562288031107181e0234a2bdcd1c30dbe791d7825ed4a0cf13e

memory/2492-718-0x0000000000260000-0x000000000029B000-memory.dmp

memory/2948-728-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1192-720-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WEEcQooQ.bat

MD5 703dabf4d683baacca2cdb5dbe688f91
SHA1 5b8d1efa6fe9b93e9d5ad2983b5707547df50dab
SHA256 51cb2fff1c6b481848b2f485bb9b86b8ce44b9967a47844559f602c8aeed87c3
SHA512 8b6d822889aa10980be903238127aa6677b2af51ebea77c5d8101e0dddfa9190dbeda6e19a90ab8b4f80d65535e04a47cee9d9ed70376e9b746bb1f592b32478

memory/1192-746-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qQIi.exe

MD5 171e5b7936f87ea534ecf605c542dae0
SHA1 1352e972e350d66d87902ca35d9a80680967c443
SHA256 f96ccc9817c7fba58d892b759146a411339979c76f042472a99226a481a373ba
SHA512 d00575fc4d0ea597d9bd6a1e98bc21e6a1a77f5cc855c7249d0c47b5408598d4b2f88a6591cf0dacf5db59bdfc7bc44fac7ead0ae533a1809b1b31f7fa49a6ff

C:\Users\Admin\AppData\Local\Temp\rsEI.exe

MD5 0d408d8e76043065d96ec260f239ef57
SHA1 b72884caff7be3cd702527efa6baaf4d8aeea6d4
SHA256 a01792fea12638f8e4e0ab696ff76efab74285f3b7cd2221aecf838d2a4d2f93
SHA512 c37c30ed8815e6ed199e3dc99e14a4d19c586362319763c6821c614f235db3ccaa6745c2eaa2ae0149ca01b39880712d30923c5b634c38177d255564b71dcba9

C:\Users\Admin\AppData\Local\Temp\pIIg.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\GIYw.exe

MD5 aa169e9dab75062b8ec17286526d9122
SHA1 6cdc8ecb480a708bcda180dd84a4daa1f83f6b0b
SHA256 e7c46ce598149b790ee5d1a7f8fe7fc9f61fc33a9909b9c3a333e1c74205d54c
SHA512 5b6655d227dc72a2a52a982d7558a6cd2ec7dfd560d29da3add261056697ad113e33034d1b743cb9b5907182c108c9a1d8448f06138d20ea39c6b976e878c344

C:\Users\Admin\AppData\Local\Temp\QEsW.exe

MD5 fb7ab3b6c358dcdf75edcc9914b7c525
SHA1 e7c63c764350a33bbb4c524ca539c51c4c128877
SHA256 fece08b2a3d7d9d7ea09838f0538a9c8388a9527d0974c505cf2b3b53b4fe1c7
SHA512 b9df02caa9657dfe2a018c577485b993124605fa5d672bbf7ab94867db12b28d569aa10cd090048667472eb64d5d0b9a97ffa264a7488dccc04343e5b6939a84

C:\Users\Admin\AppData\Local\Temp\vQQK.exe

MD5 cb36c1bcb344931d2e58e1b2821030e9
SHA1 802eafd1dcc1436eb197653d1efb6d6dbaf3f295
SHA256 7dcfc8c19eea990d6bf93ac4d6002a8ee44b1708fd30156323f25c69a70cb925
SHA512 ff28c5ca9f18a750f3d636430e0b464a174c5c91251193a8d16705c73cde70275524011a90b54d1469b50a5002b48788f33b72d5da2a180fb3bf3f6e4712df0a

C:\Users\Admin\AppData\Local\Temp\jsUw.exe

MD5 d0a29ccd3665ee95168ea08e6ef4575e
SHA1 2a1e9b076f94779be2bb8430dbd02b0aeba6c83e
SHA256 9a1b7727d9ea7d1d586447388ee824c0b58efb6cb64cbc515351a11c60aad4f2
SHA512 eebe089da6322e506c598c359cd211ac3643e9a551eb4bccb28d78382138a61326f8a8c709312b6e0649c564ec3381ce0dc98d553eb6ea13108000ef1c5c6944

C:\Users\Admin\AppData\Local\Temp\wYwg.exe

MD5 dded33c6d3373803d3d2f51ca0e8a202
SHA1 042a79535ed584a515ece85c7ee2b87d7cfe2378
SHA256 700a1bf5047e1396d6e40dd4fdecff7e3bcb89c28248069bab9142d24e25a147
SHA512 f2495531e5821eef8b14fd546b1318fb36b379b2c9594ab64f68e56addefc4719c586beb3e94914c5833c3481ee67faa77a072b81cea0ca7150a4fd109393ff2

C:\Users\Admin\AppData\Local\Temp\gQMC.exe

MD5 71a3d85023dfa25e2d4f24e7a8617fc4
SHA1 5c8e25c940faa415aa719438a18ff850e4fc91d3
SHA256 532c25e537ebedaa31e7b605137da47e2a3fcee0416786b4aafc5b200a480353
SHA512 d4ec139a4ce12c381268c6456b29bd5bbdfda29a13dc993f50a101e98104a72fc49568cb9adfaca3bdd06d2dd96313a4d0bb70226c4c786d26aee9e988f12952

C:\Users\Admin\AppData\Local\Temp\SccY.exe

MD5 b5e1afee24697696b8742f1acb1aee31
SHA1 d0cab8849a5e8589103261f18b349165b41bc7cf
SHA256 4dcb117522dd1224115d083abcc22e06387647361c3fb0d075c40213335d0da5
SHA512 92a557785b023047311633a3b48e3e0c83c06dbaaba50548e9919be6492a0efe051c6e12ba9675fc47d8c55c80946dc1280caf2035ca58a239b2c59ca39db83e

C:\Users\Admin\AppData\Local\Temp\SQIC.exe

MD5 81a9a55a47f98e5c439112c68614006b
SHA1 12672d9e5b47fd4cabb84ff798ce9daf4f818220
SHA256 faad5a06b0474684d1c4991a8eaa3b9529358c248c07cf722f84fb33de18b8d6
SHA512 11c8d1af496e3b69aeab88636af7cef3dfe2b1e5087bb1c967d3ce60320fff4c7b9701854f13d59cdf88a8d4d0f27566fe3f565fd848f34e13bd90e475abc67d

C:\Users\Admin\AppData\Local\Temp\AIkw.exe

MD5 102213453f0f7de4a69628ece63768a6
SHA1 8b37c47388ee133da6a2125d6d774bec3f5081f8
SHA256 eac81ad6350e087f75df86c3439b4edb180e01231d76a6234a4c81e12384d08c
SHA512 a706a2c662a1fbea22af537396d606d6629a0776c9ddc1edd730d47818d78d2ed4084a4a38c963231577fa687f9d7904a1fa088a7dff0b20d708c3b02238543d

C:\Users\Admin\AppData\Local\Temp\BkwM.exe

MD5 131a2abcef8e84c2d10ddf9bc4f7df08
SHA1 dde0f9ff669a8b4a752d10a9feb2c15acb397691
SHA256 13f84088f449105b6e680a5e0482eff8a00460f7f61003039fc4e847bd9f7916
SHA512 0f1a4226c5659ab7b98c3d6f1fc5c20a78b121a72474d52294e4758d6de273561352a804b8c28baae12acd05d80dbd569be63554450cc795784330fc43fc0a52

C:\Users\Admin\AppData\Local\Temp\VAAu.exe

MD5 a4e027937598373c4fba9a07335d130b
SHA1 a3e1b71e489cb13c4d0d5394bf3386423d5b0516
SHA256 007d9f83b42790ad66756bf014f70fd6649c2988c53b2c96072be5b18f2f81c4
SHA512 6cd8c39fce443df691ae60a2797de5508817be991025e29103e1e990d9f639777142b020c7d7d8574fbd88c3cc5acd8038521497c39c3391527aba8c98d61e9f

C:\Users\Admin\AppData\Local\Temp\YooS.exe

MD5 182a19ca711c6ff9e1490142754f5e32
SHA1 43b08d60dfa82815475eaa406dd18ed72fd17625
SHA256 a5035b01612aaad2189b633215300f1894708b2752e29f442f444133ceccefcf
SHA512 58e0391f17f21bd93612f4548bfeffaa133b0d0e2e11be1f48049b627baef44d93394b9ace9e9f5446608a0b2c3aaf302807b2771feb3969b0adee11afcb3460

C:\Users\Admin\AppData\Local\Temp\GooM.exe

MD5 4f1e32c00fd6402372b91034f6e0c0fa
SHA1 fa3461033aac070985203d53ddd333307f1928b8
SHA256 778f460cda651b2f4448065ad0e22ddf153ac83fd402cf1894da2778f8472762
SHA512 644fa9c7de2994ca1841be11eef7dddebff47ae7c417a3ff74eb491d4521e700b740b1fb368f828d02ff40004c392743d75441feee509d93a5752d26a2752ead

C:\Users\Admin\AppData\Local\Temp\ZwMm.exe

MD5 38f892e5bcc70a8f2a0ddfdbfa7fc141
SHA1 58d8cb19dc3a26af9324c5f87c44f74c1bab173e
SHA256 56b09633d19a59ca212426025a37d8208ad94cefb2d564498587f19da16975b0
SHA512 de49e3e4c191e7556a804d81dae6285e76a8a8900a6dd25abfe375eae45b9bfcb7abe97442ab988cbaf67e784a5ca49e6096c478d12331a7669097006defcc68

C:\Users\Admin\AppData\Local\Temp\aEQC.exe

MD5 54a64dbb261aebd424f3093f771b5c09
SHA1 3965a90ca3508156702ebc495f30f3da20a26797
SHA256 051e228e130e4cadde3d15b78311c0535afe9743e44cc6ae54c7318a8900ba14
SHA512 dcb624d18148a153828e7c64232cabc9224eb719b4dfa64991ef808b1e2602dd6b975ede22e559ae34aa4cf1793bc65e6c6e69b835c10bb3a985abbccc3e0e51

C:\Users\Admin\AppData\Local\Temp\VEsS.exe

MD5 5240893b55e71f852a1edfe0dda7c13b
SHA1 e33f0388b2884a429b25d4b5bd16a31bacaf1f73
SHA256 3daf917fc7da4304ed331aad7032961c1850229250ced4c904d442a29d7ba4d0
SHA512 f19ce21fa08fd91bb142c9d14a0ce95148e640e7db4f27f7173ac312019c1deca6d52175aebf0313b3111840586abcfb7714c4bf7203aebd9102f82f7d9148b7

C:\Users\Admin\AppData\Local\Temp\GIsU.exe

MD5 aca32dd0f8d49c8a32e57584312aeb4b
SHA1 0b714dc9c7b94e14ceedcdd7dc4f9316a1d3e71f
SHA256 76dd5b585ebbb6ce4177af1dbbe072bae67828cc456585e1637ddb555e3f8492
SHA512 4cdda69f5176554d5a9ecb0531581c422dfe7625c2639a2ec53c1166f9d9ca4eda450e04a55e80ee65b9f7b4ba81f067a1e9901059b35be768ee2d936294f669

C:\Users\Admin\AppData\Local\Temp\iggs.exe

MD5 4b56255635a3583ee1695c0b71d0c7bc
SHA1 750ddde05041f56500d8fce75b3466d57412499a
SHA256 98a49d509c81083c16ecf21fe5177900e56d3733c4e22657ed388ec8c8cf9ef3
SHA512 e35d9a147e94068bb0bc9c36d52f285f1be45d456e342b56d1051e094eaf4770e48445219a7c60a57e2c7161b22856a4c4e8f7474a9847bd183b8e5c2048451e

C:\Users\Admin\AppData\Local\Temp\HkEo.exe

MD5 5c06c793cf16314dab78d8cecf3ebb83
SHA1 6ff4c54156e05a54f084e0847d30a4bfa42e17ce
SHA256 1b72779e4e6f2e72ec24de80823741176d9c107edf26a4b85e1eff3aa6720dcc
SHA512 f506227fc7b9bb4480e9cd18b997413995fd009f2b7131d05981df7861d5b9be66fd992d544cc1326aacfdb5fffad81f1cfe2b9907b1dd36b4e5f1150cd138cc

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 88bfbdd20128f41f6e44089cf0b9446e
SHA1 abd6b9e269b216f2f278aadd4e341673535bd8ea
SHA256 8425ab7dc70747bed46c0a5ca9fbb477c8e85734ceb8c33376f99b17189b3475
SHA512 184127f37c1043dca5f1809b50536910f312adb1a4a753d4eec5e536964270dcd32b30952d9b55e2a13b5ffdf73c4da844ec1606359b887d8b5debef4fa9732e

C:\Users\Admin\AppData\Local\Temp\CAkU.exe

MD5 50ed157a559446d3fd1417abcddd3802
SHA1 2afe8e465695cd1639d1a2a404a48d2614069189
SHA256 71b8951be43973d9839a3e574ceed1f643d4a12dd3b608f7426497f1c08bf781
SHA512 7b00eeac6e6daec9795d1fee1da389146b959f3f8b764d52d11c8b5fd2a636ebd3b54ac8e954ad3c30d97664ad92563b54d063e0be4b9bd01c16311ced17ca42

C:\Users\Admin\AppData\Local\Temp\wwIu.exe

MD5 620c086326064722f47078c35d52e830
SHA1 023644b54464982d30a709ececfd6a90a52c3298
SHA256 977d8c7fb534b26b54ae2f8f72566d3a17a45d7ac653def13b3849b9628034cc
SHA512 07af82c669a431340d1358717ea2acbdde41149ff10f6617e4e9a6adecaadd13873f49b6f1bcdf634d0414e1293ced50d1a3185a12eb4a458d6f5abd8a941bac

C:\Users\Admin\AppData\Local\Temp\Okgq.exe

MD5 51362e21549212b22e411e737ff18ddb
SHA1 8e15db7537a9dc2619c982704abd1164917e4c98
SHA256 cbed7901f06c0c129ca49ee5f26849b5766413756e1b72ed0fdb5fb9528d1135
SHA512 3b08af4912d96156ff2d8dfd829e5d4ba457077b5a1386734479205aac58453cdcf9e4799a15cecffa9e94298e28115c818c75114ad0f93cd7658dcaf44595b4

C:\Users\Admin\AppData\Local\Temp\RQsS.exe

MD5 7ae9db0c12c76c2f75fb64911b505960
SHA1 a62e55e5375a2956d0f79ca6e92e07b713c80eda
SHA256 30b2bf0da9522be1cb58033b98f5ce47afa5fee117371b4d49c7f885b3a2ac95
SHA512 33ee5131fcbb2142d07b1f2ee52e21bbd944b3721c5a1d5cd674fad036873873900d06c0edc6868b6742b175b024b769187a3a0f9e12ae26efbd2499b60dd046

C:\Users\Admin\AppData\Local\Temp\rEUq.exe

MD5 37981ecc6bf7775fb8f6909e4e064c45
SHA1 81731189c4fd22beb489307e94b7f5aedda141a6
SHA256 b2a9a5b2191a02eff390f1a591a5f275b3d1366793a47783327a4bbc90c1f59e
SHA512 18f388703dc3632d63968e6b48eff63d92e45ae46f6b555d9e97185dad973b39668132007be218cd59a7b155a4540139fc61590cb9a7457e5322dad6942faa86

C:\Users\Admin\AppData\Local\Temp\UkMe.exe

MD5 f5b1ff63f81fcef3d093c637be7528d4
SHA1 72c31e77dd33c2817bdcdc02cc3110e396917115
SHA256 e2fc0e3e864e097b576165e06f2010835170107a1d0ec8a40393584eee1f9d71
SHA512 eeb166c7dd4ff55d6b279bbbb65c29adf13133e80c0a0863e89b424f681ce8d0553abf390a23434f3d125f643b5e094333c20c8644ccaa969e8fd04f50b20d8d

C:\Users\Admin\AppData\Local\Temp\Lcwm.exe

MD5 c43f7a0e562574860fe0a6105a815d9b
SHA1 b41b1b170f19340317cbfedf20e2f4918932517b
SHA256 3b3a8a70def2efe00e28214cf4e9655ae2b4b188adf01a2bd003d445c546d5ca
SHA512 9ede0cc8f084f36e56f4cbb654d1ded48e42deef9292fea1696a7a17e5aeb9f80d32bdf3d78c92638ecffbbe67c497ea95e3bd3cce68150dedeaafdfb7cb8adf

C:\Users\Admin\AppData\Local\Temp\MYUC.exe

MD5 9a35391a8e17b18127616ff33c351a50
SHA1 ff84df2fb990641391f6cf9294dc071dcbc522a6
SHA256 5e5a98518bbbc3a4d930abfb13d511ba0c136a2478abfe2d5221138848cd8bb0
SHA512 9e63cd2afa5c94d43da981c32d8ed9fa0874fe08819d42a5fb4a57fc6b79f37ee4a99412b851634b25380af561968e2638a43f38b8d14fec23ea04dd4fc4c607

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 d9a3dda95f55b0e9fcc483680da30367
SHA1 015195d69a112fc6adb0f6d64b057a1688205caf
SHA256 381d81fdde70669b7c134f002003c5e9f8b56277e03f74b55db0f0625119ccf8
SHA512 0d41d5127f1237826cfa380744e98ea25ead020357cd3dc82b2c1520ec07fc78f84b9175b4f041800cc596c7e9db3843d69c38f5d3edb7cee512e45d19852f38

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 6f6b56611a901bc51022e9c3f44a5110
SHA1 3b76cd3c8ec875ce1e92e2078da5c61aca492fba
SHA256 4cc973d85672d9f92568c90bdb495ff80ae91f8964b0f133b68c126d44bb3ef0
SHA512 e86ea6605fca300453ce866ecbbbe23fb607da1c90d4d1a9a11db0cc70d573209e0add6d983178a4169052ebdd87848183282a0e04998f603bb234c67c1eeb73

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 b808a2046b2ae231d868d84fb1f608b1
SHA1 4e6b679acc8f879c565dec2de1cb84c916e64e8e
SHA256 8c7cea84f47bef438ebafa4e97adb5d3f3fdb5b62a227332d0521cad3ec56844
SHA512 8b39643a74d4248d55f6a02340792cf1edda636587d36129bef3a38fa7c4f3904050bd549c3c07507f759c3007ac12f1b867d357e1d1c7a7dbee5330a14df5d4

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 ac30e39f7d6cfa12b6f04ae869a85431
SHA1 0e0e8edbf9e23d13c77f681862aea1daa4e2eacc
SHA256 7b319c78132df64881f4a875b764d8b0a8d73486f9628aa0553c4c8f2a98fd37
SHA512 7087f828e8cf6ac6d07177d3e1091678c546ba9dd11930ba1eb50113e05691d90ca3b3d70843c5d29954cbff745e8ea4fe5f8af39a15807b8e4fa96343c03c52

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 3d5a48cf7868dcbd3780410465e7b7f5
SHA1 45c0631422a29b11926aa41a2c430554d1d15faa
SHA256 b51708024e8b44ca7e893dee39e77b5400236a0cfdf59b7c81b9f65815a2a7c9
SHA512 adb50e4dc95ab137b13865408b7cb6011296a573a744b30da53b68e98590f6bf5005d3f97adb6a6fb022ff7a469997580a33223dd2155a31a2d48f7fa11e326a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 80ccee6de01fd0180d0a6347a35776ef
SHA1 201aafe1fd7aba252769f4e99a5e7cc4434bb82d
SHA256 abd81ecf26ee2d322d2ab41eeecf59b1aeb58eb21b8ac921b5d62fe4346272a1
SHA512 0c745dfb5c17eaf17f6a70e5ba1c00fcbc654698d3f27c0dbc8c9d616d55c9839af9eb97b33fa5e67388de8caa8358e7293a1c10e3c4ac7509b8fb54934d82ea

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 613b238a2a1a1f11afb23fe2de05d0e5
SHA1 dca825803d90d4c2ed321c78c6ee1e8c6f6ab254
SHA256 aecf97d072ebdd38708db619550370a1b3787c656e3e190fe5064d1cd5936dee
SHA512 87e897d23f0f2944e0830441dc9b31b2e63d3d78963b20694a482e5b3673d2f15e2a4dc26738128823c1cd80f2003980a94456e33696ea172a81cfe16844e3b8

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 cb143860a533cf99e83ea8a6dab4a473
SHA1 bea0675b0c9dc48e6fd321a437c8834284c6bad5
SHA256 d7924d97fc57a97c6563d7d6cb157573ecb6d2870b2b89b79e0e5192426a1a97
SHA512 f6c9f9685703496a00ad0a2ba51afdab163d0010851d35b001d49f185b50863c6b43845af88ddb798b4f6bf4220fa9021151709caf2baac2fc75e40c9c79316a

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 cc8ce375fdeb8cea6a20e73754eccd22
SHA1 74d74494a4f0d4ab4ee84db83e3a7a7242de7518
SHA256 01c3edf4be76d64fab0a49f5d62db6e80b10950e887b52855c7e42eed372eba3
SHA512 510e3031e76e514a042acb7fee933e2ea5b3dc80e50a7c503ab4da08750a49c09f4a24430e4a533dd0433561f7dfa1d1445d18d83c82f485484c10403da38c87

C:\Users\Admin\AppData\Local\Temp\QMIu.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 37ecd0dbb0d65f3b204ae02f37c915fc
SHA1 6763d44ad8b9a35396cf12e8f8bb0e003c8a6f71
SHA256 fc0bf1630d43a1469bcefd2f5b7fdbe655a84f4fff6846589fc838bd56001a19
SHA512 5579214d87b69bf51c8b54062cfa9bdd1cc2882c538688f891905c0fefed0dd4881a5e76bf2c5efcd5864d85f2140e49c2a6debd332e65ca4c8256e18a709128

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 c7503eb684221b51eed1da39d87a18f5
SHA1 ae523a148978f105933022a694f672052fa6cb30
SHA256 f86ca006806b2fa1dcf261a189fda1ca23aa38b87907dc64bc8a63a36258a41d
SHA512 54f4e2a51fdf084538e6212a39c0057ded5773217edda6c16762bfb245b60f1a19174b6ad1a941cd605f48d78ebcf7c01172397df46623781ae7632189081faa

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 67190686258304c13c13edc547037e26
SHA1 4e93f11731982f7556a968b694ad6b235050a276
SHA256 8e389afe001517514d073d160b4e9ed342ec8dd4755fe5aa874824909ee7850e
SHA512 27902660825a2eeccbc4ad1720d27d0a20786692fc8e838dc12e3ac5b4f473882efc82a7b69056b91d0285434d41020cfc5c516c8cc8e43124fd450bf0280152

C:\Users\Admin\AppData\Local\Temp\lIUw.exe

MD5 a32aeaa0fb5fdd2f1b31bf76184f1852
SHA1 88ca51f71e212d7d58915b6254d833bcd36185a5
SHA256 9987e5fe9234d35659de14a4a75dcc89dc22f5319184bc3abeb66b7f7e176972
SHA512 6538dc7ebb2f9f398076f3ee9f013a08025f0c785ad2347c3bdaa7c3c5ddb05754ed16fa55c3b18bd3412387f8a2e487697db70b9b959b586c42da2078da58ae

C:\Users\Admin\AppData\Local\Temp\xMMc.exe

MD5 150f69f398369711c03cd5c910f9248a
SHA1 8f6ba5343dba5011925f1e87116f6b2bbad8d967
SHA256 4c1922d8ba6d4e8db93f2594714b7642f610d9f2135834ca0327cba7951801eb
SHA512 b3f609131b62bd409a79a7c08f5ddfbe21da7dee36de7e1619138b27ff8652f332569ea3ac48d9056d84fb3ed64f6a98c560c80b82a6fa6945ef7e2fc0acd5eb

C:\Users\Admin\AppData\Local\Temp\PQYU.exe

MD5 8642e51f38a2ce18b7906fd16347c515
SHA1 03497b74530eba928e77f9805af27209afec2334
SHA256 6130b1de59eac5d5c60687f9fdba5101e3e395795af49a2fc3a7b414c9ae4f7a
SHA512 09fe5b1b1c33b90c8f4f9aa5188645d60942ec6f4f660b65439c734066c9d94b371243f4f34d5512f408d385acf97fc08e70b7ad21d18d0a72e200ba97d4f94c

C:\Users\Admin\AppData\Local\Temp\uccW.exe

MD5 582de885f977be7ed74389c84a2099ba
SHA1 001a80de91a8635ad2a0ffb282922b2c17999b1d
SHA256 dba68f72a5f1a977c353ebc5487f383101095057e7a3d91b834716e812a274b0
SHA512 1892b63dbc9857f738d77c3f9f7040c52648d61b5d57c7003706b1cd8ad6454c3cf39b39c6722df4e31c83ee7ee4e4288cafc725a5bafd0e445de553b6f001bb

C:\Users\Admin\AppData\Local\Temp\pYIC.exe

MD5 18d43c54de7e9117e7aaca5413ebfc9b
SHA1 636f0242befc4636c89291546a3081fdb21c83fd
SHA256 ed5496c9171abafe92a3193b463a597a90ec1d552cd275a4954ac5a93cd75348
SHA512 5b23a7899a1cde9f79ecb9ad958bd33a5f1aecd22d8d0ad5b36cf0c11f377af3535d688e084d27de25d94f93e5760b2da36cf571eec0598a5a3ecca74317cae8

C:\Users\Admin\AppData\Local\Temp\sQga.exe

MD5 5120fa6c7fbd97250c1fbb5e07dd9caf
SHA1 27c733df751213c269bcd4f63b581b5117db9b80
SHA256 d8b80c698be00d7f600208554ddd061472809c049a5217b018fc016932a55547
SHA512 3f99eb39e0d02e2bec3b239e46dfe53a497b1468cca57d0afb8afc05822e90547d189b35552118751d935719dadc67412bf57bdd6914805945da1b0f1064b474

C:\Users\Admin\AppData\Local\Temp\iwka.exe

MD5 08085b9b775729e9b8220c7cf386951f
SHA1 4b86deb554c21c53e1d65915c383394e302df182
SHA256 20d6ac9e8d052e59b61854bb0baa1e752b5c7f7680eab2752ca9ef7169113d89
SHA512 fe01f0ecc9318075791629771656dff4a4fa02c528f4d03d5d8aa25a9080be25ccc218a808cacee9240715c45cdb4a0086f7b98aa56080610ca2a53d14992d82

C:\Users\Admin\AppData\Local\Temp\fkwM.exe

MD5 7d2c64ccea1dd4b8d4a9bcdb98b2b5a7
SHA1 5548b13c067c1444128512b5042e116c4845b5c4
SHA256 97d6214d2a50ca1c20c5d9224a4f6afea9d4e668c3052f98eac5d62af5b3cce2
SHA512 cccd270b813647f9ccbe15c8928f518d680213bb8eaece0f3ac3747082d1efb7ac4800e0e030445d423a99fec3221ae37cc0b80c8315696764f9af368ebeb778

C:\Users\Admin\AppData\Local\Temp\ZkkC.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\PoYS.exe

MD5 561ae61b4f189cb3da7268d41db9d348
SHA1 098bb31eff6d12de69614eb71410ccc847fda58c
SHA256 1606dd2d595293a3db648a06783bffad6d19f495a8c3965b21ccea4c43727a1e
SHA512 90d12e9f964526a26259f84aefaee0e44c7a187c137ff84f37c66faf9c25723dafc807b8dd1bebb4eccf2c75fe3d83ac84de3623896162b4c142fe6bcb7b79b8

C:\Users\Admin\AppData\Local\Temp\NwcY.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\CUIe.exe

MD5 4b3a2035f6bac5f3acdae37b99499b64
SHA1 09f9a49203b6325b7441c4900c2e078c1ffa4bab
SHA256 a152fb61aaeaab1dc12132376c65d213cc737f7a56396a7dca6cc1e35c2c7188
SHA512 3fce37eaaf6263ea8505cf108af8d09d12fed75c368f4d5afa58d15ec55e04acc981063d8482f6ab62d4f5d214b8db6d8fff5a68ad3fb258dd32a8991bfe09f7

C:\Users\Admin\AppData\Local\Temp\vUUK.exe

MD5 7f3fe9beb8a0fbd86001f16e48d31b8b
SHA1 fec90026587e74f153bfc3cf245962f8ff3db1fa
SHA256 9556fe4516f2fd0463773c3e79d61b102aafc71030dc56e02cf45dfd0ed694f8
SHA512 5aeade6e985833b868d945f922f768d9d09d271c395e91c744a5428aa5d82955e58833c43434032401e0cd229dbf63fd416206d6209457d4712b9b366bef4d6c

C:\Users\Admin\AppData\Local\Temp\sgcM.exe

MD5 9c6363a4bd5cefc1a011ad9e92b3b535
SHA1 c4f0ca7ce61d77eb8559f22050f73be6712ac4a2
SHA256 dd4d67af4c01a6630cd3f6d4099af97b208f5ac815e9eb6285a7383d92b5a546
SHA512 c01750873536245e92364d843f72cddb69c75b5d287406aaab650811d34d998644afc115578c7b6b29517669afcd742ab3da56413723ff20c64a8c5c5834977f

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 a887e92afc41b3989f8e58cb80c1ccd5
SHA1 d3549aa07fae6a84c0594c2820541e2e863e6296
SHA256 3e4df523c6c47fc0747d74f0e7ad5f78ff03ec4fb8111c8a3409006a4a897d35
SHA512 a1fc8cc00b114e434945c8133d332412bcb26f37fe051eaf2fc86042ab41fe193ad109fc3738caad53e57b185ed4a967f92adba7be9c48070cc43a39fe788006

C:\Users\Admin\AppData\Local\Temp\vUMK.exe

MD5 95b6308dac9788b07060cb96b5d4d606
SHA1 64f4062b86c78d53a48a90ef680c06dacd4cc4be
SHA256 8f3bc432e67c985cc92a204457d11922a9af5cdf65aac0f5da853f2cee25e264
SHA512 94a98597af976b28313f55dcb771f1491b1800ba0bf5335435ab74c30f2f79f50a47a4cd188ca37f0179f47a549e6381d63b895b0d784347220a30789f5a606b

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 7329489910a2d17e9a8cb04c384d5ebb
SHA1 32ce1b924f75b24d8d287b41b30de2d198a8585c
SHA256 0aa3503468f5965fad19bca72d53908edf3059a6e6db92d8a3075bab042ec0c1
SHA512 a8ff4f2cacec3e2a9003e10bc8acf179f0d4aa23029f57143b2839da157b6cdf227e70f6f9a357e5e52324d923f5a770ab206653123f1f079e7937a8752e4885

C:\Users\Admin\AppData\Local\Temp\zgIm.exe

MD5 bfae846777a30d1650c1eb6332fe51c0
SHA1 7d0bd727ca285275f4e245649d09357976ce759d
SHA256 1d09522ffd5ac4574695a4f85d15cada244a8cc9bcc70ac57a0f0f5eda1f5b6f
SHA512 df6029c9fa46e6865b6fd1a98f81b02ae4ebcdbbd133f7c12863ea4bf0e0939546b2b0b8740e5f07406de6caf4265c94254e945f78ecc3bc87d9e3e0cab1cb98

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 f09a2f115d38514efda9c154266b968e
SHA1 96e6979ac52f923a1ba414e5925213c7360c49c8
SHA256 6fcfb47a0baa187945b0888f8316a8f5baa4985fdda5af6df05e6426bcc2370b
SHA512 6daad4e4221720f185f13174cf38a887fcc50036b4d084bd89c21311337d41796cd9040a150ed2d48e94aabaae8bf3886ade57668fa39aa7111014f7324da19e

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 72000e57cd033dcba32d141c178766c6
SHA1 c29004055b7e2461532a662bbbe31c81263c7d02
SHA256 1ce2cb9400a4429bbe30c610447502eff2eb16785e71971e276ff690f6f40ea2
SHA512 5e3e22f986e371bbf93110e4231b14267ead69f8e0bae8f5d7493f05f60ad1b0c0fde83d443f97fe3d9fa002e02b6bc6675bb8456baa4ace1290abca24978052

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 96b889bea7244aaa5d0d29ee7cf7b31d
SHA1 4ca9cb444699a75d383610311fdd59a06ab1aa80
SHA256 88167937c3ac65c1ab14748173a065aab7397cbff0c529c17d25ddfc4c9fc813
SHA512 8dbb9d03d2144efe3ab3b203258dfb5962389940e203c9b9df3ae20c0692a9eecfa6fd68904f8cbed849585cf18d3d3dfdfeee06194eecb9a66ea0fbf9fc5300

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 bec95a813c52a85895f939e639d2b1a1
SHA1 928d5b680a12c1a9a7b298bb877678dd0ee753da
SHA256 d203cfe3d6321e3000ed5b7953a1a205720c0e32db8573265472505de107c30a
SHA512 90247faa2c8b98ad93d35999f8791f8801a750b9941a8a8074008023a9e272d694349186167220143f8f6a441745220efd65b9654493797ba3145b42d760bd0a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 d3ae8b1df909bbd078a0a82eb093acca
SHA1 7d79ee8642535736335c37cbdb7f5ba2ad26c607
SHA256 3da07686eb5cbc4073ee9e097af1c02fb80c8be7cebf4ff7ac1c7dc14daa56ec
SHA512 d3448c451e6d3c1587b78fd43601450c25126424e29e0caa785b973db1423323eb9821708620fcafc63c442af180da39704e4c9c8fe825d42189fc60d9422b87

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 64ffc1ba6b782f400ce1d94eded4c6e1
SHA1 42ce80be444f7c8c2209ccca41c390784e9f8568
SHA256 f10136c93d065bb71f48323a9f45ecdd8d7543bad30df741f908ae019b304928
SHA512 3b75ce7ada5e02572b9284c05ee62fe31c03fda7f9b3bf0d4862cbbd6152c2f4abde204f50ca3db9f9c137a41afd8d221e0580286a45da6ae0f627eec3532a16

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 608be248a0a5a6baf34a09bd7e52b978
SHA1 8eaf8348252f4cf6da1c04168d86c8999d554c06
SHA256 5093d3af7350d06e19e828b3bf0132ec4c6ec59c3099b4f079f6bcfad799ef24
SHA512 28e1155ddb4ec675f4972f819c5e9fd29ccf0747ab55c4ce65fa123866baae81b00e54baa646bdba79eb3d1d367469ab7c05b1dfa3d77669f20de16ac159dc34

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 630b0b1865d0303996798ccf5f00989a
SHA1 ad404cdcfff0b0ce71102fe7aca15e3b4e8f0d18
SHA256 6646bfde705bf1cb4e3d9d963fed80b5b3411d6bf4cfda61d4cdaffb978860a3
SHA512 ae75390c1313f7e67fc0fc23614f2cea9268caf9de0d86f29ce8922679d20f989537db3f2b7d819f60d0e8a62398b7bf45274cf14b2db12cd018817837c54a7b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 0a22e33e34ee4da3672a37764352efa8
SHA1 9e8a9fcc501a6d6ec68b39468ba544b339066e19
SHA256 1b8ae1502aa7592f791244c7822a316c8e43e4e852817bd56258c178d6c48f80
SHA512 ab7aa3b38832ada1b05fa0a40ff0a58fab2af9dc5729671a93b70ae5ec425413ba981ee4e8a5da1f7f62219da205fd46875fdaaaf76dd99776e9df72f2d78170

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 bc9526bdf8181497df8e6b81862b490e
SHA1 79fc6ff59d27463c00a43fb2d45fa3354c1cadd0
SHA256 555a1db99a362eb894a5edb3875ba66d6d3bad9d2823421d29f2a6789dc00f48
SHA512 26902c32788d0ed76ade0d28ce785d77e5f5b73cdcfe4b9e91af6b56f371505a6940086dd2a9b8ab08e7a94e4c043bcaed36a1e2cd9f90128cce703f266c3a5b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 7ae1eb1e5acfad8cad72efceaf5c518e
SHA1 b50079f3c2bd7b52d18dfa595f556009d4bb7371
SHA256 04f194127d6e148cdf52590245ffe2ab9024e3249160ec6e592ed4a40e7395ee
SHA512 4345441299b8443341b749273e1bb331cfdc081d9594bd1e265b5908b80b37a59a53b32eff0d8651b8a2c3afec75a6f69bce56a139c3a062b0339355c05e73f5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 41220611d5740a27b0dd947b6d868890
SHA1 be2948d1ae4619854c50dbcd39bbcd9b35eb89a5
SHA256 b85f04cfa916bd71481a0fd2f7fe0f1f6ada451da5277cacffb5e111d5fe8b68
SHA512 622bbe723f707d129df645839e423d3172e26eda4cde534bd37d610f05f3564f3eae8750f77edb4a05594cd0dee856de2a93b9335a24c45a3fe7af28aa5fe94f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 4452eaf120000570aff31e439ed57731
SHA1 4296eb55eb5e31241a6c81ea89a1093b79442c9b
SHA256 b813792b50619b66f7b8debbd32a2ce44422908bdaf9c6b5a0159d177bf15800
SHA512 2bce25ef09aa30be934b24d7131fcce51962234478317aa26b145362dff1aaeabf2614a35141e4edffa282d8c34f0f30bc6e74c9112d1d74035ee6dc61bab2dd

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 edd22b40b040c65fe473dc21372a99ba
SHA1 8fdfd745f5d07235b68bcabfeaddda0a4eac112f
SHA256 8ee5e98908cf29ef812bb6d917b776baae7d377cf1196fcd7a44351f8b32a571
SHA512 47afe29f2b5ea90e46fe7d218093fe4a2f16e38d0801f6f931a1ec4afb3dbea945ee2fae40e4c665fd1d0e03ecf6ee85b688d9111849e5f79ea7ef1285ad16ad

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 0109e54d57d3b0703c59b946e0d58a8d
SHA1 6b1d0e9e2b667d9288559774879c8debe784cfff
SHA256 5003baacb3cf2e9649204194a704e69381319c401c73b8e95d96a05a7c700345
SHA512 e86514cce096a3e5e2b60801c8c031cdafe255b69c143ead5b6db48d141c519ba86e700bb0d48c23a7fa846a012cd85b33c29fe2dd563e49f2d70e4eea161dca

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 bc78566387ef5bec09918686b76d1ff9
SHA1 65f648f585a2d600f3ffa8de3ae1c30f78526049
SHA256 f11acb6b5b8453e79cc5958d54a293feaf606c2f7aa443de6f1eaefdf9f896bd
SHA512 219543ac1cc60c1948c9f4bef25527bcb40bb8c2af13abe5a3afb159108bfba5aa02cbbe4504f3f7c001d443997107634d564ee47d5ce3dab32ba6a6a74f377a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 ff3b4b1a40ab001a57dc0a643f624ab2
SHA1 8107f78133710ca5c9dc7fca969f50ead8ab477e
SHA256 bf0cdcd19622fc6c2a22ca3b8401558696f707d1b6997ddbeca40e3ea9bed37d
SHA512 fff2a7741dbe8a2d77f1fa9ad4b79d0fe73af50667d22336ed3662deaaae2ce065884f4f63a499f3f23dbef17572d692e3f2aab76286bb65fc1b5c23a1d0ca09

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 316fc49239c8cdfd5c54d99412f5203b
SHA1 8102eb48e9f2b96fbfbf00920aaa6ac22c3bdd66
SHA256 d140b163c6a9025ad6b7900c5cb4414c647e3f2cf2a69318daac7e8454ca9492
SHA512 5be9a8bd24a56328879df21016120a8d5a541cf0ad328b8907e550cb63296dac7d9cedb13a9930137565091696e88a5bc0eefdc8418aa5ae0487c6c272ee9dd8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 a4002da6339b87bae1b0569e2d9703b0
SHA1 bbfd0ee47e9dda76ecc7ea88c7ebee9250169bca
SHA256 4571631efc48f425a91fe4e50c06f96187483aab808bc4e18897685753d1cec2
SHA512 b0a39ae2dc10ef61e65413479cd4522498ac00ebde005f25fed72a126c3adb20b581545ca54686bf4bd3dc82aca9dcacbf84d9f5f7ca0db32c518e6a1948a760

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 3b8117bed4974bed4443e889c45ef2bf
SHA1 f48bdc2f32a723a40f922a59826ec6a118d06b83
SHA256 43bba1caa9f8c3cdea2049dc0bcb8690fbbb7d4df55a469fcd737681822dd96a
SHA512 ae8cb2beab5a15c9db34dbec8c83859d5871c32d252cf3970d0539b1f39d8ce5b8f5c6f39d296f5bcf551a675fdd9097f5d651ee62538825284bd16c8e875737

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 d1e8ca395bec5c886079efa69cd36885
SHA1 34219aa545e3e29ce20d7df4c1780f25a953ac99
SHA256 a437028c0cc7803d2971e4f92c8c62b02b7ed49d8bcfa9935ba61fde72a750aa
SHA512 303004e7e0491e48feec83f36e8749c5714af4627193a7e4855293e88da622260a29b2f42128c0b860e9832e7228f4f16f33faaeb53babb62beebad4a908db0c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 9a090e040dba94eb6f93d701ba5d70b4
SHA1 dd9ed61a98e413b8fc51c64e2001fd2f893a2f70
SHA256 e1bbc604b68cc9e53a8e72e54d88568704737df49c5763814b35ea24ad8037c8
SHA512 ce2f3cadfa19a9c2ab2c6c32f600234deb5d56ebc3f4a5eca835c573e7f6ac7196d6f82f5bd46a948f99737b9fa5769a35d577c7ed93f8907c4eb6a266f2daed

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 fbfb8608d5628317768aae45bfd9cd41
SHA1 ac9534b178662306432f8380a3e27090a64682a1
SHA256 78ef9b578091672b5420ef48a64e4bb88a3e19179f59b02000a3e71f7af17a55
SHA512 ea3a02c38477103512925dc91c43464289340ea21d5b82f3600c7dbb506a03d72ebf36bac4f8bc7df7059711b0c89b5b946674e3c8277bf8c543e0d624fba442

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 359d9072878c538de0d951e710c8f2b6
SHA1 0bfd4f934cf75980ebeebd65a4b610206c4c0e39
SHA256 442e425b7fad36fc7183d5191c40d320cb0a95fa202bac648211ecf1158cacc6
SHA512 dc30ca796825da5e7aee1969f8f96876868b23b861b77d9bcf59279951420b585508748f8dc2d52fca2020f3a52c42473f62f6339800e0df5c1a1f5f4ec1cd2c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 7606544074a80a5b7364e95aff5a2e6a
SHA1 b0211e05647cd6b31e6fcd87a53a912c798b27ca
SHA256 c8d5e295ca284d658f35a97eef118be4d7edbaf39adc62e06d50e73cf5c425eb
SHA512 68cdc8fe6e6311dd639126cde223c9875d92fa2ed3c78f025b0f31e29efe1a12b6572bcd826379420e672d9dfa0ffb532f85f0010596947896a753985c145575

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 cdafdaf5cc0e2a09dd81c8c7e80780f0
SHA1 026753a6e81e92f15dfc8b0b35d01ba081219950
SHA256 1d45bad11d37d4dde8eb9612e84aa2dd7e976470debf8dff45475d31342df66b
SHA512 3feb4c20aa67887deeb314d2d2e7eeb9e8877f30cb8b256007b2fc7b51c366579b33602244c15da9414e26190f921c773f2e0d26aa34064ee5cf30cfee046af1

C:\Users\Admin\AppData\Local\Temp\sEoq.exe

MD5 94338e622cdc427dd58b69157ca9cd55
SHA1 c042ba49fce55a95eba8f5417caecb1e20e97e06
SHA256 5bab9d30fba185dd98ccab52170533c8bdb90e9c03be54d5a1b1fb374b71e226
SHA512 567948be641853aa8bd335fe8288159c4f12acc3e6dc68acff27fa41b31f2c2b0ccec8e1b331aa6ad2f56f74365025a675f5c9ab2d2645b017e443397875a827

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 a4ab4edbb4d98aaa9e163389dab75fd6
SHA1 309c7d054a33a7b9c6bf6fea783a1dff0a3a7d04
SHA256 5f81e1c97572de019ed571047461f1658d32cd5db8005be9593d76806304ec7b
SHA512 7b316b98c58dd7a1e5060230c407755b193bb0bcb691b8e261b86f1d8064bfb6bcb21f1a8d95533d6e78794d4c8bb9f1c7e4f73ce78d5ce42010f8797e745bb8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 872184ae370c43effb44e7235a4ee55c
SHA1 037eb76b7cd49b4527a04cec0996b757e6fdf6be
SHA256 9a16f073a6238bce08b79505cd31799a9438bb86fe8f2510984b602da66c36e8
SHA512 7c9f4bb8fc241fa22fa3b69326ffc3f1cba8a1d8b1b1e53cd1d6fecc9ecb4bbac1d369779d9b5c372d6359cfa60588b2431beea58e19e4f7b8247ad60874428b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 8101edff8c1457361cbda4516298847e
SHA1 250ccff7509253bbc137e3fb18277d4de377a7eb
SHA256 55d75732faf9203e2a91221becf3aa5ba925ebc26809aa2709cfd0ba002b7230
SHA512 907c2e0b7741f339ab9ef06a23ddf7e15bc6915cdbbc4da2f200b9cafc627f3b1a034045a52b3a58a17b46f8b94172663f8ed97065fce4edd38bd1198abcd3da

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 cdb8c108216d0022517cfaec0e37e35f
SHA1 8fe3e0fcf6791a714becf8573601c53da13b9170
SHA256 22c22939c7c0a78c3b4fe45385c98150cde2b1f300126e4562eb3ba638804c10
SHA512 5d9e2152cbc824e88415f8d3117a22a0e5271063b911dae6f7ff2a3ddb63e93f135aaa460dcb6600147ce1087686b9badb47d13193c943e8496a3948537a088a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 445829706384c734b102ae0588f1a706
SHA1 d9f7dee1668eec7cda378c562470775caac95cbb
SHA256 efe223f1a1b5a26310b4c0c7f3816202f0cb0f6d161914351140b36a83629f2c
SHA512 9aa406a6ad9eac456fb3e3c42b0b497101b2f8f3a2cc985942ed43e81f032b900c1dc97ed24f0691fffccc95248b83662da7ac48f37e46210e870c50e56341c5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 5ea89923ca909391ed57e1c42341a619
SHA1 dca7070e1c25de53fcdf8ee7fecf33ff96c2c956
SHA256 f74da9dd86a0b253f41f54b400d97b276a2977632e89967e92498441b6e90629
SHA512 429f109fd10d29e3ccfeb5b690e3e581f9764ed489b1e0158d086a09310de4c8112ba715877f5af24ab5680e95cc5375546f9c444d02d515d4e9c806a32230f0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 df839a3bc2395ebea7d976d6e7fcd39a
SHA1 cf3c157e3ef42b1e0270a5a13e026a22cd6840f8
SHA256 c911f2477ff1840c13f2bb2a0f67f9af67ac93b7337462280288faf2ec427d5e
SHA512 c3395d2dc33547236fd76bb574dd87a76221c7734f80af291d47ec576e66044edffd0500ad6e4fb6afeac11d57115d8c1f1c7f7bef3c85cfc8d311ded0f82d78

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 b08b2920a860ec0719ead86440bc74e5
SHA1 73ec7a33b7d7f6262056341405f7c8849418a7d3
SHA256 3f70adf8c5c4f13a0885c9e6008e7203e8f90328ee8b816f540e352cdfce9d9a
SHA512 0a64df2e46e2ba4c9fffe17781f726c7ee9cf2f2ffed3eb3fd9881edc1e4cbc8d0e55d6f5ab157f826c024442ce1a63ac4e578b9c4d4e152b430fc3273383f30

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 4ef13eb19f737887224d190f498e0c5a
SHA1 9410f0d54800893de1ffe1e83526d025593ddc54
SHA256 b9d22d0432d4b4cd3c09296277d9f15256c3f822394d41823c5f4418a1ee883e
SHA512 49939ff9a4d4af28b3a682001a1e2393a383e3d382ca8fd82bf9713009e6408e3dce5051328055b01099898474ec77ffc12f1061f0dcac9d07aa3310a3649370

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 05c11a0b2751f6893a01d6d8e24db966
SHA1 ce074fcc2146955a91296b5fb65f5378b53a5053
SHA256 76feec77bb529d152ed6f09811991f78d3bf7e75fe5996dccc4f3d308dab7b39
SHA512 c56fef86eba9d7d302cbb5d088e79d254fa96bb73b0094eadaf8ec6ca5893146ed1f72f5044ddfebb3d0182165103da786ae989e58c315a93f6d5019961a0114

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 517560afb92b82d4001bcf06b4f02926
SHA1 534a025c07438375f84f16b4477580eae0106cdb
SHA256 51f4edb1a282d8b56e79ffbb1faedb03af0cde439f584b4f309ced97ef76e725
SHA512 c810e8aa1899a5c8087048d54f0907b03165dd59b71c1401fc556dc2b913ebf704eb47986e1e748c0e84f09f899e806578edc8fa324e4c242639354c1f654d08

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 d7cc7251166dc04851e991fa010454e5
SHA1 e415bfce0a6ffde6e939f69bab54b430b6fd3967
SHA256 78e57eabac3ce1c9fab8d6c188b86ca19c0adf0fd534d77b5e72accd8f481a12
SHA512 007b78a75754f529a42500f518cf21c7f998358de9eea4f24d67d276c17d9f78a72aea4217ecbf0dc131633c515e838efff40f5036330856e52bc80e69e40b9a

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 5c7b40abcd771202f7348471a62b3cdb
SHA1 b28c986da2b167e128559cd20f77a726673516fb
SHA256 ab5124d34a16cc5f27c3deaf8a30b609c2cfa1b3159fd5f4be8cadb160b6d08c
SHA512 e809117342ae3068644e45cc465fba2f269ec743916bc268d6358e08a2585496d3b797992443eb33f13bfdddead71f52ecd8e1553b76a98e16bdbea6a5255e12

C:\Users\Admin\AppData\Local\Temp\nIQa.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe

MD5 cc60526ab5f4599275b86ed64e8540f1
SHA1 94fc7d37708fa3caeeab51542e9db4f00e7972e0
SHA256 da3025f8cf80af954c1483cc2ee4c0a1805762ce14932fedd3f17a05c7627dd3
SHA512 f7ebdb3542addb61fde8eb3cb953b14ea0ddc21626a7fb39a6bb5a6f17a102f0621caf6311e31aea1452232eba5c8122c06998e7724b075d5a840eb82f601abd

C:\Users\Admin\AppData\Local\Temp\pgcM.exe

MD5 e6b7f2d129406f725d5feb01cb87fc3b
SHA1 43d1ee3ba2539c46c10f5c9d58387cc1266c0ddd
SHA256 a6bb042810b1015257ac91b32846931554deb44119e55e1a439995ef95aeffa5
SHA512 c1b997c87af256a3226bb0f27e150d8d44aecb0ff2016f0b1b4e409776b1d65fa34f2967b522a68fa79df2031597007900c16d6a5e548b6c7501c1865804a7e9

C:\Users\Admin\AppData\Local\Temp\UgUG.exe

MD5 d85cb5694236431558ed016f0c31e62d
SHA1 8a39a805e443ea61fa4b1a6e2bbeef546ba90bf6
SHA256 01c73475ace17d15d30be9b21b1e829480f124165768ee1cbe6f2b9b23f7b0f5
SHA512 5af89a2e73695935813f4c24331a0300b978462c59482c4ba3324c90e8a54ed42dec23a5c080942fb9dec44c31a56b1b576a367647db97b5f5975a81700edaaa

C:\Users\Admin\AppData\Local\Temp\MkkG.exe

MD5 85f21e7b67ff0880f9e89af03fc35fbf
SHA1 cd651514b6e174bc431d6dd34c814406387d158a
SHA256 7dd4d4d07060b0c7f1302802965cc896df620a5b9234d74c74af626ed770f022
SHA512 aff8446d01b874d231bd55e22bf7e6ae1fec80bf719f1efc167e78f90b0fdcd27a528c40b28cc0bf99b0585396344b25fb5cd9ca30606809f8dd15ebd9f30483

C:\Users\Admin\AppData\Local\Temp\HkwM.exe

MD5 543c256a994b8806dc1f3cae828bcc73
SHA1 bab280000884c0b1a976d86b3b82174dd8bf8a30
SHA256 619e440ed1d12c71b97c6fdd1b5877fbe64fa68dbad88d193a91dc31fb5233d1
SHA512 28085a5fb07eb803350eef31c269c42d145db3ab8239db78066d7a1ada83ab8a50ec41a314c9f0e4e9d307ccc229f9859f2bbea8ab278be16b96dcacd9efc642

C:\Users\Admin\AppData\Local\Temp\SwYY.exe

MD5 9bf9baf2570055a5ff4691eb432ce3a7
SHA1 3749b55c7b294f3215b382f8d1c8dc3e2f29a4ba
SHA256 b7e96679fbca2aba6daadf2641073a9b3ea4fc65cdaf0c16ed146058126317de
SHA512 6f03ee9f7b73cad367fcb796dfbe8284eb0165bd013a966747601e67ccb66f018f5c02e37c613443ff4bb84c53202feff924aa860d404d66caeb01277c880951

C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.exe

MD5 dabb59f25c80c1f681a827041859d685
SHA1 a1ceea70112ffe04f0efd8e5ae1b3d3fc6929a91
SHA256 d19a9366a46d54d069f22c56ae4af045ea5a8b3230a456899713be903c23e9cf
SHA512 96ac196b0c79807126d312939d95c4d849840257303297fb29f0847041400a0618e17db5aa2d8df5ca0537b81733fabcfbe1aca4fb909d8553d25294e20b78f3

C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.exe

MD5 48ffbb64736b973bd57c94965179b656
SHA1 c93b3f2b561a16fd1f21bcabb10387436bd97ff4
SHA256 c3bf976186242278bcbaf2050c1c6f49aed4f13ef8681c5bcec980c2b61b0729
SHA512 aa35905a6ae8d9ed990fd4f9f1b7b9a1947bff7ce36cc2dc4e0aa17d2c420e5acd3a1cd7755464cd4191796690d1e11766bfd9357994e22f9dee4492f488badf

C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.exe

MD5 7428aafc0557569fc194b69f840bb818
SHA1 f89d4116c33e071aba350b100770abe3295a18e5
SHA256 f0ed2e56bb232751e0c12fb77815651e59236939966b29bff4eae62a3c458625
SHA512 4f7e55f2522ee3aa95f830cb183870cf0b078ef4069575ea7784a3134c25c4095ca694b72871ea94ad39e312133de1ba562431d17256c24d1a7d1b298006f735

C:\Users\Admin\AppData\Local\Temp\EcUI.exe

MD5 6fa8ac72c22fd4f036d107e537ae820b
SHA1 b115e00fc0b3ddb0b2a3a4d8b90919fe2054ae4c
SHA256 55bbe54ac6e23b7d632e20fee45b918eedba0ad777f2c530669cb5e05a1ce362
SHA512 47517a9f04700d3108ca2e06cd0947423eba6850539aaee40eee1f297657a160541cb25ec7ce98523e08e5eb1dfb06f7a77a27308a5fa5fc1e684ecdf3a37c14

memory/2928-2576-0x0000000000400000-0x0000000000433000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 11:43

Reported

2024-04-03 11:46

Platform

win10v2004-20240226-en

Max time kernel

162s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (79) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\ProgramData\HkAQogYk\HIgkEkcU.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HIgkEkcU.exe = "C:\\ProgramData\\HkAQogYk\\HIgkEkcU.exe" C:\ProgramData\HkAQogYk\HIgkEkcU.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foQkUccc.exe = "C:\\Users\\Admin\\DyYIUwYA\\foQkUccc.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HIgkEkcU.exe = "C:\\ProgramData\\HkAQogYk\\HIgkEkcU.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foQkUccc.exe = "C:\\Users\\Admin\\DyYIUwYA\\foQkUccc.exe" C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A
N/A N/A C:\Users\Admin\DyYIUwYA\foQkUccc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1040 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Users\Admin\DyYIUwYA\foQkUccc.exe
PID 1040 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Users\Admin\DyYIUwYA\foQkUccc.exe
PID 1040 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Users\Admin\DyYIUwYA\foQkUccc.exe
PID 1040 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\ProgramData\HkAQogYk\HIgkEkcU.exe
PID 1040 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\ProgramData\HkAQogYk\HIgkEkcU.exe
PID 1040 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\ProgramData\HkAQogYk\HIgkEkcU.exe
PID 1040 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1040 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1040 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1040 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1040 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1040 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1040 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1040 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1040 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1040 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1040 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1040 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1040 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1040 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1040 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
PID 3012 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
PID 3012 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
PID 440 wrote to memory of 4232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 440 wrote to memory of 4232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 440 wrote to memory of 4232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4908 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
PID 1684 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
PID 1684 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
PID 4908 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 940 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 940 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 940 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 912 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 912 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 912 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
PID 1468 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
PID 1468 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
PID 912 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 912 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 912 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 912 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 912 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 912 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 912 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 912 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 912 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 912 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe C:\Windows\System32\Conhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe"

C:\Users\Admin\DyYIUwYA\foQkUccc.exe

"C:\Users\Admin\DyYIUwYA\foQkUccc.exe"

C:\ProgramData\HkAQogYk\HIgkEkcU.exe

"C:\ProgramData\HkAQogYk\HIgkEkcU.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koMcEgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugAIsoMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FiUEMwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEMMIQMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWQAQogc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCkQEQEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Weowwwog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmEsYoYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IsoQIcoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oIMgkgIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeUQQgoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWcIEIks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XoAgUMME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGYMUowI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAoUwMss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qewgQoIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgwEcAAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEccEYEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWgscwck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaAckAwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqsMUMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JigoYgwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOYYcQQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGsswQQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYUgIswg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOYUIgAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkMQYgIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emAYAQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeAgwwwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEscQsME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tygQQgEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TskccIIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jokQUoEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEkAMwYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jKccIkYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKkUEAMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOkMwMUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcIowMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGkkUsYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCkscsIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkQMIowg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSAEAkMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diMEYEwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYgQMYYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeUEcMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UesAUMYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqEIMMQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QyksEQQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgAQYYwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv mhMZqsZCu0+bXjztmnJRyQ.0.2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUoogQIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qeEEoosw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAUwksAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmoIMMwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqccUAcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOYcMAUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HmUoIgYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naokMYgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMokMkUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deggUMII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKUcwwMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKIosksA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUgYAwcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IuUoYkwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYUokQso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCwoIwEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQUwYswE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWEkgkwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYEQIows.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qewcEUco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYgUsoEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUEAskEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baYwIcAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWoYsMcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYEcooIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksoIwggk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSIQEkMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkskgYUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCEcMAIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEkwkQcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MyAcwUwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcYwAwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIMgcUQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUcQsokY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCcUEMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qyMoUgcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmQsIAMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCIUMUYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMIwcEUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgAogQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ieoIMgIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOQQAgQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEgccYEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqcYcYYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgcsAUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUMgwAUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xuoQEcUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWYkwkUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOgEwMgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiooAYIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgIwEMsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCMoIQks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PuwUUYoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
NL 216.58.208.110:80 google.com tcp
NL 216.58.208.110:80 google.com tcp
US 8.8.8.8:53 110.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 9.66.18.2.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

memory/1040-0-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\DyYIUwYA\foQkUccc.exe

MD5 c899b7e19f7bd94f4da25366869630e7
SHA1 f9edbbe97e9cb02c34ad0563112b7ed00f8aba60
SHA256 354414cd170e1ebc267e00dab4a1ece294f02d2e2687e171b83547297b14553e
SHA512 5948a6b13aa9fd969f4eb8af50ee301844935aad83fb78a11a14d199c9b64ab5cb3297b7b40bcc405b8976acae54ba55ea38286259e6a56036ce83433322449a

memory/3360-6-0x0000000000400000-0x000000000042F000-memory.dmp

C:\ProgramData\HkAQogYk\HIgkEkcU.exe

MD5 e351bca8df21a31a6f2462ac0f00d878
SHA1 832eedfbb3c1f56eb3ad9f4d0acc5a1ff567b05e
SHA256 2e314716e1b5daf17409c9248712ffffa3794e0f722f4f8cc91a95eae0b59ced
SHA512 f430303a0b7841e342dc5cd57df4e39d5231825900eb34c19d7d707f1bec56b6a9508b6cef75c9aa6ddaf641ec09059425f975ec4df4801b906282903819efa0

memory/4848-15-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1040-19-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4908-21-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\koMcEgMQ.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock

MD5 5f6870e505406f5a8e8fa594b6d5bafb
SHA1 4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb
SHA256 f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a
SHA512 b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

memory/912-30-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4908-33-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/2316-41-0x0000000000400000-0x000000000043B000-memory.dmp

memory/912-44-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3932-52-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2316-56-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3932-68-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1672-80-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1552-91-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4232-92-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4840-101-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4232-105-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3816-114-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4840-118-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3008-129-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3816-130-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3008-141-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2996-151-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4896-155-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2996-166-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3012-177-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2192-178-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2192-189-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2708-190-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1624-203-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2708-204-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1624-215-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1676-223-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4472-227-0x0000000000400000-0x000000000043B000-memory.dmp

C:\ProgramData\HkAQogYk\HIgkEkcU.inf

MD5 4f4820453a250531e498b74f904cda6c
SHA1 363d9616e2fa6b4702279168e08d714413319592
SHA256 cdea11886c9ebad6beb8a3854a06b68709c8db83b0a4ef7a8d8acbdfcd58727f
SHA512 d2617d7b0bfc856d1fb60fd38faf0cf024e5fd19436f7c02e4a5be085bfdd3cd854bf54dc6289cd309d08bd5b99834ca959a294f477fc40c56eaad91715e0b19

memory/1676-241-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3980-254-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4656-251-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4860-264-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4656-265-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4860-274-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2924-276-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1920-282-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2924-285-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1920-293-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1128-301-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1712-311-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4416-312-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4416-320-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3736-321-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3736-330-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4104-333-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4104-340-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3448-342-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3448-349-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1688-352-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1688-360-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2072-361-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2072-369-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1828-378-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4308-379-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4308-388-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2056-389-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2056-397-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3892-398-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3892-407-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4680-409-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4680-417-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1744-422-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4884-426-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1744-435-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4256-436-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4256-445-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4416-446-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4416-454-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1300-464-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1128-463-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1128-473-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2636-474-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2636-482-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2216-492-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4880-493-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2216-501-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4916-502-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4916-510-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4232-517-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4796-521-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4232-529-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4832-538-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3448-547-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3032-548-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3032-556-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2208-557-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KkIw.exe

MD5 c92d54c05fe7257f352ca40fa71357d7
SHA1 76d28a1f5afb1dadaea8dda9a23354d661bebcf7
SHA256 5f95396e7988141d95c8f471d724317babe71bfe8da669739737a8569f867ea4
SHA512 e60ed9dad72e9d37b5cd65549d72c02462c4f06a0c830a363062b0a69d2990f9f9f3391b410e6dd94a2d1beff9f4eb5c5ca10b0213e24dd1013fa4d7ca297de1

memory/2208-582-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1408-590-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4916-592-0x0000000000400000-0x000000000043B000-memory.dmp

memory/64-601-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4916-602-0x0000000000400000-0x000000000043B000-memory.dmp

memory/64-610-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4264-611-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4680-620-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4264-619-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3924-627-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4680-631-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3924-639-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2184-647-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4364-657-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1496-665-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1380-666-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1380-674-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3600-676-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3600-685-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3540-686-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3540-696-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2340-695-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gkIM.exe

MD5 d5d96c54df33ced05c138884a5bed642
SHA1 a2e6e2db5f47baccc84735c2e06622c8e9e07295
SHA256 03cbeca3cd22bd54f87ebedd1522b613abc709ff5cdcca7bb2031524d78662c2
SHA512 255f04c250d18228fc667fc7fa74fa031be7fb8803f86d1fb465349a0d6d8ed8ff5cec2c46d6fd60a29d253f74df817011502bb9c3b14ba0aa9d266bb05a1e41

memory/2340-720-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1056-735-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1500-745-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Fkgi.exe

MD5 c48639a8dcf43aa980b2721bbda6559e
SHA1 88e0a8d846f43630e04b2cf05d9f6c196bcc600c
SHA256 73b90826008817c79da6db87b8e37af8761c199c8f746f528f13e23ea035e720
SHA512 e89d4a7d21f4a5f09ce1aa16bc79dc199e330324b9f11838f08555faf348c522d9cbd42ee7ebab044c0157b3053b11899c654fc258f1ce72e8acb7bee70b6f13

C:\Users\Admin\AppData\Local\Temp\DQAa.exe

MD5 125b1ddfefc1338d6985f6bfffc176de
SHA1 44f91d182e6458ea40a4efbee7b0773f4994a191
SHA256 7b3e4dc6cb1d95606033c0b3313d76d6da0cd538152fee440c86859863f0c946
SHA512 01a171dd717bea617e5353fbece67a72bf303cd2724dc1de763317e9e4353999764909aafe12321c2fc822729b568e2268248f803c62ed078a5164b81255ec9c

C:\Users\Admin\AppData\Local\Temp\XMAa.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\bUgC.exe

MD5 b01eb8db637885b05ab5c66d1a52638f
SHA1 031b54cec4b5f478908a3c61580656761b580cd7
SHA256 f83f72b912062c99d2a6300a18fee4974938f37454557c7f1ac57339fe6d92ed
SHA512 a68f324185799fcd6e1d50191002ac2e434a57803d264b7bf890d74f209e80cf60c624f4b1abeb2f5c78db0ae3000080d1a683d7e706a7881e01e1dbb874a9fc

memory/1248-782-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1056-783-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JgYG.exe

MD5 6f08fd0a1f32bc92692ac0d6e315ebab
SHA1 d16cb72e143f8722a527c3491013df587a09eaf1
SHA256 373b4faed5a55a332f66af33dd4925b416b068e8d6432b4e7c9b43a3149ee3a9
SHA512 bfda8849994acd623b30936d00e46b5f60b85f8ae87c50a268e9e192853293b9b85ed1edb4d6ac912ea9aa97b56af479a11f3321417ae82676914a2f66c93bb1

C:\Users\Admin\AppData\Local\Temp\Qgwe.exe

MD5 64ace508c1519456ce658721fc74055d
SHA1 f620dc31bb4ef439234fcdde7241b2143872e5b1
SHA256 e740ca9ac7a117149ed531c45c4a93d83c2adc0b7fa78e1f2a28cca6272dd94d
SHA512 59c88eb391dd3a3c7e30fc347b4938351d52effee8d55fc20c5d3ef640fb4ad05c1785d1cade99b1a3c7cb185c97d745bae7297de76ac0ad2b304bf5bd3ff9b1

C:\Users\Admin\AppData\Local\Temp\Vwsw.exe

MD5 4be738ff34889099640c94b9f6befaa4
SHA1 ac8318bc0a638d190f2f73fb173b5ae2ded07033
SHA256 ee89b9ac40749641b25e8620b38c28b63b9c393a4eff86a5215730ea5aa63db2
SHA512 14684167cc6b92a348c222e62c539ca7be1c8f2926cfa594fb48b45f68c3cbf78a942057a76bb77c009d545393003885e98afc5ee6c2535ff50e5ed60237f1ca

memory/1248-835-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ikUC.exe

MD5 86e35daf73e344fbe342fe408deef873
SHA1 cad682de34ead459cf465d961d7e839888e699c5
SHA256 d9bec6a75011329de395732221f6d409c2aa8edbd6ea04f6acfb41a7e8795863
SHA512 c300adf98266d4b0a310cb390b0460808a864d7cee1a7ad69626f1e432a6595d18ce234958ae1b4a9c7d0bc3c6580ded934c3b2e36259d631bbe28a9133ece91

memory/1104-865-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aQwq.exe

MD5 e2d9799401fefacdf9f5f5538f71efa7
SHA1 56ff3a41ebcc1ea474db807f833971096df4932b
SHA256 8a2166e4e76daf8ee4365a524a4fbdac0e52970d984c9f8b2d939ebad32ca52f
SHA512 f9ab6dcefa6e0feb22311c824515fcbd7d4bddfd2712ae0cfc1684248ff8931fb48015d3c31bec0c015bcfa53345870f0c4da321712980d95be4b762ac687149

C:\Users\Admin\AppData\Local\Temp\fsYO.exe

MD5 039412469f1bcff1a4103ddc42512a86
SHA1 ebe24e0bfb52eb54d6d55611b3f3ddbd22e21ed3
SHA256 26ed2c47db3225b2194283eeb940fad3d67672877b558cb41bd2f79d8fd496a5
SHA512 5f8fb1c0c87a206222affaa86edb387f059eae42bd4ab3ff6e06b6b791255127944da6e73e15089ce0d877418e990a9b674ac12959a8539871d907b2d0ce748c

memory/1104-888-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AAMQ.exe

MD5 728f5304cf6e15be4b68d59b0aee5950
SHA1 8e60a1aaa330528ec7edd7379d56c0138d45c105
SHA256 856c32d0a016a50117c17d5e0f690edfd2eab42e42f42a92d40c484f526d36a2
SHA512 7efbc942ec33153d0ebe6cc1ec29e976670dde62dd285dd355d02a73170ce715902707c237ef2b482f35bdc0f9d8f088e967fd056b8502fd86b746abab9b125b

memory/2184-905-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XMQO.exe

MD5 a10346b5e2bb8ac1c667711f775b891b
SHA1 45f3566ac39c7f5423f7b10d9dbb7389bee5002b
SHA256 a47fafb8a8e56c607a129d30fa27e398c730cd3b44617b164c2496d4051d7aa8
SHA512 c0927ba623bbb690f8e8632e480d05bd4343efb3605c6ec847138399ac4b99aaf7cfc169d7865edeceac07a3a6c0339b9751458ee4bec5883b86c962781206e9

C:\ProgramData\Package Cache\{17316079-d65a-4f25-a9f3-56c32781b15d}\windowsdesktop-runtime-8.0.0-win-x64.exe

MD5 538f01aa1aa759bce0127e587c8ebb54
SHA1 e9ecdb1958cab65262223f78900a4317536f12c3
SHA256 931904d98b55db2c5ace7a9557200a5a580fcdc5db74bdc89202d4d14c12fc98
SHA512 19385835323d5ddb1d2ffa48236a7b798fe5739b33fa3b070c5a60e5c0e79c35d923f4b526d7e714f23f7292fa6cf94d4473dca425504bed7c4fb2714c221f94

C:\Users\Admin\AppData\Local\Temp\tkIO.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\Tcka.exe

MD5 89819ad15ed31bd53abdc48397e1c8d7
SHA1 dd02b31f74e045d108e0bdc48cbf5600b9f26507
SHA256 24262807821a573ca7c25c89a9efd6f1433461f21cb60f845b0be62ea3bcb87d
SHA512 b9e6cc6075ec651129f8c9e09c31f79d93332f91fa5fcf58cf4985a82ce7e1fe7ab3032d34f18e38e8c2f84612f4fab125c2621464eb85418d66b5d631a86de6

memory/2184-954-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eQYy.exe

MD5 28028558daa6870517e4ab31982ca3c6
SHA1 fdafbb783f8e2f3e982caaea9df7207c3e30a308
SHA256 3ef9b9f089cb69764b1062af163fdeea2a334954d6570da1f6a0ac736d7037cf
SHA512 e5a35d0e5e2cef30b3c4d2741e0b6bb8b0c0cd2255eca6d8badf5d9d1759bccd76bfa9b02a074982c14a132931c538bbb2aa10fa8a49e76eef1d9247dbb26761

C:\Users\Admin\AppData\Local\Temp\IcIk.exe

MD5 1290f2b62fe2935a561413a921c7bc96
SHA1 6ad6252a4af779091d962c5e70c9fc5b4b3e88b0
SHA256 717b6ec5035ecc1e72f9871a41d1ec081d4bf5f5c24056e3c5f5b8adad0d96eb
SHA512 8248b71c56bae81e82b511e2e3fe456aba96292364f18334958f5de4eea7e792d62ae7a0f4a892ed504e77c35d9756dc73f5b6e8c69204f2c48569d1a089de1f

memory/2516-972-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AMAw.exe

MD5 d7adc823d514e16aff866e34df1ef3e1
SHA1 f1f147cee5355de54b315b7b5832af1c174e458b
SHA256 2846572042dc8c7b64dfa149219bc7e26a8acdeec74bfa17a6af2d621e04656f
SHA512 cb0a10329f7a49a4ed67e473fbacb15e0fbc65c498523915433037dec94da74493d82797db692a9fd0624220269fef2ab53f4831e7c616c581fb2254366281e9

C:\Users\Admin\AppData\Local\Temp\JocI.exe

MD5 2f2630e0d50f22a0e2a01f2688d72c67
SHA1 f6ac926b63d5b39fef78d6c25e926473fa666726
SHA256 d37b2dfa890b2aac880778455273712c33ea1096f65500da12f032a94034f979
SHA512 a65b9d16721c5738774cb03973910d93783c40e0c773ed0360fc39fb44461bedd1463a9465332a5321b2321952e5237d6ca306ad83fcd74004b2c9b11a842e2c

memory/2516-1022-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PckY.exe

MD5 37d92cad35cdc7d6163df6f463f87066
SHA1 e1787578da10a4faeb8f8f1844de2429b96a52ed
SHA256 fa92b8ce6df91f4f589f2d351bf7092e387763c4c114c707244ae12bf097257b
SHA512 c13e6cb3684ccd0559d69df5244cdba9825fa3fa1fb6fb72472bb5d22ac650d4e5a1dcd3528c7d4e1b84ee7eb1f033d8bc750b0ca760e0d88d9f545a3a0bc123

C:\Users\Admin\AppData\Local\Temp\YUks.exe

MD5 8bf39e7284e172c0fa2715e4617203b1
SHA1 5aa9cc0a842ba06182520cabc34eb13d30278dcf
SHA256 1cf737cda6751b8ec71b41a55bd1418e846a9c03cd1ee9d55ab88df81164ff09
SHA512 1bfe848e3a71005fbd01cbf40c8a3cce3c36b667dd3d34eb4874d7f37ac50679a5107638f1a08c5342c1cd3615f3a5809d1a816020a7c1ef9a4510120000ca1b

memory/3296-1051-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3296-1061-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uEEO.exe

MD5 255fcbdfbf27f85919c9018960ef69aa
SHA1 7e2a84803a8ba02f60539c66297ec52a28530c9d
SHA256 f84c6a70f0fb1fc8af9475e982dca32805c93bef22adab3763fd02833d60fc3c
SHA512 e48eb3c6852a459bed149d0dfe6d6e477d6d9d96e16ef039337cc034e90f08e1ade8d924517edc57b622a755eed72b7b839025006a94073733efbe0fdf63d1fb

C:\Users\Admin\AppData\Local\Temp\dEgA.exe

MD5 a0b3c9eb227359c6b29f7f0a04671764
SHA1 dcdf745d2c6e344ecd19f175f8c95c27bedc64a6
SHA256 4df50d68928ea377ac13e305efbbaa98d2e7cb0233d544e79eeb23ba2e47ebc4
SHA512 4e5648523f547cb2bd8d2b99e10efbcff29cde8bdfc529dd22e7f1931b115da1bea5400efc330a5a93ea1c1235a5b2ff5927c098e933b8e1ee30459479811c0d

C:\Users\Admin\AppData\Local\Temp\EEgI.exe

MD5 51af8f9690c46553b714ac3211fab122
SHA1 ecf2c714e9bed64bd086ca5918ace7e6f7b0ccbf
SHA256 5bb2487549ebfcd95e8df3b8d05b035f35d98f9f4f959c463af7f99de9b462ca
SHA512 a245f377f77c3d292fba8e0fd66756141c8dec5b16321f6a165af57ffd99c1185d6640053c53c4d7afb50a15d006493fe43bdc166888b3bb5b3b11b42b1b5bbb

C:\Users\Admin\AppData\Local\Temp\AEYE.exe

MD5 ea8458c59e8ae1ff7877ae4fe2adc8dd
SHA1 4286eafa0b48089d43ebd36e7cbbf068d364877a
SHA256 b6c53a80735c02b9c4d454a578d21b1f7f50261a6950d3a4d1be8d090970c394
SHA512 362f88e4f32f8ad4e25a7d1627f9c726214d12cf7401b1d9406e8d42cb3683dd051da2d228e21c52a313baa8892b262fe21ecc6ab192eefd5d854826bcd733a7

C:\Users\Admin\AppData\Local\Temp\woUg.exe

MD5 6ced7d1c6d3fe4d40bd5557a17dcf3c3
SHA1 5418f953e1c24b5ee5306e382c186ce000ccd9e3
SHA256 7e423de275d46f74198deff904c66a7337cc104c70ac3bef42931bb7df077816
SHA512 a93840fb158d1e985490c23ca448912d3bfa0bbf761cb1909fe2190251365776ca000e4edbc93b1131fd1269600b40c33c56d0fccedbfed850379b03b46fc39c

C:\Users\Admin\AppData\Local\Temp\BEoK.exe

MD5 82eaa9b875a79e1366b11be21b578803
SHA1 258c1c15542a0180685cda35225ad022d4688216
SHA256 69bf55519e90fa9c6ac07e6353174aa9d84fb7245f0dbba417260ede7c77e004
SHA512 afccbe33cc9f30f0d2f61ba04ea357d9e17a198a00075b39c43fe2b8c08179dca63d01ad3bc23446ecf45690d61274c5ef1eef161c5777d5fa02f7a28444e159

C:\Users\Admin\AppData\Local\Temp\Igwm.exe

MD5 32bd45c85932567232e78d80056e9cd2
SHA1 1a84b0256e41d11e50c56a03a1fc25d84ac79464
SHA256 669359b67ba81c62a70fe32667c38757f6b30aa54b26ffe67d7af756047e2ee0
SHA512 2c0230613c4123f1fef7137a80cf45d6b55ed7b5f6bb8906530ab28d63edfd042dfc0eb08c31b96b0dd50037f7981071f68015c73759b7c85824d8f57e03fc2a

C:\Users\Admin\AppData\Local\Temp\bkQa.exe

MD5 bd222cb1c11868d43ac8900b7b17445b
SHA1 98f514aceea37ede9a105e4a7add08a15500a5a0
SHA256 415f1c64f294cc09404cfe139d3e6aa5cc1422b5fce1ce637f453734dc396a27
SHA512 349883af2107d0df6204e24804a1da009cd4717cf6c1a9029dfc5ff50e7ca58f17cbb4fa13d262af84f25d8c6d388ec50f8237a4bf822d2a1f5e78facdfd00a5

C:\Users\Admin\AppData\Local\Temp\JUYw.exe

MD5 a4b2e1bdef892a69fa2f0ed9f9ed370e
SHA1 32b56520ea09944330c4bf09424183ed052ab4c4
SHA256 b1857342ccbfe9805ad82dc2022aa325c2b44d82273a7e9a48f5b42f9e17da49
SHA512 60073881cd91006976fe3373e4ab3e79d6c24fc98a1f1864d11de94f6ed4a7db4713d1e23df6f5a4f7529ceadbe7be11907e79787aa7743f330820651cf90c4d

C:\Users\Admin\AppData\Local\Temp\IUMS.exe

MD5 99220b410792f087e5b63d5724817369
SHA1 02d242a1aed16378a713f322d1211d5c09864d0b
SHA256 900612efa0de24b1a5f6a9834fd0d2764d23db0999f78707a91b66064ad54dcb
SHA512 576d3ff3ef4c62bc4c191d796ee097ae25f17adb853dcf1f8bfa9966aa730c6bdc8e6a0a94f0384ba94133bd2cdd993031acab7c082fca9640c8d93807cbfc7c

C:\Users\Admin\AppData\Local\Temp\sAsY.exe

MD5 0586e6d993e78eb12b5edf2a9f54a458
SHA1 696170c34c5c83e8ff12a7d92f796db1dcecfc10
SHA256 3306e60f8eddbf1ab6b55bad2f98568984deec9d84f23bd0e48f07869cde2e06
SHA512 fb8b68b6763eae7b665ad76b8ee4754f24f470c678b8ffa9974087a07d90cd19abc2579e18e2b96ea33e121d1b99c1e51c20bb6878fcaf068029f3c11f9a0114

C:\Users\Admin\AppData\Local\Temp\fYwy.exe

MD5 6006f6b9ad32f2a50a62c0f5e39c1d8a
SHA1 6b161b99cd05eb00981220b4e9051f70b1a77f81
SHA256 fb1bc494a9d63ca8a200cd193287f2b702aeaf4fc496020471e8f1a4f582f9b0
SHA512 14e766c2a579196e001ee802b18bd76b01d605ee9ae6d602d5ced9c07f8ab0eca5297278b13e1ed6b20f617a31187c2547cd34ec9d04bad93097b9f0ff30f853

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

MD5 8e695e783e75c3be6fd76c09999ef398
SHA1 5ac072465b7bde3a587235436feae3d1004c1edc
SHA256 e70ec4d0601334099769c90ca9b2a920ac283c718417b2f559bb0330e0e7532c
SHA512 e85eb972e57d9d3dbdac167f1da307a4151d7b8750ca5ffafd4a4f3e09e17b075a74322a58fcef94c2202552287406c7ed3d48d442d1c4829e29eb758b7fa9f5

C:\Users\Admin\AppData\Local\Temp\ZIwI.exe

MD5 fab8a68115ef23b34028c14ed357339d
SHA1 d77550ac97c1ac63bd062398666c3a429e65a515
SHA256 7046c68f8fbaccce39e733519d932112eb93e06447cedd547760a80e2278813b
SHA512 6681ed0de4603105a0e0996c37b3ce34c680c29e6f6b57654a9b3ffec86c2249206db361a88a6b4dab12f4896a2acb226200c63b782a26e06de12344d05bafea

C:\Users\Admin\AppData\Local\Temp\tQEs.exe

MD5 2afbb9202e7901035060d14ec02b27f5
SHA1 59dad92b102b4c9baa2abca7e7aeefefe1cee62a
SHA256 903a8726aab42fd09de345f8aa953638f92bac18f51c104550f835337ac7b995
SHA512 bc0aa9f1d2866a449f791a96c7f39fc21370105d2ca72178b2aa46271989d26b8808654ad1085dc1658d724b88e7cf3b73d2908708033e42187dd8df2f548531

C:\Users\Admin\AppData\Local\Temp\xQYS.exe

MD5 7c5bdb7248addb14e59c296b5adc9c51
SHA1 b1c800830b5d0f0005bbc439d88fa4011731e583
SHA256 70cdccdfa2ea47fcddfd21441b491636f776d04fbe9e90734b9eded8f6f67849
SHA512 918101787ecfbb5aa0103bbc52466888d914e735d8bb3b98c6db0852944471eccf30133148a5be705a98aa1228378fdf1bdc0a63b5e54c005e9bddff50b0b1d2

C:\Users\Admin\AppData\Local\Temp\CAge.exe

MD5 3fe5e8a08df706eadd55cd3a5afbb7b8
SHA1 907e0130f1dbf88e66c93a26f207966be6c7661c
SHA256 1df6eea1137181c0c984b2b0399e89d131b70c71ca02d93f88184ff8f7fa5171
SHA512 c4e9fb9030fe922debe8250a50c694821e772332e3fe19b216d3a87329a1ed8305609e9623868c0434bf33d538ac6c660201b3a7435fb437e0f3317e9ebad2e1

C:\Users\Admin\AppData\Local\Temp\xQIu.exe

MD5 41db8163fff3e53a9c25bd6a6e134d39
SHA1 de3677f31c9117750777031057437c3e2fad6ccb
SHA256 f3a3ca90150e0b3b35214a54be80e286c13b2e618c8df8e8432c67146e1b241b
SHA512 18a0be11feafeed99060699938b27a00efcb7149b9e0fc71a81d33b1e9ddf8304001bc233e50a86ae78e8fe66eebeed59ee53aa3f26dec2b5dc750cf8050fa18

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe

MD5 ee708548dcb82c5e47785a108aa3b4a3
SHA1 9644476f3528a368d70b592b46c51d91ca844faf
SHA256 ae9e624e80f3d92b2b67361aa914f735eaaeb618cd6da418bdabfc7268e5b9ae
SHA512 1d3f6f766c43e250daf5d2316b4498077de8e70aaadbbd5e0402702ed028e6bde7dea5e3fca25eb92b0d9da484a0965187ab2dcf4152bd2a2d78f452c44d93a6

C:\Users\Admin\AppData\Local\Temp\UQIO.exe

MD5 f5d7893eac70f77de333376f6611454b
SHA1 51412c34a69d4a9cc9bd30e6a76e115b8c0f7679
SHA256 50935b5e5e13b67f020a00e6162e387ac0ecf52a3235e24581f25371d17464a7
SHA512 b0158a2531f0c7b7b8f68a55927f3351684079edfc439aa3d3f5ead0b9268eb27d903abc4a9650a30c4560b0bf64d27570bbeb370b96c939d45bccc3faedac29

C:\Users\Admin\AppData\Local\Temp\joIw.exe

MD5 62adf320605665e0b623ca831f020c41
SHA1 58b2752b09610b67f43833f1a18ae112cc361ff5
SHA256 b4dda4790f3959b64d647ba83531a19834ade3fc30cfa693d55556e5aa4eea80
SHA512 38301bcf0a26eb5edef3c3ee7fcc655e183272c161afed06b9b42b1567b70bd464e60f47d1dd79e4ab2b330ff0da4c6214deb3eda4b1810c755c87bf48f31d0c

C:\Users\Admin\AppData\Local\Temp\Vgoe.exe

MD5 2fd00dd79c48463b9b635b5c95b1d462
SHA1 b5b65aee0b0f85521e00be337bc23d8bb6ea5c4b
SHA256 13e91df7f85fba88d207169c389b6f52fe3b0b99fb4c1c7f62202952bb2a7dc1
SHA512 6cbb661d41eee36511205bea5807e73af717a7a70f6c65a48fdf7095b467676de8d77f771d094c752c7f2dbcb70d3810b46e318a6f11391ed297d95d91c6000f

C:\Users\Admin\AppData\Local\Temp\tQUU.exe

MD5 51f706f701d0fa00fe176d5802931108
SHA1 5070d568d57b24d70b934263f978252fda3cb40b
SHA256 b89168c1b08eb9df3ab1c40e8908bd4b8c404d5596790cc61d183f23a4a5f86d
SHA512 87b979a1fd51cba6a6012f230d61a59a27e431cddff64142ab074b8a7ea0e209daf8af0c8567c29db4ff27af29dc0f22f2808927d9010af48e474db51c267e69

C:\Users\Admin\AppData\Local\Temp\xYkq.exe

MD5 51192e9aeda79f70935a4e72b7177f48
SHA1 dbe1b31d670224ce97fc0003ca0cc5d04ca9765f
SHA256 c95f905047914d19cb6d62902a6bb665ba725e5961fcad49ce737d9b1f6e6649
SHA512 77943f8e21d9329cea9a74406bb1c98b7c16ec33850eab955be9809d81000b3fe8fb9530ecabb94190f7534840e6b65213a69e1837a4b287d3d167f326407d35

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe

MD5 0c1e2cd86eeda2c95d31f8e18c217c3a
SHA1 1253bcb99763976943065b39926d8c20391d71f7
SHA256 233fc27ab2300747f5ca385e7709eb006535a720f58f3e211751a169a1bd1f0d
SHA512 aa17a393acf297de3ba32736a040aab238b5c036bdabac498112c8ae327e89a4279dd102e9f560e4114bf0c53d49178be03e3f5536c2af77d6cffea75104d90c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe

MD5 c0eaf7d4113fb1f64324907d5918b72b
SHA1 3453aa26525e521663653870d6f06f40697bb5da
SHA256 3b29c25a17f1ecc318895cbeaff6787e5a53a866e4a341fa84351ac81bfae021
SHA512 c58b254da6d14d7bd0c1ade3ee458b93dada0b95f6ac518c7b6651f4b146082b2fb55cd41036ff4a2a2c1b3ace99b837a0f1fe06c7b4303c40a8f57370a65b68

C:\Users\Admin\AppData\Local\Temp\ZkUe.exe

MD5 6d51661beb716afaa8620ee33c11123b
SHA1 867e78998b3d1402e5d5abb3d5e309b2098c78ca
SHA256 35406b1745b2cc449acfd3b3d1c58ea02addb0b1836d3c51445b704df5389201
SHA512 f699404eb15f009b2266ea21dff8ca3225d8dfe72492653b59b019746e2d1bf3d9964a9b9aa9e04b65bd90cefd76e02b51eb4559ca63a2606c5b57cb5c18b9e4

C:\Users\Admin\AppData\Local\Temp\agso.exe

MD5 ed315fb7ecf18fb5bfc9ab63b8477753
SHA1 0fbfaba9d7d09eae710ced07e6c8a99af8011c3e
SHA256 55669d98797d9e4a6325d7c9a82bd15f964e7ff311513696207db2aec6faa424
SHA512 e24144f0d909e22ea1acc4cdf7de3d7cddf2c1a50aa108de9ea0df6f5c14fd1135e112c23e89e1b897dd82c59ebde9246c5f53f094db54770dfed3ee19608c5f

C:\Users\Admin\AppData\Local\Temp\XYcM.exe

MD5 a875b97c6f85bb9aadb400cdb804d0a6
SHA1 c1e86e5c1d6f16813b988132c00c03d44ccc2769
SHA256 b9c6ba455a2dac6f0298bb8cf5c607575f7a0feaf3c4deda5cd8e4d25ee45573
SHA512 2ce63fa2c1236a6dfb03cc7b2dd1c1bdf7e8c1c4ad01444f4a3c90d2c0c5f98012edd717d0e78f6d292434a910106f03e32a11626aa39febb2a3ac40f5772725

C:\Users\Admin\AppData\Local\Temp\CUQu.exe

MD5 b4f9e861814df4bd069a4e6a7197ac4c
SHA1 49f9cd56ddc2dfd6f9e158e6b8774039db331152
SHA256 b1517fda599dd163224b488b7e42c9effb15a0c8973a813fb7ab3ce39c7787b0
SHA512 3346d624b0c55db1be31a82d8a647e0ec602af3287b006139f176862314bc45857a26ad41876bc3617ff1838718af98c316b4efc60a540fca4346f5e7dff94f3

C:\Users\Admin\AppData\Local\Temp\MEAE.exe

MD5 11368d31799d994b8b5f2bea706c9968
SHA1 533db0d18500ee07bfe178fbe98fbde043f85e1a
SHA256 d4e0209a7ea824b8fc8af3cf1a9335aec3881f38d0a9f847428cea99a07838da
SHA512 479f9a5306c8317b9ec53fff93110d22c20425fa78bbe89ea9035ce7b108ceb99e28ddf7be3b6fc081faebb85309d982edc264883007b0b8e849bb5955783e3a

C:\Users\Admin\AppData\Local\Temp\eUki.exe

MD5 44d39c66b8012c64451444b6e77f803a
SHA1 eee194c2d74494a3e4b77ae6117b5dbb8fbd766a
SHA256 5b7873ebb7a98691e9855d25f84781c835591f57dbf41ea53638c43a5aece37c
SHA512 3b6348c299e0878894b7401eac8ba371f71aa7704d666a1c507ed6dc00539e3e3cf017b55d2606b937a7f33786214439c21a32f6a03f58fd471fa5879a47da08

C:\Users\Admin\AppData\Local\Temp\moIk.exe

MD5 b86566892656b0e13622e092b0744a86
SHA1 1e51c0daf30201c0c7eab61d2298d4b7280abf5c
SHA256 8646c06207874cd53993771ffce17bd72d75e1e25c1b10f5c2b2dfb89adcda6a
SHA512 3efae7354090f00b0e58ea44df5ecd34a4fc8b1aa73df4339d9e538d65b50de5e462a4490384984e9d3a96a0bdccffb7f6f6274c78b385dd2f8356cef7a99171

C:\Users\Admin\AppData\Local\Temp\yIou.exe

MD5 e045abd74e1e00069fd379ca0180aeac
SHA1 2efa1dfa3fd01f9f9d5ec83a16ee8b28ff979f4b
SHA256 9be3cba70c0185d393c3489d77eac5682513ce83a8ff6604af59709f1ca368f3
SHA512 f24eecff060df5e56ec97676493461aacc9d40c9fffc03b52e22fa1f3346ac3e029398e1d0e8f4944639988a90a988f59e40fc155b20f4c5a54ff03dd9da9186

C:\Users\Admin\AppData\Local\Temp\yAgY.exe

MD5 38b426bcfaa0ccc3e03bfa4882c1069f
SHA1 6320991e56c03a6fa5061933d680492cd2bfc6ed
SHA256 108a50dc8ad599aac58d086575e33d974f9ca80b0f4c70893ce0bfb7c6d024a5
SHA512 c4b26b7de5f15ab2836bc970cb247943733651367ebc9aa0a61cf3339cc7543a43074e60704ff4e921749c521107fb6543c06fed8e8e2d1c701d40cfd3072d67

C:\Users\Admin\AppData\Local\Temp\LEow.exe

MD5 63088827005e6fefe7ad2cc38b87bc3e
SHA1 2f5917d1cb860df28fa30246e77f66fb25d8c712
SHA256 cad553be26237b4318e6d3442b59ad0fd7af689ca32007310af3e14ad21f54ee
SHA512 b2a3c896ab4374a30efab29a23b3a4235f609d33d1a81a6a62d0018d43616e3dd371405182c8c94ad181d6f79d0a27c9988243506279cbcd859b8428125d6c7e

C:\Users\Admin\AppData\Local\Temp\yYUW.exe

MD5 e284c73ae051b75652132f19e81e2578
SHA1 10f196e2425ce93db9df5ea8a6ad43d52ed2d097
SHA256 9d1ed2d0b51492dcebe28437d819746515bbf6c4e244580faaa06ad6bae72c69
SHA512 2a01dee3d6ab509b7c88c7d69ad8f274f66d053afa0b48baa8d34c4b76dc65ffeb3cb94b3a0620f944958e9947ed34095f2f4ec22032a47e8b82bbbd813da839

C:\Users\Admin\AppData\Local\Temp\Rssm.exe

MD5 fa3017f33401cae1d339e4f818a3d815
SHA1 4dcbb3202392b05ff6d4ef6193b48a210754ac47
SHA256 c7ecc52e9b5c72575e17dd7c2c9cd12336d5c4a5f978236af473b8c488c7f2a8
SHA512 1251f47bce80fb6a5720892549396337619b9c25128875715f0821278591c0089b2bb802973ff44a9553f4ed6f7766ca1c7d044f8a9a79ed704d508e77a06ea1

C:\Users\Admin\AppData\Local\Temp\CEsK.exe

MD5 22dae3152accadc493498859a699496b
SHA1 93f80ff5e7e64372d09faa180117153c0dba9dd8
SHA256 eaf56a08df20cd64a7626865e8d08c1772979f8cb4d520c47b192521c87cbdfb
SHA512 cb6343fa2b34f377fc8fa4aed595a94e994543cdb57d6c3d55dd747fef20f2623e4a7d5b69aa827558488aa74a811bd6e99e34facf2e94a7cd200e87b2891739

C:\Users\Admin\AppData\Local\Temp\AUYe.exe

MD5 fa3ff2f4d20f54cb03fd0f2c9a2933cb
SHA1 fb8c4f713a8bcbf4246ed1a03ef5beb5d2897918
SHA256 c5d4f1b6f812b4e1e99f11e2b7f738feaa4dbec2c92989ca9470b7af4c1449bc
SHA512 0e47324a9935976b652e8e58b4e0a97b1a5e7ed1c3ce4f06208eb49b41c1cfa02981451210d6d44d90d47c217f49defdb6428eba8030e57d6692e812c92e6da8

C:\Users\Admin\AppData\Local\Temp\PoAE.exe

MD5 7c1470b4e39a468a53023c87c2152d29
SHA1 ab283836aabc90c85e01f9fd001d232ce1ea1e50
SHA256 3a1366a3f730eac58d7160b3f54f3a5d67b1021995a161a1f71e4ad029022ab3
SHA512 f8613fcbd7774334af1a705ef9846717d0d7b7695ca963153e61f9c489d06be754545e77a225536a480e872bfd131a990cb7baf89b8d882f3fa0d011eb89d1d1

C:\Users\Admin\AppData\Local\Temp\wQwk.exe

MD5 3fb6b7c4bad98484a3dc1d834807a743
SHA1 c548c9a25364ccd3dc547e94e4f7352016e5ad81
SHA256 030217cbf2fa54e49654314b83c54d9af68a9568e17fc2b303600fb9d1711249
SHA512 0c87dbb5172fb1ce855d7c263034b059d9502a3ea0a887bd78297905a9c0aa0fd6e56d8aeff38d41391e37aad56ae5297b75e82322fdc4c2199080e39f31dfd2

C:\Users\Admin\AppData\Local\Temp\VYIu.exe

MD5 63a1fecc947ea060f034460ce1761ef0
SHA1 f93e3d39ba9080bf9993b7e5e19947795933701e
SHA256 0910cf912c4c3f292051d184af70d532fa9908096f9c631d87569a0328f00779
SHA512 242b902e3fad8fc7f3d193920389ccd86d94da23df20b228ad7522316e865911af716ecbe2e378651ffb40228447e0faa89aacbc8b3f9c8ca1364ddae7bbb13e

C:\Users\Admin\AppData\Local\Temp\skAK.exe

MD5 1af90f2d118317a9df1c0c2d41f2d488
SHA1 1a39ba6dd288cf117a3a4fe0f716a6dea3d03c52
SHA256 c0cbcb7f1131778b185153edf7cf3d52455c129322381575ce1899b07e8d8dc5
SHA512 c251ece54e1274b1a7d880fb28203d4fd19a92903ba5e715952851c9784b86896d33a9e23cd5983b3eb8f5c64eda5100d9af4efa2a2025fa9716f756a6f086aa

C:\Users\Admin\AppData\Local\Temp\wEEM.exe

MD5 3ba2a89988554c52af09bd892530c3c9
SHA1 700b4eee560ebdafd401d479d5c59c8dca201aa5
SHA256 a24a0cbff2976a75bb394b39034073cfb644b138ddd9a997561086f4b7fb253f
SHA512 ad60a0245b068dfe569f09c929c6d414203396fadd0d849b5df6dbacb815ed9740d9b6dde5de2944ea9d64b53cc14490fa975ba69e4619565138230a057d72ae

C:\Users\Admin\AppData\Local\Temp\rMku.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\xYQE.exe

MD5 6784312f2755bfc627654501c2f3124f
SHA1 0f850bb78fc17805cc5f9fc7a589d592ec963cd0
SHA256 8ea2cc28e0b9423abf79c382c84b75f1546e54a4898b9df4863f95dc6be01278
SHA512 3d237febc492ee24bf411e9711719a3c89812b24ccd5f3e207695d7a43520a3308554a4b06e50beaa3a8eccc94b85472df9927be3adc3fcc3442d11ccef30f50

C:\Users\Admin\AppData\Local\Temp\IgQu.exe

MD5 853014e61b39919fdb745519aa8ce516
SHA1 e9c7b5e784977d8e6a6a08283c64cfc469642950
SHA256 1c8f81ec3bf0ecff3cce00a123609f0ef24357ae69e5736b72c07fa9d555aa88
SHA512 f59337984eddfd5bd588721d0425497aa529128aa7c0e938c3b0a5af6cfc22a632ee3d34438eac66d0e59958bf64c69875e3f454586b192efcd8cef0772824a7

C:\Users\Admin\AppData\Local\Temp\CsAo.exe

MD5 7bffe5f679118b975c413fba814226e3
SHA1 94a54f30fa5e6bcb8a3383bfff9a69885093c13b
SHA256 3b16bf492a50f3b1296ee18320fcf0f37d24ccc48b70c24722ac3a008f3432da
SHA512 67d17adc8a9c546fe4224923d2b5a97c00aaf94107f5a43dbe5677dad79a9a4d4aef04016ff08c19341fb9782d47a4aad368cd13a60ea788c2e39aab96cd0cf9

C:\Users\Admin\AppData\Local\Temp\osUU.exe

MD5 e256882fde48a050d37b8afb4cf155b8
SHA1 455c0a1483268b6d625f99b9e134ac05a48500b6
SHA256 afe8d389a256075519d63c5b42819b1fdbae1e297d34c14e96596152a394549f
SHA512 daf300d4a41c0c7882a35f3c52a6b2fe2e94475deb35196388e08475c90478fa74f398c33bbdb2e1f8f1604211ab532985ce61154722cb237a13caaae2f58f7d

C:\Users\Admin\AppData\Local\Temp\EwUW.exe

MD5 e69d22fea1a3363a8347de1c610c0185
SHA1 9bb8ce0086ab44e9a13baa8b5e74210c0bfa6fcb
SHA256 c7248be8d02c8c8e671006b23835eb7ade536b84963d9e1e07e24e46ce8e8be1
SHA512 00b251dcf5b68b53dd2ea17e95a12b3c6f041fad07a392a1bef6f86cd402ddd729ced7e2318481718125f0006e794fe7dc318e73b81b330680af06b7e75a50b7

C:\Users\Admin\AppData\Local\Temp\rEse.exe

MD5 3f1fb10a6fcbafac6a8251406df1da24
SHA1 d6438bfc446e1cf8d3def12c2a30958e0a6deda7
SHA256 0f850acfbfb86bc9821f0931bada1d1e830ea82354d420b0475450f8b263a658
SHA512 cc39af01049608225db2732bf5adea3c1ef5a0f70d3536c1cbcd44e50ed4153cf402388cdba24645b62c5dfb4d3288b92a881d48bf0d846c43f5e7caaca1ffaf

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

MD5 816ea173c7773eafbe5ba65dd6941c9b
SHA1 380da07b5cc0cdcb42d61f66e470122a6044e081
SHA256 b5b2160e96945cb963c989e622ce409cfead7ed0eccbc9d71c79c354b3908c46
SHA512 7da9ded4a67346c1d80db1a98ae1dfcff8cbff1c80bd92260a24efddfa68d29b7fd39bcea0f598108cf204c4fa3d9aaddd1df981e503b5d473d8a04c03b075c8

C:\Users\Admin\AppData\Local\Temp\JcEs.exe

MD5 efb4261dc0527b364e49391cc42ba8b8
SHA1 4f844c416d9bdd053a686f2a1cd918102f5f9fd1
SHA256 cc7c90381ea0edf4cd3899bd5f32b9f76a02367da89e10c081e7de87d74f9750
SHA512 ad049be0fad7cacb25a806e8875960992c615cdae092b51f9ec7498ca9ec9c9660bca10b5ed29982b5babfb9a8495dbf5c8d6a98cc91a3a206711f0661af63c6

C:\Users\Admin\AppData\Local\Temp\OIkQ.exe

MD5 6790e1dc633be9f9ebad6032307ccd9f
SHA1 39e8de6acaffb1a2b6095cb8f23b4d4fee052d12
SHA256 bbd6589a7c57532d8c9da405e0a1f94d15801bcfe068809a82ca128095dff35a
SHA512 50b5484c46c0115dcb96e9a291dd1a62c12a2d93d44d3af5028e551c5b7cdb3f9f4c860c214521bd223b11f560df140d213f818f0d3deb9998ac1c5a1dd27bf9

C:\Users\Admin\AppData\Local\Temp\DcMK.exe

MD5 93414d5bf62c487480b8e4218e451a18
SHA1 d4201b4fe040a70fcc58fcd556fcfafe54acc164
SHA256 945297a75b7d8ae550aa8a5f14df485e9b89fb113b5a15a362a6abc8822d792f
SHA512 ba0ad42882d07ff58ce7c0b6db286b1ce0f74887400d8e57ca356f386017a115d606afd236718506a7c406dca70b390b67f75c0a8e84c2163bd87f167b0723e5

C:\Users\Admin\AppData\Local\Temp\QkMS.exe

MD5 df293b00ed58597840ea01def8fbf99c
SHA1 940ac50bd1a969409bec7e231cce8b465c659f1a
SHA256 8e7a76c67d957d6e265880937cecb6b198cda2c0b361e7579d611d1f5657bef2
SHA512 d745b640efc6aed950509130808f24b95a0b4004c2c397ab31f4f220e780625932afbdafbc43de8e4b8e86662e757b8851e4867bf263cfd5c35e4084d5b5b00e

C:\Users\Admin\AppData\Local\Temp\LcMG.exe

MD5 1c454dd4a0883957eedf49bd9fa7cccf
SHA1 f1669ca0e1633d159439f933d4cb78af4e7dcaf7
SHA256 e2ca31ca31520927db10fc4382afa46a6e310662356c7f45c59f84de97bc134f
SHA512 8bf1017d3607c85bacc49328fc8791686fa02440f35ab29ed88f04cba3d271e0a3beb1145588d6b6271f354ac76943421b534859137d7d0e9f1f9fdf3305c21a

C:\Users\Admin\AppData\Local\Temp\dAYM.exe

MD5 16a7adbe1fe42c5692a5d6ba7fbddbc5
SHA1 914b3c16d21d32928f2ce1a9a837f09529d0d566
SHA256 947e99b194c9215e84ef58e626e450012481a557d675ffd0fb1fd96e92bb92c6
SHA512 39b32a7690928c8e307157ac461ad8aaf8033d38ad0a69733a8e8da7828ef9b41f896328460d63e957156634e66c4f730571cdd54f174d62a5ee518c59499b00

C:\Users\Admin\AppData\Local\Temp\CUcO.exe

MD5 3e48c1293997cb33abd6a90ee7fff287
SHA1 472a42c8725b27ab25348712ef98008c28969f8f
SHA256 4fb20e910925463f66a877bcb83e803d3d9ad5937be570e1df8de2b9858e25d8
SHA512 a7e83c3eef8946d24b8ac9d063cd0b10e4c4c141f787a3d7c490ab0d6c27eab16f7eb4d59f292bcc8298809f524b82925d5f537e991fb4b28b678f0e2d5328e2

C:\Users\Admin\AppData\Local\Temp\CEws.exe

MD5 a5404b8676c18606c064cb60435149d3
SHA1 d12f06cf5ce778fdcbe7f560cef2a4cc707eaeb0
SHA256 5059368eedf2ad7b16e12105bb20203c30810302a9283466c37f71b4c704e74f
SHA512 8dec90819652ca766dd954f58c7dcbebc95f85c657a9c005dbe857f032bbc9393e9a941cad5dfb8db6a11c0cd847ce86c8a6920108a26f4cf76de1a0a7b952d7

C:\Users\Admin\AppData\Local\Temp\gcAE.exe

MD5 99bcbc46f5913804b1209719f7a52b37
SHA1 c5296f7fa4e96bf2cd21b55a0e28df925a252e56
SHA256 77bef45b3c1d5ee6641344e8b80272ef46f719b44b4b69ea9b3ea016ad006ac9
SHA512 0e9286729b3ba5e7ca5b76c09aa460601d54b0b4936980fb1e1336970549272eadc8d8a4f8f0b6ea84036bc9ef2dd9eff195b3b60f8bd465c467bc383c182bc3

C:\Users\Admin\AppData\Local\Temp\Bwwy.exe

MD5 82a7ed108e9f994e36174a764bdb3670
SHA1 749b464daad9af36f3879a65d35e1b7df41d0b3e
SHA256 6967fba6806934f7c475087644a7c4f9ed9f23405a7e9f4688bd7b8eba0ee1b4
SHA512 72fb38a85f12e2711e319db70ea3ad1bad58a4e063ae42ef01457e88ac7b6cbb1ce81091803557de51bb4bbe922c29069cb8b5c3ffa8e34e132056d0bde7a749

C:\Users\Admin\AppData\Local\Temp\SoMK.exe

MD5 3e3336faff2924740cca466b372a4411
SHA1 3c234989faed404784ec8ce31d87d0ba469ad488
SHA256 53a075745ea236d23c74c8e86c18383f9f9a9f45b92a6cd212b22e076d8871c5
SHA512 27c2ecd402f82b49e4a9cab5778ec4423e9339366bce2e29fccc6c6db68dd3bc5b161a771afb2204783bacd9f8980714673a38da18a1ae2b8d2da8f83d7d2600

C:\Users\Admin\AppData\Local\Temp\CcQq.ico

MD5 d07076334c046eb9c4fdf5ec067b2f99
SHA1 5d411403fed6aec47f892c4eaa1bafcde56c4ea9
SHA256 a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86
SHA512 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

C:\Users\Admin\AppData\Local\Temp\ZMYM.exe

MD5 27bff923bcac3ab05d2332c02da34e75
SHA1 81f2f72642302e069f09b34addc55cb4af3aa297
SHA256 05b93be1b0398aa59232dc5284c1eff584448ef9f905733a855a3d8db5484cae
SHA512 6b8ab94ea5b225d82a99a3730e5b683c8897ea6635bd0f7af007806de6c437cef02d7e9efec8722202f1d48fdb5da353f43f9f5735064a2cfc2ddf538b475ee7

C:\Users\Admin\AppData\Local\Temp\fUcC.exe

MD5 938c5bb6d6d92f04684baec8419aad82
SHA1 ed0f43fcad41d84ad28cec635a05bbe61306fea5
SHA256 024f938968109e9326704380fca23bd8e7aad86a38804f8dfdb86a0353e7e02e
SHA512 c6e6737bcfd2b30f6c36f8f659bcfae3e46c96e9bd83ec88c85812bcc6f10773be615b6d81fd9aa60d2d51ffd0a3cdfd988080d548955bed1e01e569d8e51165

C:\Users\Admin\AppData\Local\Temp\RgAC.exe

MD5 199c351763d125f099d92766c5809750
SHA1 0cb0748b1f17e3f0e6fadac138d5a3a4e71eea7e
SHA256 bc200efa31640923df8729e418a623bb67f7f99c4af5e5a14369666674eb7633
SHA512 2eb3cb544667f7e90bac71015aeffab273f54085ae82d4ea1ee35ce6e6bd34875d4d8fa82d90d943a1fc4b064d9de22c42e7b13147413b0adcb20c2016fb1d5d

C:\Users\Admin\AppData\Local\Temp\IwAA.exe

MD5 030d86d37f2cf3e2cf925bcd1633ebed
SHA1 a9fe48540bd92b8fcd783ee9287bb5ad93642cdb
SHA256 22bb5601b674595b8055c77383184f9ad3b01a95cf11f2f05cd0de9e47c562c4
SHA512 f0e3575bc62bcbcd504937c2923bd020299d4aeb397a582caa2713df41ec213f2737d2a55ff9a7d425f3b6033abf3280314b730a72226c9a2a475b12780aa821

C:\Users\Admin\AppData\Local\Temp\EwQC.exe

MD5 7ccc7d410107eaeae99872826fcfab24
SHA1 a7674b9578f883be8a0f2039fd44a4bf7da11ead
SHA256 82df1ff9003f9a2a33f7210c5e68e73ecf9f3c4733a89bf41d2fcb319c120f56
SHA512 02631f1c9f3df44317eb507ecfb3581c71616f212faa5bb8ace27bc10c1bb8073b850266bb164fdc390a6f36d0db99cd64a9de10b208136ec77cc9da3985ea4c

C:\Users\Admin\AppData\Local\Temp\WQsE.exe

MD5 77a473902c225a6c2d9e51959f88c584
SHA1 a610f896918e3bd94f49abc276305d58e78435f3
SHA256 aac04f67e35e914184a798947f5f8ac5ff41213e9a4e15f54311cc75a93bfd48
SHA512 f9ce648590c8c269a95b851f5ce6b094c958d7bc4ca652d6d2b45110c2a7451b614377e11ebf016a760fe000546e7f810d1320073860fc6d7816be2def4d151c

C:\Users\Admin\AppData\Local\Temp\EcEe.exe

MD5 8d7650ffd22fdd0e5e13b4bb76d76385
SHA1 79ee815fd4e25832bd7432bf08ddf14fac27a5cd
SHA256 e26d11affa4ea6db527bcb4270a0db03d341616f93127f82817b62d5d8865242
SHA512 c459f36e75426da3502849420d5c5ed2b7506ad72810f71ed7538c72314e5cbec27b8924b0492a0c45c7877b14428ef8bc0106c25426e65bb0f2a8f050866161

C:\Users\Admin\Downloads\EditProtect.bmp.exe

MD5 d32b72fd2b30e54244036b5728bc6d5f
SHA1 eb18ac6c60985fa018a2a3f48dcd687f1bea1d36
SHA256 076b7ef6088327f43e6c51939b594fc9cd190d8d642c819441976f96c49e20f1
SHA512 a521c91b11006f0ec662e9b108d192f5b3e06ddebc2d23b417c0bb562e7ce1298c5a616fda70cd09c18f450242a5abfd10f7a52f2c83cfe5bcfbc106a1dced9b

C:\Users\Admin\Downloads\EnterSend.xls.exe

MD5 c1a17959e84015245ad5e72a0ddf302f
SHA1 ca7e5450c143bd0f425331de353d1a4f378ead4a
SHA256 46f0e72e02223996eec4399428a55d721a6dbaaf80cde0009e37465d6d37ad48
SHA512 a7de4628b5a67e899fbaa82004d59ed2db92cbcbbb21fce59c515307182a30c35dc9a7d728cd0846681eb7b0f2126fc81a398a2c6cf2ce09b604598d6b3993bf

C:\Users\Admin\AppData\Local\Temp\ZUsw.exe

MD5 d6c2fdd764a1dd30f751e134ad397fda
SHA1 19b932c14212c2677ab9c8a5eb6c22ce9fa4d2a7
SHA256 688d1d396a54d3fcd3dbd604075c68f8340ecf7e603dcb5bec0113d2e50c0f6c
SHA512 f613702cbdfdf2ee69e2294ae6a6a0648d7db35b65eb2e2028435fe6e1cd996309c2bb24c1e16b7bc09036fa272c5928375c6023b726f159a7b6831c191920ac

C:\Users\Admin\Pictures\ConvertToPush.png.exe

MD5 5941773fc9a6d75beb85f638a98707a3
SHA1 694b42f91cd231355d5e16d22833e1d37183264f
SHA256 4ad1a3d660b9f7980f3b12958aa575ca0bf9c9f645620fe0df8e485b5495173e
SHA512 96b02978c44b07277b379c618e44b8ebc738b5e7cc7a319df58a897a7ac59a8cdbb9d2f744319b3dea4450a2da160dcb81a9db6b7e36e53e87fa5d8c8ba3d118

C:\Users\Admin\AppData\Local\Temp\lggs.exe

MD5 85f9a586005e23a21c1e68cbcc712552
SHA1 c2913b722389f30b9173bd8c9628c113a31659b6
SHA256 3d3d799f734372387af6f2f34b6f6ce44a2e2c2e911eb463fd10b054b8776c44
SHA512 e6ba6cc9331bd160fbf21136c77de7dcb7238c6502c78caae67af32e926e854d4422ef440aa7d86b29c94bc850fa72a506322be369e9ab099c968b6298062a26

C:\Users\Admin\AppData\Local\Temp\gQYS.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\AppData\Local\Temp\hAIg.exe

MD5 f4d55c986f5e80ad2758b0c405268933
SHA1 09ada049a55f867547c33ae2fb6ab1945deaca5b
SHA256 1db72545d8a7dff0d782759eb23185ceb77c561d664eb21c3f3ca168bdbca62f
SHA512 30eee79470487cc73f3c56f088abb3fec652305c0790b989222d85522530d9b0a8539df5907a84d3bd8d00bcd13d113aca4ffb220ac5c2558dafa56b8e04eb5a

C:\Users\Admin\Pictures\JoinSend.png.exe

MD5 5d097edb5f0a92f345aede36bc5da810
SHA1 0ba592450ee5cb848ccadcf7d704fd44064910f5
SHA256 314d4060f7c7be0d8b94199cc032430560e9dccdd141a2643f396eee5376d476
SHA512 661102f7e0dc90cee3467c42abb83faa59262ba033301aa579a6317438dec17ec3cf11ea6fb49eca07de6ebdcc07ca3065bd82b0324c6d3711fad614273114fb

C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

MD5 eff924f5395b3d36e80691595bb95245
SHA1 b8a0e9e48602a9378df27b2763f1e56c4b11ce8b
SHA256 41be46c78e6b183d680d0a24d9395e287038dafa0777a96b97a0597199d6219e
SHA512 b4189a85fac1df97e02c6671cea1e67de4f1fa3516210a5aa20d4375f2add990f8757f9df01c869205d5262f8837ca71270fd71c6b5cef4dd39193bb0928db96

C:\Users\Admin\Pictures\SyncStep.gif.exe

MD5 c5f93b3737498198a6e2b41c33ddc5e5
SHA1 015fa012e2b4628cde61c5c22ff89eccda1df13c
SHA256 8238012eecf44a04cbdae4b3406253fd0342e2d4882fda820407ce153dd83062
SHA512 c4523926293f626e6144ae05a9856e32594944f4e0b860aee3bde21a6e96856a12c30f43fc07a2e54df9b4bf3409279670802af560575715659b80e2d9299619

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 1bb41a04a4de8779bcc8def044a74e19
SHA1 ac7a4951aa5f45eadd3cca77eef5de9119522956
SHA256 dced877c1eed4749ee29caa3bf0f987d48c46c8485e2386f6150a1f006adf063
SHA512 a4384bd913f97f3f84884e4865712fa75658f627c0639b4cc059a270991fcc5ecb7ba57b80c5928f225b486d5a409ff356b3d6c4279a29f22b84dfad979faab8

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 e6c4cba51ba1ef5fe6ad815a52cc5bef
SHA1 6ac1c3d5c7a0646dcded1293d8f5c95ba7101aae
SHA256 352ed4bee08314046ee74c6c7cb7d15796d98c8c025ef2dbab889cc0a822cdc0
SHA512 45e9d19c8877a8de4ee3c52475df8d6ddec4f0c372f6671292525861acc07067fbde758ed09f99c368bb64af4ce635b9d5a89429c6e191290787267eb5043db8

C:\Users\Admin\AppData\Local\Temp\qckk.exe

MD5 0acde208bb5044386110e243b147ccf9
SHA1 a56bb5fc166d8505285bee5de1276ca40ec9ca52
SHA256 88aec4a7b22273139ba9cc1b8ee851eabc4bc65fdbb4a0c4b9f04a460dc94697
SHA512 ee885398ed5b80515cef7e914a84d0a922f8d96daf646395f5d344e8fdc81204a2d2f9abfa158fd9784e7aa39c9eb45b43cd2474b3ad4d1572bc30ee432dd7b4

C:\Users\Admin\AppData\Local\Temp\jIAM.exe

MD5 4388e1507366747de205af40eed36397
SHA1 548b80eb2bdd217993c871d0a6a7a52491ad48a2
SHA256 9b98d19be5171f6a4b8626d6ee3e6d97c963712ff3e7a60138a34ec455cff686
SHA512 66e3ac796d941bd714c78fe8587fac10f036b61373dbd735e9a1ec84dba38bb3ec28218b5a3da676ab16a8371485016b7bfb1f220dfd494923bb5935bf8da227

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 6c494b029866de253e26dc4990d804da
SHA1 a74f69bb01a2b8476e182a1fa5dcc388f4b7ec29
SHA256 29a97b0bd34ac9d9053ea5f182d954c2c8bb2927bf2b7dbd6e18e3bee051b8c7
SHA512 939f36dd317b93fae5502254d853710c2a6a591f16022366d571101be643148d10009b390379bbab896c0b396b8e79dc2546d569d8d272e9d530c056714c3075

C:\Users\Admin\AppData\Local\Temp\uIYs.exe

MD5 b2235d6732409fed88d390f380828449
SHA1 e3c05d0c916aa8a9efbe7810239376d9397f618f
SHA256 4a29e89e79775aed2e7363ca0457307405ff19d2b30e56165393679ccb7602ee
SHA512 c6409205676a8b82770a0fa5fd41dbbd1c604113436cb7d5e6c65baa484888a03e720f0e20c61c3059343a3e72e1b709e28b9372e0337a3547db9b5126101232