Malware Analysis Report

2025-08-06 00:45

Sample ID 240403-w6k8bahd66
Target 2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock
SHA256 5d9b42712df611c6a017f46359523aeb117c136bdfe73613a29cb62306027a50
Tags
evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5d9b42712df611c6a017f46359523aeb117c136bdfe73613a29cb62306027a50

Threat Level: Known bad

The file 2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence ransomware spyware stealer trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (57) files with added filename extension

Renames multiple (79) files with added filename extension

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 18:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 18:32

Reported

2024-04-03 18:34

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (57) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\fAkAgEwI\DsIEAwIg.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsIEAwIg.exe = "C:\\Users\\Admin\\fAkAgEwI\\DsIEAwIg.exe" C:\Users\Admin\fAkAgEwI\DsIEAwIg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsIEAwIg.exe = "C:\\Users\\Admin\\fAkAgEwI\\DsIEAwIg.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KCUIMoso.exe = "C:\\ProgramData\\kcYwYcwY\\KCUIMoso.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KCUIMoso.exe = "C:\\ProgramData\\kcYwYcwY\\KCUIMoso.exe" C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A
N/A N/A C:\ProgramData\kcYwYcwY\KCUIMoso.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2712 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Users\Admin\fAkAgEwI\DsIEAwIg.exe
PID 2712 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Users\Admin\fAkAgEwI\DsIEAwIg.exe
PID 2712 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Users\Admin\fAkAgEwI\DsIEAwIg.exe
PID 2712 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Users\Admin\fAkAgEwI\DsIEAwIg.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\ProgramData\kcYwYcwY\KCUIMoso.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\ProgramData\kcYwYcwY\KCUIMoso.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\ProgramData\kcYwYcwY\KCUIMoso.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\ProgramData\kcYwYcwY\KCUIMoso.exe
PID 2712 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe
PID 2652 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe
PID 2652 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe
PID 2652 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe
PID 2712 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2316 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2316 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2316 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2584 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe
PID 2732 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe
PID 2732 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe
PID 2732 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe
PID 2584 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe
PID 1608 wrote to memory of 660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe
PID 1608 wrote to memory of 660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe
PID 1608 wrote to memory of 660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe"

C:\Users\Admin\fAkAgEwI\DsIEAwIg.exe

"C:\Users\Admin\fAkAgEwI\DsIEAwIg.exe"

C:\ProgramData\kcYwYcwY\KCUIMoso.exe

"C:\ProgramData\kcYwYcwY\KCUIMoso.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1627298844-131678143313306368341720769391-2379356711920086128-110672310473201567"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYIMEYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "49146393015261400-212520228811450186176352053241058945719-2900258491611855645"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rEEsQQYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1925263937-2057195351515624297-1547913706-5952695213102872991721922631953625061"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ekYgUYsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UmggIQwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\skQMEsQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-112084610684894702-1370649712-1329002612135563303555949205210000877751537224710"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KUUwYcUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HUEsEQkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-186098104515085822201537874099-810072031427706475282946180305015109-28608263"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xyUoAQAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VokcIwow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NkUskYUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oWYIkQkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1099047453-529802781-1187498521516602878-63389389918086262351329176292-1891656337"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\COgoUwIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1082399419-1082356622-499279755-710670198-1589902662-97937004315892441911851718300"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GOEQEMgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1710783753616785828-503779777-918659961190009509-43797771-11782597411121966562"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aUoIgYUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qOIUEoEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RGQIMAwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zUgscEcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DQEUsEkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jgEQgUkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CMAkcAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sccIwgMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1510666369-1756146145-72465884913005055981735683418-151457175-212085084836250048"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gKIgUscI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-7404873761009631209-1407846499-14371072121358233165212699432720467370141090753530"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eWEgswQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "24655685894944495-1897457453-1655495823-1736000610-1159394205-97986669-549958471"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oiYkwoAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FAIAwMok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DGsUEwkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JSMkAUkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-4918905921666656509343238471825468657474507070-1322435561-9109861961059333989"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pWogYUsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "6161409031227176790-10816263991399038841-1380353501-1272704774-1398295075-1994602916"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WyUMooAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eiggIQEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2026633627-2238923911066452154-11057243918653063207799832031140066092-964578771"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sqQgAQQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sYUkIQAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1655526152847569909-2039711477-953970851-1182631340-6020179681442868645-606723151"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VwUMkkMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NisAokkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-771209974112922620207783142698026301843208827184542934270631632748087051"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JsIwIEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1519314381186581945868996921-17614620321206988575-1285929219-1968107276-911774916"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fCIIEUYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "9317829793799565141487331081-82619397754402009525260707-1938981139726842533"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lYkkAckI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XEYwgYcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15830652727238017861058808267-1853118730-871642219-15175491031416105573-39841432"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eyEgAgsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MCkccAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-101168433468078495512658364188991184919127688692006606582-1161096912-1640201380"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SgkgIcQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EsIgssIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-87263161670151201367859739515742942661210428441853167761-1371842314-1203596778"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NQAEUUoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2062518858-1920505060-6484153791796501177-9144486861402304085-1758183745138377820"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "201567352-651874808-11719033639024152018113743529726897887189990251078004821"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nGYcYEQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "486206210518232982621313108804791155-1202728341-1442515818-1154663045643377890"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FWowcsoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "3284999991171071081-1280936231926860844-1477993981-419533825857324830-1761341924"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1964525204-1736415451754714453-5370449008654863541741989299194833503126405598"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1797881571558656736-13317358061146600818-1859954270-6501989234306965591383376516"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VCYQwokw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hSQswQAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "49490096511530479657156228271829259330-4020261751397002540-4525629-1103417968"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YCkwEEwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "7738272341086824453-1176095088362404317-1897792353455164948308508131041419262"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ucUQscEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "11302793672758953651419436958-1022508247777216297-56637061930635419950069170"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yCUEcwEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CeIAwkgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BcYQAQYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PQAMMswY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tsYgAAYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2110047290-213653641878894647-963025646-1914362595-19901774161892723232-759955880"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VQsQogkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fYQIMgQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-6187954016137991402049870971-18794467866478881666699866411787883850-1985677264"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "771523551-13115544914241106302035874531-335689184-656116203-20632831451435243290"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AEQwoQgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-437992521-19159260952024256246557329509-653758060-1384649089924461299-1439788357"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1550068430352314821-1942346689700953426-5643411721168224966-8343086611885059502"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1973085023-948426858-133617942811566826201403361864-118879832-1001161454263677573"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ouMMMEgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19697021971428295563-13286464786614658481270477393984838871458756534842172449"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OiccosAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2004156300349936920-169520975810124328622110759656-786486664-1732274682-1079700751"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1959350506112951843140960789747311472-679755319-1085291366-1643519112-1671156940"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1295259339-912173327-1492937980194464874493158459313791754-1314846519-104228238"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-190242561818990022722003826390-239259486-212463899111757498691110793256306111679"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QWwIIMUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1462610779-1592251846124095605-1960639089-8265652681819121220-2021870461977641143"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-312794014-2083183585-28586431779402387-479830171-3332171956749852611821554265"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1951766479586158364-14377094131774149236-1591281839-122214199410716281682000933357"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "354034112001298207-1505111600-2118233224-992447246-187212783516894300301805548018"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uacgYMsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "592753580-1555007026-18340997884359338792122263239-2656969-10012017422016886703"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "973858357-285644352-1876639321735313198-751338192500449524-7280655541957001453"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tiEccQAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "8107450631003998117-425327028-7815005711606830055-2086020476495623612-1939904374"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1852840601-4804112731202216249419250891008607828337953473-999798230-2047672646"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "13349122301472168484-193007744351177805017991080283806882451113274892-530897761"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jUgoggMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-16151126061235979757-1497467107-12448319041604636986-1776118150-21165635211463431307"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "14925928475427524579473715932145550319102580801-678247229-18294438731805587395"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VAwccUEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-164938778312053970621575934159-10200789381034680436-80068270415726987041939767924"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VOwskogU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-557837327-745442582-127983422412045493711383472235-19686915751275524414-1148062643"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1558351744-286894523-1712165274-88855265020243473621230166831166878922-1963613343"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-854454800-1887605116-523753997-1396600434-1796443080-675067626-1706549416950284442"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GKEQoMUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2108424014-9985422166037742861533536739611122072-2111173590-18206012931280728088"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1605426600-1560289471-1124507254-1148917765-1185892009413029231189926268-1609311578"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OCIcEwQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-4766361632069783786-11178389081143366269-7072687768024279831177720691-1694567586"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1008746374323529343-1862098448-1277205170836881187-823919764-448231422-1704261268"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kwYkwcYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "140813442514764118491003031814691896671-322905917-404360023-560487552-1331230100"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "885043708-2065678038-3930925131109992940986645846-124601844246232563403574530"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-15720362582036559248-662653521344073334499546101-12716772751419656079-1009631171"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1856594940-146297150811321605331902228282-20205109551710761765-161249217694665409"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\weAEcQYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gEoswUkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-121853227198902023-1504127886-435532233991948186355566452-8617790251141369627"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-15388594967218365171902468027-17271968374716501751388915157-13647446621150224289"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SgckQUQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "142736208-1335394545-220926903-1665831609824613408500379989532420750-1847712179"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fkgcwkEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1921958302-288628725-828082620-16334355141820879831-804618758764088899906058005"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-6671799331819160702-166877603-462967378-1847317331-1220217043697644432-449603551"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5736014631592994589723367781-1326062184-1490923664-128564153743634264-337900238"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vsYkoMwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1235618165-1607512485-7218910181757940833769209012-159281701616677330-1528263371"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1894832633-8031509062694312-147831831516705426012119712378878244820-1300438699"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fogggEwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15747445473066269305553155575540129961950864229-346173554-16342714631689779619"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "18522301953132465601839188321392791905-884065266113248628-7329228081238838874"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DYIEMUoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1849307071-1973803353-327485561-183147226712184404221568933733365698478882126369"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2032530886-163668887616263323371306216368122015142961671403054819408791646924"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NMMMcAMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-324922323-95332623-19123832992075687340145013895-1040898862-6996340791683802728"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cQgYEkww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1835762034-1352777631974815707-1557510323-1479307640-93083425735798269-1198843729"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gckoMAcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1455202935312447723-718814161-1741641567-13774779-171068990347144202130016821"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5982706022081120411-11799012011185718641193764434976297101-405709169387588624"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uAQkUAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\agsUEIcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EqIsIsQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fioIEoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-378707430-2143931212337287475-2937578781421477116-1212067657-1444525531498183052"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RoMggUoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "390461437-1511669730-530741213-14059265-588629341965477281-114243279-1611738805"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HqYYQkIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1189273924180569618-18446387871103627689-125261555417928020661179494917-276449320"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1507112711-499907882198231983610338931992071712413130699563218667783391573437687"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LWIIwYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\biEAAYkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "12523344371685260387-13279623781943110199750059222-1936444889754393196-2001500378"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aogUwwkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "372814255-510552920802082816-21387108387257610532129420068-10217607211410372993"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1487507572181055948620975421141900826144-1307309259-3068849481891714495-1164341092"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EmMAUsEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1854262162-921876055522917566-1361609331-492725304283896278255241096-257152896"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cqgggIIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "9845287161972970079-19331166821597125181887609138264216320-5263452511212091478"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1243377061-1367804628-20465725271259636386-786479734102497766415457873591292920014"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CmEkwkks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vykogAQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PmgAAsQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1192147364841152387-169089220828825788-1029625573216417884-1250233174-338085219"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PkAMwIYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RYoQgkMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JGwIMQUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-513876251-18651339481732979127612378895800214899-7375201132830405161742520360"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5112685716051083751331625887-377068158-519182292-604315513-1547603175645304116"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gOwwoUUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19520764765563234151445252112-888220601762384275171489021161558554-1775813659"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5281786312659172481123482749140389681138240044965469810277105299937324755"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1071280857-2027904848348898933-476151060-138457643817915355781075925896-1953310488"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MKsIMsIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1190248847135249475966454437-554133139-1468418589469484682-1849145057593165953"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YuIwAAgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-115408461910386487661719543258-103877542510542282422036516978-665420747522825384"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-21377973391862324624-1372356449486400857-741269231-1927997101-1380351641-850321400"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-303814630-74269821912153100361840345290901569475-982427007-18751914681994874209"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wOggYQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15692494421453026255-532076846899660940-42797025-1898758144195859426-1149139254"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wCMUkcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1756133379-893780645103823361709230445160027140318996181301121971965-1285786084"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-762628510-346398228-1138439041-158106642542591618-1011023341633076149-1525558453"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1549682458-833686495-2039153334-176234845712120903371947049681-1466330198-991858126"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PyYIYwYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1927300859-693134925-13619694691463153564-300505915-198751910727910357-1515767640"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pQsQkIkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-14569237541036611359652738495-1305560564822325697-1685959961-13803289001949677311"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "6722377368831586431396673844-1657674228-117977579491906572213254105031670424894"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1561469280129634677116916558742036677499468453520-20281969521838789465165502149"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vecYUcQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1159420075-2003358226-189921675620061185191431249672-2033884154-20239464071047324657"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-725410938-16486686041649202374-1324529514413521325700375898-2061078525-1410475963"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "10887189901199686897-260168696-1357516547-1799735952-678705231501670051266720346"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QQIYEkoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "453555210-8167215811354249046-1177383756-993560103-1544637982-88943026979127172"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1816678376760952078-1781888518-355850365-1566987923-120910986120571645771095160252"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1995694874861121599-806388395-2015688295-11477985271791700485-1827846954-811148245"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-148792585-6931598896533701571635109201101882755813436056691765002907-869236794"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cgUIEQMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "203646143093283235037830321913766494961896674013-787680429-1156033910-1537425500"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "716680395398018311150855003-18624089392045426677185278096436117372080702349"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-249487784-1928533325-3782788511786418510-1623588579-1487590870835603627-1766643915"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sIUQYcMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-42265536726057298205501491-201022230-13346411971553165753-4129512221567775578"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-18736294461957979489297221293-769561854596348275-931159901244166732-1740742928"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IsowUgQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "8868836021753866129-1881280619-19650456691219851238-920264798-1409634665864890354"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1324171521-924400111-1958704759696806311690904202-1401535525-1836245257709773775"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\owEcAwUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "22845721845501136-825163887-68513254-954047751049868135312989431-1086293060"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NoIEoYMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "146188981326906678849309751213266461641219374597-1255057414-10997640011920977411"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2117731368-712764985-1129082145-782724904-921440031510440163-9406994621203198910"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-434353659-2038979341367407893-213646894812456883132067045260944596104-928138304"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1990518031-549305888-1273402982861646470130887143-697114841-1907741464-1099718771"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dUcgcQEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "186039155710866146943807426-338629921948092673-1930188983-759415718608663514"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fugQgQwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19555404611690570430-19259569491398380891903107501498860751-14771403321118277978"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1692962795-4836297361498646901439673240121520726-1400560937296496618580404797"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WEgMooQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-20975390971492702706-884654087-57663986715664397462048504247-1214835130-168161415"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-447410082-30733936752758019-1355432295932819964-1165367041241043518-1429974759"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WuEwcocU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-430562983552122865-1891947343-1588456651-750722245-7250089831611558113-396738707"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "443296453-77846003410849051201287761715239369713-915574217495112255-202460319"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SsIMsgYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "6626432861557371442-564179352-281509075-91785847-537697321289785356-92722748"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "930675380103263023429430505521455242353742057081573225242-1049158073-2009631627"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "701348360-2138290791895274619-748814695650971173-1954908705482322961-1298407600"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MEYYAAIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-3860109781259772752-1124813973-4012982291093575554-11510920752026041028-1993200251"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1602674157-1593960936778576441-2097924738-321914965239135336674842160-685433130"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jegcUMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-103092713339677001-783146439-1862172648-833498921465515357-467984043-383590555"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "640918623-13922940263962474521154482912-2982012741674699657864526588-1670927755"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "56294220-738043336-205222542-2141823510273836646170997887-1405412517-1755858118"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xokQIEEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-16166893541370483679-19800084681658117035444143658653227052-1616287097-1372999987"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\taIEokkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "101231305-227757530726841387470680003-2017989172184043411-1590792996390361109"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZWcskkoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "161809975617344028033560715651958269462-1530862522-852986174273373087-613084648"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "442679493-13974157831616891958-447894590143330633310341149761716739542-316062672"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1162195529302895697-1379913690-1914661319-663820506-162781876-167859674449698259"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cEwEkgYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "761406232-2085215883-12266644807514167261762942440-1859818505-1753587846-2054990167"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-712297717-934777865-113903216187543821312602789661001830134-49046894-1210886042"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2055980963-1342925636-1549059767-12412150332041244131976611960-113844494-857890106"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "6755098171208681108-1408567611-185981138112935279915912388251758678744787203757"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CiUssEIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1561934173-2024324374-1263229861-140536413-1753304828-1959715749-268080738219048104"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1539225313795465433-1662769667-20998660871935691113-1320582213-1609002330-327184780"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eAgQogcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1252340983-9305211991164250169-2008405618-148016138341631073924272102-1661581448"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-662282068-135300522651684303-20002766732099897892-998829046876538942-1085560689"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1040191196214782910430807980-140136801692909797-6855931131780975647-703462616"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xucAokgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-623062061639571151-1085956946-1872806996-269512262-1481662533-5193998731688782029"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-939226381-395192563-8713542371360909642905736164-11642022531870106039903060930"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.200.46:80 google.com tcp
GB 142.250.200.46:80 google.com tcp
BO 200.87.164.69:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2712-0-0x0000000000400000-0x0000000000431000-memory.dmp

\Users\Admin\fAkAgEwI\DsIEAwIg.exe

MD5 de82f4f85e8af70c31ab886cd5c693de
SHA1 6d8c47cf1e73b6ff0068eb7db94a2efd5989da0f
SHA256 03c43a8f3b26c9dbb70ab755baf3ef8063b065a83acccfa2030f0fd0c4914829
SHA512 910477dcf7fa6908c2e4af094215dc1d993436d8e389d5e5b7cfdc3228745973b77740ed282e62186e705eb31dc33e481d1cdfefc0787b2fae90f8956d7e492b

memory/2520-31-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/2716-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2096-105-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2800-104-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2800-103-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

MD5 5f6870e505406f5a8e8fa594b6d5bafb
SHA1 4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb
SHA256 f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a
SHA512 b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

C:\Users\Admin\AppData\Local\Temp\sycQAsUE.bat

MD5 ba90590370da30190f1d29b0a103a130
SHA1 8928f081c194a0e7373fda48aa5324682f7b1594
SHA256 79a4c025f49052707445eba7ce2943aca487f61a62e96d06d472ac8d11784299
SHA512 22daff266265fb9df73716d47ff8f827122327fa4188041a375f9b047f3de6b2ebe747b69c26af31505c8db3b360c1498ba2d40cc1145d5e10e6c1cdbe5ce5d0

memory/3040-128-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\skQMEsQM.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/1648-153-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2700-177-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2580-199-0x0000000000300000-0x0000000000331000-memory.dmp

memory/3060-225-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2756-224-0x0000000000400000-0x0000000000431000-memory.dmp

memory/560-248-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2384-247-0x0000000002260000-0x0000000002291000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jksMMIIg.bat

MD5 7e320a811fa751fe59bac7a875ba498e
SHA1 fa9bf043a21b6683fb813989dd53d8a3777fd491
SHA256 cceb1691c952b1d9f7185c6d167ca77fa9e2fd3a9f09e556d4f3129b1f1d9a3f
SHA512 af1f1746e629b7a65d501fe1c6ff554deaaf94cd7e8fc6c7c3b1182e76d22eac207dee208cafce6e1f729b9fe2062f8eae3decab7ad7cba67a3cc78675c23236

memory/2348-272-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2376-295-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3064-294-0x0000000000310000-0x0000000000341000-memory.dmp

memory/888-318-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2460-341-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1900-431-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VQYEcIYs.bat

MD5 59d82a38204a31be1fc2432e30727767
SHA1 4898b36832a7155ef8effc8963dd91eedcd30832
SHA256 e49db557e7cff24cf9c3d024af18133de355d30c5e531d37bf4c4a22dc8eb6fe
SHA512 3125af1d2480e71bcc39aa25df977d489e63e6e071f663d6dc838e86025ebd137094334e7120f6daf537f77dc7bb7fb815442840b84ec4de88de173f8fa9f179

memory/2676-456-0x0000000000400000-0x0000000000431000-memory.dmp

memory/360-479-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tCIgskcY.bat

MD5 bd73b65cabe790b65ba2384897cbf1a9
SHA1 fe5f239be2a060166e060c6b714fe0b8be5ed091
SHA256 9797cdc6d0412dc6f36f8d4c41f2358d9fed042de18e350d6c4656aa950b8146
SHA512 5d823f777e8446707ab585bcd3beac1e847e2335e53c566d3fe44c69808faf53e0ef8cf07dc2c7609aff4940671a5427998cfd8ea13acdcb9a006e990a540790

C:\Users\Admin\AppData\Local\Temp\GWQQIEcg.bat

MD5 d05c61c7995804be46e510a5a70397b6
SHA1 3d3c9d8e9966037a9058a17a50688bdf6807b513
SHA256 13f988f26fd42396171c2e7bb96d56cde81c11fbbcd2ebe6875a678f26e2e988
SHA512 e073cae0827ce2996c6742c86cabe511f4f4cb35cf4f39a357ab85707d581dffe17ef1cbce526b0ec450208152a122ae20e7c54387c5d676a83f92b97458285a

C:\Users\Admin\AppData\Local\Temp\WeUckcMk.bat

MD5 4b52938b66c79f3d112ddd948d79ef35
SHA1 cb825570c28579b36260ed199999a3803f8a3f4b
SHA256 68017cd22e7c534c4da8a56a5ab2f2c1315d98e3bfba11f60b5e5e32396e8ba7
SHA512 cf1dea19a912a1b5c6603582b032b928159fb02b756c41f47949c98b3d45291cc2a59feeac778acf21d217d0bf2de44eede36d7e42f4d28aabdff5eb01b6fbd6

C:\Users\Admin\AppData\Local\Temp\GMYgMAAc.bat

MD5 a170cf65347a0433d4917486ae47f48d
SHA1 263c7531fe9df1345aab947572bdd777c7b616b3
SHA256 8324664e6b40839dffe839aca080c6d01d42170bcf010ba09251be431c6836da
SHA512 354d803091c5ff4c2061e0a85f864377b8514054dd1f59f4516ee2b55d05dc8d3a51b89fe8b5c6ab78175f619e071dfefc1c7463fdf1bff2f41fce30a81ec15e

C:\Users\Admin\AppData\Local\Temp\QOMMkcUA.bat

MD5 73019a369e98c1695db2277c5a805a75
SHA1 9fe2e648992743b5b43b95e09d1c9ff6b560e997
SHA256 55abb01bd6efe12e1018c161743bb304ca14993b6ae6d28d85a1b04152c5476b
SHA512 f2d8765564e3077042c1f7c075811e9c59f2e53c50e5c4624306d955d77f7150deca5ea0379661c54c692961f5d0d8578597e1d4932bf17ad5c08864edf577b2

memory/624-478-0x00000000022A0000-0x00000000022D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yIEsIYoQ.bat

MD5 beff839e9878ffa8af0b9612936e708c
SHA1 7d48c8450893b8075e8c2c9454b49689332d5a71
SHA256 d96e3e5ea7644e30d512f259445375e063f6bfb26cfcdd218baac7a33b6b8a5e
SHA512 79a01d8935492da83a465377be70e2dfe699a280fe0288c716543e2e25ae7013cb8276d6d0c86ce4eed29c2cd5f7c124dc9b770c9fb502175cd8949495d87f16

memory/1900-465-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1668-455-0x0000000000170000-0x00000000001A1000-memory.dmp

memory/2956-440-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HSsAcQEA.bat

MD5 446e326cfef36910ff6b92e1b277735d
SHA1 eb1227b591e270f8025c410a00ce7fed21dc65af
SHA256 61f3f98b0b3df0c37cde512196d356f31d6cfdc48097c3d72e2d3a179c264587
SHA512 bb6ceb3fd88ac72bc91b2b348e8669088dcd4b61a03acb6784a74890667e3d96418e539802257aee618f7293ebb9c5c0d02bd49f726db64159fa1c367437f826

memory/2744-418-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2956-409-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dksgswYk.bat

MD5 dab3a69d3bb97c117fb053a0812bb2a4
SHA1 8475334e964f32d135bcc40437c13e70e0f2a910
SHA256 c879227d40908e78304b4c6a777316929bfce824d66cf813887c1f11d435daa4
SHA512 c1610211df3f74d8972ec875afaaea336d19f841829ec6593b75a4c9af27498a5e1ac12397e6df2b58e5d517fdf96fbc8c51a956344e6229ce72eebf608b696a

memory/2580-396-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2744-387-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2868-386-0x00000000001B0000-0x00000000001E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NaAwAUcM.bat

MD5 eb2be101cdff52b1bae26adc336fe15d
SHA1 28f09b2801033694fa6995574d1d027abaa4a197
SHA256 5d5abd6c0fd2291e9d421a0f83bed76b26c7670dcf848c62929546a5b7a233b4
SHA512 91d6e528d60e27f5a020a31bda0ef1f3a124a46e4c0eb9ca0901da9ebdd251f915fd640e441bfdc5ac2bceebb89a08a81b868c5b9f3ba91532998b7c382441d7

memory/2460-373-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QQksEgMQ.bat

MD5 b3b74af0080be76eaba9ec453377e52a
SHA1 bfabb72fa96950b37516c023ee08545af51fea5a
SHA256 760939106cc0d5a28792c67367f519059574b2aadd300c0d24743c59c4f9ae56
SHA512 385bceeb331cfaef8b5350f9bd2023a072d5af2a541c4154bbf5511616016ab98dddf468d07b5b356af2000bc763aba194f2430b8fa3ae2fa270087ddfe05cc0

memory/888-350-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1520-340-0x0000000000190000-0x00000000001C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OgAwgIss.bat

MD5 e05dbe1f10acd284710613805e7c31f3
SHA1 e3ad0f238784e6e359955db7ac565985fe963c78
SHA256 e88490828339dd83be273fa11d4267c709beda17a3df4129afe45eea538ed030
SHA512 0b8bc9369443265d9ca3fbe8421132138847cf9f9af72312564d9f33bbc47b26003ef4261515886f2f8f8f14dd2022862fa95db66a5274329160eef2ec1cbc22

memory/2376-327-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2472-317-0x0000000000260000-0x0000000000291000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YCgEIwgc.bat

MD5 48f6fd80a3ae8c009a6435301db980c0
SHA1 1f58148e689bcc11c4f7079539c88959d43ac2b0
SHA256 ca85ead836f3dffbd619f50ea720a48754f511de854ea370828ff8297a1efcbe
SHA512 7c9469556a87a190edf7d9ea502fea333c296d7c753dccc353ae36bbf4b15012f081cdcbb7ae2de237dba1ff7c762235e67d9b847de06a1d8f31fa06413dfd05

memory/2348-304-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UQkwEMAM.bat

MD5 1bd994bf5872e58fcb8a3fa3120303bc
SHA1 a8535d771f7c090b75a65d593641f397588f4a74
SHA256 ca317e6d6faff9ff34a63726ae2a9c3a8ce2ab59ec3c5b252bfe380928dace44
SHA512 53b3edc319973125f09871d164dbfd56e59602328d61ae2d93179205734f64b93a52978e3c0b793c23dc75b8c0686a9a5c0ffa378ded38cc967083b2f6e3b24d

memory/560-281-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TwIIIkEE.bat

MD5 fd9be8bd322da17c1fc0c87bf6ecf9c4
SHA1 35a2461360a32d7067c725440c946f2ecbbaad1e
SHA256 67087712dedce9f17428146c7c6778ddf32394bc9440af28948968586e00adf4
SHA512 e1c675b5cd09d18f543f1dcf8bb1211d333dadc81c7e2942b69809f028a866467a21ecbefcc5416487fe91dd4dad0c6bd75750a3a9b19bdf2cab02be4e30f21b

memory/3060-257-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1636-234-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2756-223-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rgwcUcsg.bat

MD5 53b6da0ca6c0142e7cc5b1fa853a04e8
SHA1 968c90d91b28561f932fec213c873e9d8d70a637
SHA256 36edd4ff1dd82dd741a2bebe89d0f6bdfac3e1a4a0629b0a65b10f48197ba881
SHA512 03ca10dbd1b864777a8231cc5a0fc0627ee75323a79174e9b4a4dd453dd2944e55742328c6143e40e8cdafdaccc23df3590c1f33216f475851ed80005d032864

memory/2700-210-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1636-201-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2580-200-0x0000000000300000-0x0000000000331000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lcIQMMYo.bat

MD5 6045727763db5dce5a8f7db457df4b42
SHA1 d6e0138387ec1c5f10757d7c2c9b98e13b084cb7
SHA256 85bf0f4ee02a1853b123a003416a682ea59bf40da2fb0397dc1d5522c48cf493
SHA512 5460a0dce7412754eef9ab5445450f3f5d28d5fba88d646903353dc80929c23aaa4031e3a346b769fe27fef9112427d05f164228f6ba12fc469b8817aa9c4c9b

memory/1648-186-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2460-176-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2460-175-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jQMYUYMg.bat

MD5 9187cdca1fe4d2d65b8dcf9cb0bc392c
SHA1 63171efe068c7dd96bd150af822f95a4b7176183
SHA256 e86a14602642c0d2c927cbb7c2aaec25d2f05c38f62c873ff7424f0a7947fea1
SHA512 e082f2091af62b9bbcaedd4ddde32a77d991cc7209a81883a4306ceb20cf97b9f659db177a7dcf7bf48597786b90f02148f93c347251a3c86bb3ea0396b27419

memory/3040-162-0x0000000000400000-0x0000000000431000-memory.dmp

memory/888-152-0x0000000000270000-0x00000000002A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yKkEoQks.bat

MD5 23fa351f1854877f67648f0f20472ded
SHA1 4f41d92ac363bf5e3544bfea146cff6b38699aab
SHA256 a9fd7fda1d01dee1bd7e809290769f9c2487624e3861118c29174e872f9be1ac
SHA512 75c42f1f9e68aa7d60be5ee3a3131c26727ecd6e0470a2c612938d7014276906bd56bb12cb71d93c3ce37d8a92a7686e36b7098519971e57138cfd1e182e55ee

memory/2096-137-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2120-127-0x0000000000190000-0x00000000001C1000-memory.dmp

memory/2716-114-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sKskcooM.bat

MD5 9831f8ad57d309467175e6f5c31c3b52
SHA1 ffd42344dcb9e58ad6e62914ee7063ceede2ae49
SHA256 9f7ec34da2ef5dfea81fe5d1e52c550d7f81ca8229b4af66b30cf72a7f655d3d
SHA512 96fa9d03cc8fe7b0bc32fc937192a9e244e210eed7e3be60bcc971fab556ac9cc4735de18665ee309679b554748e98d75fca67c6cff2ceef1cf881407e9a2408

memory/2768-90-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oecQUIQs.bat

MD5 79b79b49aff710d3676540b5e081ac5d
SHA1 98c049967e66fd6d09a7181704bbdc9e5ec1ecdb
SHA256 f7d4776ffd5b552548e5cdfae5c80f5e9704610580ac9fe9815b4ffbeaf0635f
SHA512 3cc3de57fdda5d1e4037f2a56526df3837e564ac51fefc3e577fa71ac0730dbb04d1f6c4b1174b1a6a06b59f469472b91acb3853901ae54f67aa9547d4820828

memory/2584-68-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2768-59-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2732-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2732-57-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XgMMkUkg.bat

MD5 7b836afbbd35874e1e6b1b0f5b5d75f5
SHA1 50706dfa4ceab1cbc4ed947b33a9ad83cb8bbb59
SHA256 176e86ef00dc519100ac0d35c88e75c052987e08142aac4e683b1db1fcd44c24
SHA512 6b23e4a60e8244a2dd8c00f715ead26e50e532bd288a33cbb5c6494f238e6720b33354e959a6a9ce3c794e31185a07c7d875ab656b9c8750b5dfb217c85e9eb6

memory/2712-42-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2584-33-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2652-32-0x0000000000120000-0x0000000000151000-memory.dmp

C:\ProgramData\kcYwYcwY\KCUIMoso.exe

MD5 86d9ad531c73e89ed7a0585d874c8c58
SHA1 d0421e55c1768d50b9733395fbe8b2fbffce1cf3
SHA256 6a6cf6bf7c206669e4d20104a908cf3c5704f1777a4f2fe37e0b88795f3f3c03
SHA512 2dde4962c3f78f39aa6988d31ed07ad9260918e15172e45993177d6254fd3c656f2ba923f9459b07be4e92c2806150bffdc532a02f176f8ee16687e2b47ac6ea

C:\Users\Admin\AppData\Local\Temp\VewQMUUg.bat

MD5 25727994636998dd6a97a47d50e68e56
SHA1 1eb4971429b030739eaf613677725e1746c1bddf
SHA256 1f37ef28c108b2793aa36a66ee6522dbbf3233ab48ea8718bd652a38986374a9
SHA512 3f66b72de6c680eb4300570890d74eb994d1076b2905fb75ae5bfdd290f132153e8cc80b269879192d8108243ef8e6c535033c70a886b703ded403c956cb4e98

memory/2712-21-0x0000000000460000-0x0000000000494000-memory.dmp

memory/1800-14-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2712-12-0x0000000000460000-0x0000000000490000-memory.dmp

memory/2712-5-0x0000000000460000-0x0000000000490000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zAEwckow.bat

MD5 2827be5ea0ff0c27f7680e238d95597a
SHA1 345e20e5a6003381e879334d9aaf6970136c4a3f
SHA256 f0496721c40f370c2483a445157302d72b608224cd3208a297969abaa3377832
SHA512 07192120e60174082cf08642daa5a9b2b1fae9805ce71e3af4b113fe09a093d655de58e2d817fff1691aea1e7a6407071d830b94a74743f61c79e133ec31957a

C:\Users\Admin\AppData\Local\Temp\ncoIAMYw.bat

MD5 ed20d63242b1c723b16c6330710c00cb
SHA1 baa93b0fcd5acd538f34e13906f7bfed309bb768
SHA256 f6fdf71a35bdd2dbd64401226e81f6bf31c71b00d6b1a5b53bdb2b11176bda78
SHA512 92063ec93600f286d55797534ba13828378181691b872b0d24eb073b6ddbf66c71dfca43b29a4edc1e221a56cd903f56636405def2ae8451dec5d9d460ceeca1

C:\Users\Admin\AppData\Local\Temp\NUYYggQc.bat

MD5 65cf3e69cc2b77fcdfb9ddef7391f4ba
SHA1 5d06bea1f2898976607c645b4be2e60a664931fd
SHA256 5756a00d5482c85f0939dd6ae17ead5379c5019466a50fb3bbd220c5802c57e3
SHA512 3a628e0d34387ea1ec5ee25008381c015caec2db764125ec4d9b2560673f16b5bd9af27d5cb5aac4b53256df16168113d5dc093a2b9450e2182ccc12c8609bf9

C:\Users\Admin\AppData\Local\Temp\lcQgEUkw.bat

MD5 83a93f245891b3254fbe5e2248a9db23
SHA1 3d63dc491c7b3064dcc0c3801e3c5599dd30fed3
SHA256 8fe851b1e4a026767348012874993536725b90f48e465d34feccfc0d59bbd6f6
SHA512 1959b1f9e59912257d66c3b01bbb37fe888461a6fbcd2421d500d5d06ead3405f894bfa6e86b46a56c51fa319f6c83155b74f637194e4446dab62e5fd82385db

C:\Users\Admin\AppData\Local\Temp\gOMckYEE.bat

MD5 9e98272d75df25cb9543449c4d9af446
SHA1 b6e1a94d08f1811b9e22f3a1cd9e70f16fbf5b26
SHA256 e0c3ef31768a6cf6aafc5521d27d316eb3324260b492cb6e8edb6105cdab20fa
SHA512 f806ef23860d2624b117c7ed3f4676c1a75038e96f6486629736f8c3ca9cb53b6c460858e638464c806a90ba426480f2686322d7fc693b49acc3c71207cae63e

C:\Users\Admin\AppData\Local\Temp\wUAwAQIU.bat

MD5 288f0ae14e31d590f5d0fa60b2aa61c7
SHA1 4ee0b16a358a82a965fd6294dfcd46c5f0bedf6d
SHA256 f78b189d4146092df453be69f58fbfc6a6d55cd142f231d6dc9f400e508e061c
SHA512 6b555007db4ab09df6e1b8791395ea91737f70333685445c19f757ef30992ca37b31354a17d7fb38c68ba557dc5bb0e9f14ed4d00bdbef3995ae15fd5620be62

C:\Users\Admin\AppData\Local\Temp\SMoYswgk.bat

MD5 61933b23ab2a66e6d1e3a2c5ad1866ab
SHA1 8c83a81eb80e51fd791d476bd2dbbd9c05bd7fa3
SHA256 387c0ff690bc47718e11e78253dccfd8788f94fa23961d3521937dd7b395a1c8
SHA512 345cbccbd07c090a781c36925f8487d6bc43766ea2df682016db838bdda3cf13c6f772c5782a642b91b70198579d2b2fe226bce0f25e46df2444b74463a94770

C:\Users\Admin\AppData\Local\Temp\swkk.exe

MD5 783e77f9a41062f9ae0c941a75fd302c
SHA1 34c7d49defabeb01bc7bab74eb1347fa3f9f9710
SHA256 381cbea5ad7d73b7664e29e5edf6935cf5b21a61f221f45c9057a86a8dcea030
SHA512 83b0dace3f6d923f2cb2fe75223dfd140f53c548d077bd83848accc8b11d594882b11194d8d0e8b87cde5453b2fb29b80d7795fdc247b4a28e03fb4eebc4696f

C:\Users\Admin\AppData\Local\Temp\dgMMoMck.bat

MD5 ef72bca4bb906ff1e3a006b091bcd909
SHA1 76172f02d0a3d941393fd47f731485b790a94999
SHA256 2f3515676c9b33987386204215e5c2c9bf9b0257e6c0f178a24b36a779b7b565
SHA512 d1feee28a6e8e69b958af2dfa269002f2c6213a73bbaa59aeb41425019fb26ef11dc04de7f5182e79b624c0d690bccae571b51912b3ca5c4a3eb15e3a480370a

C:\Users\Admin\AppData\Local\Temp\aOoEEQUM.bat

MD5 2c8e1d94af4580ade7068cf922de9215
SHA1 243e20239716ec57c242a2a71cbbf572c43b04de
SHA256 9efe43319f8d5dac31a967157fffeb66ec0b113eae0ab12e903782445e4eb03e
SHA512 c0c593ed2782aec71f746a69385afb23734228a8cba2a0846f90d778594c30886bb5f3393849391e1f2c531272be1fd7d260e2743a2b64e6344c11361efe08cd

C:\Users\Admin\AppData\Local\Temp\DOYwIEsQ.bat

MD5 140077836003f601e77470750ec74ade
SHA1 6ebdbf604203329a3fa278ae108e30a4e94ad929
SHA256 ad330fa68351dadb5ba4ff11d6848ec023b2a50ddd5c8f50f692cb0ee2fcd010
SHA512 ccb2fbc714858f4277ec5651bfd7c4647280c6de3b56d66179481214fc517a9e392ff290afb32356aadce207cffc8ff85754211d4c2e880f343e3a5c199789dc

C:\Users\Admin\AppData\Local\Temp\jIUkMkwQ.bat

MD5 7c3906f494762dbded955777356f2412
SHA1 fb7eff6ef512b78c6539e266de876419a9bc801f
SHA256 a1ebc1ec05d8160075bf7e4b638d12af80715ff971461fc0f0cf0e86193bd3a6
SHA512 d8365955950e6a93a1453475f2f6476da124e89e8c6c7b995cf84c30bacb3fbce7c56f84ae8eee1f723323b1e6f5dda9ed4211e6c556df87baba17995db57737

C:\Users\Admin\AppData\Local\Temp\nIEMgosg.bat

MD5 ff66d2177368c71560839ecc5146693c
SHA1 59ed5e47851f6081b14c1887dcce76540957f466
SHA256 b5e3904df3044d069c6c9a0810102ba8835f13bfbe530e705fb22add4af50f2a
SHA512 62f7bec611eacd467384ca456ca9fecb6db6e1cdde4eb5cdda367b843d4c4e5ccf603eb2e9850c88fb62e45b3f9a699fc075596839125dbeef951cced85bd5a7

C:\Users\Admin\AppData\Local\Temp\GCAAIgwY.bat

MD5 780c29234023a155b6c5d0bc178acf41
SHA1 2823a7a2983a9c269adbdd988a11e2617cc7a711
SHA256 88e0ab6d4a3740dc3cc9eff8d6d1699b2cdb81fdd0b02799f65f543e4b163b5d
SHA512 5591c670aff4701340288d3d302d42ef1ef52305cafedcf56e6e49f68e3a8fa8578214941601a1f55b0cde8c2fd9d272b536fb306bcec28f37af4af48a863ce8

C:\Users\Admin\AppData\Local\Temp\cGIQoUoQ.bat

MD5 333f2bd8c4a96c85f41dcbad6afdec74
SHA1 6980fda85bdd5a8788987e319f929ec3937ed98b
SHA256 965db32ffbbe1707a9118a7a67bfe462b48f250ff457327d66270f290a4e26cc
SHA512 8fb99c5c95a4b5d39842083f3551b74f9c1689a6a13739dce2f79bda9f180fe7412a78cbad1732914aae9d3051fbc2b6e19730031f324f2a5b2371b2d42e7dd8

C:\Users\Admin\AppData\Local\Temp\jWgQMkQM.bat

MD5 43e679bb97f0e51ceb923b9e553f77dd
SHA1 a2da6f6d552861fdf5845cdf6537601bce58920d
SHA256 31fed2e457df6cb0ecee0c656a17c29243c622e9559ebe86a634f992eb429463
SHA512 bd412e59d889d279a7367d19d957ebbbdfcff2d58c4e8809c15af055f3b7f44dc3c3865b8a88bb8dfd7db153523be2a1c465018e2e6dcfca001a27b8a9ffcb05

C:\Users\Admin\AppData\Local\Temp\AgIMkAII.bat

MD5 34b7165e0b2a9ce14f3af0295d28c4bf
SHA1 8ac35267a5a171a6568f9c3e90f68f00bc78fbc2
SHA256 9f81f33b87604a945468a425831670cd1ed4b360b018b176500f95826e3bf7d2
SHA512 c131b0c8a118b85f45ad78bb7f57492653c2a7c6915c08613490ec8ca27e61f28f9d72e92bbab458e99d788848d66f22a7c78c19c754f4d6b85b8a75778706f5

C:\Users\Admin\AppData\Local\Temp\mKQYwQwM.bat

MD5 dd4e8530061ebef720777b2b8c17eb4b
SHA1 be8a4c4d31a7e68cc0e0cf67cb7c186ba5048c11
SHA256 871320a3a52ea7a6f58b20b1779e3be1fab0f2efbcce64ae7d47202edc82bd02
SHA512 58830bf39216bbe3e04747441a4d9d1ef1d81db7456ae8852df04c675d81ccd6cc9bd80ee8033a5146142ce8d2b2eaa31b8f2de01ce8a17b580d933cbfc1cf53

C:\Users\Admin\AppData\Local\Temp\hKwwMcUA.bat

MD5 b6993d93b131b8ce25c440e93931ebfb
SHA1 0871d272808d4f0a2938c89c805248a667e6804f
SHA256 1fe6b8f0c654783e60a9aef5f61bae9830b528595dbe200ead6d9afa0eb922b6
SHA512 078851a2b184874ac882f6110c18cff7143a1a8947ff3ea1475447e3ff841fddc3e5f3fc2b69f399e34ba9e033903ed38da3db3beea8f8949ff4feb4c3f952cb

C:\Users\Admin\AppData\Local\Temp\nwwkAQwk.bat

MD5 362dbfbb88dac2b6ae26db9003beecb7
SHA1 361d3f2cb446e752c7aa92184f150bd26057f7ed
SHA256 a65c8c200f49910241e975cb4c9bc5c80041a2f491b27f7313be84823065f028
SHA512 04e4d518b920a035339970bdc358dd55387e2e5c0c5d1be2c9bd13509a90c1b80ce42ce45716d1438ac24b940202be6607ee2b1fe166a8c9534250fb39c562bb

C:\Users\Admin\AppData\Local\Temp\LOokYAMM.bat

MD5 ad13f6a446b32d0a6bfb40c518a7759c
SHA1 229f99401bfb64efd84d7b8c3414821058c9d06a
SHA256 d53e413966f9997e762bd41de9d01a8bc748c295ecfddf0400d5cc8a0512ddc1
SHA512 c09d1c73b311314244a67d39494f32433ce3e20a888723c2133ad9b72ab696f07559eb1d70ff549a1f5ffbb312fdc8f29ae85b2e3e89ec0b15ae9903cb9c8d66

C:\Users\Admin\AppData\Local\Temp\Nuwwwksg.bat

MD5 0cf412df5e81fdcb00f705fa6bf58f50
SHA1 7f1b92c46b381937082900c7416d30dcbff67dbe
SHA256 7a7172847b38d3912a02de3f74c7c481f593586f768b1eea40266517363c752d
SHA512 5a2de5e92aee64dbdb11b9d4e25b3c91288e7687f502b5de438bfa1ac2192cec998e33c1fff2490c6ef83f9f350ebffd3a98074451e149e915d0437ead1e5924

C:\Users\Admin\AppData\Local\Temp\EyoYcEAk.bat

MD5 10cdb64475cd791df33be544de276eb7
SHA1 dbca8a87ac7c5d27957d5f5006a7216bdd6a272c
SHA256 6c5dea0b402b041160c7a89f45c27d05dfacabe3edbe67575db80c02526e2aef
SHA512 545c8bb47d5f4d44e486654c59cb35085c03b37d1c66f4b4cf9ef96569a7eaf06d9c877cc64bb92898ef9b31ccaccf30dbf43d5286c18544873d4bacffff053d

C:\Users\Admin\AppData\Local\Temp\asgUksUc.bat

MD5 eabc37f6038190382e8498b562b32a27
SHA1 46234ec4adfdd9c28ac1781bbfe81b340a5976ea
SHA256 14cb8613da0b3b9dc021c8459044ccebc59fb0fb31937d758ead8eed12f8efe0
SHA512 d98db82c1275585b18b7bfbb092d84dac2dcd75192abba852f335e850a3d0b9d091758f0c134257f8cbe4a77e2e3f4c9159ffe48165d022f2e34f6f1bec5497d

C:\Users\Admin\AppData\Local\Temp\KissAsYw.bat

MD5 d61fad2618362cf5c2392d4880e3f4b4
SHA1 4dbc43957024c86f07374b147dcca5a43c62318b
SHA256 79d4dd13c51d4e8ee66c1052402c3d97c70982e9e6091ae6846fda2c867a7d90
SHA512 ded677cc8f8fc25053ba7fa433ca2644c679083a906c65532479c7c7ce79dbca949cb6381eca58864bae8285ed1e785689aea5146831354f5eaae5be4742997f

C:\Users\Admin\AppData\Local\Temp\GCwAoswU.bat

MD5 a48b5f4cf102385568769b164b31425f
SHA1 edb5c8a9eb89fab7555b632276c1cf71f3c758fa
SHA256 41128cdef9c732fd921f793bc6ebe524a04dd281bb0773ca9018ef49a463b04d
SHA512 5cb2f243f587363e73de579f6b3e26cd0f89a8e958194d945d1088e9aa0083ddb3018b2b15b1a9366049ebee94574588fc41efed9417eafd0180d531bfa14e15

C:\Users\Admin\AppData\Local\Temp\SsQQgMAE.bat

MD5 9a66e3e8916def0edbf3f99d70803b84
SHA1 e044efe7679895a675ba0c0d12559f66a8727d51
SHA256 633c96cb197240a61c39934ba67572e3d5c94c0dc6df3c3624dfbee76faa9367
SHA512 547120ca696dafe30b9c5a336df5b6a2312ebd17228e68510a080f7e50bf799ee6ffc68b12885b8413baf76fb98674035efdf56810f8a4ac3d37e64f40dacf45

C:\Users\Admin\AppData\Local\Temp\yIYMcEUk.bat

MD5 7b0d41b6d487a4040cb90751a3cb60f8
SHA1 edb9438c4d1052d7b49bd4be219ac588c4e4766a
SHA256 912b6fcd1ac5e96ae3b85d43600b0cc7b1c6cd5784ccf754d2909ad0bccd1922
SHA512 7c32240c1cd8401619fc0be1189f7058dc978fd166bfe0be616eb99a2123c7db857a049c7385b6e4a421a3242e5ae39be34678bc6e1dc9d206e63e5c01aed698

C:\Users\Admin\AppData\Local\Temp\POskowYc.bat

MD5 7198afcf7f05232f51bd044e4b32859f
SHA1 ca9c2c525e9fce0ffc3d22dba1b6356775f8c116
SHA256 6898b0182d316fd118d884631e49337497aeb411699ccceefb0b122bd19670a4
SHA512 56c03603045b621a56e6920517b30c3546bfdc6337c6ccd106bf0c10b4abbc6b7207938879b4ec373eb80e5edac9bbc2b41c05e705be760d792bbe5353ddff84

C:\Users\Admin\AppData\Local\Temp\lgIcAYok.bat

MD5 d8a74fa59edcab95a25b05bf771359b1
SHA1 03dc97b18ee4f2b2766a0c7a828512d0583b8481
SHA256 3b6d767bc49d7ad8988d6ad6461ab235e6c405ddc7bb665b7826604996e65439
SHA512 7b391b52841778da86d6a095feba3c3d1f0afadad0462e617efd0b3aef0fcaeb991920dbef2585e0f388279fa94cc2a0e848c06695874bee0bb3d8ee09b09191

C:\Users\Admin\AppData\Local\Temp\rcgUEIwc.bat

MD5 2ebe07977fffc53ea05e06773ce7e75b
SHA1 f24ff350efb4f76e82408a0359a43741e3f83530
SHA256 96d70aab8678e1d3392114c164978e99f9b653ad08e879cf9a235a431eca1bf6
SHA512 456762aa645b4f3b66180d7ae3fd38cea0d9afd65c23b31ddd056d7696bcd16d92ba8dfb3b7a1720405198c90b6b5d9f221c02bb47cae833da22417e0a6b9707

C:\Users\Admin\AppData\Local\Temp\vWcEwwEo.bat

MD5 7b9809ee305ce170021ae74e7ebc8698
SHA1 31dfabc5ed1135c118c67dd316e0446c2cd0a7c8
SHA256 9edbaa6213ae9b2f3723954f90838221140400ab52e4a1b5304bc9b977ee80cc
SHA512 187cb1049ca235dd0ef428d12ee360a79fa4396ea2c4e82ac7d9cd4660a8051cf489ba5448bf94bdef81ac4bc2d727a4811a99298b9d7bc4bf90d8a072077f56

C:\Users\Admin\AppData\Local\Temp\uEIe.exe

MD5 71e381bd180d593fed11a73cd3a13e6b
SHA1 7c45a2f8a30df4e9ec1d24777de1e765ace36faa
SHA256 671c45f3d04ba88f7bd2f0c5065de0f85ac83fa7f0e218603f2467ff0debe9f8
SHA512 e7771e07b29d01fd72c98a463171ed927f313865faf309c7a379638d4ff012790766355b0226212e13367a411df17491e7014276fcb219a9396932aa58c985e0

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 92d7b34428ebd06586c791e09778f3a7
SHA1 7c5867d0072584e25e56c720a302d9da2c4a8058
SHA256 d47143f86bd8cb702570a8fa951ec60b2234f09c3f18a8fb12363ae47a65abef
SHA512 d2c388d57593f654cf54705982fdf90528bdb519bb0f37c71922b5d3ce3101418012c0327616fecb6569d1b18d6d3660802c22f6ea8984b17a71a49042d4c9b9

C:\Users\Admin\AppData\Local\Temp\GIwy.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\uAcY.exe

MD5 a05b834d16e9de8d4a94e60ea4ab7320
SHA1 36eac3631d564e34a336aa1f8330dd61db6684b7
SHA256 8f1f99adad83e618153ca09dbdebc57443c86305018dc4bf6b18913c27dbd3c3
SHA512 5b2886a14fde11a10e506498975d2252beb6f9113414a6b852542bda842811978b566f0a082bbd64568a37855de006e6372ea8c8ccc477c2e1eac2fb103a57ba

C:\Users\Admin\AppData\Local\Temp\QUEe.exe

MD5 2464b154c1df9ffe63d0e2afe120d7c9
SHA1 fc81a077043e272a23fc611972d8b91d339b13f8
SHA256 aa213f118379fde1db458a461f5a31350e13109bd2cfbbc48fad509041c8bb93
SHA512 a161e53a129ee816f406c669dbf941fbf398bb9c01da65e284c7f019515de621ee7774a44b77db43fa95d33f4475a775879adf5058b97dfb1336ecd137eaf54f

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 9b6267487db5fe09a9f6c24b24d2db51
SHA1 80720ccb986c491ac5f3cdabfd8b49321a9f1105
SHA256 bd001ecdbe3b11a1a2b9a9cb20e4d26d413e45d321c8d6c1914ced9c94e83601
SHA512 89974cc3c056e1a654cb04e2676ff103006579af491a880eb114bf618357fc2102ad272c45ef744253a0b210e9fb1c198240e789ea497301f3425cb69fdd9bad

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 3e7c7939caa42b5bd53316806f6b7139
SHA1 59324efa19e499003012295e7f0673e135f5aa05
SHA256 fe5284948eb05d4a9a7ee47e5529567b77d9b1c4c9baa009fdef03b417164c1d
SHA512 e963fdad7fab08b42ea2df81f5834bc1ecdc552e813fd94e96bc760f515666554d46901f3e6457e872a9e7a98e3ce260c840331efe00adc38d38d8f15e6ec232

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 53d61b84f855f1f6336fa299db90bf54
SHA1 a0bb4ccbd753d73ffb5b8696e10116ca12f4f6af
SHA256 fc0bf7ea95530f81976f95cf2ab9aa3e3d8d28628a649acadf95f24e2ed29b21
SHA512 ed87bcc0b13a3b59af0ba1c76652cb7d310dcb0b596de8256e3715e42f26143d24c6fb76abaf2b92b063c3b7e522ad3f28f15de3f58c213ba0e5505d28063ed3

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 3e0285ad3ce5c843daf38d3152e562d5
SHA1 615e53b4fe701d3db974559471fff6b6de876221
SHA256 846b4b2afbbc12c71ec33eafc948260600da18a299a5261622421b73f97e44a9
SHA512 fa735b558a3323e41c0a972edf35e1fdd704c505e58485f25840a157b26ba538308c6f55caae9f76d9ddc9893fbc6d3e8c48e756164deb6ec490c04576a7383d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 c164c645be28f709f872a30c1fce5d39
SHA1 d44b5847532e3f7b4afd2d77f45194f1776518c9
SHA256 bac71b82cba663b6cbdfbd2305f19877dba09571e9b95da366e6f830f3361926
SHA512 2ac9815833409cf22a67857c528b04cf7730409e13588e353b985242735dfc2f9c5dad4521c40c294cc96723fc95c3f978be04a1b1e7b456636f9490b5b5f418

C:\Users\Admin\AppData\Local\Temp\sccK.exe

MD5 ab195578ab71dd728c68d8e1f662f267
SHA1 c810b9a2be07e219d01faa132b4eed8b18be90ec
SHA256 6c254ec52c2abfdbeab8c976cda2250083919d8ab302be9e59ad8777886fb50e
SHA512 f600d5bec9d44a0db158909d56753639b1346ee070d8fde242b3693f26d5e39ea7f4681a9946868a91870ca77b3b5321895a16ea7cc5751c7aa5011195429924

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 f3f26f04bbca0b187771ee873451c6e5
SHA1 96c2f40a9ad7063cede1660e99c7de4aac088347
SHA256 beec50e780e599e2b1c7d51db16a6a6d7b2a472eb4fe2c82d3a661eef3ef517e
SHA512 c4cf7d919fddd7ecedd5df6f966af111839ea72e75e64ebf5d939984ffc75238242d5bbc4031bdaebcc16696a74025277996a1374ff00c8b20fdbf3ff660895c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 2dbda9b62e34d1b3505470be7e0d64aa
SHA1 61b3654717c2b962aec7176b04084a37bff558ec
SHA256 60b79e1466d8c70a6eab97da6382f9bc55ac63745fba54b95565dff3d11ccd7a
SHA512 d8059bf989356dc5e54f8dea74d01df21940583612b643c6ddd88345361567d815a2d21f97aca68b808207bda2571be39b1075c40557208fc26fbf1a2e744b5b

C:\Users\Admin\AppData\Local\Temp\CokC.exe

MD5 483caaa3242eea7dbaa2d5b636903385
SHA1 088cab88f400f7fbb710c8295cdfca3b9e34756e
SHA256 e41489822028f9144b3b9dd46f93efdd66eb514ba4e0957be9d2d3b5aa8395a8
SHA512 966dc3ab64d9ae5e10abf039bc2fb3f1399ba898aec0118185b4623de7a1c8fb4508faca73f3d1551221d7d336c4ef2c159feb09542436f2c46975c166eb15c9

C:\Users\Admin\AppData\Local\Temp\eQou.exe

MD5 74e634726ac5e0f27c4e514070c08991
SHA1 d1d7c66a4daf04e47c5edefe14ac891b2a542663
SHA256 bd75312ca03faba8c67709c35b5e91e7e8f74dd6cf14f735fcdfba9c095025c1
SHA512 880e2cdaf5df427706813c6d41eb0ec413af193067b037e3b1fc879a2d197b7830a70b6e32b1bfdab0185a556bad0b0b70f38379f8332cdbac309f5c70cbc0c3

C:\Users\Admin\AppData\Local\Temp\mIYi.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\wyIskcUE.bat

MD5 431ceaa8876e8461c0bc2fac7f3ce277
SHA1 13904ebb32e1ec19852ae6143d569405d23cc04d
SHA256 405f39b4294c19b0dbe3d03236eafaf720c6d2be9963c39578fd555ed33a2faf
SHA512 b19d38deb7e4c4fd73eb8afca8f8970b394b015c28d754085db26b1975c3c667ccec195b3f64d482b57698eaac6a36819379450c96da69444cd0b5d0e3b62b26

C:\Users\Admin\AppData\Local\Temp\AEgw.exe

MD5 1853cf989c444939a9c91f19684cd918
SHA1 57ac9b05016f5b3386f2fe2a5548cdad37002ad9
SHA256 289d11aea5eb1e3a72f2355cb2d3e7bd72598ebb484685dad5a3667d52858472
SHA512 94de551fd1bd32605d06f80824c4d216ca2d551c7aee9adf78d2dfc12f3465d7e4a8209b48e9431a9a442cab152d7754363cc71e57f1a71ab09ae0c827ba8b5c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe

MD5 7d96154de2ff13d524db0f18e1446047
SHA1 cb3a37e263664c4fe81ab0bc8a6f2d51ec3ec85d
SHA256 97ed23dd13cfa60206e0e205303ca07ebf339cc66c54027f6eaad311566a2186
SHA512 d4c5d19343e2aa49ffd42a53f424ed3f03d295e6d9b36384389bc352dc8f701ece21661fb23384e41083d0a4f6003c5865770537c6d42ea5155437a6665fa35d

C:\Users\Admin\AppData\Local\Temp\OEwq.exe

MD5 b51ad72c8d32e2d1fe1fb99a4c038208
SHA1 2e807e22a268e16da9d0b5d25829b725ff28882e
SHA256 75cadb09e48163f472e54305eb049063f183eefd102c767013c898efb43f9e40
SHA512 25c95057d0e6475b9b9b180a9c8bc3dbecd96360f6db812e541e75e79ed2bae7f4fb577fab9318ca1dde3b9a1676eeb40731f291af8a83271f45d77808cbcb64

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe

MD5 78d1164bbcc6b13d8cd3aaac2a62669b
SHA1 408ea42105eef8dff049b0f9ba696d4583780963
SHA256 770f32fa3dc11ca6c8f00fca2d1f6bc4346e48c264d2e6fe5400c5d5e2e17254
SHA512 7e31034265e6ebc87b3a6d3b8e2d82c4bb9fa419301ba00e493092ce3d09da440bd468bd8c99897ee753c2aa2162c02d291fd920c1c73963e8bd920a8a97e726

C:\Users\Admin\AppData\Local\Temp\ZGMowoYw.bat

MD5 032821a0748152191b42632f655194d9
SHA1 0dfe459a656046eb528005fabae0622c6279868d
SHA256 2cc83cf3a9d849bf11e10b4ed29b606e507adcb557528073a61eeda076787369
SHA512 ff755b0e3e44d47775dcbb71d7e77fdfbe75866882a0bec199755a2006fd27ae26dc054c9da9dc14ae8686e8c922ef0c23361dd1b19bc8a4bfec9e9d495ce9c3

C:\Users\Admin\AppData\Local\Temp\CQsc.exe

MD5 13e9e550ad7677afaa33a4d4ed3a7615
SHA1 767c9e4c9189437353d018e7f59123c2ea366aeb
SHA256 a461366ceaad048841d28f8c3de885ed88ecfd8256d4136ab195faf028f154ec
SHA512 d831e1dd084c453dc38ae95cb734accc3322fce7f93f8fc2d689d5a224142edc751d385af54a6505acf8798939d6016b099d7dfad6083231e6f1ac1d66826756

C:\Users\Admin\AppData\Local\Temp\KMEC.exe

MD5 fc9799a6c5c5bed703f139dfa7f52837
SHA1 a332d4cef7f75470b79dc2100aaca15ea2de971e
SHA256 fd9319303b3ce8553f78b3e5de23e1865b3794fcaabf6db9ce4f384921cdbaf1
SHA512 384c04f4386ea7017fa3f52e0da380df51602a927065a5df06edeeb4aef5250e0fd388b5794efe1e6cc837835d0d1bdc7b2f9384f68891aac7bb3f99c13556bc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

MD5 51f88ef20c3fef4d8ea11432bb6c7ace
SHA1 79600de5273599fced3031f7e04fe5140b7328be
SHA256 63a88a97735eb68b6fa74b79fd21b3db4175e521ac12bbfa99234d513873d6b7
SHA512 eaf7e25e4e0451efa7d0f221851671b68a72a09feb1097ab202f1389ce5e71ae22ad452600d2f39d3753fa281e75a29b8caec3984f202a1eb2cff83809157920

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe

MD5 6e8bdaa2be28b5b98b7053e48adabd80
SHA1 eb9ac7dec671069215e699064bc2bc8af0402b51
SHA256 2203be859fd5b38e8d4511578e8009964c4ebd1a1d015ae29e3d3bd75713ae89
SHA512 b88c3668e6765d7da4635d1a141e4579f72c819789e9f2da86fe37b867c76c64d7ab0e1ef26918bd9e796e91ceff56dc8e1853f99122cdc93a8b43e1ceb9a8e2

C:\Users\Admin\AppData\Local\Temp\bQQgUYww.bat

MD5 08ae8d828d929936161a2d1122e24b9f
SHA1 b5f9e5c7576acdad5a774010844a5c870e8e78ee
SHA256 14d30c232bed61fe316bea86cc2b01bc518fe63f6715398b6ce32f33a7b08bfe
SHA512 e8a38a048b4ee07b96f5dc8cf708d5883417b9a56ad4d0c39208db9031a441fdd78e898196f7d64e1f9d2b9a6842af4519a31785de3c4dbb6d7af31a17484775

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

MD5 dddfa878dda571d6db5a78615a124a7d
SHA1 d3b2ac18ca63326d9b9bb1ae6714b0d69a59bb94
SHA256 1431cf8c90168ab27420e39428b2e83fd795fe17272dec9ff24c6d7a4366715b
SHA512 655cf383e7bf07310ac7ecb311b96b215d24941589400ce0479fbcce870d1b1c9e50a874575cc3638c26b27299975f7988b9232bd221f39cb1ea46456d33a3b5

C:\Users\Admin\AppData\Local\Temp\ksog.exe

MD5 ed0b9746db76366bbcfce5e3e9ec5e33
SHA1 f908cdff49277bc7f2786042da3d0783e8c0f173
SHA256 a7f6000540b247032ccb70c876f06d924766c92361007a5523e9f2f0bcc11553
SHA512 f5255a5eb48fb108f59ca553686e44968407326090a2e81a140b15b4dc401bfabe886bbda5d5020b43842868ed10a161864c0b9799e823b288acf8af85da3fe9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe

MD5 e9751f66427e5ca77ce665d11783bbaa
SHA1 6f2d92efc5fb8a29eeeac8a13ba1cff0a4d12f26
SHA256 9b568e4a7dbecf42a7906dea7a65b9cb1c6240a00bbaa06df415600452f192b9
SHA512 37c66a3ff28e9ce31c046d069497ad699b5c79c5713a85f0f66d4a7e7c70d7de22036c319cc7daac70001ac24036314e16af157bde6afe2f28ffecbba80620c6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe

MD5 dfb4c25e1f2e7b51c800262fbbeefca9
SHA1 441f6d0f148af5b03401232c50b45ce5d0129983
SHA256 bd10b4abea2439ca6b2d71755c05c120fcc3b834346e9027e6bee48fcb7623ca
SHA512 b3b49e1f1f40fb1f8d2fcf7c1e4fba45eb536b686c2cfdd6abc8d85cf699a84d2eadc334ae10b7f0fa9fcfc241c1fa85604c7011a7785034d0142d10e0d1a05e

C:\Users\Admin\AppData\Local\Temp\mEce.exe

MD5 f96927608d8e3e564ca5a4b3afbf0569
SHA1 3f2f6311a14794e3d081b31801f4c45cd4cc3461
SHA256 4b6bc8611ce1d59378a4d77462402640d58ea7bc9d184ecfc766ccee77ebed6f
SHA512 84905d44ea4c700cf5a7340e181525c2c616083adb99f85fc270659cc94db04ab08585b1329adff4281a63e41685856c7b6e10e5eda8343d937c59e27d5a7f0f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.exe

MD5 9dd37741b9862ba5adde251a169ffc55
SHA1 a66e09c56bcd29de590db49963ebafab01f64cce
SHA256 7d439694f3101f7d2405eaad49e966fcde57b08449a72196cf102870da7a03ca
SHA512 ac17557686b12e79b19aa6f8ea7caae36a37981695dfb4e205644d206dcf4bc5ede67f4a037d259314b4e76f7fa2c3a33f96bc6b2c89f8e09bf5ccf8fc2cc032

C:\Users\Admin\AppData\Local\Temp\aUMG.exe

MD5 7532a561c2ccafd3081d34a8786a1ad2
SHA1 bcbd0e673d4189c45515327018aad82f8f3eff39
SHA256 3761053f811c3a258e3a489f9b3ace24a27d84a8867eb1405f93d23b6d160e93
SHA512 242848272a51f735940d61a3ff080dda4f83595e4e00d8ce356f54ebb304195759fb7a40bb7c8a037219f32f1a3f09a0021e4be5a040bb53fcf686f8fb2ab745

C:\Users\Admin\AppData\Local\Temp\kAoY.exe

MD5 f6975d16d1ff81986ce636729508ecbd
SHA1 2afd66d686afcac59b6d7a1cf722a25269b3c2d4
SHA256 8e580bd99eeb17febad54e0941990d111b2fdfc423ac91f79d3f90ec97f96f81
SHA512 f06c2faa471862f7d96c23a22a53927f93fa75eff7b018a4c0850dfc7129bce31daf3d8a974207d06d8d6d0e831d9c21c45731770bb2145140fc61eff25ee72b

C:\Users\Admin\AppData\Local\Temp\Ucwe.exe

MD5 f288d7171549373c1b6918e52c9de72f
SHA1 5be7e2dddfc786200f4e32897474c798a1876be6
SHA256 281a93959b1e49547c37eec60ec18e50abde3d15a35608d756af79cd05b52cd8
SHA512 8906d08b7d7d1a12f06c4d0241a1dd3b2a027a179954b8904850ab18ee565f110a64e17d1e3e50a826d58bbcf84b9f6b9703a558288e810f2069a70c250eb30d

C:\Users\Admin\Downloads\ConnectRestore.exe

MD5 a5278caa5e2cfa9c5ed422db91291e49
SHA1 b8a09e563d5d9828abeb5aeee9f3af71c63d2537
SHA256 2ef002324ba2f2975cb3d1da58d2fcdeaa51352b0632ae7d6d34823e73f52272
SHA512 a4ab2b787950ae5bc8ba5436bdaddd8f7179950493fa611562858ac17cd6986a25e8b77c578f44983bd7e0d36b17bbd80f576adcf181c33af821f5a5dcfc010c

C:\Users\Admin\AppData\Local\Temp\PawUYMkY.bat

MD5 17cd9fe0b8ce52a674bf2cb520b4115e
SHA1 f79736b9efe17466aa1654b7e914cd3846199efc
SHA256 8b5b3c96fe1c4c4982859a2ea4a7ea53913bcd6206885d5aa1b1abd50dfaa3f9
SHA512 176f16df9729a38dfa3ef4754a4f67031a09da25e2f8360f90bef83bcd22fa1dfb61c0a84ccad0e1b747d58de22bf9319e7790eacd28d31c407dc88b3460749c

C:\Users\Admin\AppData\Local\Temp\awkq.exe

MD5 c51fba00dbe4ddde8d8452368c38aa76
SHA1 4374b933ef3d7ac4316a6c7ba4b6bfe572ffac90
SHA256 2baa21dba30f72a16da7a3e23ee00106bac2d121229a278225dd81d1da96d790
SHA512 454984e67d10b932503e0098714a5dcefc994be7e082412ad0183988df6c66a4b3ff3b7229501ed465e97eef820c914026b4a4ae3b70cdc8b2524b5e97bc1c47

C:\Users\Admin\Downloads\GroupResolve.mpg.exe

MD5 af8ea5f7c5bcd06fa3e51511b4043d9e
SHA1 aa960f7367494b0be6c0ae8abe32189ffce871bc
SHA256 534e5687011e01cd58512c0d131db431b39f490b6c70d031991c37a6cc8e6554
SHA512 7e4db27d8e4206f8cac2b0047dbbb5cb196521de657b2021a3682c38375fd91c3249e92f6739f87feda5509bc5f02029a6f8faeed125b52afb3b594923c99932

C:\Users\Admin\AppData\Local\Temp\iAAc.exe

MD5 aebc4de3aea97a281c90719b83ff09b1
SHA1 d56566eb3dd99d871bd7ab87e8140a95c4900c1d
SHA256 eb99c12774447833f60b68d71715a195c0f9f7f64ce905f809686520c3642df0
SHA512 34d58e8c6b25543013216038f122ce939e49bedac3c66b3a2dbf7a08942e6c326c8b56abd71763aeaa42e549333a3ca37784eb30a1053d50332193f469ff139c

C:\Users\Admin\Music\ConfirmConvertTo.jpg.exe

MD5 b454d9b38562e2713f9897c288b77efa
SHA1 bed3aac93af65b272dbbbc2d896ae6d4a022a867
SHA256 040ee81c816753474c7555b7375312e4b0969ad9154652b09f918211ce54769b
SHA512 598e0f8e543f72704fcddfad4316c488130c9015dc9f298225b5c87c512436b632f70142e3147a9f25e9aadffb847dd5f6e822087f3dc8966b6694296cf3f2d7

C:\Users\Admin\AppData\Local\Temp\CUYs.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\Ecok.exe

MD5 2761daf2a67e45597452e53f6019fb46
SHA1 9ce83e5ab4588b44b8e31045a10f1e45067bcef7
SHA256 f8819edbee1c71cbf9c7d34da8a7477ad8a3d453bc2b9427d71be49ecf3a50ee
SHA512 668ab17f741fc00f5cc0890a6d4c02d3a94246dccd54677c11572175cb0c3215d5b84ec252df034b885794d796fcbdb80d3a7130681e7b8ed9243a3ee3023c1c

C:\Users\Admin\AppData\Local\Temp\aYYq.exe

MD5 27d93c70894e363e057f25e476fe2901
SHA1 3597de94579383a0bbc3b8538ca30956ed3b4b17
SHA256 4ae54e00437c7ca6de626f946b801b92ee67df56365d448a234f66393c771773
SHA512 5071b3e47fa7619edc00d8c62a14b21c20003157b4190e0909dc3946d5f05d9e60b050d4f8eca55b685d8dc4cb7f7a0b66257403ab2e34c511aeadaae7884ffa

C:\Users\Admin\AppData\Local\Temp\MoMU.exe

MD5 4832cf72a92dfe2f557d5ab138931be8
SHA1 bc3cf747d8c8f59ef330105abbad7dfb1c0651ab
SHA256 3a5839427261ee820a5921cdeaa8cad149ba1b5c012efd65395173b54a1e0909
SHA512 08564ee5565f19fc8115e4ff41441230d55d00c937a6d47601ec620c240b2eaf9f7f5988c59f076c2c7cf88b0d1f207539c63717d81a99dba0a133b13d123a93

C:\Users\Admin\AppData\Local\Temp\cEsu.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\yUkg.exe

MD5 0cbfa9976bd72bb9bd8e0c3f9c217c3e
SHA1 0d51db3ea325bc07d9aa3324cf72266a3ee14511
SHA256 301123b9f147e75b2b17f054b5f0a4dca093773640f7034ea3e71d0ab9632012
SHA512 4b9000b542631f7a60dbe82b33396ace9aeba01807204d287e784faf4bb2a075d017837e59b7d13c161e3f8479f94b491d8c174134f2983529de5a93229157c9

C:\Users\Admin\AppData\Local\Temp\wgwC.exe

MD5 c9dbfbbf55ab9ee096402cfc2315ffe6
SHA1 6412582f6930432ed02b2d5913e439baf4dd3b77
SHA256 d4f542aa6184fd5065a8c03e9460bc359c431a6c79a7a64f046d961503b99291
SHA512 ea90f3e42a059cbee0fb8d905c9effe9302de31544996b533f9ee4cd3c6358db70b7aba51bfa9f6aacfa5c8f999fb1bb418e8087ccd1643cb5787152d40b47b2

C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

MD5 e7b0b432866cde50ad2053aa8d0f7b8a
SHA1 6a6cd974737a353c6d3baeae8bc4fa138fca81a5
SHA256 7d455c7291e38a994f0637334a864e0309108fc11bf9fd3dee053ae2dafa4621
SHA512 75cb616021e798f6f7046bb7e5a96dbd81c10ad0a056ac8864d65e603fb1211e5ab3c52290b14a8179ce4af3f0acf1f73da86d9e1121b6cc8639add5f726644f

C:\Users\Admin\AppData\Local\Temp\SQkW.exe

MD5 9220cf00bdf1944e42816aaa0e204669
SHA1 4a62b6f47cc92e4466996fc7ebdd211c6420a17b
SHA256 8cd3644b97eb4193e404297adb9aa297c16f7197bd16c7b2cb7bbe0c006a9a08
SHA512 e8c96f2e2dc3131733ad4e5a6eec344282a5642860e1f72725b74e2a1aa1d66c29a47a14402adf7b61258aef4a8dba3fda57661186b9c2997743fa6feff4e087

C:\Users\Admin\AppData\Local\Temp\QscK.exe

MD5 1f3353768c427fdf4a9ad11f22ecbfbe
SHA1 b4ba3669ed825c583f76a5e06ee3ce3f808dd5d8
SHA256 b85561d25f71e7bd8f5ffb67bd0909f262574c264420de62e9b159224b723d8d
SHA512 ea3a0f9de5544493197a7a72b1b48fee85e95c5625437a449aa28884157cd37aa46445d9dee3948eab8872c1113d8cd21b3c03e27feef33e5bf030c803db532a

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 ede245699f7b5d8a333acf96cb2e95d5
SHA1 1de3e5af0c8649af25c6485f7a5b3c3a55d10f37
SHA256 d5f49d212a3c0ae6b1b5834b83912fe41c76d728c4b491991fa7fc3cd01e03c2
SHA512 0a4ac4a4e42417025913320e3e5ddc370a1413b934c0cedd8dbafa9f01557ca9907df8c132bc7804d45ef5022fb04d5af6c52530e4db15859c5e7736e1cedb99

C:\Users\Admin\AppData\Local\Temp\PMocYYsY.bat

MD5 54f71d54bc5b09ae2a44b3e72248c144
SHA1 185891789adfb96d982ce8a311e7e2e661451324
SHA256 dc8013642f63847f9758590fd5ee0ea39c8dbfb6f2090675dbbdd5c7a749daf8
SHA512 c14a40ea271dd31330c7a9aac33401f0187bb21ac5e4c71726fdbfc4ce42bd54ca029a4c53227c25f60ccd32f8edd6f9e47982a374feddd5a07bb86d4712998a

C:\Users\Admin\AppData\Local\Temp\tkUkgsQo.bat

MD5 2c40bd271629e89dace7633fe3167670
SHA1 97a8d2ddc73dbf788a88906acc9161d25a457656
SHA256 b3bcb81ec1c32ceea12c86315b0dad753b8a143a59e0beffe2519c8d3ec5c91a
SHA512 0eebed12286083ca49b6fa828242198a6b9b2cd60d387065ae78a278a37d38f35030ebeebf395255ec7331024edb5db823aad55c2dbd338f872615fcc030172e

C:\Users\Admin\AppData\Local\Temp\GkQi.exe

MD5 dd836040918b0f157f392d9bf3c7d5e1
SHA1 7b1a608946700dde8c51021cfe9ed2ae6fc60d38
SHA256 0a2e9076b9939742b30e904602b05d9ffee39bdb34bd6377dc1d39f2ac740cf0
SHA512 b3b847c14748c112adcbee0020ff87dc872779913931576cdbdb3c54afe022cf3e0b224d2d4552a98fc9743b40b45a148a772d72949b9071ec93d4cb6dcd32b0

C:\Users\Admin\AppData\Local\Temp\Kkgw.exe

MD5 2fe4a8ff4d2deaf8daa674d5f1447d25
SHA1 a92a4f60df3e057f343f4f5f2067824ecc0bfd1f
SHA256 3f25a8c72e07956a74b2283b979f51e59cd9038908660af82f5f9b41f4fafaf2
SHA512 c35720fba69b877b6c2f555cb5a359bc00f78322afd33c8bf04bdaab18dd6c8ff657ce066454c07ca77182aedee3cf1acab71eec6e1eae3bd4223f98bc5eb1fc

C:\Users\Admin\AppData\Local\Temp\yYokwYIM.bat

MD5 13d3c0f7f02eff8840f96946a11b8869
SHA1 88d399a60e1df8e921f9f8e308c479f7b19f7211
SHA256 6eea586919dcf4b417f2307cd58bb2f02743be65c9d0ee14af4e539565719482
SHA512 49d5e1bee75bca05491ae95df54f6ee05afa340b0ff97fbaf5518306a7a60432c50e26f1e58db328b373bf201aafac7d21960273e041c776b82bb33a652712bb

C:\Users\Admin\AppData\Local\Temp\QoMi.exe

MD5 32917d40cf2d151d815d62cf42a7b5a2
SHA1 e1a37a517f8e057782fc9652bd59d9f9ddac0386
SHA256 a6a8e3c331b39bd81b19fd641f614fd1a3363b6d140249bd324c56bea17534f3
SHA512 03a14e8bc6f91847943b34d7b626df19282f641625e6c43159129c78852705b360590b2b5fc7a294afb5d89f4d2f7e295164c72f6b05b81b7471acf6f0f73867

C:\Users\Admin\AppData\Local\Temp\YKQAQsgc.bat

MD5 0f52fcf7a20fb6bb1df1e1cff829e1f7
SHA1 a5da18bdf6057462b0a74b9b69e124684d9fd1d3
SHA256 a3177b10de719e55a8ae5b0a86f244e3a9e483d2f80212b60ab83bd558744bdf
SHA512 c64e1ef7f45129124f127eb20c13ff60af707d54422c93235142540c8f515a47ca7f4d574d9b14b9254967ff2e4e64f18656dbe1347e93abe400f40dadbb925a

C:\Users\Admin\AppData\Local\Temp\cEIUMIsg.bat

MD5 b3c45cf21c7cec30aa1a97c12708e63e
SHA1 2ae6fbe7508efd8e9e1217233d7de0c95652b0c2
SHA256 bcc1ef5486c9a222943b215618d540ab28b0410b7c57e3a877791a9936c68df4
SHA512 6d4eddc8fa9f9941da5a07300b4d7f308d4835cdc6d50e47439d2a99fcd6c44835195a7e7b6e1be7b32193242ff2fdb9ac380493e88cd5a0ec2b899f550601a4

C:\Users\Admin\AppData\Local\Temp\cEAy.exe

MD5 d78d812297535a7d524c3526c125e178
SHA1 11c051d834ca7432504f21588221d26a070abc58
SHA256 faf8a7772952efc79c89876d28b1cc71120ceea84530d068cfdf8d269ad98b96
SHA512 3ddd1add41d7469ff130485b39e621a66d5628334b829854abc6ce25fa4c905cd95f754cd2413cb6a2d3795d55e09dac87033916fe6e363b4f7960171b3147b5

C:\Users\Admin\AppData\Local\Temp\amMccMEE.bat

MD5 76767144ada705ae2ab7f88acedca991
SHA1 8fb873fb1b73bc8ef8a5ce8aafa6989d7b83911f
SHA256 ab648d4dc7b12e2f604f26825445f3e6fb48f7e08b21c968c5c3b25a3f5797ba
SHA512 78d84345a627487c2e446df8e79238899680743f15489630a87ed013a80f0166532d19c79b2695b2fe3227fce155d73405191d1ee96f2cc9afb357967c8e6167

C:\Users\Admin\AppData\Local\Temp\KQgMMQsc.bat

MD5 23b7621cd5f4f2d684bb6aa68056f29a
SHA1 06488ae2dad082e4ab1fd4e1653c2a3f0f8bdd15
SHA256 8d754c8ba945df1a1c34e9985d00b4de8a62098170b84e7f33adcfe88f09cf58
SHA512 1e1b9c6ca4c3a5d378b0f926ddc5318ab6a78802dce61ed486f9d4e8ef36ff901bfaa462b38f517407de4d461c43d89293da99560844957988b8a9897e3aa0b2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe

MD5 5d4165e86d2e6677c7d8c5d35f896c6b
SHA1 fa57e0155e13749dc04d3d14ce2bc0a8e8233fcc
SHA256 001394f5a705e5f79b8fdc6353cab946aa643def93d4d183b9612fa2b95059c7
SHA512 d6538c7f907555ad72583737d9fd36fa492a0dec15bef9547f4d1b4f92ddd904030c2816e08866b52cbc18f1aeb1414fb3e075dabdf85148ead2f9c61d3f880e

C:\Users\Admin\AppData\Local\Temp\McoG.exe

MD5 4fc10f4ea231497d33215bfbe5bb4a40
SHA1 f19dcda6e6456a199f38480c00ef4ef8bf46ab16
SHA256 7ec33aaad655b69b6ad08672be07471271ad0e867748a84bcfd8240c6f409e5a
SHA512 ae5bc2615c408ddb754e7302a8dec2b7142089847cd34384fb81e4b72a721758dcb01f7b4ce197eabebd928945604d7e7846810007b8ec057006ed10969a5de3

C:\Users\Admin\AppData\Local\Temp\Yskk.exe

MD5 00fe8d39cf34385c59ac85e18ccc3386
SHA1 4cf6ef7e975def814929df96135257c184e54eed
SHA256 8091b5a38da693ddd271ad10529cd4c620076fa1aa894746dbc2178aef49b620
SHA512 1d3df735523d26524e980a2d22024214fe4c265e371dff38da1bcf541172c578e5ca13dc9e8e3be4bb6cbe78aa69fb18f45c374f1fae9cf544d284bd4ff9f7f4

C:\Users\Admin\AppData\Local\Temp\hoAogUkk.bat

MD5 f9c0cd4bf107bdd5a9899178e5ff84cf
SHA1 30cafaa8d28833fcbbfe83e2dd0d91bc979c13ac
SHA256 4df54a6f7dfad9748321013770e4c69c2875b3d1f8f45f536cacd92722162cd6
SHA512 e69c1b52d0b01cdc4a207e83012ff4b2980baa06b85b8e84244bbd8ad1d61bb429ddc68e32f21e04664a1e0f056f8e3fbf839e9e300cb5b31677e25e2f829256

C:\Users\Admin\AppData\Local\Temp\kMIe.exe

MD5 b5b3b355f2a0c0c65caf5eb613915a06
SHA1 35088661d597305c6c91605326d33f9f527bbdea
SHA256 4bc7b33a2f1fba18c10db053b9bd306aaf5d4408f983dfb5a1a2a491c18e4b3b
SHA512 8c72d3b1e7c99c27c561b7236c448ca885c0bad404fa6167f72cb8e8111c6e042276406b40ccad04bd5f556c0d65eaf1bdb6c3f80f3f3b8a236d4fbb4435cfbe

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe

MD5 542d27b141b5a4d0e38e9a225b3284da
SHA1 3244931f43ada41ccc0959d8bcbdc8c5509fc3c4
SHA256 1850e86700aa72ee05c483db75ad440c0e450c66b124494d4c3a31b29ad275c8
SHA512 348f0fb2866c5161193fdf1f138bc6ca04451c0a54c910b8a3ef7db5a02b583e2eabefea0c5872df8ffa8baeba95c0cedb7421573b59b05b9d20f3d4945bc3b3

C:\Users\Admin\AppData\Local\Temp\NsQIogsg.bat

MD5 67a7f1bb58391b0bb5e33d5a7bf0d6aa
SHA1 51ac5fcf4058e4a88fd1ebede3e1956cce1c5634
SHA256 deb9c47faf52673610aa300e55ed17f4823ac2561a35ea719f165f7f5a5e02a6
SHA512 363f6c0317779a0396d85f7e31f8e3110002b6503eb9b5880e4fa741de84e09656972440b5286aa5138265a4632a38f29932874ea3e25dc71fff96f6a46c8e63

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

MD5 7c21e78e869b0ddcbdbefb549241a737
SHA1 c62f8e75c4f565477c4f3bbc4c8762063a30d730
SHA256 b701d347d61d6f98999b404df57a4a402d538e90dc532ea65e56db10036a23ba
SHA512 ed3391be5a72359d735ab4f22dda43ebec91c460c217885637e385e09dbf78f5135a8106725b83bd6865455bcfac05fc1f81d02db63edffc06061f17961b48cd

C:\Users\Admin\AppData\Local\Temp\KQoG.exe

MD5 47d195166dc403e22a8a6c7dccdb57b4
SHA1 5d3ec903536c48f12bf9634e4a05c320f921a4ee
SHA256 60aa997f8359382b9174fefaac24db3782cd933e54d71fa54396ef71bc7c286e
SHA512 063a6a0184b94c80e74d38c950ef1b67ed036a6720a2783e85b9e4c77676601201ecb4e6dbcdab86bca41dbc3cbf4c457431b5c5a315ab39924f3c78e6204704

C:\Users\Admin\AppData\Local\Temp\woco.exe

MD5 f1e601e5c45e648a16b514275acaf9d1
SHA1 f276bd9be3ae129c90ce70416fec2fea570a50fd
SHA256 1c65e5590432349847a558a759c762c58e889759cce9e11e2d12c100e1068723
SHA512 c7c9fadf4e9fb30b57edc8f71b9f53e2e83d471e7b485c3f33ddba352dcc095db429bf7fdaacdd0ebbd034821e86dacd13b8dbe119f1b8530da985c237d163a9

C:\Users\Admin\AppData\Local\Temp\HAcUcQMU.bat

MD5 0c62d291a898ffeda1893a6073dfa46a
SHA1 93928c41e2f031c006d60a18a0bc37961c39d9ea
SHA256 844221d59f76afe63f919b568aa72b43dc94f36c86c16344f429b408669b1d11
SHA512 fc1cac54ab9ded8084abd05cd6c04a49b45ba33cbabc61b3b7ce492d8c21979f5d35a523930b5a20499ccb88894ec3e5a6d7391f86950755435c430aa7b42287

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe

MD5 6fb3d9bcea392e2b7b20b09919794484
SHA1 ba49e3c190f989f32a4be27144e1942c32986305
SHA256 47abd9359eef229e2e0e8dc4772c85c71aa3841b6ef933fc2c115a1c33807da0
SHA512 cb2f0eba70da56142434183b479052e218704f1dac8037e0f7bd932f88f992af0860147c4fabe03e997804d45f2766a220e6992bf0a8900f744641e3e72483a0

C:\Users\Admin\AppData\Local\Temp\wIEUkUwI.bat

MD5 1494217d23c27fcac5c952de7275ed7d
SHA1 001d4f2148a7dc60941b2caffb7c6b3a66c5d44f
SHA256 375cfc41491d0cf538c9f2102092bc00eef473920b195504ba9c9efa109c6ef1
SHA512 5a78d353d255ee032bc69cff01dc677cd654bcadea25395caa11d7d12795248b796b4f0b53d3e39f24d3b707d2af41cacb1721832991f6df0db04ebd20ba0917

C:\Users\Admin\AppData\Local\Temp\csAQ.exe

MD5 789a773045c04dd958191c5733a83fb0
SHA1 6b86672b58c42d75cf857968e456838bbe845771
SHA256 c4fff945b9ddec3cf9b7da9cea6065d1e483a42c9a28f84df8eb0c99b69389a3
SHA512 0de4c2b410d6034520eb57757bc950b665ed0a0a69d08dc192269e0ed453a0ef06e41fe4e4ba2a1eb8cf42cfb4488fd98bac67d0f719bd6aafe257aa96aeab66

C:\Users\Admin\AppData\Local\Temp\usMIsogQ.bat

MD5 91564532d43127ddbe606d64080a2b29
SHA1 3afc5b6de02c61dac12b75455947276e0f75dc0e
SHA256 0396cef7fa1427c478586e376a2bef425da550370a706ec500d088f53d6556b7
SHA512 e869fba3f9c744ca818f629d9ad5fd0b5b344c61871db013fe008663b469effc2499c24d1ec22a5ce9d344f6764ab69ff0ab36ab9957f68662a2c0322524d901

C:\Users\Admin\AppData\Local\Temp\myscMQcY.bat

MD5 6a99ed3863220425a839dbbf5c6e3a69
SHA1 6ed446dcdae4116df38453eee465084465b58084
SHA256 75cf02ee61cc80ea0b81463ce7a08f912fed39a1bce884e1b397a755e4f4f9eb
SHA512 876c05f7a9709999b1ece0cc9d23e7d7716cfdb69f9be45b1c47f73946dbe521a31300f5c05c24b3bec61539a6ba27a3888e2e881aca297213a7aa71453f651e

C:\Users\Admin\AppData\Local\Temp\cKwwUowM.bat

MD5 4cbb141463f052fff8793f18f275c4d8
SHA1 f19b52e2e5de26319fa34a36d5cd6319ff818193
SHA256 cddc23c4598741588dec5a624daf1c2f039ef3efdacabbb2afd189f5ea9f5c1b
SHA512 642335094107735a3ba7cd517fefe9414f62e8e0582a5bcb792ef2ddcc817c7d8893ad7c4984aae1ca5a591dc632b2a71368f288c096de9aea896589133567a6

C:\Users\Admin\AppData\Local\Temp\cugoAUMQ.bat

MD5 8254153e34ff878a0296de38eb05fd1d
SHA1 2504cdf0e5d8a42fea4e9a919fcef836dd87dbfb
SHA256 3067e9a893b860d966d5e4d97ec12518a54bf046b1d6d38e66edbb1be71276a2
SHA512 1c920c2cb262ca199eedbe0e929f41625295d0a234e0daffb749ff5bac6caa8764673f66c268ee395d5ed6d677b7a9fac58e1cf99c001556a6a79eb94e5e3196

C:\Users\Admin\AppData\Local\Temp\lkcUsUkY.bat

MD5 fc98147d0c8d9ea747440997c807b918
SHA1 6b7c1413718a948797220b3c7980d19c4c41066a
SHA256 11380b56dfcbd6b2f92e98dab54312ea82d9f73e4abaf14d20056922d5e14817
SHA512 dec90a046cccbb0bf209142e0b2297b9406695a36a9bed6bf8920a2d1c27e3fd2176fb1d910e53395c6d7959688a9db85da63ac05b4836ea262a435ed06fe456

C:\Users\Admin\AppData\Local\Temp\FgskIMog.bat

MD5 9cf4ad71745d98ac1ac643838932a489
SHA1 bd04123a4e3cb4addca6c3dffd817f11c49c847d
SHA256 dacc245bf41100e13a06a54dc85f9515ec442d44a376d1151e1fd2294f9cd166
SHA512 1c32281a3ef46f9d7d23aad95c90e62312245936b46c4b1075bdfab279d8a1a7676cfe46db895859e2aab5fdcfa47249c1061eda9ec31405e918dbe460c8581a

C:\Users\Admin\AppData\Local\Temp\bkEEYkgE.bat

MD5 2486297b37d42a0ea514147fa1e5d003
SHA1 bc6ad31cab5741fa387fc215ec84567157a93f36
SHA256 9e7d1217696e5c5d2fb531c1ad3ca7ba941ee0ffd0c493f960b56b64c7e6ed3f
SHA512 682ef07fce04df8eb6a1e556fb95cc5d91832c4391cb4edc50ac910cd035dbfe4e332535f951883518bf1cb3c51369b9554fc5394467ca06e4253e1f8f1cb64d

C:\Users\Admin\AppData\Local\Temp\bGwwYUYM.bat

MD5 554d4b405fee1e10d47a6753228fab11
SHA1 b8016abdea8964d7f4ee841cc928fde018c2d136
SHA256 0cbfa32018ee69a7f01fd7fbf1bcef5e50f8d92badf9b86e00a710a8c14cf87f
SHA512 d1443d04d0ba853b7ff24ef77b323198e96a9d32454b44f28e639d642494e1fd799f7a2233f71d9dd39a1b7bd5fc054daa60ffd990300a3b7b1fd2e970c3d1de

C:\Users\Admin\AppData\Local\Temp\LOcgQAwE.bat

MD5 26b3632394efd896d1a2b584fc7f9622
SHA1 63f7cceb1e3ca642bfa120bde9a98de5349fe0ea
SHA256 c26b2b1cda561785dccf39fac8c4aea02c3897f0b37195fe0759009f2c80138c
SHA512 ed28c38ed36c7bed8447195e844b74417eb470d231b6eb51d1648eafd6568570f8aecb4d8c2b1627b8abb627322454093af0bdba9355e5ebd64eb6ec6c9452e0

C:\Users\Admin\AppData\Local\Temp\KuoYUQMw.bat

MD5 977cf9d7840d742679af7bfca851a8ef
SHA1 adff7df1ef4838fad5b61e794170fea1c7f64d36
SHA256 5329c56404d0e37f1dc01669869603905daf97477be919e0232e66dd795cbe30
SHA512 1a74d3b89a82b9727e43439c557ac6019cfc16a4df17b463fa770ab8da175346f4ea22e5e85715959c8ecf6f9f227d004ff2a89a9df5d4e1da269462c2408463

C:\Users\Admin\AppData\Local\Temp\OkwUUcck.bat

MD5 658ff9c1441e3fc39b1717d236076ab8
SHA1 22525115a93a086934be347244c3493b18139d69
SHA256 5c0017b9ac5fdccd789ab38e338107d3367e88ec537f686d09bb63ae83f7dc7a
SHA512 0f5ae1bbb2ecccf7c42d112fe91cbcf3cfd1aa64be67af8da7afc76ffb5e35a6c693f87c3c485e31eb87f3a8ca35bd6cb38c1b7ecf4fabe2db0010453a7e5968

C:\Users\Admin\AppData\Local\Temp\MOYcAEsw.bat

MD5 c5d352fedf435afd7735ba18e4adbe56
SHA1 5c0d17eb41cd08ebbd29e31cd638313ff1670309
SHA256 ed5c743c596ebad794e4b5d1543b90cc369a54e58f4287a02f98671d89730bd9
SHA512 9abaa496043b537cf9344a00fe4f58c74f2ce535135013402d6e939f526034889bda08c5bb14fcb3d08e47223b1f367152efb679fdda331dcdf4387675d7d3d0

C:\Users\Admin\AppData\Local\Temp\EmEswgMk.bat

MD5 5cfa8a61c76dd2f2cd10eb6c53cbc1e9
SHA1 f92cedfc0b166f1103e9889785b44e2657540522
SHA256 6973fad469c7d59a3863466b793549b2461b7f7c7b12d3c2b99d1d140799b167
SHA512 bc06fa0f038c309f4fa032bf850b47ddce970fad620c3a90e4a2c5a108941a731792a56858537ee229d432d34d03ca9096fa825b56be9d4419aafd69d35e2553

C:\Users\Admin\AppData\Local\Temp\EWwogcQY.bat

MD5 991f1a898d0cbbf0b6d842df62ebdab3
SHA1 346aefbd21736dd676b87d3ee19138e335f443b5
SHA256 ef1eeb3f6b93ea4388ab917d9ac612961d25e94ac79b774d371bef023cb089ea
SHA512 5023178f8bcfa307e53325fe9c273d21c7ce5ab1b3428d4eed5536c4adc826f55547226e27c1fea83b4bebd25d9ae0758aa8467c19afe709b7761a43589d2d0d

C:\Users\Admin\AppData\Local\Temp\ykge.exe

MD5 cc690d5a967cca2e21b270300a117c5e
SHA1 56eddade85fdd990abd8752b7748b66c9bd483dc
SHA256 b7334774e868cd6d8326fa47cbc601e07c46d9808510dc8c218bed0d77f84955
SHA512 9fe40279bc4051ae3fb609e22cda44265fc302bde42e18e0721c268f6196047893c08b8c0456a24ad2851c845bb2aa4463e8a1dba31847249d885f1a6e555e11

C:\Users\Admin\AppData\Local\Temp\IsEE.exe

MD5 69c6192d0b61aa53c67c7d44d3880df8
SHA1 8d5bb3a99b85259abba1e13d6c8df2916c526bbb
SHA256 f46ff233b15becfbaf2ac8d398e143aaa29f9759d438946d2504e683a223995d
SHA512 ab770da7649e26a578399854ce8f0d67946e6356c0ccad23cc6e1c724343016a3e593ec389875e17a089285d145c9aca0ee0b0537054ace5864ec8376bc4bdfa

C:\Users\Admin\AppData\Local\Temp\DUgwAAYU.bat

MD5 4fe7e92c9dc3ac6546947eea260ed639
SHA1 9364017e1253a209524ed5fd08fa15cf09b86244
SHA256 5ea8b02bd92143540bab645dd724c342365e9509ffe0482cc9e113ffbdd4034c
SHA512 3b58975ad3d292309130e74562cea59c45a6aec1d0108a0da4f13e911e55996330214f0601bd93aa5e8176373d4d6470cd7c67f4fbbe6df33d0eacff01d387a8

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 536b42418ec472cf6e031a0c237469c3
SHA1 caa51093f00e830ab9a285d24eda2d2a72aa1632
SHA256 3f2f344a407909740b82f6eb048e5d6cb12b76a8209b6d21f48df5821f8bd8c3
SHA512 7b91e926ff2f97469c09acb69d3eb6b10b9ebcad17afeba0495332679a5cf8cb092c42f5840f56a2510e58b21744ed19752b28166f97fd8513c259182ce5e936

C:\Users\Admin\AppData\Local\Temp\YwAQ.exe

MD5 c004a33fdc0a323efeab67a2c97f23c4
SHA1 41293cdbfec003f4af0148d1e68bf333354db835
SHA256 7bb735e07930bc5c0a451a8a78d20dcd761d6503f212dfc44af34c9a2e3e8a5a
SHA512 7d1017509027196c41caf7df92915cd87870cf73859eb478294a35f92d2213b8d7b347876a20c8b19f0143ca34734065f667049b718e5e83b519c025752785f8

C:\Users\Admin\AppData\Local\Temp\ZgEkgIcg.bat

MD5 8d96b326dd1fb55cc21c181db79561cf
SHA1 45e85c5623efeb4968bffb01a6b340e80348673b
SHA256 d5947c7686987805e19cb6484e774f5153baf0fe12663dc9f298c1dd11aca41c
SHA512 cffca31066b89c09f6f55b88d72f7de75286aa3b440774fd7b0c8a6f9539808d0372409af8ecd4e8587fe13226055c670e044d579006fbf5b0e66fc8f3a201d8

C:\Users\Admin\AppData\Local\Temp\KQQG.exe

MD5 1838c24a52ca155ce2bfb38a978220c2
SHA1 a93fb61246a54d1df8259eac28fae1879247cb01
SHA256 8ebe6f4cf8f70e1c48375630a9a31d5e78cb31f984b23c2428e0618e4f70e389
SHA512 f85dfec6a0ae3c63770e813735e7850e094eabf0d3b2cc48679f2f858e463d8ef9462c1e57037183ed2b41b5fb0a17e4e43965ad3b534b70947ec0ee7644765a

C:\Users\Admin\AppData\Local\Temp\awkY.exe

MD5 80bdf41abd5d32e6ff2e705da5853ca4
SHA1 268912c5d6e44a55eaccdee06cf2624fdec60061
SHA256 99e9ce3c1738d3232f6bd859762aa301744db77c1a122f86f24085b650a779dd
SHA512 4c332d1150dd2af480cef0cd632efbf31654a11539e229a187cdaa828ae49a5b05869c76d82a434f1c12a7af43927b63113773de902c0147b30cb621404a35e9

C:\Users\Admin\AppData\Local\Temp\EYoS.exe

MD5 e4247cd645c5596bdae177e966e484b2
SHA1 b9f4c14b6ca4b6a3bad6b18d07dfae8bbf9c5db2
SHA256 7ee75317cdce99ba4690527d8e68fb35ed9b408dc563f60da1f8e0656fbef451
SHA512 6c95f23d2e4c2b999109cccc9a944dbf573848e48b194ce2504a607886a698f2d59dffcf6c071ea905b26f25f130e87f6505e091942d03a69b929982fb6fff32

C:\Users\Admin\AppData\Local\Temp\PUgMEwAY.bat

MD5 8ddbe523495f7897662b769ffb41555d
SHA1 855ab914d7e4033004484a100ad82a353c89ee90
SHA256 23b512d359361a6d60ad666a54f8ebcdb0b4b2d17be64c0bd73644f7ad749344
SHA512 8a1ab1f4dd4dea8e421d9b72a9c82884c54e0a4ff7dd34a250e47e8e80f861b61111e72e29481787e1b2fdf7d7b58bbb87da731271276479ba3e8028f90575e2

C:\Users\Admin\AppData\Local\Temp\QYIE.exe

MD5 235fb17069895f7a5099a97572055cb1
SHA1 65e0726bc5b751f12abd8d2d4df75fba84884dc4
SHA256 a528d68a6782643d4a699c718583a56c7c4609286b936802d3a93695f956c44d
SHA512 132eaf32b97acf90d9468ea84be9c9f61d25711fed14dc55c520a582045d4c9529a86c1e49d0365630cb96775b31ee60ac4c20c4e33ee1a54cd947131dc81cc7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 4135fe8131d379e9b4d3a536a9c720bd
SHA1 12ccd2ba079aa8373aa2e8f96aea5261645afa03
SHA256 622e0386333ae3e510c2bc0f610848efdc8866eeb443d4f5a7bae4cd59916546
SHA512 4c6728936e7ad54ef503a3e9fc47c13e306fe08dfccc0df16f3135097baf7f2ed9246d1efc9fad3be9a67a6436210ec8b4c37efe249b29110f5e0994101bbf28

C:\Users\Admin\AppData\Local\Temp\hGMcYMsg.bat

MD5 f5f1cb5cf7b472e845073e53ef88147b
SHA1 dbcc42b51ba42f9f412eac050af7f59f9238ffdb
SHA256 ef59eb413e23928a7347f43b6d5085f6d466cd2bc96acde042677797559ef3bb
SHA512 d330df92b2ceb9dee821cf0f24dc5625052e3ac214062bf5557beb64162e957fd4cc9e8d54e320e44d68ba3dc71288c3705ef18971bb8064dad9e2f6b06fb7a9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 7a181ba5d1c205af6f6f98d90e37862f
SHA1 ef9322fda510be514dae77d881fe2aff8c9b343c
SHA256 f1cb0d5c511355d1a1774591078ebdd67ac0dcfb78138e94c9b23705075686e1
SHA512 6a31311cfb06c17ac221628df1f6a8b20c4db39a7ac9c233f4fb23d980d659d633c5fb986011d95bf595a17821711df0d59af82cb9f024c01fdd6d95bce9a739

C:\Users\Admin\AppData\Local\Temp\Mgsc.exe

MD5 33fc76679c4911ce1646c09226e9d3eb
SHA1 8fe62f44e140b7a2bc53d5e37f731ca3d5312c66
SHA256 574aa4c08711f01f7fe20de8a5b3c3f19387572f8f2a1e1bd24c0b849878dbbc
SHA512 2ba5b2811ca59ceef2e680db1b8457378ebba9749f55ad42ac923a2899865dcebc1c7dead30634f577cd679907c50e6abe184cc1ebf00ac1bab6c1d84138f36a

C:\Users\Admin\AppData\Local\Temp\aooq.exe

MD5 3e50f53cfbfcaa3c515507c3744c0d77
SHA1 ceaf77b706c419710a7ab7a2882386dd949db21d
SHA256 a5a80435cb03bd7c49c3e4d79f6ea8fce00ec1142b969574e1a62bf42b12f208
SHA512 10872d967ba56ae1a16f9a53c4c83df7c7a1491923073d3e3da30e88258324fec68cb6068da1945c4c7f1501a9f0547015f18ad955a2ea3cbe5e1553ab62839c

C:\Users\Admin\AppData\Local\Temp\oIsIUYEo.bat

MD5 d46af107374de33c53987f5551cb7e2d
SHA1 ba349f6cec4238f09aa9a5bc29a78e366223bb3e
SHA256 31709f3bf8c55e8c5ed0acafa1c88206ab1199802e9be98796ecf36f0284d3b4
SHA512 23dd440243f28abb90875f973b4729918f9e9c2d50120291f9a14409c621a396a4dbb9bc006dd1b99a50285f56d1cba632a41aa3221b0f4172277ab32fe74456

C:\Users\Admin\AppData\Local\Temp\oYEK.exe

MD5 1cd0f6a5acec5019f5f9a67a8adcbc3e
SHA1 1d4e45fb8e19b4689a2c7097b85c797d13e74840
SHA256 93a547227c93bedaccc5c22e9ba4cf9c08abbdf513b17484d22d42deda1a0291
SHA512 d63c48116e7ed7caa6185b3119188a25e3ad1c88b0b06fc6ff5a1083099dc7efaf4e0362d1fed3b0b1933478a0377ae580f8587c01855552311d98831ef4a193

C:\Users\Admin\AppData\Local\Temp\akAy.exe

MD5 20a62eca34484c5475bb0c555fd0ee5a
SHA1 1e465af7fa9f1b08c44b36da8c6666d8804adf5a
SHA256 123f8c04822dd8a6bcc6f295b4162bcf8b5fb3c572bed3f31c89db38ae9db209
SHA512 0c712f5236e983b8aa5f45e119b0f2f0f7b22da2d120fdc418e1877210160843b03d8b65bfc0441656d1f6778bf3b1445a554565002c211c73724241c021468c

C:\Users\Admin\AppData\Local\Temp\umMkYwgE.bat

MD5 0ee6cd5668aafeac84d38c7d4844a534
SHA1 cbf73dd4998cf4a0f41fc1801796e69e356eb05d
SHA256 dfab6b276f6924df49dcf3c00810bb314a501c5055908e90b490ed2d195d49db
SHA512 1359c1cf7ea998bf1c22874c1d61eb5138a162ddd3472c4ed2656256830fc3c9ba229b5423009c52fc01ac934c36eb7b9a8cf2c1f77053eb7f05ca0b330b5d64

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 a75af92d5d7a3cea74198b6b64a589ff
SHA1 8e6650e85282f788d349844df56c0cb79a220a6b
SHA256 f5703966c50d737bebf69fc59fd0159eaa8781cfb4df182c5ea6d1a7a8abfae4
SHA512 3080a98f7bc4e43b528ac9b6f2b89cc4a861533421cc6c4c4fe8bafefce497d2504bb0b611298276068aeac43bf173d94f3a1041b19498321ff4fcfd768bd2c4

C:\Users\Admin\AppData\Local\Temp\ucoa.exe

MD5 67c5f46c36eb75d6929adfebc25c3ed6
SHA1 9833dde020c91f21f7a7a48d1ffef5174135d4bf
SHA256 17b6c010b9bc2a43fd93125d0105b44c5263a9e77556329050519b46b35a396f
SHA512 96337878f8c030dd87d3893edf2db1f2838005930fe9d3bd9be80c6f68777fa147e5cd4a6fccb57b23f3fb5d08a82fbdb32258e2957fe40284edbe3d8de6d6da

C:\Users\Admin\AppData\Local\Temp\ggsW.exe

MD5 ef12405900b23fabfe39fa961820afe9
SHA1 480b5bbd6d59dcd44962f79ba0641327b0974d83
SHA256 8956b11452111270660fdba71235c7bcbb07148c665cbc8ce0cea47a9d47f22c
SHA512 e3a4a9172b89cc772f2a34a1d5a0a8a3b4883bc7111cb5d70479ae4bab94b0a4fcd499942abbba3c72da8b09ca7fcb601fedd5f2c1e38fff1a9c4677b76a2550

C:\Users\Admin\AppData\Local\Temp\UMQE.exe

MD5 87613188e705c9bf87eadcf322137fcb
SHA1 4582d03a46b4cd6188f21673764576e532dec022
SHA256 b01558938437e4eb8e14676d543901750c4633e291f55f925b2975b7359f71dc
SHA512 74427474f9ae1f0b5199e444c6d475d374ecc7530c7b9bfe5475502a8f1f3627758645a17d1f00b049fe9b9417e8a4d4399f35e73ea66fc9e9fd7a26fa2f6ec6

C:\Users\Admin\AppData\Local\Temp\MkQa.exe

MD5 0b0c509089a2686e5271078a49dd98bd
SHA1 84f8065b4e208c94087d07955ca28363190ac146
SHA256 4c719589fcb9cf40b1bf581f9f28d745962de32b5fe17a1ceceba9abd9ebf58d
SHA512 4a9299d4047cdc055f6da54af039b000afadbc6e6972d367127a3a78ee61922cda5609a35db3d399539260c42478dc0ea2aaf94941e2d25f219927476ea979c5

C:\Users\Admin\AppData\Local\Temp\eAoc.exe

MD5 9d32079f79ffa07bc9d41b0812723672
SHA1 d84e6e18d153eb8a7af52a400778e0d09818e75e
SHA256 120dd2dcc5abd05270fe1a021521d59776dd6bf066bfb215479fe5b19bdaa0b1
SHA512 a56649e026f3f7727d7ce5724f524c7eda383cf8017b0a89b401fa050a323fafb15d7a92a538d6a73d8723c4b3266838d8c95e02abc139809d1411c376b6e79f

C:\Users\Admin\AppData\Local\Temp\CAokUkgs.bat

MD5 ea95bc5cd27238c9afba211ad724614f
SHA1 45b1abaa10d44b0fe1170ac881de2c3de10fd75d
SHA256 4669a460b9a0f5498454f260481e3f015e64aa46c563b56cf968935316263608
SHA512 50a82a1870c3830f2204080ac8eae6892a5460ccd1c05752632432dc5225e075dc9f48fead24bf25d267d6c1a15d610f3dd2dc6a5a5d2dff99befe02d58435c5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 eff37a7031be000149de10874e745403
SHA1 dbf5cdae9de06d2d308b3f5bc4bd823d60bbae34
SHA256 52ef50650adbb6ca70ab87b7a817844a09e9fa1eaac0f52f31df0ebb0dbc7d71
SHA512 f532a8be97b0846e64284a71e6a0ab44bd4e1ae95c7ff17a4820a4331571a1f6910827b97516848bc7a7d7a86745562464ebbb4dd99855a8853ccea67b5c64ff

C:\Users\Admin\AppData\Local\Temp\CsMg.exe

MD5 5712317adb27625736842e88d3771e21
SHA1 0b6fe93eab0ed21cdcf775082d71ab6e869a25e1
SHA256 01693fe8ecf4b60557755e071f5abf2395f4100fd1b19a267a160e0255280df2
SHA512 702aff88c432dd7029cbc96b3787dc13f24a9ece294a549d3bb2ac9583988aa722d90fa4bcb88ef25eb8110fb3fabdf815e51017cd1ea4bbad1cfd2ce0e7c3ec

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 734ad17fc89f440814eda0f5f42b51ae
SHA1 4aa09d1ea81228cda535a4cd03a5acbb56ecfb7b
SHA256 0dc3f8bd3976c36460e9784a54019a0c5ed20ab7a21b2fd589ed17f5a0a2bced
SHA512 4799c88949c786df36dc492195f98d5d37115693876a725d10267044db89f6c4c59a99b9571478db382c0b2dd47df6d0d86c098312a5c5838aba14ec387fdcee

C:\Users\Admin\AppData\Local\Temp\wsUw.exe

MD5 b32ca3516582108fa3cc702f07aa756b
SHA1 6f27167b4db8eb0489df4e72a3c1c31fff73338e
SHA256 0bfde03174234a08c40f29fbb0d32c0ebbdb52eb0f1eb8803f6782b669854964
SHA512 f8a81722865e9afb8d393838e507bc5aa413984dc6183604c385ebe24c5df6836b58aaa18d0b593db97ef6d4d7e76c17964410237ab3ec7c8561356894e99f24

C:\Users\Admin\AppData\Local\Temp\mokQEcgM.bat

MD5 d588b1268587796463be30f3e1119d51
SHA1 0240cf54e5a59eac224851df7ffc19c65cce9dbe
SHA256 9a2cfb42000d1762b882e90bf8b8578aa49b92d6b404f6099d5c8b2217584033
SHA512 56e99f75eebd0e5dc6e7d85e896a8d44dbceaaaf2ebcd101f9d3a7fe24588c0d63260d7d64765b44c872fce22edda32ab3d10be48e6e586e5d1c83fc61113e7c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 0a375c6dcd1a4d77e8d39f611d96df7b
SHA1 dfab3745baa11a4d8b5806f3f63f28948d141706
SHA256 8a504027056cabe7bf9c8fcf459cba3b729d30ca9aca0e7d85662511b4daab88
SHA512 73e6ebfc58d30ff637aa62eb9fa75613fda0d6680c0bebff354ba24f98fc0f63c044cc6457d3064d3de37e4b128ab7a02f07830825e284315af4e11c05b7f1b4

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 5de33ad50d5a41c3a12ab081d014544e
SHA1 f2d2d298617f1c80f37d77b575fb03ec17ac6e10
SHA256 c53028df27874987361c405160cc0c531ca7de2d7a0f253cdf98c21b0e948883
SHA512 083945e635868091043a22be6b14c10d4e61f539593d3c6b129dda1d6b9dd9aa8f971d8634d5799546cacbf7c33fc7945d7c19d199c12d7c06d29bcb95b8a7b0

C:\Users\Admin\AppData\Local\Temp\MmskAMwM.bat

MD5 f45c8502139501430cc9957091dcd698
SHA1 6dda4589b392431220c8e781e685124e335d19a2
SHA256 6ed7b202d4ee968d49282e77aae3bf6788e63113e08bd6fa43dbf430ff1e2245
SHA512 4f667c1dac5591867638eadb0910cd5063d539853bc23f42eb60eb70592dc2a3f0a0b595fa3bd178bdb9353a5b1a3de7889ce1926c42bfdd9f669a4139ddbf35

C:\Users\Admin\AppData\Local\Temp\OAgW.exe

MD5 39b9f3f4418fc7ac121b5e069cf62314
SHA1 9a5df8d6fad5122b42cb70e4eff71f25cb35a4ab
SHA256 9d4568d790a86b3e625d02358dd7eed3005410477177bdfafa4b963b0e51ce6d
SHA512 1eeb4a8fe6b0ddc13cd164a486ab2a9e62884731d12304dc73953434e2cbae058706b0b047b381d0562a3060d974fcb58b280430011c2e874fcc901bba27ec0c

C:\Users\Admin\AppData\Local\Temp\coAO.exe

MD5 cac9ba7d3564f042721a806133a62121
SHA1 f5a5b4a3cc94b171e8222e67f443faa83945f9f1
SHA256 f4f1c7edd74205bdbdceff576ca1ff1a87686b2a5ed3deb749f874dcb9b9bd7b
SHA512 f22f84e67c3273af5b6b34482ac5bc13b16c932bc934854dfa3dc4cd4c22a9b347c6b555ac6350021218f762cc66c0c1face13952522a1d33d6b7ae4f49c4c2f

C:\Users\Admin\AppData\Local\Temp\fqQUoUog.bat

MD5 d097c1b911f120ef80dd9779fa01c166
SHA1 22c2dbbc1e5108a5b150f0bb3f6c115ef06f0731
SHA256 6a511238b24d9f7f98a8e278514fa6b390b71bdf014b2eb8b1012c56fb2a49e8
SHA512 68625b664290467267090109599b1a9c1c2bcacd3422fe2502635cf843ff51670e820f5ea7f1e129935d6dc76793bac652d7cde6d3efa4cdd61fb1ed46b53104

C:\Users\Admin\AppData\Local\Temp\aggm.exe

MD5 34c6e194a38a7d5e421c3ae364ff359c
SHA1 1cae09dacb68982f2e93f5b687ce74881f6541f6
SHA256 143e6c6bcfb3945648f727079f9ea29c889867b34dae2d2d9dfeb8fedcf5d9d4
SHA512 63a7e704423e36f4af7a70c2008e022278122023318604062ca9a114f8f6d7cb0201deec669fedc1241c7bf9535daef5fd4017428f6e3cff49c1cafe5a392355

C:\Users\Admin\AppData\Local\Temp\EIYS.exe

MD5 5748c96980b523b73c870d4073bb8f83
SHA1 1f3abaa38d4a0cdb6d79856a449c6e5c0f231466
SHA256 ce82f4acab61ad53d01497972277c4deee8b835afdc6219a5db6879e3fc289ec
SHA512 91811435704dc343ddec85e55d2f379564f6f59a7bf99d473b5f0da3da79b0f2ac2f36c9163b76a408907f17d904f674cb3faf68a0d79c3101bb33db1a8eb101

C:\Users\Admin\AppData\Local\Temp\SkMoEwMY.bat

MD5 0b91aadeb8ced76f7cac8cbff497ad70
SHA1 d473ae11eedd431d38a02d9ef5fa7cec2a84c7ba
SHA256 4198625f2fc7b56d178ae5735c757bd222eee8f1fc809ee5d62bcefa2b6f1b80
SHA512 df946bf0987fc95a968587f68f9ded7d7728d6cbd22a2ee419c24f87b72ea9cff26dd2ff724190753c1abfdb13b48d120d459e887938fc01ab7ffb0954d2656f

C:\Users\Admin\AppData\Local\Temp\SUwY.exe

MD5 aeb139ba0da7c7c6693cb2623bdf9c1a
SHA1 013b069098461659ce5c8c902ef0f5c4ed054023
SHA256 1b7df3a545668e605bf2d8404a2e8ff66a64df15ab98749053e2309f6c1a2f4f
SHA512 18b0ba890fb7f8762088e84118b9a859e9a1ee20218fa71e0259d4f9e61547d09c2cf5de90663a9af4c71dd5b99ab83687ac6a3390d80a00f735434844ec6c2e

C:\Users\Admin\AppData\Local\Temp\CoYIEsUY.bat

MD5 9f94692f31ac2130aa9b5ed61e5ed263
SHA1 5d6a581d696f7fd4bc4fcd2857352fefacc200ba
SHA256 8563c7ca2951e86c7e5ff4fca3458096bc52ed34d939abd318c0f2cf3d302bb7
SHA512 f453da61ac1acc4421a67da842e3b029cea4cf53822e38d8bbe42cf1839ef038f29379ae2147ede5918d7f25860e87411986a68434dbbc6cb5b1cc4cec6cdff8

C:\Users\Admin\AppData\Local\Temp\mUQk.exe

MD5 83245d8b6c4d7e4cce5bb2fd97f202b3
SHA1 4461ffabd66a1500c14053905ee8f96a67fb4bb7
SHA256 6a0bd789b9de039e1a0479a88630c064949aeb0118b7bde731be4ea4132c8d9c
SHA512 e1c7fd14ed5d6c3a0825ff6e2fb85543e6cec58e18c6ef96b3626ced34edd94d520e97f653e3caca408f243fb7c60c8af1465975ead3bb8ee00b1602daa8f8cb

C:\Users\Admin\AppData\Local\Temp\yMcm.exe

MD5 7a46445d851f82760e807d25bd944100
SHA1 da0d15d6b078fe6b5a9f0c550c51b99ac5f74d7c
SHA256 ce9246a14776817fc4ac3a5bbef38e35a70e5aa7571af08f18f4dd7f88c208cb
SHA512 8232e2207e2829924d3ef11abda0ec6f06e68d5b029c102e7ca9772080c9e4fcd9384e9b424f100dbdbec7ae335a7898824f80096b3f869f6cc510c1e9ee4be8

C:\Users\Admin\AppData\Local\Temp\WasQocsM.bat

MD5 d98aec7593f8d7ed304330af49794b50
SHA1 87183c667a4dfb6f52fbfa3c26022a47cd4f0880
SHA256 3b5e0efcaa35cfce3c220df493dcc4802d8035ae49a30208a116a28f462a5af1
SHA512 b446bf8a14183101f491c647deb97569aadad926819ee83371b16b1d4858864a4af96a8a9d184d78d4fb3ac5f92765322b334c89856f28fd8f6d09bf3cfdbbd1

C:\Users\Admin\AppData\Local\Temp\kcoE.exe

MD5 629017c85bb8e44d79f78156ef69d9ad
SHA1 e8d66edcb2df98f01d2b491f36d0065cbe4f03be
SHA256 febc6eafd81fc7048d235900975901921b96a1a4cc116773632cdd8dfb45796d
SHA512 4ecda2594b4b75b7329ed8ea57a74f169385eebde2bbc5446748f6f4cb1a83013375186bfe0537c2a83a10c674dd07c02c7ea736fccc962a72c43e3e5d3098f4

C:\Users\Admin\AppData\Local\Temp\esAI.exe

MD5 974d9c1b051e026bcb5eadde49e688de
SHA1 182e7a1f7b6d56bd4270f56a0e6dbc41c3c4ccb7
SHA256 d65bc89efc987e0eeaad3f86f1b17d233adead637a8685b696ae85b31abefcd9
SHA512 484d44fc1d164fdd116b629fd73167497f621dbe1a9e953734cc3a4f3d3cdc3bf1894af88ba7c1c1affa8ee004485bfc0261f48d29e38e5d6280981933d0d498

C:\Users\Admin\AppData\Local\Temp\IAsoEAIE.bat

MD5 1347f6388e55cf1044add2b432e8577a
SHA1 afe6aec209decca9c26fbb14bb39284ae689643f
SHA256 fd07b49657a350b8491a1448ebcdd726ad3c311e305396e126b9fbe020dfae1b
SHA512 061cc028c7f24b2b8bbe0458e14078a57797e29888268fbe5734e3bf13fd2dfb2dad1e59af94e151351d5540feacab6207a0fb33620f024bf42cc41b75ad7d12

C:\Users\Admin\AppData\Local\Temp\cgYg.exe

MD5 5ca6a2f1a55194dee19f0d089bc3355b
SHA1 7f964f8cf1ee13c6d1185994ea8e149a9d2f2777
SHA256 699a541087b8c42a406d7a9b89fe5992e820618678b24cc60fcd217d23c81164
SHA512 d7c562d9042e9cdb8beb4e31764064ab922c4187c2edd4d1830c0b895c96145a35fec7268a4f4ed5102eada8715a236ebf238a16ad16dad561844bbf393c526a

C:\Users\Admin\AppData\Local\Temp\OsAw.exe

MD5 5f44169db00bff14b2e72b0483458857
SHA1 c235d2626c37b1166dd3a6ff5eb2ef2db3a67dad
SHA256 2c4a5aad5e48b30f32fa548ba363329bbcf53df696bf078b0a2738874a3c5be3
SHA512 f1369e17ce74e1bdf354d56632b2ff503648420352a868bc374abee1e6f87e6203b548a69f1aa7255f7a81bf38e7c6dbf2631521f998871a50936ed276e2e1ae

C:\Users\Admin\AppData\Local\Temp\SQwG.exe

MD5 301b82f368bdb055dc872648f86858ca
SHA1 78f06d511ceb1d1fcd8ca71110362e10633e524b
SHA256 a3532769208b9b258711d3460fe03c1a3c94a4404b1007bb038802a663ce5808
SHA512 bae3740f560bcf71b3ba3b24f06de99203cfe78fc6cee7513545e6536e24972ff7d4edf02c15b7a67145befb621e6c92326a0e900b489dc68a2829984ebf37b2

C:\Users\Admin\AppData\Local\Temp\wmIoUwgo.bat

MD5 134f2553135569aabb227552880538dd
SHA1 d5f40defae0e35fa026c2066658cccd8efe972b8
SHA256 c5442f256b24067c5b671c86c559d8a7d5e16ea7249daeebcb18885d4727dfde
SHA512 99c5362daa05a8b0f7e2a1e6b0f1df2f5b9c2a8c519e2e6abbd62f0394f2b682422d6d3613c1844ecbbc6336912377d6dd2b7bc7ff95d87667c96020d34725f9

C:\Users\Admin\AppData\Local\Temp\WYYC.exe

MD5 2331f4ac23f0e190e04b63b9cdd78eaa
SHA1 4af78f5b9fe01eb430ed663b83fb51f047639552
SHA256 ebe472255a5b83f8fbede8f861eadd7041e0180aa95ca169c59036cc9ba89411
SHA512 2d4b7cdf4935df040bf0e5422dad67665d2e6a854df48938d03b7f2fd7e34cdec55973fd34806d5f601ca0cd3755b865f93bcac806bb32dc182617740a1d0e62

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 dc8c59d30dd97a1e732a6876382712e1
SHA1 ae7cdedb0acca57e6ef5071797f26fa00071c180
SHA256 5399a4255830617a6a700296fb80de7a173bdcaaae3c8f91795465d2838bb6b4
SHA512 5d828b70e8ebe295470ed7a4d1b4f24e65abcf59d9a28076310844ec62554a0413d343ba326a54a50756584fc7b126a44a1f21fc69c1f62b10d619e6e391302f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 bff0dc70debc57602b7ff082ed76ef42
SHA1 80d96b7acf7548d88097ef225b98cf61f1b9bda8
SHA256 e4707520b8c7918b8860b32abe2b4c0730acbdc0b3a0790bdc54adde26594369
SHA512 16d29cb8cefe55155a6f356939f0818cf08ac9fb65b035884b222b18384bf184ec4260d37aa62aa85866834dcb202a2d5b19f8b91ab6002b32f8db8b13440483

C:\Users\Admin\AppData\Local\Temp\ZYoccgwU.bat

MD5 73f5a6e2b3322032ddd69200c35eac05
SHA1 239dbad927ec637197b691e7853d821de39aa4b3
SHA256 eb0d011fed76eb2178b968138d9c656fa8b70d107a1c2f787f970d5c05306c79
SHA512 56a9d9f6e0aa1853ebfa2587dd0d721af4f045f490224bdf03a2d67bac8f37e559f3622874b93e466635a1c56131604b315cf21c15ba073d7f1f43b0844115a5

C:\Users\Admin\AppData\Local\Temp\oEMU.exe

MD5 a642f87c9accc2c7d8587d639f1c202e
SHA1 f1973db4a87068228ae747cfc7888b3173d641c4
SHA256 900862c6d370f180cb723dbb1bb6390afb9598d94d094a179d8b5d0debead38f
SHA512 a43678dba3af8b04f23f63d3f8f3fbd6e103bda17790d29325b84d6b203221ca047932d68e46a21b59963a9f1ecc21ac68af57adb0c297c6d12af87aea9d76f7

C:\Users\Admin\AppData\Local\Temp\ykUA.exe

MD5 0d94c8a3d959b06ba1adab056c5ea6b5
SHA1 49004ed1d1ae4c87c78fe63b2b6d415d8f2f7e73
SHA256 4941bb90e3b9035c37479f6054d354ca32b5e46bde1d6375631b2bbd6d5c94eb
SHA512 7db2aa5e657624dce0bf974031ebc978d7219e574402224d65a45d47b60bce5b720c75137179a3eb61f0a4e95754edd94e6ff25d0d0915627957f71a52984201

C:\Users\Admin\AppData\Local\Temp\uAQy.exe

MD5 7c0a13d110ad79bca043e114d9751d48
SHA1 55f5aa221a2ac598360d653b2d49df95226ed175
SHA256 3b8176d381b92113da818df4b625baf779786b812185eadf51bbaf42c14ec849
SHA512 e71b125c3a01a3a769196f59f16d021afc3457caf042f0500d59a610928435c30bac1f4e2ce238fc12ca8e2162086365697463bc83bc754992c279c3acd20ce0

C:\Users\Admin\AppData\Local\Temp\mgMO.exe

MD5 48cd467cce1088b0199370781ee8062c
SHA1 0ac8c828116c6be6c51567c43ab5ea4ee88f44b4
SHA256 0959a45b94dd0b71842a5579baf08dbe19befa4dc7c3c5b2647525ce5fd25a3a
SHA512 74ee17f5c9e0dd7fe04699c3d8626d488e3eb1d3fece19d1a6d859024814cff4e24297bbe305f80d004fdb4c037880d7c03ad4d8bd9a2f0abe5c63ad49295dc6

C:\Users\Admin\AppData\Local\Temp\UAQy.exe

MD5 d943c4e868ee348f06934c1f6b1ba76e
SHA1 e830332fb997df683e9ca6aac08802a9c3302c9a
SHA256 86c47365e8eb1dfff368ca4bf2eb1b2c1d80c99657f3a6d50b0b1c0151af7a58
SHA512 4239c64407daf6b88c23f36905a2b49fd2f3628297ef3f6549d268f7e1a2f3e2072a3f7ac39281d1978fcfbbe898cf1387e9257ad33fed75429f0f477c8e92fb

C:\Users\Admin\AppData\Local\Temp\AQIq.exe

MD5 f9b8147bb6d6433e2bd19790392a2fd9
SHA1 06787c13c3d3afcd9b4625d9abcf1eeafa3fa902
SHA256 481470c45a1f9f1e54d49440aa1be30ffecca91b3bbd8e5721a24afba66cd48f
SHA512 eb692c2e5f2218cf5270c851cdb045a7e34001e8e381376dff2f10a47983d12e725a15d3321610ad06cdf7338da529c2d4e7c15ec782bd76a87b80e60c112f63

C:\Users\Admin\AppData\Local\Temp\ZmcEMEgE.bat

MD5 82db4930edf07ca267bb4522a417b437
SHA1 cc5b8397f7e94c7aff2745027d265d16128e5fb6
SHA256 4c8a85b0bd7bc6cada96deb0155349740209e1ed2022efa615d4975f64748d06
SHA512 740a0f868a9628a1512ddf6f7dc252fc092970feaad6dbd1a163488fb4fc3b4a58df45f0101032b8bc341ef39898d7e0e508aa4366a7e9d62f531b823d2b965b

C:\Users\Admin\AppData\Local\Temp\SMoO.exe

MD5 81b19ab7ced18023bd8a17b15136d139
SHA1 87ae2dad57a7d783c87161da23268cdc19a7adb4
SHA256 5e81d03567decc2931bafc27fab4c7d2e9d52a52b750cfb425c6ba549b5654a8
SHA512 8b20638cdcef97d6b8d98000e7ad299f90eacc8ffa502c39a9d95c018ad595a7f1ca42d6763f13863f9929c196dcd92747896cc4c8465e1689b9d6a5a4805eee

C:\Users\Admin\AppData\Local\Temp\mAUC.exe

MD5 a7e8f7010547bd0897713bdad0d4bf8f
SHA1 74f53e1fbc99d2c55a10b460158f2431f84b3c9b
SHA256 3754a9831638041b777bb570d481237b84353b90bf58b4837a3126aeb4136f85
SHA512 8ba5b153831d6e8d3d049ed693064fd234af01e05e83057efc66377c3ee115b6515747c6da3456f7d8e319cf40b3c7e4afaef168cc48be0d8cb2ca719a5fb804

C:\Users\Admin\AppData\Local\Temp\lmEwwQYs.bat

MD5 011a964d32a62cdd70866fd8d031ec15
SHA1 37ade5b95d7d3a8793d2edd3716c58bc92dd0f06
SHA256 f0ffbfbdda664f51a5e62a0e204b69c9d88c35a0e5819caa9a20de8e350b331e
SHA512 bc55403dbf31a875588ab3f88551cba4daaef4c3a57c5850a8fe760cb7e0994ffce93af690bd8c76202755e971845ff5412b585a96d92baf59d2c01c194e86ef

C:\Users\Admin\AppData\Local\Temp\iAMi.exe

MD5 a60cd1a3253af174dfabc8018e832328
SHA1 c3040fd107bda6ff854155ed87c8b3925fa63e2e
SHA256 b2d478b6ead7ade75ee35b31478064018d6e819fc8b224c07efbb09c3834fb80
SHA512 93c454992723e3e5eadb60cd772ab44cf126bbb82e1357adfd9b29f33e371a234cecc3719f980b91dfcb23b86b96870669326772e4f2e51dfca7a576facd9af7

C:\Users\Admin\AppData\Local\Temp\KMge.exe

MD5 cec6f7bcf617f1739a13ad8ef1befbda
SHA1 90c7e12d1e73f0973c1501728216063eb1a1c148
SHA256 1e06595fa52a56de3efccd34c9a8285d2e33e5925fbfc6ca274dd2411bc8b4e0
SHA512 9499d96024566d0a74c8bf33422418adc6f5fb730a8572b0e817ca0877b7ce8bc28ffc74f39bd334d366c54a78415980596d32239d02a44fa96ed5077a27ebc3

C:\Users\Admin\AppData\Local\Temp\aMYq.exe

MD5 b7bd53289eba0a42261d1b73d77022cc
SHA1 7982351480583ea028d92363f081749a22bc2714
SHA256 087b4cc3cf3c655f8d02187af8cffbb2d609637799a4ce0bacd763bdb91243b4
SHA512 29358af40f2493aed185193a640835979819f8fa9c224dc7e8947d952e484f37d8430804de687e1299833b56e26a8f0319443b02edb62f3b20024e7c57be11d5

C:\Users\Admin\AppData\Local\Temp\aKIcIQIE.bat

MD5 7a07acf05560f5c594df3f4e29ec009b
SHA1 1662b0917c3663e3edf5600f5effba08a638021f
SHA256 eaf61e462fd498ddf509382eb8fec6345944c838638556f3b1f304a13b5fb368
SHA512 138ff3163b358003d810e4448846a5d7ee82e74eff4d2a4fcdba042531efa347cb18d7f371cd72d01be9fe9aff886173207df162e69e6e0593bf98f6802185b1

C:\Users\Admin\AppData\Local\Temp\kYUw.exe

MD5 8298ed85f8af01a16256932602691816
SHA1 df1adad97c9c914c1b55e8fdde96e36a97aa8f58
SHA256 020651e8e3a0b29767ba034a648db969f93bd35d0a6de74f9ea02a0d982e8654
SHA512 b0dec6e73f47436a6c087a0d687264356010c5020e12fa7ec4485ef31f85491600fc378d1c87be7628d30c72bfa8064333aa6f9cae96d984caf39dfe050bc910

C:\Users\Admin\AppData\Local\Temp\wUYsEkkk.bat

MD5 06cca0f8868e8388c88695a86e2aa4b1
SHA1 3d990ad7ee6ef8a2dec25e0f6256ac203b1a0b3b
SHA256 f1d7d557b64f6f904bc9a976baa42d2301755fd58f896d8c51d991e31933b45a
SHA512 bae8d46a1c1807bdce70a56e8ff47c0a909ae45346adda56545e4114740fb4208c0db6fde5d425a85ede9d43d44e62c638ce8fa20167f439849bdd3e9ec2df13

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 139496c4d27c5ab83fe782b5922d85c0
SHA1 314b72813a7ec3b9506eb556e6c7bac9f134c878
SHA256 5dffa52bfde25c146c3c97d9d19793cd3f1c0a5da5f41bab9306cba493a65e12
SHA512 91ad3ae2efd13f73010c9d090db6152d2d10bb9da93b959193bfadf226a9957d0a42b8b920ba7318caa41e9110895d5f33857c490c3e6650f8a212dff2fcd454

C:\Users\Admin\AppData\Local\Temp\eocg.exe

MD5 523a22fdad23c25c33ab43c2826fb4f4
SHA1 2d5f9bf86653432dec4b13c47ff2062796a05418
SHA256 9de48804a0ed71773df0d9fc77818dc847ad536b1e603913b2c74db3dfc4f84d
SHA512 aa1eeda15a2154abede08256556cf9bc3fbfb2c6b7b4690529c1bbaf0a65e04d4f8a2cee5db18c7a3d290f3cda0cb8823e907fcf0079a2e5485b76ad75c2482a

C:\Users\Admin\AppData\Local\Temp\GIwq.exe

MD5 a487256b4bda30ee64090c79caa16f64
SHA1 7eecac6086e290c47c23f13633af42adc937a05d
SHA256 4ebb22104248f95c5233ab7db9993d1199e3024618f6b40bdaab4b1d5d6d4487
SHA512 e29315eaf477e9087ad72b647f607869e2194f3b75001cb9610532855ae4ea2273fa7bab4ef7ba18407aa08adfc6400de673a988fe805d47f1dc2238087eefd4

C:\Users\Admin\AppData\Local\Temp\ukES.exe

MD5 54529e93584ab5b456f153babcefe72e
SHA1 ad2511549fc30032001dcc9c14f4c1b832dde550
SHA256 59e5ce171368e3f5ae28aae3272f80192032e42c3274c7d096ad4285f412349c
SHA512 b6a75597a70640cce3f905097e17872e485294dd481f33e5dbeb77b00378a64dfe9667790403440a3bc3d6d461b53ed62ed29966fff09c6e8bbfc597cb39a20c

C:\Users\Admin\AppData\Local\Temp\QSsEYoYk.bat

MD5 8738c3a450d0759945dc1600914a9379
SHA1 a417631d8cfcd8ac54574e0e0f3b18a7b2399946
SHA256 f46af16e6ffa5668176879930ed11309cb3f03dd039b78515297ae11be4ec387
SHA512 5ee6937462f2eb20f5450f4f4396abf05aee63cf418a6da2bce00164435f193150193c3eb704f93d5782423c211f44a7538b69148209f76f3da8f26bb7f764b7

C:\Users\Admin\AppData\Local\Temp\KYAY.exe

MD5 4d0cb7eddda18e96e528eb351d1a2e9d
SHA1 5e5acb0196ed68a1fd0043746663f616c9e8aac0
SHA256 8f5e4c0e16e33fff58f19d49de017ff071a3fc9fbdc9c8e30925036488ed6fdb
SHA512 809e129054551dffd5f97b70a7e5a2a57ec674f0361293f7c2fc270f199dcbbee725f546e27258fb7dc4081b5064fdc366fb76c01790e47a3e60f80810a0cab1

C:\Users\Admin\AppData\Local\Temp\wAIg.exe

MD5 a0bce0d6c3cbf038b71346b372e5f13b
SHA1 b655425edd1bf149ce9bc368796c9ae6fc940421
SHA256 3fb1585a7d36ab7bef49ca7e16ab97bd49468fab523237159cce9f6890403c6d
SHA512 d2edad3eb59a9e2dc4e15ac6cc63170df6459cec791ca1362481c5a440eb2a9e8169bbd880bdd78ae82547e15ddb68a81d0be20cbe9637853aaa4156708454f9

C:\Users\Admin\AppData\Local\Temp\ugQy.exe

MD5 927f4d643172e1694435e20e340f66cb
SHA1 2249f4475848a468ea4ef7c056e9c74b561008a3
SHA256 1716184628fb5544cf644ed144071b59510581e25b3dbac9508aa97d713d36bb
SHA512 b443de3ddf404bd29c1f82f12ad25fd423ec5ebe3c051e3b47c3986221b0bcab8910507ec0731ae7b6f343422b155340d52577ce233db0e62be8c08aeb0c9613

C:\Users\Admin\AppData\Local\Temp\usEcEwok.bat

MD5 30df0f0d3c3d0f1c0d97b5df8d3cbf15
SHA1 874d7c4f9b94f54ecfdf2a43b8bcf499ec37537e
SHA256 45c5bea92920596e1befca1b3d9adb37290ce54861ba045a49cfa0f160c9e93d
SHA512 20ed70d782d2987b591d248b1ae4172ac6ed10a54828ce6bc19dbd8ab33707f37346b9e709c5ed819d6d26ff4ae69f92779eb117017ea7a7501f7a86c9d29d51

C:\Users\Admin\AppData\Local\Temp\aEgI.exe

MD5 f2b6d7551f0dc64908f64a3935f65763
SHA1 24aac31169dddb52d68fe8f5d53024900c4eb2d1
SHA256 bf47d0c2559db471be94f87aa9734be2527a665e9c2d7ef47b88432294f51533
SHA512 6f16ba98e48568edf2b64a0db3804b7b289235c732dd78e27bfeeea21f52759bf162f4386e9147652526de1b39370141f799310ad02710ac47f9cede56621933

C:\Users\Admin\AppData\Local\Temp\aosq.exe

MD5 0e10ff7720f066bc992c40bb2863027d
SHA1 aead9d7e2102fe7b9d91d132d48d9f182d487a5c
SHA256 55eac7d4994441c4bda82131ddf9d62bdd80cb0315f8115cacf76d7f4e6e093b
SHA512 0cf161d55de22c809c3bbb9bd46d5a23d389cc79e828148b466f5d341286b89eb31009d17a79aeef4ab0ec79cc69d6d60f359d0112dc2f3e1792ad5a4871aa08

C:\Users\Admin\AppData\Local\Temp\uIAe.exe

MD5 daac6ec61d298e704bbf0a8006cd6cfb
SHA1 9c8d06b09d09c3c0667dca52550eb26468d30f01
SHA256 f3e4f190b0df4310e7cd48a120665b41e6869ceb3dcef8374b8e6dcee75cbece
SHA512 c4cef6299d3f86fc86d2c9b595737a27f9cbaef774371cf874697a1c1a0257480d88a75e122581043859bc6951d5fb0aab4d4781ca71d207a09cbb256ce31369

C:\Users\Admin\AppData\Local\Temp\AwoMQYAY.bat

MD5 d10bc9801dedad8f721d283d7dbed8e1
SHA1 aefe5bd9cddbcba4554a9296c85e05949a5f32f2
SHA256 4d25f521d483965c0ff513465fe6ed18009cae56355b62fa3d5658e4ce9729bd
SHA512 0c3e847837df6575309700c3aea3766a991929c4522ae6eedc76b295ccada5444e0e4a0d658dfce1dcafa5e56635e3dd63a078eda91f14da471fa1b1f17ba093

C:\Users\Admin\AppData\Local\Temp\QwAm.exe

MD5 e5e3d8ee93b942b2f2858250503dfee6
SHA1 60f8d9f99c3c8fe12e65cbaeaad5d354403b5085
SHA256 30bc330df0955866a3ccb4f8de6e7f36d1ade29591484e4cf3c7831a4c41e5ce
SHA512 8a6f00575081b3740adabfe2fb1aeb43a5ed3ae1e480dd83e88055349f3af49f7c359cc4d26490abf52f71449a826152f376e0d212daf5662cf2b5da482ebf45

C:\Users\Admin\AppData\Local\Temp\Kkou.exe

MD5 9126049bef641b2d3a43004cceb92b43
SHA1 c64a070db7af04d0e32920734c65efb7d8860e94
SHA256 658286113ec58766424d98aab47b10233000124f8f9c776c89cb280c7d2d40ed
SHA512 06a5196a371502b4449d23c0460a77e8a0684808fe2e4953f2b61d605967c0688ec1f8d37ff0847921cb8dc3a8cf6cb3531c0d7921246c5e2098f34833997491

C:\Users\Admin\AppData\Local\Temp\DmIYAIAA.bat

MD5 342fd6feb41848a155b044ef1c37b2e8
SHA1 98305148c3ebe84cf716303a5f731f2c8c44a858
SHA256 63051281e6230e0a27913b56843b1b469a956b0e8295d9d53b15f3921effa09f
SHA512 7211613c48f9e52c8ab9a433093a83c53fe105841efa2d6454f275b1775f4cd035caacbb09320831a032e334dd289a0d4ddc10cb6435f2b8f60341fa0c12497a

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 75116f238d2b4977bcea3b033c115448
SHA1 531d60ed3d86410f27bc2bd417f3e684a2aa41d3
SHA256 cdfaa52d6d96df796d1c1a565b5682e2f90a2a691c3eaca9c58f79e9184d41f0
SHA512 b228880c514bdb316bfec4fa4a3ab4ae60023c6f2b3aa467d99000321d61078afabb4dfb130aa7cc812c70bfc016462745b05b804f3f3ed5473013fb5900134e

C:\Users\Admin\AppData\Local\Temp\XQYkoQYs.bat

MD5 0920a173d43452191519da813fd74a23
SHA1 2ca6aa43599951d2ebec6b2836f920db3c3f3476
SHA256 2379ea1614ec08a80453c90adbdac220355872ec02f0fa6403f5b23c52f4c259
SHA512 38b82603edf7d89ab2b76bfa18852ee45118f8ba15422c9e6440f9adc66707ff16e3fa0ba8070fc54225efe3746f76c3602f9b72550ff5f8d2a88214fc8a1866

C:\Users\Admin\AppData\Local\Temp\scsK.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\QAsy.exe

MD5 e155eacc62a9352040a9cbe9bb210446
SHA1 5d887de763faf5198847bb79c05f2223ab2d3b41
SHA256 95c900d6e20db4d8d0754706e56120d0458186c0112dbe1e1102008acbab0336
SHA512 1e3d01fa58e298e9b8ee559767406cd305d9d46b44cd43ffb82ae2573ce11e220b27d380f1f5d981f51165708b245911c0516446357bf0b30daeafd2e0cac687

C:\Users\Admin\AppData\Local\Temp\ocQW.exe

MD5 58704f681cb8f25892425e242c786b17
SHA1 018d17a8f1e9e0f6b20a7e21318e05775754fd25
SHA256 3274c067de58c93737c234144538d8aa2c1b496b4026a9d4eb3036769bac2030
SHA512 c9930c910ae2114568019828ee24810e49ed553f8c1ae491acdf11f81ddf62c424dd71a8c2fbd2e4ff7dcdb87e030f75ceea71b523904c9cbe6861bb5d05e07f

C:\Users\Admin\AppData\Local\Temp\hWwIQIsI.bat

MD5 5a3adca3a26fa58cab5be7aaf934f42b
SHA1 57ee1aa1b613bbb46b98c25b2c0bf58751c1cef6
SHA256 a690cffd6a29f38affa404a92ce7e2c1d7a0155a92e1fddacb7a682d801827dc
SHA512 869c36bf9b3c71384c1e521803e2b11f273e9a9d590a089fb1b467f2cb95a2fac1c93490a445f289347c25cb62600f2aafb8d0a5867fb5ff5b86e18cc59d709a

C:\Users\Admin\AppData\Local\Temp\UUco.exe

MD5 cb621cb63e4139dee86dfb271d04607a
SHA1 a9d797301e81ad8c60fe72096a2378fe86e978c1
SHA256 e85ad9cef6e7afed4e8daa14ddcbc7a00d4c9dfe679eef4723ea715af73a09db
SHA512 91402707560244e08d819026d3b5c5ced0ecb88ab28d5063057a8a2cfbadd749e5b5de979f47fbf70560e398dc2c7b83b03f70d6aa12e5bdd16c5b366ec611da

C:\Users\Admin\AppData\Local\Temp\QoYU.exe

MD5 408a9ac200fe85c75ef2b5e1e911e5ce
SHA1 eb6c06c91ce3fa14c7e60cf6bac73a51ae9f3c57
SHA256 b04fe2d146901ce60951958de3816281c7199e5cb966ad82a6cdc15cd4caaf5f
SHA512 6914f7757700e0337bee6c9f6f7146edcae1a99ad2745b3d99bfe8edb1dbc9ba983606e1a226ff589e8896ba2141827ed177bc86a68f308d731dc19a18c7be2a

C:\Users\Admin\AppData\Local\Temp\UUwo.exe

MD5 f1314fcb9e137a9507c72a5daef2d22e
SHA1 f25237c97512f0a10856cdd76f74d8b3925e94f3
SHA256 dadeb126473073a8fa89e88116156a2a774413db238d8767c6d012fb1380e6eb
SHA512 12ef31e705400c139331476609e689db13d03f7709eb474b8f0bb586ec0bb0a74300848ac2bf736c2e7a83f3162b51dc9584414410d98af36b19354cabdb3304

C:\Users\Admin\AppData\Local\Temp\fusgwUwc.bat

MD5 c313c50c700e5469c9bdd6d3650bdf58
SHA1 8ff601a228fbf0b0e7e556fdf7ae3b4e8b89dfe0
SHA256 8097b6a3d207a26b8cd33a415ffef527be00adc912b5d7c9afccbe27f22853f1
SHA512 34f1dc1cdd8505ce2ced026cab521bab0e76a7040bb2fc235732f86b5d685d0506afebd97e7d5d97603d729d9bc272760dc7e9157148da716f2503bc7e3286d6

C:\Users\Admin\AppData\Local\Temp\EwIg.exe

MD5 ee065e1481e60ddda3331f61fdff27a2
SHA1 52f8b623c5ac65aec9d149aacb5ac20d8b729ea4
SHA256 a7396388780b325258c5ab82549833f5d349141b06399eab79c2096afbd4dacb
SHA512 20f9f01d21102e7a3f3fb657c3768c666cf4a2eef281bb651b5f10ed5ecc403ef07e02317edeed1ee25d2bc339a795a15ff2b8100678797a4c323f7993125093

C:\Users\Admin\AppData\Local\Temp\YcAA.exe

MD5 f63a914330d4bc0e630dd5717ee61595
SHA1 e85b13fed64d86e0a5379a01c84c692a3599b922
SHA256 b0b50f09e86e49a9eb1aac2c28001961f0ec64344fbd722bb2641a3cdd8f9a5a
SHA512 1fd602ea3bb076945d06e880a006e14121b48d013b836626e718c4e81545acfaa3a9d6863f35099b50ebf15beed191fb6cd62c6d13451d0f14eab9102b386017

C:\Users\Admin\AppData\Local\Temp\QgUQ.exe

MD5 c76efac75de57c604dfdad5641bfe7df
SHA1 92ca92fc3085fe905f99663f2cbb6f01beb68f32
SHA256 52774d8b4471b563129cc9a316d525665257de3d1695b69a69294a1a4af00782
SHA512 7f7f009d8805cc6b04241f2435a2b8b71a935dd361643462265c39df6f8f7eff626139c20e4a918acfb3efd531759edc7c1e9a959557a958b69102e50dbb1e58

C:\Users\Admin\AppData\Local\Temp\ygIg.exe

MD5 2ae1ff34703a3a85c30462e7c6619034
SHA1 65e134d7c0be8e8cacd7a4ebb3e96e85017b72cb
SHA256 16785353bdb84a312e66aff9327349aa720e0a89109302668e12a9be19d42539
SHA512 ee56bea23bdb440ab5be5bc790a340e030b233dab737ff8f5ca31d9d592ac3de22102efc68bef336e2c722459c553135998b62f64605d71bd7329788169dca46

C:\Users\Admin\AppData\Local\Temp\gsMo.exe

MD5 d30956b7c491912690a19fefddc8b0ed
SHA1 e973fd235730914ff6ed3707de0440a6a73c34b0
SHA256 c34c9c8a27e6497ff6150ec6a46f23b8ab502076d6963ecc6a21cf1c1f89e0f9
SHA512 716c0126fd3196c970e224e65f3c6ee5b4359cefe768e5ab057801d74b09f55554cd8a4f8d8b9528de93b75857577ae13ec579db5fd0dc84627fd03321b1fb98

C:\Users\Admin\AppData\Local\Temp\WqYkUQQc.bat

MD5 8a2031db7439dbd631f0ef2d1fb368ce
SHA1 a6b2b4bc3ac7fb4278b644632b8f0df906ee9fd4
SHA256 994cad75945f90048c7a1b1d560ab87c28339b1e6a86597a093d15c2e7a3300c
SHA512 3ade4bb3a201d7cd4d7d0a981ce4165b73dc32e82feedb496cc4f3b654560cc0c222d3f0e654aaf5ba66219db6bd104e648e88cac423e3e6acfd58991c03aad0

C:\Users\Admin\AppData\Local\Temp\acMM.exe

MD5 1a6909661dba41297f4bd83f83c7c022
SHA1 5ce7c23759c58c2ac1b985dab4f524ef8e3a24c0
SHA256 b31c9b3865a2fc71f8e1c4622ac360b8c0daa8336a985ab77a46b745ece73db1
SHA512 170a3aacbfe34206d7f76522e0d4afec4588a7b65669ed25fd8698372996d8751b417f7020bdf2ecd96a6104132c3092a81bda7bd7710f7bf43cd2e4281911cb

C:\Users\Admin\AppData\Local\Temp\AsgkwQsA.bat

MD5 fc818cf5f89df976a27c169d6cc84563
SHA1 2e300de591250c6892cc2d049bf91baa1c662587
SHA256 b4e2252f2720834c4454b35312dbb81c385d720506485658ff0521a3c1175388
SHA512 25c18e89b44eea811b61178d63b58dec4a04fc021c00205c5d6b698be99f04561a36885fed616a91719b2c8c1ee5d76fab40b85cdf8afd967f851f2bbdc6b9cc

C:\Users\Admin\AppData\Local\Temp\kCAMEsEk.bat

MD5 4bea69fc0f5f7380d421ff59d90a8efc
SHA1 bbde97eb978ae0d017ebfa8f5230ce84ac7c40e2
SHA256 85f34d4794fec131c0610181f9ff764744133143b7abfac3bcc1ac0daf7400d8
SHA512 79cfd2cc3b4fa8b4f7e426748816f28024979c9c716cfaedb55f21b9b2675f1d24ddeeb22d7126f3c834707495fae6952fff5bfff2fa14588c5e53de4b3ce305

C:\Users\Admin\AppData\Local\Temp\aQgAMoMs.bat

MD5 1334be8b4f2d63855e756efaa8dcdc2f
SHA1 7650b86b290b965639b42854c662af3db3e8d614
SHA256 cc7f8dbc70dbe5841f3d8dfc4ae48dfafbcecfd42eefd31295459a3f317a3d70
SHA512 fe488052dbc841637926055d635b1bd6b56c4eca7af2522bce08e187e587de75c887399b8ada1c068a36a54b17ff0e4d07d3fdff6d3bcec14cab8d8bdcce10fa

C:\Users\Admin\AppData\Local\Temp\loQIkIgk.bat

MD5 4be2a69c2f8a37d9f4ee2851f7d8ba5a
SHA1 47bb235257701198828966e9ebb5f7ffd83113d9
SHA256 1f3127518cda92641ffdfb03938d1874784e51d05b7e4603fffb5863a5e313cb
SHA512 4eba20317c5f46db11a18586b640c4a046a56cca979ab1dd3b17047ea6a0136eb65007c1043de79386c40b9a9dcf7b0ea7046fe59b556aaf605c46f918540909

C:\Users\Admin\AppData\Local\Temp\daEwsAIw.bat

MD5 ec8329cbc5397e58ca4ed74e06971f4f
SHA1 a7c4a74da1ea5d113b664bf23499cdd383ea1cf4
SHA256 529278c60ee2943e2277d6c813291b9d7b3971554436c72ca1460efcf6e27cd1
SHA512 65ef3ee637bb30b2a279f980e2d04ab28bb78601f420af2577738f44495bc3a4823269227ade6f6decda1f90473bf4b4b7e1ae72a5f9a029347cc13a37b7406f

C:\Users\Admin\AppData\Local\Temp\zQgUkMcE.bat

MD5 e402adb9c1e5d2cb8c64eebda2c48f6e
SHA1 66f9d93bc918a811bc44d696dbe41622696198d9
SHA256 47dc8ee0e7dbac73b9f412a76f59bed983477c589fbc80d1d0216af272ec29c4
SHA512 411ea73853b9f3114ebd6bf31ec55fc0962ebaab26b65e0cd0e82aa2a98e46a30c3017b7d7481f050c5f3afcc7bc8ffdf950473d985a22fa7d4341658a5de9b3

C:\Users\Admin\AppData\Local\Temp\qigMAIEE.bat

MD5 d9cb0034598825c960cec28d456b7545
SHA1 6882dc6a11c16832c0b0f792903576d3414afac9
SHA256 15bfa842dbe2f95c4b266dd4b0296722aea8d91705c37d6c63ef8a1479e144b4
SHA512 a439eb5f4827f3e3f235d6c3db77572f2dbbcb7cc1c2990ce689557668d0b56227c0c29264971215686c2542bf178e65162344d8444e32e056087f22e22478b2

C:\Users\Admin\AppData\Local\Temp\qkowgIAM.bat

MD5 af14c393b2ccfc68aff5dd12fc7ad59b
SHA1 88d48e40c38644c51dc6e41d2d9bba2ba7714d5e
SHA256 3cc5149d9509878d082f877697174eded8ae81713c1d12fe5f214eb5ef04aedf
SHA512 16a9d5245aa70fa29067a1af980ddbb137a1be11957082a12c2ec3cf70e6e6ebfe1eee49bd65392d7f13255d48b747f49cf155fefc5d07653ada4b08ba42552a

C:\Users\Admin\AppData\Local\Temp\eWAgoQYU.bat

MD5 9e3eae37d511b941ff595c3672ecc907
SHA1 809384520f909841804681575bd815f1ffa699e2
SHA256 337b6946bfb4f41570ab0b217a3d6ecf99d02bae040b8c57ee93a0ecd8e83276
SHA512 79aed7723cbf2685ad9e099104b65d7f1084c5dea13f42a7d24bfaf4aaa6b7dc29e83cedf15d6f08f88f36659a272f221ba6b995183c28628bff56b8a8c955a8

C:\Users\Admin\AppData\Local\Temp\xeIUMQgU.bat

MD5 a410bfb6858f78e13b936d073fbf3029
SHA1 1b3b6487604bb22b4ce8b72ceffad234c2f21c60
SHA256 4ff63a2b9b0a59b91dd823eec7ab035090b0307d6b5db06f9c9dc6625ab39fb5
SHA512 29fda7ba28c890e61978e5f0ff1ffc81dae03f4e28b10b9cc665aaed85c8dd19f1ddd699012d95d3c1a36cffcce7838b4ff062a84d86ecf2be601cbc6cb3a7f7

C:\Users\Admin\AppData\Local\Temp\DuokIMEc.bat

MD5 73c09bb63ce2c9be113390c22a506248
SHA1 69b7f33dbdd815fcc2b5b2c53d3462d2eed2769f
SHA256 9052414d120d9d7f76f24bbe00d7560c3c66efed307fab41d7c9c379516d90c4
SHA512 b6d74a6d96fb586edc4aa29825d179d6958785d795e173caf44ec344df17766d0fcba0990a5d83395deda77717a44e9b8d0d1a16be22fcc63784e60e620d62bc

C:\Users\Admin\AppData\Local\Temp\HuoYAgQw.bat

MD5 8f7fa097f4eb8543d3917134f66253c2
SHA1 c32489134a7e711962f25351d68b3e2483db75e5
SHA256 f444cf0d44c9dc50785009ded2425b9a503a87adcbcbcabb3b659835a442882d
SHA512 eed682317644254bfbc6e85cd1f830acc4bc266440a98098bc894606d5d3af67bc846008c0e2b9bdc01bf9230ba4bfffac1811c95f459abfba75f54139c916de

C:\Users\Admin\AppData\Local\Temp\vogkMYUc.bat

MD5 887d40b8a9eb25c91470b965c4279d37
SHA1 6696a43606db9d98a0e144bc0d31e4cf283ad614
SHA256 88db45e7a68b75000134ee4f137ea2b40aa67a1502293e389c5e428ef0f4b3c6
SHA512 8c9e2dcd75cd4f5bd6cb26771dbea9e1ef3e5fd32fed1f79ace25f625334b7aedd04d0a71d3694419324aca838d230b9a5e986a70e1585dd35b49f46dac55b0f

C:\Users\Admin\AppData\Local\Temp\ymssgkIA.bat

MD5 75c234d60c60eb20301060c5e6accb0c
SHA1 75a6ac867fa9622b54136f014ae663d547eb9a76
SHA256 2ad44a6d6bbbea99f40fb86b8a5c3fe079e04b9343628effdd9731832d5618cd
SHA512 97a55d27e5d7cfe3870db69cfe0cccda98d01781e9581e9a8778a66a1b90b2e7ad70ea0c4ec2c42b93a4cbdc96dc308707541ba2461d42267380d74d88d9f1dc

C:\Users\Admin\AppData\Local\Temp\aQowkwEI.bat

MD5 66075cdc3d4abf265aaf81a860a1095e
SHA1 3a27be0dff8b9e9ed821d395d1ac403177eb89ad
SHA256 247e5f0e409c899e383fa650b0e9fdf31137ad37e3fccbe3babffc8b202a2173
SHA512 dd4b6605d4e35c4fe2b8fed77cb41fab7f035ae44621ae691ead2759b54c0ef8742426fbe94da2341ae709bd05745a959f075fb30e6cf5fc37edd8c3e2c6ffae

C:\Users\Admin\AppData\Local\Temp\keMMYcIs.bat

MD5 fb79f5a1e56f3c95f31cb23921a3247e
SHA1 3858e8f2f85b6f4b62a537d83f80c32e87f8d9c1
SHA256 a65c88728a59fd6b6df0646a87dcf35163ac58e72b69d9938ca16b4612d78694
SHA512 1b703b19fb63f5230261b5e9bc22ccd9bd24a1f8871c42e725ed420ebf0c8ee02a4337882d80ddd349203523cad9f81dd6fa3c27f79fcd4164e103ac11b0e3a5

C:\Users\Admin\AppData\Local\Temp\fyooQoIo.bat

MD5 8ca75db329f371a08988147d677ecf2a
SHA1 283ce7d6a47f8fd78f0a7b5100ee6ef2fb7d1781
SHA256 0a0c89c78858a9ed0b70ca6ffee7b49f970e97e2ca1f19c49086347844529e8c
SHA512 41744fdb785d1bf1ef7a074c38f0ff2b8180b4b8e69cf65d2c44a022d869a57487c7774fd89f315691c124087a4a4a43ec55eb303c71edd19feaba51e8377193

C:\Users\Admin\AppData\Local\Temp\fEUwAoEc.bat

MD5 0c31b350e5987902a677e170e808b993
SHA1 ed672634e1096f894117105261d38d4b0fe5532b
SHA256 e73f8de9c06b02cf1fd6c8ebfaf4e51176375045e9533ab45cad7c617597c463
SHA512 5d2bb87be5a4d6dbad8ff2142c83f1e9d438bef6dc53a98b45905525ba14a0fb6061233d4ed72bbb097530229ff9df8eb13e9f7e7c9a061f0c29eb196cabf74a

C:\Users\Admin\AppData\Local\Temp\tYckkUIw.bat

MD5 56ba9664616afa359f0976ba273d4131
SHA1 b891db784ccbd7d576804bc853a7065dc0609903
SHA256 ef8089f9827b94ef0391e888153302f7002aa4e3e83a5114406a377f15b1a408
SHA512 16c7ff21151d2e06510e8d42e39ed8c4e2c5fbbead933efa1574c8f9eee4a87c3655ba34c50c8ca40c63379842c9d0ece53bf2283cc09608a71e8a8f2f37c2ab

C:\Users\Admin\AppData\Local\Temp\fScwEQwY.bat

MD5 9273a0bb891a3d15be53f7b590a4fb1e
SHA1 bb482ab79b032aac6f29bef52d6ed7cd67e3a9de
SHA256 2d36c8601fee74ed4e44b0de6467a0909f2b99a42d062bb4c4491cf5587dc7b9
SHA512 eb7a9e598fe31445262b165260e40720a73e924e92972f383a67e425ed6512b9f93ba0fbca083f96b9ec1b2ba6c81936f6e562f6ebc4d4403ef23004734f6870

C:\Users\Admin\AppData\Local\Temp\moYUQwoQ.bat

MD5 2bdd03fc49f31346070a103404d2b220
SHA1 846753d7d8c4f504927587dbfb728c26f232d8ef
SHA256 3cb049f24c68ebad95884b3800b006c1abaeca48037d9e674f976e791bf736a5
SHA512 22ced62a0d5cbe96a22af01ec77a171add140f09a77dae44b300db9c2132703bce7fc29d71cd97d58491de3e0a2ea0e6c7b06823ae0ec505aca64ddccdc851d7

C:\Users\Admin\AppData\Local\Temp\ueEwwQco.bat

MD5 f1c4cdf86e3e5952820919fcd7fd96e4
SHA1 4ed13a3f19a29792dafc9f3358de7b58619e5f3c
SHA256 2581ab6aaab56dc1e3d88d5df0f261b9937f01325bd2d4c49d7c3244112a06c2
SHA512 b40fcabd9be9cd3a7b078178008897e7630cc57371fbe803384d83370a6486020a328f92cce0b7feb0e6164ed951986655d61bfb783e050e75a206a4cde7574b

C:\Users\Admin\AppData\Local\Temp\KYkYsscQ.bat

MD5 a7e376d813bcc45a21a40babad310c3f
SHA1 e8073803376b92bace5dcb5ba0175e05bd7d5d23
SHA256 03a08e18a944b4e44ea4444146fe1266b8b42853e2a890dffec4c8db7c013184
SHA512 4412b673c5cdd5af36ecb43088bffbbb70f47673c3582c2e6d01e12f47c1cbf74fbaefea053ab885d72c955f7d896e42423700fde88c7368df9a0b9ad9550da1

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 18:32

Reported

2024-04-03 18:34

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (79) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\ProgramData\yqgssUcE\riwcoUIQ.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\riwcoUIQ.exe = "C:\\ProgramData\\yqgssUcE\\riwcoUIQ.exe" C:\ProgramData\yqgssUcE\riwcoUIQ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bIkgQgkI.exe = "C:\\Users\\Admin\\vkIIMEAI\\bIkgQgkI.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\riwcoUIQ.exe = "C:\\ProgramData\\yqgssUcE\\riwcoUIQ.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bIkgQgkI.exe = "C:\\Users\\Admin\\vkIIMEAI\\bIkgQgkI.exe" C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A
N/A N/A C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1572 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe
PID 1572 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe
PID 1572 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe
PID 1572 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\ProgramData\yqgssUcE\riwcoUIQ.exe
PID 1572 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\ProgramData\yqgssUcE\riwcoUIQ.exe
PID 1572 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\ProgramData\yqgssUcE\riwcoUIQ.exe
PID 1572 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1572 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1572 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1572 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1572 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1572 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 5112 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe
PID 3996 wrote to memory of 5112 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe
PID 3996 wrote to memory of 5112 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe
PID 4204 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4204 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4204 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5112 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5112 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5112 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5112 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5112 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5112 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5112 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5112 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5112 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5112 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe
PID 1036 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe
PID 1036 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe
PID 4632 wrote to memory of 4680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4632 wrote to memory of 4680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4632 wrote to memory of 4680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4900 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4900 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4900 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4900 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4900 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4900 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4352 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 4352 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 4352 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 4900 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4900 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4900 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4900 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe"

C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe

"C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe"

C:\ProgramData\yqgssUcE\riwcoUIQ.exe

"C:\ProgramData\yqgssUcE\riwcoUIQ.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\isIMYQYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAkcooEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pioYAkYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmMYoMoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYEUYAAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQQQgssk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGEUoQsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikMYgUoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUwEMckI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmQsQsYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\secYEcww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucgMkscc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIEcwscY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pekEQcME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XscEwsAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAEcQwMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwIYYMos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSEIoAcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCowAUIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scAMMIsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmokQUkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiUAgkUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqcsUcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGIocwgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywcggUIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUAMAkgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKMsgsAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe aded6c85fcdaec7a48a45a09c3ad4b30 uAUnx3/KtUS+94yhgrDnEg.0.1.0.0.0

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUcYgkgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NookcAMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xykQkgQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACUgoIMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWMYwAEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSgEkAIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsIIsQUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ayoIQkMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCwIsoAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEwMMkYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dyIAUQMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCoQQEEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwYMAcsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEQUEQgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIMEUkEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOAwQoAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwYEYQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv uAUnx3/KtUS+94yhgrDnEg.0.2

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQkMcsQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zussEEYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LsgMYQwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OSkoAAwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwcUQkYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWkUMUEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcIsswIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYMgoIcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIwQUgcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.200.46:80 google.com tcp
GB 142.250.200.46:80 google.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 181.11.19.2.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 227.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 241.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/1572-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/5008-6-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\vkIIMEAI\bIkgQgkI.exe

MD5 40326f69ee9517c918e74f7fedb03be3
SHA1 260f1e071e7f38a40d8a6cf3d6a6512a58f04682
SHA256 edb105d940d781f6d81e9f3b88cf73346eecdf635c56fee1016ef2b966cfff27
SHA512 1ebe627a7dd2a369cc233619396ff900cab6c17daa2129cd469316d4e142b36432094a313601686c0d5aa3cdebb63399237943341eee8b9fe187f0a25c467cce

C:\ProgramData\yqgssUcE\riwcoUIQ.exe

MD5 c4d817987c7c5ebd7525e50ed89589dd
SHA1 23502288b2904e3056669015bbe26d37ee88aaae
SHA256 7b174589e20c91c711464f046bb9781974015d77d57709cf41c56f085c28205e
SHA512 76635aa5feb3f2fb352d42a7a05bca77b5f86d188da4162da92abd70a563d13a4a1cbdb77bd3f0fdf9f20e1443847457bbcc2f32f43ac1ccde70ade17938e98e

memory/4812-15-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1572-21-0x0000000000400000-0x0000000000431000-memory.dmp

memory/5112-22-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\isIMYQYc.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2654b33a18d9a692515f7b0b1fee79ed_virlock

MD5 5f6870e505406f5a8e8fa594b6d5bafb
SHA1 4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb
SHA256 f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a
SHA512 b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

memory/5112-32-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4900-34-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/4900-47-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2612-57-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4500-71-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3712-72-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3712-83-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3384-96-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2356-107-0x0000000000400000-0x0000000000431000-memory.dmp

memory/368-108-0x0000000000400000-0x0000000000431000-memory.dmp

memory/368-118-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3964-121-0x0000000000400000-0x0000000000431000-memory.dmp

C:\ProgramData\yqgssUcE\riwcoUIQ.inf

MD5 bbcd33a17d6bd993856be2b178972345
SHA1 254f78cb5503c196124ab32c9afecad85c821784
SHA256 d9d502b4d6215f7e5c7dc33b00306a5412939668c7e16976c545eddc9bd169db
SHA512 da8273cd9a87ce562edaed673f6d0bbb353555498d1d1691dc3406e571b873e2ba619ce699b2dd014429601cc4546aecbc18b51d09ea8750cccf65dc75c709a7

memory/3964-133-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4968-136-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4968-147-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2084-149-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\vkIIMEAI\bIkgQgkI.inf

MD5 646c4f168d40ba1881a936b6137bb427
SHA1 4cc061449ecf00edc954e68e4b68382a9e6269d1
SHA256 ca890b54fbc705a23bef389b6facbc0022d016ba4861181a2388649947bfe136
SHA512 07ce09efa83cee1931d876f6e61eff674401023bc06aae19ed898b4314743fe20b7530bae27c8e07aa410d4f0f3f5f09513f131be18037a5e0e328b78158f98f

memory/2084-163-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4448-174-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\vkIIMEAI\bIkgQgkI.inf

MD5 c9ad6747182ef3d2d465330b58051a4c
SHA1 76e8ab122aeb0266f3d5ddcf663b6ff1e5833f68
SHA256 4ee0f435aefcb562a2dd6d87fcbe21c0948b44052658197f7137ef14f7b9c44e
SHA512 60f965029f6720470cd68b504c1f4fbc1d84f2d2e8c85b774568311b2cf06b6d1fc55409da1a23f1b16b9a28a043a5e8e1247d9608b04ba1be0d95551e4c2f77

memory/4052-189-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3076-188-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4052-201-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\vkIIMEAI\bIkgQgkI.inf

MD5 97561a85c343dd6a16e178d972ff959b
SHA1 ec209097e7aaa14a77d43accbc80c5f6ab6b50b7
SHA256 7c65d650b92ce7d99dc26dc30221a54720b23a585625a60015cff03a682eca8d
SHA512 855aaebfdf2ba7b75f149fd243520e8c197c494e20ab74794f519ca0c800c3f5bbce3e14ef0bb223463d561b3e2cf8ac04dd388e08667fc28d5316601eb14843

memory/1332-217-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3864-216-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1332-227-0x0000000000400000-0x0000000000431000-memory.dmp

C:\ProgramData\yqgssUcE\riwcoUIQ.inf

MD5 f3cf304b6de573d81ed28617437dac7c
SHA1 64e54fd80fdf8dd95ff75e10c01c920ea13bdec2
SHA256 58c28a9be3b50c2013a747f8dbf613b5e12042a1a8f1f2160e556b15abed9b51
SHA512 a718bad8040f474980f834732684b1e0c55aa2688d9ef42f6ff776ce0e2b554eb4d358cfe832bef9429f85bf1f40f01e86915c1cff31e9c934ed211f6776ab93

memory/1240-243-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4480-244-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4480-252-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4436-260-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3780-263-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3780-271-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2420-272-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2420-280-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4324-290-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4776-291-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4776-299-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4524-309-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3572-310-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3572-318-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3980-319-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3980-327-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2484-330-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2484-338-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2568-339-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2568-347-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1436-357-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1684-358-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1684-366-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3104-376-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2716-377-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2716-387-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2784-395-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2572-405-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VcsS.exe

MD5 f8c3cb3ee5f9cbacd04dbdfcc30a39a5
SHA1 0d00460ff213ffb5a11d3313e14b1924c233db59
SHA256 2b30b00cf44793acecb08203f74e1db4df8ad2faf2ba6a402f86be2c3d43934a
SHA512 3de24e4050b5ce963966a3a3292ef31daa7d67efbe8b2408a302cbfa0e94b68eb119d127205962c6919c40d7bd045846ebe10e16f03bb5727613175b06447638

memory/4196-422-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4196-429-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3488-439-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2132-447-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4024-450-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4024-458-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4788-459-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rUwo.exe

MD5 1a6eba676ff2da6e59f57de4b71e6b07
SHA1 20547aaff0f85d3ddc5f4f787872b89546418cc0
SHA256 0c28fd130af17f044f822168aee2fc79a7321869831efbe7b2dd76f5f00e1c0b
SHA512 50cc46e57ba913fbd8b9afa1b4882089555c37a34b97775f9bfa2fcdc8b78c8ff3d19cdee10c63977e70b72461d1e2c4d161864b1de8dfacfeb8874f72b74300

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 d1f0b2f4b666dd2fca828c52c740528f
SHA1 6f7b564fe4b535cafebf9410067aba0c020005e8
SHA256 ddd6be2ad5fb39604ea592317045830c7191bd06dc04ebacb405542d97ec01b6
SHA512 30826a778fd4ba79dee852d5687a3e238d403f76c0bb1c1970f8f99d58ed92a40b560617d75434aa0df7e86f46a6e197e1519afed1e92bb753b0073e1d4ee06d

C:\Users\Admin\AppData\Local\Temp\FwkO.exe

MD5 18eb4dc6625bb6da634a8ba2fb1c8803
SHA1 0ce87e9365a73907da54fce361549340e30bc54a
SHA256 ba7a38a11a80e1cd04524272090aa40c81826b03b248b826cbf5ca9b91cce1ea
SHA512 9c1927e6e18255d707ff10330e58b35c9b90600e77a0a64c0e7393818a5771c1b891211d3c706b1c4ab762b898a4b13a8639bf1985e98ae8b7ad7d028b0bee74

C:\Users\Admin\AppData\Local\Temp\HYMU.exe

MD5 15aac403f8b79726943d828b10a8d115
SHA1 81f0e51e0f564edf6d92ebe35728b82218278b84
SHA256 62d55b8ac2d3cdbd9268718fb70b590b096bf56b9235fb414d27ae2338350dc9
SHA512 0c9025666d5aba8f6b4145149af2fdbd530bc58e498b2638847d481283330f571e21d46f891041d93d05038ce42e92e85f014f4ca9c4989d0f03443f66170061

C:\Users\Admin\AppData\Local\Temp\OsUg.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\dkEe.exe

MD5 180ecc3d171821e9fbec0b429da7b30f
SHA1 ae9cff39f789b2671a93d21ad1ad0dbf01ac7b26
SHA256 ab93f769a47fe9049d6020a9989525961035333f7daf73f3a272781d0d6d524a
SHA512 d23530a1fe5899545895d48afffca0790b4a721e8e135945cad1a94669dcc27ffe5bf17ffa16277766b4b1c27a131701dd259c5256146d278110abab78ba53af

C:\Users\Admin\AppData\Local\Temp\nAAE.exe

MD5 b0dc9c5d10c05acdbfcf0bf76e96452a
SHA1 7c13cd032cb34af2b072036de0500fedf631fe57
SHA256 03f4e0ac26983b9681326516541746985fac9c4706162241a8cdc564d82a5c55
SHA512 19466dba84aeac34a76d0d8d807249ed10a1a3736feb6ec0fa719970f1da7704bf3d718a41072c891b3b34891f612fdd6a29becb2aa154aff59f76c68090f27c

C:\Users\Admin\AppData\Local\Temp\Nogm.exe

MD5 9d7156321d77a45a7a29d5d3e38a7b92
SHA1 2c9e26af0705c3042b0e1f8f9c8e4b4e854b1889
SHA256 e573f5d1cd582c9957a79a4cd09d2a60a80f0f6a05814eef9db7c68bee63a47c
SHA512 6b28b343297b0603209635aa6882a88c2a2cbba40c9e794e091253f681af1406c91d564ae2cef721bef182426d95bedd96a4e06d95166687c28cf22dd5b8f62f

C:\Users\Admin\AppData\Local\Temp\FoYI.exe

MD5 6bd58a70a0b0d39268e3e0fa18ac2e17
SHA1 74c191a80e33c6ef0b660ae561ce9ca41dfcd2a1
SHA256 7c89e91b1864dbdaeace34fecc40d410a2718239a4564b53578db5dba1d0cd82
SHA512 b82992501333eed5ca69638990d90917f3c1a27e98ae1e479b05db333004750c541ad3fda19fe220417e12ac483e2c49234028f01b9fe730eb14eacf5ffb472f

C:\Users\Admin\AppData\Local\Temp\nkAm.exe

MD5 ff7addf606e2d6ba0a9f82016dedb399
SHA1 04c6f012230e30300f7807c7bf24759928b0d4b2
SHA256 45fe47c42bd158e8fe470b89059f2cf09ce6b31453dccd63281a0ae2749d8fe4
SHA512 c2d7b769dec3b4b76922807f4ac92bdbd174eb6334d8c64a043be1c73836504ac994927915f4da03b3ccf892e6c619ca68fe8a2ff5b46a5db1b66bb459b92591

C:\Users\Admin\AppData\Local\Temp\mokI.exe

MD5 41fc2c1be3be3e9217b4559aa27633ee
SHA1 d45d9b5ee0fe8e0ccdfaac14f0dd6fc0b3b49163
SHA256 551d9a1982ed4c11cca1e2d6545084185b96f0697ba8301270a6e9cee451d149
SHA512 55944e9c673d20fe7fca867050ea859352e6f83973b5c93fca4733dc0ec2541550bbedc43ecdab4f3f677781aeca8959f6372afc58315cd99eb801323bdfc813

C:\Users\Admin\AppData\Local\Temp\vQYo.exe

MD5 134d088980b84913c085feca58e656d9
SHA1 3eaa47860e9947b06f64161ec4367e961da236e6
SHA256 17dc054f669d0acfa699fa41c0f07443704b78e4770619df4b1ee827121ff7d6
SHA512 333444cb0127641107eae9ce5e78b953ab67698311e1a993977471339c61db147c9cf9acd28f0bbaf930cee0278678c559fd88a865f8ef055b5e87f7b1b7ed21

C:\Users\Admin\AppData\Local\Temp\Nksk.exe

MD5 3ea15b9ac0a6448b69dabdc3cc8f1ab0
SHA1 6614e7f34f235c7513182384d67e1f36fb6f08f4
SHA256 fc0106559d126816a6911341f3f599cffd6845b4c87934c55680907672850793
SHA512 6986ba1f73478c8b3f04b321d2642b1778bf6917edf2f2a941d323e63ac19eb4a047607236be56b877b008c73a745e4bf89ad8a43f2518f74aee4d6d0eaf9aba

C:\Users\Admin\AppData\Local\Temp\XgcO.exe

MD5 20d890b6b7d716647c1e5d85bb25fd78
SHA1 7a0e5c7d6c8c7d8b665671f0d4cb8f6ae8b470cc
SHA256 2515aca81ea8fa069365ef3db95247b5e9467a25574612b545e1091fe68114fd
SHA512 5028eb7832fd923b863c9c7762adfd206b1d594bf42042f2ece41b4a2a79ddd0b770d628d0f7acc8b85171c2ab3eb50e990348700f6c002468b7dfcbd76f3067

C:\Users\Admin\AppData\Local\Temp\Swka.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\SAIo.exe

MD5 cd134a700443dbfcb94a69df3cd03f0a
SHA1 ad154d03d1b7fadac3a5f6621ca6b4c4731db6db
SHA256 c7d831ac830fbe074da6406f5077b35b4fdb25bf02eb936a37307e4d9cda8056
SHA512 c5f976347789d0a45b44e6f30f0695bcbc42cfae3641792cdd8f2818673c5ef5dbb17b35d59f9c42a7c265d4271d62e024a72aa574519eac2d5dd6ffc0ea566c

C:\Users\Admin\AppData\Local\Temp\QUAk.exe

MD5 1f6353ce151c6d2d2c93369f41ecacd1
SHA1 fb0bd189df797dee5efff62fc0bc346029e8687e
SHA256 371041e0a257cf0bdffab8992951963795a4585637fa5ba97d6a6e1b3b0d6155
SHA512 8b8d02230db7a24225bbde044c9496fbc2aee1bae71e3ff1610f50458fc31f153c0a4b29ca23808adc3018f837012a3906b6eaedb5c375929f4c317a0e8dbcd2

C:\Users\Admin\AppData\Local\Temp\yAAQ.exe

MD5 ce300c0e4f576770f96920c41e104691
SHA1 4afb71232de4f714b7932c79e94c2001360d95c9
SHA256 1555aec8447eef6f10ea6227b0c3438d8cf6e0de9c5cdc45ffdc5ffb01598ef0
SHA512 c8be78962d2e67591cbafa1cf50a84e43cc57ca920df17428fccb23b19be8283df184dd6db325c41928da35b1bf20c49019a693f7d88bc7329eb308b08d7db1a

C:\Users\Admin\AppData\Local\Temp\igQe.exe

MD5 b0dc15e8b2f351fe27828db7ef1c58a7
SHA1 0f02617f776d0d2524cafeba99fefb781867dc6c
SHA256 7620915df1214e0bfd79298472a4da7b1b382b828b00c19d2b88c8defbd71794
SHA512 c20a416e4c9060bcb035e51e5d80300989611c0e92301bba0fa895fa166ef10a213582377d46e9f37cca67850f96ac5cdc3cae04760d095c2be14d62becf1e7b

C:\Users\Admin\AppData\Local\Temp\AUgY.exe

MD5 703318a1d9eaa3a3c01a147b24353d49
SHA1 c5ddb9ce078cf42760114b045db1d5fe0ec92763
SHA256 b66e41aba542ea2496465d50c5d243b2bc865acf048da02d6776faa3006e3973
SHA512 58838532b54172abaef23981e339e0525397b86d10325a11d26c7c4cecdc754785adebe3ff36d01fd68724ff8664e412b956185fb56ef0a5710859fb4f3df940

C:\Users\Admin\AppData\Local\Temp\FQsI.exe

MD5 c738b7f7f9f4d5c59801aa96737aa9d5
SHA1 182fcfc86b1501495dc37e599e127c69bf27fbe8
SHA256 b5854bd9ade28fb382ff0beb7113d0a8157c7d3ac0102813b05e82b95b22e29d
SHA512 1827baa189e9b6c33ce708a85a71ed6a46ace5022aa4a11ecd4e708b74ae29d4dcf88c1412560e817401fe2a959a99de56e0d1b3615292c93ae19d509e78a418

C:\Users\Admin\AppData\Local\Temp\Woss.exe

MD5 5812d0ec5f908711f12a877dc5839132
SHA1 23a4ac7299b12d8cb50abc3bb560f43a25be3fd1
SHA256 378abd8f2b9a72943e65bc5812c48b77802a90bdd89da615eb1d660dd9a4e303
SHA512 26723651ab6e8cdd4fc9dc5540fd5cea41c199853c3961f012ba005090f6aae7d6c5969b66fa283394c5b24db99974bef4fd35010785ba28b3f8ff0bf45735eb

C:\Users\Admin\AppData\Local\Temp\wQgg.exe

MD5 54230d17365a9e8a216b7cbcc5b85df4
SHA1 f7c8876dcf0dd6a1437a14decb27059c52407e7c
SHA256 df156f1803d2e26f356c4e53e1f95b385ed3b4c98161c0c29dcc8143c42376a1
SHA512 74bcc536ddcaa80312f25716ceedf2979e3e3cfbe67d0b25d69adc93aae596654b2b08f7447f2f61d6ee78fdc4a20ea240310d74597f6b0550d8f07e20661f4b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe

MD5 7a6f185aaa21605440134755fa4435e6
SHA1 e0b706514d81a3b9a83f03be39dfd389dd9b892d
SHA256 5739ae68bee25ee15686c4b519b71935f8bf22a407c160debfb0bcadde87116f
SHA512 4fffc29dabc5563629577c42ece88aff1005717af879ca1969c3f1e3b916429ce9bb60f18bd2bd385dbc6dd5e991bd1ebf6a7964feaae7ff65c136857073a6f1

C:\Users\Admin\AppData\Local\Temp\CAMC.exe

MD5 d0169de789e89a3ac755f45354b80cb8
SHA1 5cb09a704449eb9d43ec8508156d8995cd54529e
SHA256 74a85193ef075a6882d1c85770a1b17d010c88c1943d40e7d0a11142e2afb3f2
SHA512 42ab2a31cbfbf3a2b383fa081a4f8ae07154c1fe5c909e9271f586d2ba4966c33a380755cf88da82f036232016958734b4bfe01138c931621e4d27fc4fdf4557

C:\Users\Admin\AppData\Local\Temp\kwUI.exe

MD5 6847761074c0fb0c8aabc70e29251d5c
SHA1 9b6cf26846032d5f0db793c0ac476b227a9542d5
SHA256 98a902bd89b6daec2e973d4567d7760a20ebf5667e20dc2bbef9d1ceef66ca85
SHA512 4096a55b2fa3171d0105f87d12ea89bb452452c524974dc8d671f2a7878df5e7185081222dc14fb424403b6bccad5307c57b787fe651aa17b9a767a22a9d5f02

C:\Users\Admin\AppData\Local\Temp\kwQY.exe

MD5 2cf240c0028635642545ffeebe9df18e
SHA1 f1a3b1f3b1efe1d2b79b9ca302e137d773b8a3d0
SHA256 9c83d9b9b0df5b7a512279264eef4aebcd7e775541cc4a8c07438ec468be41fb
SHA512 c86393f3eadf0e11813bdb5f37c14799e1d1adfbd48763a6bac06fb438013fc72f0e48ede6a439cbecac7f903c1075adf929aee12e2a25656d4f01b0a713cd8a

C:\Users\Admin\AppData\Local\Temp\OYYw.exe

MD5 30aece67c975436245a398523010f410
SHA1 c3927e982f7dea8d6ab5557d396bda8be2e46a84
SHA256 d452076005c75fa568a9070c68ec59dcbd9d7ece687c8da6628648faa678fd5b
SHA512 51fe26ecdde586181c3f4bbe99ee74cea76069a584bf1f52e0c7fa2f9e78fc39d5f66332847c781a60a0113c3def1f833e1c968eadb604e56e1afcc94bc6f8a7

C:\Users\Admin\AppData\Local\Temp\jkQC.exe

MD5 1286d4ddcf71d4d46753f5c58d035ade
SHA1 e7614edf3973d1665f33b151a0f7a6ace7ddc727
SHA256 e2f709eb84321312c370ee8b0dcb4c23fdfbe43317da09a08e12a0c71a4f7c03
SHA512 8d323b0d2fb697ec938f4744e33b3162bcf3401fb7c1665b39ee4d369286f8fdfb59f3b4154e7c046f648305d802e0205eab08facda718dcf214b05fada7576e

C:\Users\Admin\AppData\Local\Temp\EIMe.exe

MD5 12b1615063b1461f73f8fd63c1b081bb
SHA1 6f2ad616b2b8094f49e0819e513ae4aef0fe3d5b
SHA256 7f836132ba9690f7e715bfe369039e2f62b00a147c8dfca2a4e2ccb9dabff04b
SHA512 940fa8a5c2e01d43038fbe9c712573d081b1472c40135d834430416e6a8cf674e9574ac6be6b0b2910f900b125a2140f52d15c231282e311c71622262b086e55

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe

MD5 55da9cc77430f4c9f5991dcad379a6af
SHA1 ce01193e7f3af6b177a3167ded349d177274aa77
SHA256 8919d06af05b4452bc3aab2b0476279d51b6b15158cfe8cc25d070bf067f161e
SHA512 1de58d9ad1af06703b18d14aa91e91cbc3100bffb5ce7b14c953aaca8ca6d59e0ff66dcf967c360d5d1eb952778607145ab2a7db065782b9673e8c9dea53a1b5

C:\Users\Admin\AppData\Local\Temp\JoUi.exe

MD5 d6712b961640683250a41894c3108eeb
SHA1 95d6ce7cfec6b0730b4c2bd8b48be527075cf93a
SHA256 4a9ff2e13c4893eb86ea0c673b4be801b1d31ec0473fd42a9c775694f9851c1d
SHA512 d927f1c7b8611c98958eb826154fb099f97a01f498fcfa82309ff02253622d9bc58607a007a9c00db94835fd7da6ad571daba434b031b40d4d11742c01e7f5e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe

MD5 43f7ce5f8ddea8e88c5a8608ad511750
SHA1 4531e9591a4ff009da89086ed1024c3e86c3dd47
SHA256 1143b867c3da7f82b6af0914d9d184c040eeead2366076cedc5165cc60795c6e
SHA512 22caf744e922ccfb3727dc2b924bc4094ae472b7cea4fc774fcaa2e620f67c5c4126c913a3a51bdd6264e3c03aeb45d77ea9b90396a5d89e266c1492fa6d439c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

MD5 2930dd1b8f5f62b2b1308bce478c655a
SHA1 d6e0c4ca9f1dbd579da221e7fc9ec078fb056ee2
SHA256 8634bcc74cd1fcaeb376073a1f792f7121b74a05b940a886301644e7cbc1fd7d
SHA512 8ee2a60be2976bb1ae02ee72699e82f9af3a2cc7f46864101dfa295a51a33aa596c46ec131c9e1c3a63197867ac22c49561d7d58f1856c8597518ad4cb6983ab

C:\Users\Admin\AppData\Local\Temp\tYss.exe

MD5 b1eb44b0981c69ef9899a69bf5aa7cb1
SHA1 3897c00f7b2e14ee48a9160a66be8f9f77ed6f6f
SHA256 d39c75a35def83403271b2a16c0431bbb1a1876a09fe9b20adacb1afaf5b71e5
SHA512 de4ea842423294d14a12098c36fe8f6f2b2468280d1386a9cef5afcf6990a8a1d5b9eff7b952ef67e2548a32ffac332fde535f45f38026edcf71f42a33066fa4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe

MD5 0c22ee5c37207ca534eb32a2a827185b
SHA1 b353d0130808b48fc535b91663c8f0247dd48111
SHA256 8b18138bce154b9e65f06a752b06c2425f9a6e9eb30f6bbabf51e4351081a93d
SHA512 14966c51d0086064ac93854635b318bc83b693b6c8bfe32cad0de859578070e1c533ceb865d23feb0f4b6d4dfd38fdb49de9ddc4b26492aca996195098a0f0fb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe

MD5 f701e89c6426f06b07bca7f4b02f3ac8
SHA1 c74d888c6a3095abb4c1dc38d63d7897c69885e8
SHA256 8fafbe6f6634d92b3827fc0936c682945a218b31a91a23310d679b6d463cb28e
SHA512 7dcc58dbdaa28ca1d2c9a7e9a21b8b9139f5149cc4572b4097f2b6d75cd6ea23864ca0b08e556da74143576de806958a7c3434db7cac5e1c74a763b57d1c814c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe

MD5 b1f6f09d3fae72d71a236561543cc471
SHA1 64911157bbef47ea8277e3dfc4fe080d632669a6
SHA256 3932e54a9978bfaa1788088975dad5d0a54f87e66835d73c3f774b94d20f59f3
SHA512 6bba747cd132fbba38e81d09ccc463f0b5c0433ae71e0791a70bbb312e86e6272aa91159e4f96b53b311b48ba3a51c2f9e920b850785adac1e976c724398ff4e

C:\Users\Admin\AppData\Local\Temp\gkIu.exe

MD5 689f44f2729691a3447eec9faf04913e
SHA1 500624a3f19564eba53522453cea3bc60b7aa4f1
SHA256 29ecd1748964e97cdc7fe68cc56f3addeb2bfa6f31c0621d9848e179381d15f2
SHA512 fbbbe4504fa968098cfdcb37e02f59f6d031ade9ac36de2662f3bca22b875dca3efa450d4d4a1754557140ae586a924f22855e2c9864f8718eeba36c23a9d47e

C:\Users\Admin\AppData\Local\Temp\GUYu.exe

MD5 69f045112e7e1cf1463bd877ffcd4926
SHA1 e48b54686ab38af3ce3a21f5bd085f484db8b79b
SHA256 f681da88b7c78dab289c3a7cf69ebd985e7bc7506ffa5eb71c482a7de283199a
SHA512 fa8dc4b31badbd57cc51c8589ac73b9bfbfc2a3c4ccf1afc19806969a5219c9cef2d711c831ea86b345f69972f5d2c149c7cf0ccee95964c858bc4aa1d8eda88

C:\Users\Admin\AppData\Local\Temp\WsAC.exe

MD5 fcbcfec81aead995ad1d6060b0626b4c
SHA1 9b8a465b3f1e9bbff4e3dcf6e34bb3b8d12555c0
SHA256 d42d745350b4b573d1a1d6a11fe916b9a10bbab8de5e33265721602626ca3245
SHA512 6221b0e3906502c173513759dd330c52175617ef3f21f96884d0f89e36aa0a45a81049f3bea8383490038288e435cf5570574225ab264c2d187b191e9e442d6b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe

MD5 dba781a26c253bd1e24c641110f0e319
SHA1 777232a3c4c11bc009294a515e1d67102b1d088f
SHA256 229c3fb15ebe95fb1ce33ba049067a07b9a17194bb78dfc1be3d709df595ac57
SHA512 ef653a41ed28202a9fbc9e42ee670b7a6e4910c651a2b920b5bb13c145a8db0b2661979c8f372fcf5be68f4cb893aec4e2a3954b06c825caffd95c3a001beb61

C:\Users\Admin\AppData\Local\Temp\eEks.exe

MD5 f0bd0959c609fe3890deac24e1bb72c2
SHA1 f0908a5198d8e336beebda47f1dd4277c1c5554e
SHA256 7ee1daaa3592b755ff4e499387444a0929c49496f5d37ea06b2083607592c3df
SHA512 4014b075432730b5f29561226be40301c8a454a41436387760df0c2c05cab9653ce536d54c22aea00248eae14bf85ee36848b14c3d545dd91aa27c5cbe82e194

C:\Users\Admin\AppData\Local\Temp\FcAU.exe

MD5 c29fcedf04067513ce0c52f6eb11c129
SHA1 f37f759c699f142ac14944c9d3f6b1cc8fe612ca
SHA256 37b7160613bd77b6cf6611cd053bdf75152e9e115c23bd59e6dcc017277f16a2
SHA512 a9fb9498f54269d78238c3b837794863e887a02413e65f05f268679bcc32f6d94959affc1d2cba1d7928b3ee1d94d9c17718d8718e1a5931d4c994b4c9656fcf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe

MD5 3559250ee78dff76ee069304db821c7f
SHA1 08b85a4896517ea7fc77d910c95fa7325a564775
SHA256 67640fa0a0af1d8cdbf189dc4c8da841fbbefc6ceac8371685eb5ae878381a14
SHA512 c577620d6f9f2f018ec6b92fae9587f077227d51af3b0daa83bfd05c89219f6a732432e8d708afa730e2303bcbd16ee8d6538502bc05b7afa1122f0f0da6d68a

C:\Users\Admin\AppData\Local\Temp\loIa.exe

MD5 8d8093602085134f1eb7d6941375009b
SHA1 2e6a1b3f967e53f447e475c55aa18b1ca6e6fa0d
SHA256 908b17d615a6f5baa7654f20dc2f6c99fc379088e187212b4146cdf49e701cbf
SHA512 ec83233bf1e73574d51a7264a0b101a85234271579a2d4458cbf330f7d4ef6841c743249de52d110790c104ae59889cb60c6cb867e9aec0afa25e57efef54bfa

C:\Users\Admin\AppData\Local\Temp\YEsy.exe

MD5 792323792021d34f72b528170f4a392f
SHA1 0cdb63902bc72e28aa0668d04e558b06f3afe2ec
SHA256 823becc348722aea03f357e347cabc0bba64ba8bfe0584092f69e155f6afa717
SHA512 5c7f5c7ae387ed5026246e799ebc9cbe737fb06bc3694e6c8ef7e0689d8b38dec3443eb5ea9b3c4f9f0edfce33da5a94ba0e7da3814966a03d9b63422b3c1b0e

C:\Users\Admin\AppData\Local\Temp\hwgs.exe

MD5 06a310148526c0a6b5a53fcea3e64664
SHA1 761c3e0498599543cd1fcaf5a564b6440ea43920
SHA256 1265e15a5cb81e5055b51d6c513b7604c8742d246989bd1cb3dc8f11d1fe6a22
SHA512 e14dcc683e636bd801659277c961e2b68e7a229d37709937ee96e21ebc5194b7806cd4b33c30b33a6a470bedc33c09a2d25701688e6be98b060130b8c6032877

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

MD5 00c136dffab6ebadf46cd93b4397be41
SHA1 3cff571c8b4923979e6e95f1fa643d489504b22d
SHA256 1b9289ab0b109325a2f8f20c2e974959c5e8d4e9f2c824933f4e8ff386705408
SHA512 0c803ead8213d7009f9fecc19f434ca1cd3be75c1a442245fc296ec4fc797bd0ef7a5e25a1721e6bd3d6071b4ccad3844671d0eac913578e9822420ba932a906

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.73.6_0\128.png.exe

MD5 37897e724cb0daf45a33492d9e090d20
SHA1 6305bbaf71547dd96c1196b83132f1fddb34283c
SHA256 8a18a66bccb8b16f69fb3bf4eb30ba080bd957dbd449fc7081e78bf83c6652dd
SHA512 16b4d48ee1fc27e8f84c8dc826a38f14d5079591cd2368e76b6633203f4d08d21c4e27f79dcc64bc8c679060ac96d7d38800b37356a699420d599cf392724c6a

C:\Users\Admin\AppData\Local\Temp\GQIK.exe

MD5 0f59c49487a9b3234e2be978737a4e1c
SHA1 8fd09bb7bda18ae399417696c5f5bcd63499d5c6
SHA256 cff7fbc1994f1ff5cc8b3b2e857d576106210db0672165a8b47b6251a61187c5
SHA512 c14bb0bc4fbb7985373fc14ca36e64950af144713da25fafdbe328534161385705e6fae619d97127c87c1fa65e95e31aedca70a33fcc5e42cbe5e049447e51c9

C:\Users\Admin\AppData\Local\Temp\UsQG.exe

MD5 8d139cab7bf3b6f9a56f415a1ed343d6
SHA1 c20d5aa12513eba7e7844083c301145aa543ea99
SHA256 258b8771b176a3eb585990bf46b4b10b4e9b73608d3ee29f95e48764e32510a7
SHA512 268a5a3ef99b10d4d51f6c0a02f30f6a309f84f179c3901e71123e01d9dc42eb474d73a596c44c4020b2492f5926e68eb8782cbd4779b1230e604a098e8e666c

C:\Users\Admin\AppData\Local\Temp\coUS.exe

MD5 578fcdff6930ad351fb6e954b424dcf6
SHA1 a61450a72d26206189fe1741c2bb8fcf48eddb48
SHA256 bbdc4f3371950a78bfcc03739e75eb86b506c632bdc4d70ee64739086ab8dc04
SHA512 73da8bb458a56c6ae27c4a7afc3e81102306f9d14765aa3f758dc1efe72c3ae50833c7d3254580b6c55d939a7f72d7368df3308258318e52a39f475be0118801

C:\Users\Admin\AppData\Local\Temp\loIK.exe

MD5 7e985c92bd19178e99500360c2b99f55
SHA1 0a231d41daf601aebccfed70b93808ad3e2b61c6
SHA256 e0df4c5ae8b0357ee7922958bf2449cf51740c726a316f3c36e986e8d12fa69f
SHA512 cddbbe391eaebac149e4cb02fc3e09aee30812a87384b5c7aace48191d68745df58face538f195f50f1e8ff98090adbaf2d594027495dfd4269fb8e21b46783b

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

MD5 e5c540ff8ab0528d326b39d0a77a7d42
SHA1 b9e1a79c519ceed6c6cbbf3b67938ebf77129fd0
SHA256 c2d691ed36f26fe114dfdcbd554e6f594721717e7dd3ccb0596d926112ede97b
SHA512 b9711e710e29f853a1239b2029fc2c2bdcbee795d1ce388149b7a87001fb7a463380111601e571ec816950d2952bb1ac5b14c4fbabe33bc86b674d290d0f7da8

C:\Users\Admin\AppData\Local\Temp\pYUY.exe

MD5 52031d0d8ca670d622bc55179337d73f
SHA1 34db4af31e77afc50fde0f942b34571d7b022c82
SHA256 8d98249772ba4326f42f26c5e4f125769747bc07c0196f4cf4480fc9503c5b9e
SHA512 d8127aa715d07ca41988e33a08c8fb065dbc1c57c25eaa351d53859c3563c55e832e0d4d165e616b720455d4a34af37bb74e2efa608681539b0ea3619979a4cc

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

MD5 92f32f9d9e00dc0cff372e564a8b99f3
SHA1 c64dc544d24df2f4809c2bbe2c1c426a62442bb9
SHA256 8552306a5bd0f2998da659a7b6ceda7011a2eb4d8b8b5ac90163b00667a95738
SHA512 c5b6616e914aa52116211affc950a9f92b9b09799ddc62c3fe528cf6b3048b102c1c39bd376ffbbf8f4190c29413905876f88bc92de04e57fb9b5d69a56a652a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

MD5 161f37e4cea2042c0c8ef2da67add0c6
SHA1 a28b7443bfbb59254dd3ba4fb725540d0bb3f225
SHA256 c99306109a25cc7df74302fe23f004c91d2c7fe6c95d2e498068f565a4e4a882
SHA512 ee7fdf4685ddc6d0ff781e2299acb6c05371dd845675163f83fa5c4f81593382e63c8e32aa385ac3ee9f0d430afb172d4158631bcb16f728a402cc55dee9db68

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

MD5 85057adff60ac826c220c3e5bbbe2e3c
SHA1 1e986ce2be6f9e71e826d05879241ba17ccf57b2
SHA256 74fedb8baf4c28de9859a23f0cb463c33654b1dc16caeda3bda3923d07842bec
SHA512 8cb3c08e69f69156ca50c6bd1cf9b07dac72786fa76b6702285f4734a3fcf05a84615d9907060e5115a5ad9ec7efe98347c7f3f2291cb3863acf40a51f9ad00d

C:\Users\Admin\AppData\Local\Temp\pEQi.exe

MD5 e52da3b718b52d017b0dc41eabd55d95
SHA1 62d4139e9071a1a6f7a3c0db75a1e1e30deb6667
SHA256 958cfe32a342fad555f22927c451aac0a3b75f88656227fc5d8e3b852a987cad
SHA512 937825f046d4bc4e5648534b30eb2ce6b52939bafb4e1e165a96a7408abb43a71e96d09dcb8459458452db14b1c8d0795a452a26740eae248c4d013fc7199b2b

C:\Users\Admin\AppData\Local\Temp\mQwU.exe

MD5 5999774214bc6a6647301362ee99409f
SHA1 283184ae3faee977789f67d5253b2dce492d1aa2
SHA256 cdc295dd088344f58f53d35521d917a6580a4a6f7e1f6988247a2d63ba79969a
SHA512 c83285cf8f18b978711589ae505e2dd22f7e951308b2bc13f9399b03690456251e1a1335368c564d320b428a60968b46af8f55b08a3eff123ffd9ff4bd6223eb

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

MD5 12fb48157f9bb0064be0cf93430350cc
SHA1 46d2a3d71521b89562c3f221456c5cd289394406
SHA256 68c24054d16fefbf8c5a7607041c6d96e8a496d9c115ecac103221fa289ab7da
SHA512 7da180e87bd4eb3ba4422aa8b803ea48dc7bc2e1df15e0b54b896446c2348af8abb0402c273bfc028055f8b79d2104d086cefdd979af25f0b415445a109049cc

C:\Users\Admin\AppData\Local\Temp\pMIS.exe

MD5 d58b3c08a9a963e8278fdbcd89103ec6
SHA1 6684957696e8f74964cb43cef3061c3eb15b0957
SHA256 0c124be286f8f67b2ec27b8d7eb574b1e3e2c38deacadf55ce8bbc5d8c0ce786
SHA512 049b35cd4b395cd4776755801773ac30dec5463b140c1d682040a771ab7e13e9e46185cb483fa097b74ee573f15f99228ff80f5ae418e916b9992fe04f26f0c3

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

MD5 db9c645e6c796c3de81b5d8b80933a71
SHA1 57860019a00c313df231b0b5fd55f1365093bb58
SHA256 7f4cf12a2c6bccbf5365eec2222f5081f553f16057ce31796373d1d27994803b
SHA512 b9803b02d0053c8268960eb801310d231dec706ed3dce1985a08f8d38995f92b00e8dfd7dab64ff84bf30445328f431e339096d7f026b51bf158ef0d0b89c438

C:\Users\Admin\AppData\Local\Temp\FYgC.exe

MD5 7ec6a3fafa6c6766c6a18037d8216848
SHA1 464b574b9991a3b67b0cf81bbd497c6bad489109
SHA256 d8f12456a481e784b420731c35aaa6ad3e4e1e86345b8af59c2efd8dc73df266
SHA512 2fbd343ec40b68eade786d9c6f1ce247f318b768ec089dbb50f94c468c405a60a1eafa49e9028d25da576ac0614920ebfd359da350e1c8440d40f5bd03480f08

C:\Users\Admin\AppData\Local\Temp\hUoU.exe

MD5 b2f20c5d9eb6ef2f8a856482fe4400c1
SHA1 b3f1d290205ae54df31fd9221a1180bb7e5210aa
SHA256 519519bd0d8982a6781853384841dc0b0a09c00afef1411df8e6f93d7fc2fae1
SHA512 be0314d618cca57a9ea20dfbf5aab25d1fdc0b37b67a3cd04e01ca6473e208a1a05942c7962e0f131706b527ae14a0b3405485061d525e1341de182f382a778d

C:\Users\Admin\AppData\Local\Temp\jAcI.exe

MD5 767c65d1713d61d6588c408a5b34f756
SHA1 ac96b26d9350f60bf0f05078033404cff2c4ae9e
SHA256 35faaeb142f72fb1b7590ecc69866fd59bd8fb1aa53cc535b2ff271ba62d9305
SHA512 5fa0cfb8b797dbf08a5cb8889bb0005c8d15d67faba2a550e07272d1eccbba62f5aa47351d456cc75fa515a46193729a315d0b6c347bd2b8b64da097de2c7677

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

MD5 5417e206b06b7494519e9622583d114f
SHA1 f7aebe83fd2715c36189c33f53740379d7949bde
SHA256 2a487a949818aa20279e5444e36d7530d2647cdc44fdc456a627e15ed68c83ea
SHA512 cc11981a4b8484de729d2274d0c102fe1c4382630acb6ff7ce8f63ddc08834d1cc298064614ac78177d68b16fa915852f93a83e4c2eb74f47e9257e8b36c243f

C:\Users\Admin\AppData\Local\Temp\mgoQ.exe

MD5 84cb82aea59b896c51fecfc804a84535
SHA1 4ed9e31a921a551af83f689e711670be522938cb
SHA256 7a40c9f035eb7b48d63f10126999259d674926650955b9c6620e55345da66a4d
SHA512 8ce3fce35b55f08cc609bb45f726b57005915a50199c6719a75c98dec66c735f4ca9757693dd7297cbe956554ed1331bf5e4b0ad43f5ac300536098bdb4ffa3d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

MD5 8afcfff8b0ee17c40a0c06fa0aeb8f58
SHA1 b9bc9b9cbe02de76d86343bda0a9f5148b4e9c4f
SHA256 c61b132f69a9afa0ef4abf9dca0f315154fef5112e8e3cc2b33c68654e147334
SHA512 c065b65d4033c6bacf492d2700f22013df507dbebefecea07eacb9b5e2f4faab38df71bb140c42b066ea897e882d534722dae91862b35ecd90a88f260987e3ef

C:\Users\Admin\AppData\Local\Temp\qQIe.exe

MD5 ebede07d3acbf326500ddd57c5883974
SHA1 d3c8e082179eadb8d8ab81409329cff9958eb9d7
SHA256 86450772af76dd3501afca33e44b8b3a42f8283c1e8ca3951a1ba6ce01c9d16a
SHA512 ae8312425e535978fbcc7e201118ec9b70e727ec5050490b2c8a0b4cacdcd0fb1d1c574d3c2de6cadf0e995c9aded9e5f9b29d1755c7f1d3c4e53496f175336a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

MD5 f7c129b1589262f8e27f4d1f1669389f
SHA1 b74872a7fae3db2fda9886351296be70705450a4
SHA256 1f26f8fd6ce82448b1b7a5ca1791806c9b7b91b66989e7adfcd4dad72036a8c7
SHA512 b9be949c2f41ed67c93592f3f530a3b93190f80b6fbade118823de43229f49a4eea386870c611240f2716fd6806e5335e98911416944d35ea7743e0e74a4367a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

MD5 07e30c5d561aa3e2d7b56725cfdd5df6
SHA1 7441e1bb961340bb3c825c56bf178a3125d0b8d0
SHA256 c29d5817c033be4a2514d2bcb7be49e376c9b7702b54ff3c13e2583bf16b72fc
SHA512 d3baf298b096cd852e52f910bdc408b5473a5990d212910bca3242a53d789365a395310ea1be29f93607d132ea30a0b6f4e88fa4ddb1e86956d06b09e826d266

C:\Users\Admin\AppData\Local\Temp\RQkc.exe

MD5 d6fa935038ffb5cb0fe536e737d26ca7
SHA1 060db4c00b4004be24b2cdcdcd2cae06e8f82bda
SHA256 475e638e3d182bfdb8f29c940d25af2aeb11db71cc954b76d423aa069c88ecca
SHA512 81b7f56ba1cad29ad9ef9d4c252d83bb57a4ba0bee10c1e4654a5eb54463be6fdc6d9ae2dbb690c733bf25bef4b0f2a62d68d3cf636368fba7417a8e62a0da31

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 e66b613b043ed9891aa484d3bbd82f8d
SHA1 ec3717cf77eb3e4cd86d6f407b5682880ff7b8da
SHA256 304713b9107b0c40e145b670ff8f2df7fe90059fbbf3e91a13b96ce09533ac33
SHA512 38496ac8318e3623d2c942b333876f4466a2131619d4e8f733cd650a39d1e4771d44673f4697cc94acd219245cbcd8b392674f07c67f98f7df0ff5bbd740b025

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

MD5 169f2bb97b948797e04558fac706577f
SHA1 cd60852bfd2f1fb50d64eee4d31c800351e11304
SHA256 ff576efa4bb6987ce7c20d736ecae0c474ab8e4d81486b783a396c152b5e4600
SHA512 607ef5707090d3c7558ab9ef7818f862df4c4e919d76881026ddca0906a1439134dd06c6b0847c99e1a9e340a3f7773bfa73ad1c4ec05d863df331c5e2cdc84c

C:\Users\Admin\AppData\Local\Temp\Jwgo.exe

MD5 444de564b01aae58b299cd8a4c8f9236
SHA1 d82cdfcf3ad6613db17ebe6ff02dc8448e6dda0a
SHA256 ed4f7ef09d59c55d9c19651355b4231ef1e2043ee86d029da53f6671b085a557
SHA512 9fa19e5a15e6ae4787672ffbcdcf92dd9a8355b9373981e2a52c1791f65ea376804962592109b67135a06cacbaa7709b923c111a64cdccbbca439a3014b0b9e6

C:\Users\Admin\AppData\Local\Temp\YMAQ.exe

MD5 e5f31e0b370f3888296c5b313580aa25
SHA1 33fdd1379c436a007499e8b70470bd4f6c69467a
SHA256 249cccad90bbbaeb085695df4d9b40cef08608f05075f67ee9e87d54b9656995
SHA512 178554886abac73b25d1fcb28948f2304b75dfea31088821d49a8332e71fc9c8b6c50f52c9056723601279db44b1963e28bd6204df7ce887f4c83766bbd836c7

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

MD5 69ec1ca57914be54154be45f13a88593
SHA1 4da5f9421ae3df4436aa2d3aee0d964871966567
SHA256 7242865bc2825bb1e8322144c000d58e042486c699770e81795ddec1fcb2a0fa
SHA512 ce633602ed570dd69280c7b769c9fca39506ece7ddb9387146511bbaef0860f4116c915931093463b4f844b1a15ed282a8195f10c72e2fc98f8538d158f42be5

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

MD5 751a066827f143dca24ff5209287906d
SHA1 4877c726be137cda2be209cecde63743df313255
SHA256 03c7fa4c7ccad3f57c35f331e10f68be2bd36b0160b05f0796d3da9c6d55e31e
SHA512 bbfb5a5018189c10f3e6327bf2ccc7a218c7bd32d515e69093f042fad72a201ffb2d6305eb3938ae7f163a7cce604d5bf42574e02141afdbefc859a97b26c037

C:\Users\Admin\AppData\Roaming\ApproveRemove.bmp.exe

MD5 1681dff15ece132ce4d344d8bf8abcf7
SHA1 f2fb4c52e3fbfabc0f05869d21cc0170f99245b9
SHA256 078ff8dd3a3a80272d154070aebb036c4938fc106b1dca340bb197396e52605a
SHA512 6f10cd90823e5ea13b819d3d523dd5acadea1adbbfdc24fb36a03960c698ce9f4672d66cc1d70d554063ef222e84025de1f139fcc1da9bd257a484aa718f76b8

C:\Users\Admin\AppData\Local\Temp\agsc.exe

MD5 19f687dc7cd88339873bf460f9166805
SHA1 9f825816e6e95886841cc01cc7f25daf1084aa18
SHA256 1f986b13d03b3f8e1e2e48b69ebca41bb371a5b96a485306bb3b888bb4dc7cd1
SHA512 a998eb1ea4a9bc58edd1b0e938568f350f0f282740e7f3af806df8e319b061147200366eeefb5db1035458135b0804dcfabe1f0b7ee00ea8a86f655a38dc6729

C:\Users\Admin\AppData\Local\Temp\dIsG.exe

MD5 2c073da3ff1743534ec16d8d5139fd59
SHA1 01b7fdf83c663cd6504061a780375dc8066dcc58
SHA256 3cf6cabf8d0cb0008f7d3a1b0ecd263ac291bb86cbf2ddd0513966d2b2f930fb
SHA512 230c18b499f12582ea225d88b5ca0f99064666e258c2dd10a8277039e2939a4151d011de3b92cf1d0631246e7be992f15fc8c2a51ab326c95382f442a2567b5c

C:\Users\Admin\AppData\Local\Temp\sQIy.exe

MD5 6661c9b31bab14422bd08b024b0f1976
SHA1 88df8b12663f9d1a4f57b8e7b8315b06ab828d76
SHA256 f9e50296041c639918abbeb3f1d26025f5dc4bd8659519c7efadd41607a86adc
SHA512 5700c83677f33a438c955838aecdb9a0e27b2c05f72202d2910aceeb4a275ccdf6cb64d013520aa1b4c308fca06fa38aff148879b09dd54675cc19e71dcfe381

C:\Users\Admin\AppData\Local\Temp\Wsko.exe

MD5 edb949f38da539302294532b6d045296
SHA1 028e57af93605d7196d542bd1f0b41edba2c336f
SHA256 f76d8510e06a0bb35359a64ef706f3cc079c2088f921341c50dbc63855af4be7
SHA512 d893881dce8a3d2d87bb3221318d311a535dd851debdc06d804cc1d949c58840740689fa7c668e0da7c5a9efe0a641bad1aec8a5b87d9844a1d46e11fa6ece02

C:\Users\Admin\AppData\Local\Temp\fYkC.exe

MD5 ee7f415e84f226fb450830da35287728
SHA1 4052a0040019c3eed1d3584e6a964843636b00da
SHA256 5ffe87f56a6f8488a083c4094631724954d91eb8244a983fd900e5fdef347901
SHA512 750dd3771277a05998dbce3abf8e62f0e54abdcd22a2f097e91a7289db40e5c1d4a213b4f4d0a09d1e8a6da55e16efac5435e176954c3a2e6ba9c80a0750a95e

C:\Windows\SysWOW64\shell32.dll.exe

MD5 b69d05a578cd5d9ebf87bf7e2a3cfb45
SHA1 2f52ca10c5c663dcb38f6375579568a992443894
SHA256 858336241942a892f843a1f3aeabc97eb6793cb533236e985c16b389695d7d04
SHA512 e57e4fc433deeedb91d58cf2897e1ccb13c020b2689f2b10eba9f709bf467350569329e192497688a73adb90c9d45d57b19184522720c409375f3e4d447254e4

C:\Users\Admin\AppData\Local\Temp\sYEc.ico

MD5 d07076334c046eb9c4fdf5ec067b2f99
SHA1 5d411403fed6aec47f892c4eaa1bafcde56c4ea9
SHA256 a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86
SHA512 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

C:\Windows\SysWOW64\shell32.dll.exe

MD5 95f48e222863a351f422b96f02851808
SHA1 aa5bf480f62e009b1a0ad4fa2ca63b9c1e952b4e
SHA256 9d0c6ed17901c0eeee2db0d31885fdd7b5183a907fcd889c4919cbbaed6aae85
SHA512 f5cae4255b1797bb412d7217a2d18d9754f08cb7bfc85f24d9dc64c8e05e930b43a3ad3d7d2a8ef680e03ffe9f35cf8a356c3ecb4b09f4e982a5b74ea0123fbd

C:\Users\Admin\AppData\Local\Temp\kcQi.exe

MD5 35394e216687e9a3d1091d889cb6db86
SHA1 0ce364cd1587008890ff31613806b41ef7f444e3
SHA256 ce893f1f0e628c87a41130bbb1185d91d95c099084cc308dd87febadefbee662
SHA512 483ab16408cf4f82b831f67eedca2c466322fdf437812895d670c724a435d63ad72c6dbc38d893975690d7da9650e24de0c050f2b72a4460e2a823989113564e

C:\Users\Admin\AppData\Local\Temp\ZQIs.exe

MD5 877334e9ed4a35c15981b83721fbd0df
SHA1 fcfd52b9030eedd8b29a823147cb23c2a509ace4
SHA256 88416c741e6ed95186938053ce97aebad86b0ffdebe2144d26dd6274c9a31fff
SHA512 e3097df1078b246a7201146b2f50eb101d0c37d4a0426b6b9ae7620db7eb24c03e42b16d87c3e23a6058dab5ea4ee43e3847512978ff3ca1a8d971b570f79ae6

C:\Users\Admin\AppData\Local\Temp\pIgc.exe

MD5 39e4a9a1842883540058cbb37607ac1f
SHA1 5a3782fcb5ff126fe67c50ad8d39b9e5a31a57ac
SHA256 a801abe5fbc6a14865142200296b8a49b59e07168fe7a15b32f50a616f3d5afc
SHA512 09e040df1e5c9ffaf8c6b515142cfb27ab083752a4b0eeb5ef1ca86084cc1055a3db85142eef7a7a17c2e3ecabef8483ef1e6e5ef92e39e3b9a67c972d2b6206

C:\Users\Admin\Downloads\ExpandOut.zip.exe

MD5 be8ad710335e5ddc268d4a0df39f1f70
SHA1 931c2d83099ab702cb16be4cebefeb4bfdb724ef
SHA256 2ec69e8c1e10e424835d4ffcac726bbab81a51f54a914b70e68a3493f50d9dd1
SHA512 8097d6c5d10fdd20645bd765d72f5a3e6312c995b307177fc2924918756ed8b51979679cbf19f6c3fd51b3421ec32e96c3d3f737372c94e5859960c827e8b595

C:\Users\Admin\AppData\Local\Temp\EEMe.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\Downloads\StartRemove.mp3.exe

MD5 b2cedc78ca372ba39cf19fb18b06aec5
SHA1 948ad9a26559d9badb2f68b6e450817f04b8857e
SHA256 dbad77de6abecc2247f1d73ee859bc908a4bf36cbc2c00b48ea52cac2e2f9a12
SHA512 20360c13fddfa55617c12d9cf6e7cd84e37c6a4fcbd2eb9eff3fdc0a5ad7d298a30984c8be1ed9c5a8835ae326fa903038639e4d7ca2a01feb1cc06dd1426930

C:\Users\Admin\Downloads\StepEnter.wma.exe

MD5 c54f4efc9c789c70491628486020842c
SHA1 8de46a7a1a3859cb90e1e6342575f73314102ecd
SHA256 96940dd5b228dccf852e7c164e5a968752dd671b4ece3cd58e0b4461aaeae011
SHA512 03c91847a4dc9e86b72e5ba2692e8cf93d567f5faea16ae722eb631c97ee93b29c2b2b55dbd8a7ee4f3d2fd53b28ec7cb7e9fcecda811114d7c8806f354bab28

C:\Users\Admin\Downloads\UseBackup.xls.exe

MD5 d500bf185f6711b49c00b9c6998a3bfc
SHA1 1cf7db01644921c97d3aef76bce29f30880bc7f0
SHA256 25367a5146b176f7eee5fbbe39cab922a6e22ed935a66d1452527ab60a260c47
SHA512 7b83a82ebf75f629980a59d74524682521ea1c9f786391b927050e48624be9719b7fba10dca7e6f657326cbc1333b2704204a9f8b646c6d1db823b7763b7d31d

C:\Users\Admin\AppData\Local\Temp\LAAC.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\BUYY.exe

MD5 6d6e85e5905ed55520937dd9c9e89f73
SHA1 f1f994424b2d8ceabedf6c3d3c12e5f13483b772
SHA256 a7fae3295a830d8a967806dd8205632a95b5a039787d41087576973928f7d8f5
SHA512 e16339a335b1425f830422ea33a1f44fcac4e0de032ccb3f794d5efcf448102cb07307fb13ea1fe93ceea5a093aec0e9b0c681f6c836b7d206fe85b8ee5e7db5

C:\Users\Admin\Pictures\GroupPing.png.exe

MD5 90519d07b4c2a1f5825e158d0ddce011
SHA1 9b106d1d4d52e5b3a613be40f4d306f1d3cf0abd
SHA256 3816b1e4778e1ccdcf2a435ef82f1eb2fa32733a695d63571ebeee41e46fa647
SHA512 ce849703db80eff6c71adc3ad7c003a1c0a20eccabe6694cea7b53e16bc30068f144b2dd5a6dc2cfe07458cb2adbb1ee44ef9eec343040ad41bd79001f569afd

C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

MD5 8eb516deaa17738256eb81bebc3a9c03
SHA1 fe1a84741db8272a1132a5b07f2cdd106daf208f
SHA256 9a923f98148274fbe7358dc63b4715f4bcbfc40f0c59ceb99e38062d4bcd5513
SHA512 c3cb8244c7532fa24f3c2b3dc6131144296f23681fddc930ca3ad5341f831a27f0c0ee56aec3220fb546a1161141501e9851a35223bc8151ae11509db1bbbe38

C:\Users\Admin\Pictures\RestartWrite.png.exe

MD5 7f4277d964bcbe515bf7a89f86bb3466
SHA1 3738f678859fc2b99b826bdb27a5ad6b82ca23c3
SHA256 f66a3749212b4b812c9f51bace1783a1615d99999e2721ae58ec40d0cfe1f96d
SHA512 0107cb14b5569c43ab20a6697101c9110f1b8c74b63bbe942365ae11556ab6184049cc2323b0f5c3518a9db6758caf8a512e2e221decf7c92ae5138ef6b4b56b

C:\Users\Admin\AppData\Local\Temp\FkYu.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\Pictures\WaitEnable.jpg.exe

MD5 bbe9a256ba665a23bf65c7dcd8d34718
SHA1 7d689630f836f4ba1294e7d92d582b5e4eb80601
SHA256 6c40f5acf78ca0d821187c51a2663cb2bfc4c7caff6f59c570a4ca55a885b52b
SHA512 c52ea9662502ab5beba44adadca03e8e738bde83c465114d60dad892c9e76c8a24f6bc29b534b34e08bbb4c6ea96219f8de1eacb4389e8322ed67034160a3717

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 0661076b03631380a50cb055b9994659
SHA1 8c131be31c9c6d964752ca50d8f1430cd5449df8
SHA256 2b56ff28969f6e114e82161617a971a8561cf0562689b1c02364f98f3930a37d
SHA512 e09f7d91c6397f906e05da0844322fbcca215d6636d6b841ae97f396d90d8852117de28c3df01b69347e82f3bd2394df2bb7616884d772e331a36f110ca62653

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 92785caa61f8e5250a67a3ef5a68f201
SHA1 9e3edb173c8c46239300a9bc27e4300c19d33b1b
SHA256 3c4bc0ca8aa8e434e87d842477a99e860a64e2de12f3e13830faa3e5fa60c158
SHA512 4ba990c33ab903cd4784792cf99a88c15fd9988f5349ee5d816f26ff4bee9472b8de4d35c0569d3d4b2dca55bab20d0a41ea2037ff1fc838c0fc51b7977765f3

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 cd2a037a820cfb7ac9667b3d27fa487b
SHA1 52f2b1db4377d91f680f09d78b24a37bb27654e5
SHA256 3c231fc93a67274dd7fcce0e3011a7344adaf30d5f5d0336e5d024a0e57d4efa
SHA512 a86ff16df1e093ae72c27b5e1c67aaa07335cc9faeb8a020cc02169c19e0c31f9896e3133b699ec298b51dc024d4ecc83afca82582b337a8bbf16f8f6d96627c

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 a140e5c0e0775e7e8021cea604845004
SHA1 0addce7c57e87376e14dd0bc410fbb4aaad2c19c
SHA256 7368751dfd8942fbb20b8bf77b1542cc201a8a517f1d026063e2a2ff3b2a805c
SHA512 94ac4ba4ea9b096e4372e42fcae09c316b85fa78d6385d87087eafc83d0ca4da123a4c02dcfe7f7a9429c42ed093dd124962a51e40390e60284de93472869813

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 8ff52bc38a4605f25263325047565c85
SHA1 bceadcb5076b99e41071a94d10b3b691246ec415
SHA256 0a7d00385400a51c52d41cadf2bf40bf510ac1542d1145a7869fe5e668c0b67a
SHA512 0b759d1f8f72b55b895e5e6e45788d7c102d668bd224a20a439f5157e4e36e76beb6ac1e6323fc4ab4ff28a02e12e8629e4fb61fb1b6fab4353785ece37582db

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 1a532a4743852da8bc9a26a8ab75e271
SHA1 94a6014e273614efacf7444fac63d823ed7bac5a
SHA256 8ff52fcce5b7b324bec2dc6ce6b93e36f389727eb3e38e1a99ff9693550106a5
SHA512 e48b8c0dd61651d59049765bffc3a2f92d06ba196859d719916041e6dffbfc3389062baa1d20bcccdc17a59e52303c3577005e2bbcc9421ec0189106cb5915c1