Malware Analysis Report

2025-08-06 00:44

Sample ID 240403-w945lahb8s
Target 2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock
SHA256 6d361226ae035f3b21c1cdbc55ddd68ae2eed78b9bcaaa3ab7373d670cfd70be
Tags
evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6d361226ae035f3b21c1cdbc55ddd68ae2eed78b9bcaaa3ab7373d670cfd70be

Threat Level: Known bad

The file 2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (87) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies registry key

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 18:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 18:38

Reported

2024-04-03 18:40

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\dgUgAskI\OKwckkcU.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\mcMEksoQ.exe = "C:\\Users\\Admin\\ZSEckcIY\\mcMEksoQ.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OKwckkcU.exe = "C:\\ProgramData\\dgUgAskI\\OKwckkcU.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\mcMEksoQ.exe = "C:\\Users\\Admin\\ZSEckcIY\\mcMEksoQ.exe" C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OKwckkcU.exe = "C:\\ProgramData\\dgUgAskI\\OKwckkcU.exe" C:\ProgramData\dgUgAskI\OKwckkcU.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A
N/A N/A C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2696 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe
PID 2696 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe
PID 2696 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe
PID 2696 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe
PID 2696 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\ProgramData\dgUgAskI\OKwckkcU.exe
PID 2696 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\ProgramData\dgUgAskI\OKwckkcU.exe
PID 2696 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\ProgramData\dgUgAskI\OKwckkcU.exe
PID 2696 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\ProgramData\dgUgAskI\OKwckkcU.exe
PID 2696 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe
PID 2628 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe
PID 2628 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe
PID 2628 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe
PID 2696 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2696 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2696 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2696 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2696 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2696 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2696 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2696 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2696 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2696 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2696 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2696 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2860 wrote to memory of 2484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2860 wrote to memory of 2484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2860 wrote to memory of 2484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2556 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe
PID 2204 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe
PID 2204 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe
PID 2204 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe
PID 2556 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2556 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2556 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2556 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2556 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2556 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2556 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2556 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2556 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2556 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2556 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2556 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2556 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1888 wrote to memory of 768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1888 wrote to memory of 768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1888 wrote to memory of 768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe"

C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe

"C:\Users\Admin\ZSEckcIY\mcMEksoQ.exe"

C:\ProgramData\dgUgAskI\OKwckkcU.exe

"C:\ProgramData\dgUgAskI\OKwckkcU.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jGwIEkck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bokUsIIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yKEowQkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wKIMsQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SiYQQMIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dOUAwAIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pggIcsoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tcMIYUAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jGccIsEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GookwoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oKkYgwwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mcEokoAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KOMMwYgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SEYsIEss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bcUYMAIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pSUYkYUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NsUwwwEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pKAYkkos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WgwwQsEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wGEsIwwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SiQkkssE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KSckIIwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2142783471-8029253616043677342034622114-12658676011784358415533093181-1522564222"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GIwwosgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VSkwgUcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TiwAYgww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "95470153710204956984437390291881099195-925015797424519353-1964202276-1676088264"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\msckIkkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\msUwkUUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KIYkYEMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xEcQcsQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rsoAYAAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1990079325-44807779-403689826-1391752238-2071453337-1957928869411304374-82918045"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1186188339-261443222035859847-1430033247-733257158-15683554041314378633-340582281"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tEEQccgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dOYYUEEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1227710879-169577033712768043171929914024596079538-6371855836504700062004212773"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AqkMEAoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "571829285-596523376-827352353713618456843033803-347485962-559871818440949765"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WOcckQQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sAAIgsoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1329160121-983843579-1815393333-12086417-20531523161897667108-1776724180120851639"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2085635697-1076151923-239156039823777981-13916322831837427447766148793-165713950"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XysssgAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bSUgAEos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NUMksIIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZgkoMUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1982822850-1539765124-2086494092810080450275316333366049266539523272-184173530"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UOUIYAgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1639553927-539612453-1742829162-3316081521433949768-4609915451276137178667539250"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CaAcAAUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wewMswAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uGwsYcsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "459929360-17563251122054062451-1722790945-13516764126121405-432045236-132856433"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jugQQcIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1019235665-6303957851752513324545642846-3584164781979036703-33118046523766041"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rOUAUIUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JkIcAQsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-116400677920856390291033031056-818726158-1384862811-2091435273-3330779391782315133"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\peUUIEss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gKIwYkYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ESoMAkMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-139884162348665513287203215-9219279584965711489495481925287614201230246026"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "832937951823891697108557128-687074236-1716892433-818567512-65537501684640005"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IMEkYAEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fggAMwQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGIQQwAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VCIwAgcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bOskkcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UWUoUooY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IQIswgQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eeUUYgYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZYgEIYQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hMQEQAwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bSYMsEgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FwgIscYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uEIEAogs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qOQUocUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gYIYEEAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AecoAwoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qOEMQEgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bOwkcgAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FmkYkMIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HWgsQMos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ryEEUMgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.200.46:80 google.com tcp
GB 142.250.200.46:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2696-0-0x0000000000400000-0x00000000004B4000-memory.dmp

\Users\Admin\ZSEckcIY\mcMEksoQ.exe

MD5 bbde6831dcf7bdb788ee1c74659848d4
SHA1 6e6424cfc5d60dfaf98f90a4b9906696e06df918
SHA256 26cbcea42210a3c347e6ba4a8bde02ca54c5d559b29934823c174119ca627bc9
SHA512 584e332217dcfce1f25e02656970c8dc9396dc93f6e9baef0349a4ce2d8647d5a1df0698b59c7973f184134eb124ccd8d4ff82e228f41a269d04813648ed75ed

memory/2696-5-0x0000000000320000-0x000000000033C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tCMMQAIM.bat

MD5 7d00584a653c0b27fc8e6ad546c8ae2f
SHA1 7789df5a0a573193d673093b7e4b97403b6eb7d1
SHA256 decd0ac0c58be5ec3711da83880a6d25934f6bb1f86de0828f2d9af83bae51da
SHA512 fa22b34b17585fea74fbc7ef9b9b23c3d5a6db8dc49306ebea2e76083894fbe074dc000f73a5ea4746511a57922f796b3e31f0dae03cd1325c9045ac1ecb57f0

memory/2696-12-0x0000000000320000-0x000000000033C000-memory.dmp

memory/2696-32-0x0000000000320000-0x000000000033D000-memory.dmp

memory/1768-31-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2828-30-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2696-29-0x0000000000320000-0x000000000033D000-memory.dmp

C:\ProgramData\dgUgAskI\OKwckkcU.exe

MD5 cc063e66f763f3d2a14cff635d3bc9b1
SHA1 da8eee94ab146b9f7d1d12398008b64978a42d47
SHA256 db1b715b9cf98b8d3f85fbed6a9dcb1427334843ca56500ba4605e3f602ac0bf
SHA512 3fe0e6ce4f2a70f5390b0647d230258844bcc2c653bdc2aac2e5e4b3ccf39e1e32f403da48ae584d67a7852f265d3c62d881b6f403176b0965c81fd20878a206

memory/2628-34-0x0000000000270000-0x0000000000324000-memory.dmp

memory/2556-36-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2628-35-0x0000000000270000-0x0000000000324000-memory.dmp

memory/2696-44-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jGwIEkck.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

MD5 f2271fe569c058dc724d9b9e53811e31
SHA1 ea276fc14127875413ac387f017bd2291a987f4b
SHA256 bf0074851e2435a255b512e502b831ed2c456774971f8fc57004d597769364a6
SHA512 c324428534f64879aa17b190206e538066308486d95e9fa1b8b7238bc79067042717c232034ef8926376b72d3123be169852b05bfe58c7f69887245d91e5b53d

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\HewwUQUk.bat

MD5 82e623342cb9bec3ab3c19b03d8f87c6
SHA1 32d2e15cdb2451435b41e2885c3f4a4b0a21ce68
SHA256 ad8a4ac3323f1c7cbd39f7b0226803d984d3302d0cb497613229ff90ff4e260e
SHA512 fb2ce31e1c291c37aa6d81b53ec0308dfc0db0083168ae2f777e8de19432591953ccd1abd92bed2ef5df8ec8a968e71df5d23c9d6b09f0af71d77120a720622d

memory/2204-57-0x0000000000270000-0x0000000000324000-memory.dmp

memory/1596-58-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2556-67-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ScEwQsMc.bat

MD5 6f6f8cb98961d6ee8cf89c54057d67af
SHA1 682c7a265b269b0cb77b187d709ed772959575ee
SHA256 74cd1383bd70d340e4112227a7f138a44aed3117071a45dd9e6b6e0d521d6c41
SHA512 1bf6ac643fc2f9ad455fc1b8042a7998e4e645307230ff587d56f6798faf588da012d220e7bd06a0c2c154f4d2115d59f3b5fd945b2608f893757b4e5e0aad2b

memory/1924-90-0x0000000002370000-0x0000000002424000-memory.dmp

memory/1596-89-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1896-91-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1924-81-0x0000000002370000-0x0000000002424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ogcgEQMo.bat

MD5 f413b5bf6977a23388b369abf5ad682d
SHA1 a10607c8c5ffa7729d0fac6c0a1d511ea7f51437
SHA256 bdf9ff3303d36bb9e0a6cda15887d9a1f1e4f3956772cc59fd4c1db7de53d964
SHA512 c26a6a75b97c60fd6ae8f5b5234525a6044fc1b1485fb51bf25069c0221de924aeb7a8df46775226b966da4c43131fad556f33032e846ea6d95d39b2e07787ca

memory/2256-105-0x00000000005C0000-0x0000000000674000-memory.dmp

memory/1896-113-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/540-114-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GGYgkcwA.bat

MD5 b024b4e936355540fb932bf645dd7171
SHA1 c803bec47a1fefda15c3f70463b5c24ab9dff97d
SHA256 4523dde900a4755b60e0e3469afe4cca9684d709db43b4cc00bf5421d785ee9c
SHA512 f448fe80a381f83e2245ae91ce62f1627db7de2d65b483c6a59df3aa654bef71fbaca11e4c97b88b8c47ab4e8397528d19f3d1e698c558236a0bc2c9239ca169

memory/540-135-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1512-139-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1500-138-0x0000000002330000-0x00000000023E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uaIkswAU.bat

MD5 5110814455ed1dbf566893dff7a43fbe
SHA1 20fecc148ae86a2d152353f2ddec551cd655ad10
SHA256 eb11d09b314326ff9e7436a9953f3cfed002c479955908d5463d55257e5c853f
SHA512 dec19a83573fe4a6b39db497ae0664baa02add9ac76c23d651de621c6f2dd6838b347392f6f67dd31ae03952e5ff90fb0c9f34ec3489fb45b63370f9713a89f4

memory/1996-150-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1512-159-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LIkEkgAE.bat

MD5 e0d44cea511da95cfad829a4a483c6c5
SHA1 c9b14584d3f57a38ab496a616b06b51830960d17
SHA256 73db35d29fb9395fabf3c71aa1d90f85c5d68baa40b0df08db54097c9683b27d
SHA512 0db82060827838cd5ead7befdefb054b76f5529491a566a13aaf7f89dec60cbe0a84f07457f03324eaac7378eeecbb649f1312af279b7eda5b86164951d81ced

memory/2344-172-0x00000000022E0000-0x0000000002394000-memory.dmp

memory/1996-183-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2744-175-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2344-173-0x00000000022E0000-0x0000000002394000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RIUAIgoM.bat

MD5 e286d7d329e31a86a698024ec5dac302
SHA1 fc2b059d1f25156d1955036b53f32a641ad20374
SHA256 cd7e45a586582631b07395db9bf984a2576d16de86f8c146a16b82dafdfa0614
SHA512 cbe201caa1a36994acb4ed97d998ec6be2e39f2c19b11c5ea514d952317a35e6efbae49aeb91613da87cd8b1842f4edfa10f7a74aee40e5d5711faa691f723fe

memory/2628-196-0x0000000000250000-0x0000000000304000-memory.dmp

memory/2744-206-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/556-198-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zOgcIAsg.bat

MD5 9812c76d6089b5febc516945dd35bdb7
SHA1 80e02e5ec18d8bbc2bf912c8d1d1546ba57e646c
SHA256 455876836d02a8ca0b0f4f2f7e5efd49f3ef6b88edce6c18c2f53d503729d86b
SHA512 610adf62e6c907acb2abaea5287af8f1f0abee079c6baad74b9fb3da499c9204e6584d0cec97f204750c76ee5998b039a4251757f1ea0b90b1b377b31cab40f7

memory/2708-228-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/556-227-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XiIMkUMc.bat

MD5 69b5762b54a64d3d3ba7680f64fad72f
SHA1 4dbf2658caa41c41277edac621abc9aed2fa84b6
SHA256 d4c63e40381b59304a49a56e5e13dbcefea0b096f31bfa53959ae8971056d514
SHA512 a023c8df399a6b1df6a8c0387c5439187d89842e46f7627da15f1ccfce766209c551eb660f1bfdfce77fbae1e5f6562cc31fd3ed2234e726c2d62fad7efacef6

memory/2260-241-0x0000000000430000-0x00000000004E4000-memory.dmp

memory/2040-250-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2708-251-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WukkcocY.bat

MD5 3654ee289114442ada43ab4281829024
SHA1 6f98ba612bb5f393bd761e85e94e42a4bcc62c93
SHA256 36b426414f3492c42645aba775983e9b3489f64168ed009405c14677d73241bc
SHA512 4af9e73f696e15eeff657fe541e0dd93a2c57e6f5207cb8dc7e0a92192d94894f83f1285f5f17ddcb7e9c430d7cbb8fb5e85e19a6d686178ffd652e126020eca

memory/1256-264-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2040-273-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EukgIwkA.bat

MD5 f2060adc71159022bdd3161095e063bf
SHA1 c3f8ff3a337fb6ebc3f09ae38dbcb39c24a9f021
SHA256 d08b8facabce5beea8f0825114ea758576617e1e80bf67b7adf04f43f94dc479
SHA512 6df7e26ee1b09045201af57a31134710163ec5747f04a25b018d865ec94e02c0899535ac8f18c4f174058ac00601b382d6807d182ee7e39e1cac8d47a9a87039

memory/1060-286-0x00000000023A0000-0x0000000002454000-memory.dmp

memory/1256-296-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2856-288-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wsAcYEMY.bat

MD5 65e2750acd707db26c3783524b4541e0
SHA1 c28f8ea7b7f6377b2e2e91a9ec4d9f6797c95f44
SHA256 165606546d9420b2648e3e0043d196bcf662e4fc7698d9a27f70170d8b8f3a84
SHA512 a92e81d5a47bf7a277f8646aee5c0d390f6be5cfddd2435e80078381380544846a5da6bb9691af9a34343d364b84429c6002a7bd40d0ae0b950172d69b6201b6

memory/2856-320-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2632-310-0x00000000004D0000-0x0000000000584000-memory.dmp

memory/2696-312-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2632-309-0x00000000004D0000-0x0000000000584000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ykEoMIcM.bat

MD5 06770877a3cc7febe18d7ac07d583ada
SHA1 2b1733d4844322524c11e039a7930dbd3dee075d
SHA256 fe4af97ee271b1e2f7b3162df8fd6bae8710bdd27b4dd10ab58eff541910d9b3
SHA512 c32a97e4e2f394eeeaf05e61f966b506595be1afca1c5d6367c7bf5888d6174ead24f420ad6bd488792536634946bffca3bf4a3fa70ff8ea3113757110ca3fb8

memory/1548-333-0x0000000002330000-0x00000000023E4000-memory.dmp

memory/2696-343-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2616-334-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jGssAIEE.bat

MD5 d638b402ecb9ed48a5e5eef4279e9ddf
SHA1 82d8ac067888d5c4b4a14d8562477da2b0dc03b8
SHA256 2c7345c2efa21c3c8d44446ff3a213c413c98428c1e7a6a37cbece6fbfd940c1
SHA512 9cdd75ab4053fca689a4c6c4c436c49061202cca1773a1c5f7328f42711cfe05f11eae9ed3e769725d4221cccaaca645b2c0629f65497b3c46d9f072498dc6f3

memory/1360-367-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2616-366-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2352-357-0x0000000002320000-0x00000000023D4000-memory.dmp

memory/2352-356-0x0000000002320000-0x00000000023D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jmosYcYQ.bat

MD5 41b78f82afc989ba07fed15892bf6bf4
SHA1 93bbcc9f0bfffd2359b0d3c70c1bd037f0e1ba40
SHA256 d21fc66af6820477e10520a5ef4923bfc3619275c5ae069d93d5fcbf6f521fef
SHA512 7604a6c0db35bc5f3e0dc45b1008fe9510aaf074f58e9b8f74d8dcdd4f2b37631a0977ae0d5817a4dd6a12de14833da38435c99def3b036576eb490f0d39350a

memory/1360-391-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1692-381-0x0000000000290000-0x0000000000344000-memory.dmp

memory/2708-383-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1692-380-0x0000000000290000-0x0000000000344000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lOMYMccc.bat

MD5 fe654711c668cf96ce9aad982e81d2cc
SHA1 389bb360bcc41d4437e553a01bdaab7346d99e51
SHA256 bf2a83c41d40ae6896377a28ba60b8a793d872866ab0f11b92a77bdc826d8ea6
SHA512 9f84cbb60bc2018d22e3953de6a10f4622131293f4451aebb62bd72599107dd52581881bfed292e889339043e7b1192096f4b37d8bd5dc3e7bb92be127dc7b19

memory/1748-404-0x00000000004C0000-0x0000000000574000-memory.dmp

memory/772-406-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2708-414-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RYUQgMUo.bat

MD5 2ce5cf52ffdf46637d2ec735a0c900e9
SHA1 a3c3d9c4160d82a9ae958821c89e007ca768152a
SHA256 2bee1be8288fda6d8f138d3e8843dddca63168bc8be4e4a6676f94aee4811218
SHA512 060855cfe2d5354ef5aa7d8f086e88af8e3ce995100692244db36cc9580d4038cd76d4a0cd15eacefc35e5b91908589f60eae631d48fb1f3884b96c30023900f

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

memory/2760-428-0x0000000002350000-0x0000000002404000-memory.dmp

memory/772-441-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GwUe.exe

MD5 f0fcdbb01f483475b012853de70a721a
SHA1 cd54b9ff62ed191728eda3e6aaba51504d19a3d9
SHA256 48ebb905eca51309eb8c7decc4b510313f714e17f760db96a380394b2140d7d9
SHA512 e8e78f507b56009989d83b5a673a74d6a5c7a125212ac7575f0dfff1f1d4febe192cf67f3899c044c039c8655550ba36135ca0301c3210649a9b9a9265d7f9cb

memory/1736-432-0x0000000000400000-0x00000000004B4000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\Users\Admin\AppData\Local\Temp\NQAQkkgQ.bat

MD5 3c9dd500d185959d5fe7b06ecd1074d5
SHA1 6c16565655a4f66adca1a9fcf518154d71dba2a8
SHA256 ad0919aba91e1ae073db8c31a93631886bd8f93feb8159984def89187bba4a52
SHA512 6bfdb09deefd88e1f1ffce43ed23a50f1cf853ddf920eb1057d10915bdda6baa3048dbd96a3fc7754a251ece785cfcd921852656a48f1ba75feb9f8d84c71be2

C:\Users\Admin\AppData\Local\Temp\WSgokcAU.bat

MD5 65ec510ba79991b913b8af2fdf28533f
SHA1 125e30f800692759c3575e9e00951167a4e850c4
SHA256 7fd4a1ae8eb4d2254dfd7a8bd632c09e427563923f83dbce618165991b238308
SHA512 12a087490813155c4415b5a7095e1f97afdb84030e5cfd561b9017b8dd3274aea23bcd2d8b85a89bff76c00785849c51ddc78d51c96a0a045d2cece6e6651f5e

C:\Users\Admin\AppData\Local\Temp\ywYI.exe

MD5 038804a8f0197277fad1a556c8096b9e
SHA1 9a93bbfd4342e563415d9ac44e792885b316fafc
SHA256 8e0a37b3998668351764619bbb7eb28e7b895bedb5b49d8e063e2e34dc64ff77
SHA512 716700112c00ea014fe24c77c1d74c8cfc1c4f94980242c53b446f08472cb9d8497c6764b3ce3a03ddb0d6fb65ba0346514fb8f545d6d2d936526f0593bf7b69

C:\Users\Admin\AppData\Local\Temp\uwUm.exe

MD5 549c9a9fd4c9a96ee26f348d4430a912
SHA1 cae79ddba0f93ee189ec3b7dd0b9999b538568f3
SHA256 297d4fcfccf7c921b558a6727835676c6e214dd57483eef4a38620cda2e81b05
SHA512 5f22ef2ed143ab3048f3566e23ce662d2fb3fc3dd0742c92da5d5f186c27cd72199560c95b25ef647443c0e6e9ac67a1dbcc7051b47e126a33baf323c15ec623

C:\Users\Admin\AppData\Local\Temp\ewEG.exe

MD5 e0a787cbc0d2dc23187af22c47f4daeb
SHA1 968e80f079fea58516b2f61202e067bc7e59c05a
SHA256 df964fd883ce87cb1c850d9dde0e89edfc3e3a842b943d0141ef6f50d15dd535
SHA512 6dff9a63ab1a4c0fd3ae9fd69adfbda5bd8a3c79aae8e47be7318dfa4bde02eca38bb964b422e0b4369da7c8eeed987ceb054404364e549b4da4d2c60351305d

C:\Users\Admin\AppData\Local\Temp\KgkA.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\ckwe.exe

MD5 c7f4f5e326cbda0cfdf8cd11d18056fc
SHA1 2a5d1b633d2c4312f119138ac979336a6000b03c
SHA256 f39a3fd32a2a96179ad92d2f7a0b5d59c270633352d5744b1afd8144e2f17fbc
SHA512 3612f104cdecb9fda6157da0d6f54987f9f712b56eb8c44e2ed24aca17327b122f75df10422f49eac6cd6215aa6f1f17156360058a9c4ed367b8eade0c9ff663

C:\Users\Admin\AppData\Local\Temp\CssU.exe

MD5 84e86fd002fbc97b606b7f8e1137f78d
SHA1 15522af41ce1bb8e7c2e13358dfa5129137d6f1f
SHA256 f1fff772ce4d7ed3d50604bd28c6c640a2f0a2b8cfd71da232c32e58ce357642
SHA512 9876d4b8bab2222ba95d4dc32b17ce6c244161b94716ec5a26d598e41b530603081d5242e5bd4fa6e3a9260b249221965f8a14573fd6391e8385b27c4396aba2

C:\Users\Admin\AppData\Local\Temp\gUsa.exe

MD5 b9892865c0491dd5398fbfc182efab00
SHA1 c145748355bf7aa887613d2b644e4feb7d7eb2e2
SHA256 331e0b2be80374cd7b3e8f58ca342d0eb6d57aa0fd274191be8b0972599480f4
SHA512 89a027d018c8257c9308293d3d04de34a12a4a57088b1d9e84efb47501598a1004adcdae14e4d1be37b88a28758037d0a8c0cd118dd3a73301113ad36247be6f

C:\Users\Admin\AppData\Local\Temp\uIAS.exe

MD5 749376809fd938ed4ec74bb5aa94e997
SHA1 9ecad7c3c2bc803e9c6684fefe9ff5a31cd0976e
SHA256 11b84a35fb5200d92dbae917bddd0928538f9869feb3bc186212b62c259606cd
SHA512 19ce5e06a7f43e83e9062d14baf082dfe2212390ab708e7a91b65d39a2ac2e4e79a4ebb57ccb7adcea83f924fd3391f390fdcca2dc98411a92536235edd35782

C:\Users\Admin\AppData\Local\Temp\UyUIkAYo.bat

MD5 b24028f5298d1152ad82de6eecdc89ee
SHA1 33e7e8f26104f52e23cab05f7dc8516c02eab21e
SHA256 06b02cb18b6b2f39fc37b4d9d15f48b3fc362c51e528ab8caffd6a2b697d3b20
SHA512 bedf01be0a924f506466bf43d58babc732dc934a4d960a6bcd16291e108bcf39dd23337eeab899a090bed1b6c07dbf2897b37650a9aa49ee1afaa2fe8fbb95a0

C:\Users\Admin\AppData\Local\Temp\UQoy.exe

MD5 849b979b5c4b1857341f9fa33fd4df37
SHA1 63ca2176b439d094e449513e1b6e7b6d555f0f97
SHA256 08ac1a8460a1e5ed607eac5f795114def0e8eafe01b585f8dfc82882ec77708f
SHA512 df6699e8fe8b5214c22a2e5cbf44cbbce46b30f73d7f07b8d044c5fe13c33f3807e8cd510c6224b1b90e7d622ecf80a2465a108a8778421e6140d9752b85bae7

C:\Users\Admin\AppData\Local\Temp\ogQu.exe

MD5 456e273cdbfae399e0bf7dd20257f9f7
SHA1 008b0d50da76e03fe8bfe2e20404a5f3d6ce41ce
SHA256 1986f9b0bdbb0fdc974348cc48e949b422e685853a0c0ff4cdd8a67cb053711b
SHA512 734c4dd3c8edb073d94f53352cb81ca20e40916489e8f961e1e6590f45b9d88b66d06a2849d35e465fef0797bb01060ef040a299b5a412dc496c2eb0bf6eb6af

C:\Users\Admin\AppData\Local\Temp\wIgU.exe

MD5 be47dc0146ced0fad52896d2f8639f23
SHA1 da76871851200e94e7363224c94159ba97611b93
SHA256 5a65b3945dcc12a89c21a8e8710024d0a9d88ae35ae60d03c79a3a2eb8f0120c
SHA512 a8f347c279918a6c0f3e71806c01c916012396646b2eef57619ed32d14d694a2188c3a69a94b696e61a0449f0ff34572a2771a392b53bdbfc7c7e3f7baaf192a

C:\Users\Admin\AppData\Local\Temp\QwQk.exe

MD5 57bf43e0a55f4c9bac84c68c8f16251d
SHA1 d5d4575a6cc25c34bbed6a1f0f1af5990793fad3
SHA256 061a0475039b83e52e9e95858d0d0be3a480a29497d361a7796f0700014247fb
SHA512 ae4d29f17e83d20d34c41bcb2a0ae11d730170004ec8eb6fd5567565d42f1db798012877005a511288f784957f5d4e3e7d759a1806142e88d188b0ab360bf2fe

C:\Users\Admin\AppData\Local\Temp\ggIM.exe

MD5 8c16ea49b52a614760a242b8027e2ec5
SHA1 c47a4251faf20d3a54d6847da9c249fbd371d683
SHA256 9ccfc62e289c92c547bf9e7f41c7977900cd5fad207756689b3527c3624f8283
SHA512 de9ba219e85effe6e574c4638d22613512ad20d6ced3b70623e3fcba4de985facd72932f17c8a8e97ea722a04a3fbad0d2244cde65c9deb4c964094adb9582e8

C:\Users\Admin\AppData\Local\Temp\wUMA.exe

MD5 d46bf94b091e1d2409bd235abb4cae91
SHA1 fd2edb993038b2460777ad2310fa0bd3ff2fbce3
SHA256 68bf0c7acd5aad8eec293026d4cda151bb270e59729e06069bf50f0ab7778e98
SHA512 4a359d8c66a96ff353c851cfef47a924ccaa98c01decfa35941c762f871347ef75c994800de5c266748270157b20679b0b93db7d011163e827559e6c663e0565

C:\Users\Admin\AppData\Local\Temp\UwIAEsgY.bat

MD5 6e1f31cada95ecc8dcc967b899a1c5e5
SHA1 7169010a91a42e8ab138be8934d7b968f472892a
SHA256 1619e70b2a7f2eb2f33c4c21b0566b6c74876e13ebced92a76b9ebcee57bbe4b
SHA512 ef2ea106c9dc7b7eb7e282029f496ff00d63d67444c6a7814fbde26c154f19691e879bdf320bad974e30ca09375d345c4422df6ddc0430c64684f6015b1b9067

C:\Users\Admin\AppData\Local\Temp\cQYS.exe

MD5 6d6ea91745c8146e2c759a586e26530e
SHA1 9a7cc871f5ed1feb796b0ea961d284fa20d0a1e9
SHA256 3f51bb5e97594ee56605ff90f8dbf719720fb7b86ac6501c327917210eab8cdb
SHA512 e86549ed9e1bd7f3146de5be0d8395aa6516a4629d6210504858f39a90a0a53cec5884de3ebf3b5a574d34385eae0ae84b2717969d354edfc13d6174d45ec8b6

C:\Users\Admin\AppData\Local\Temp\qMge.exe

MD5 e57c32ffe1f48e33e77c69c114452ba6
SHA1 a57f770f66a7246f7af0220e7df3e1bf36a55907
SHA256 c697f39270cbf8079e775aa8683f1def21d184e3fb9b07002ca4cb6802f2f3f6
SHA512 c56bedf662cfc6dae55103da73e11faaa56ceee8524900cbc245ee24f555633ccaf8f20aa0b5a2085e60b3050d8c7b10136c081ffc28f6c974fee67a058780c2

C:\Users\Admin\AppData\Local\Temp\jcYoEQwo.bat

MD5 28dd392ff61cb53bfe62bc3942b76b67
SHA1 f8941661c0c448d29a5a8007d652112dec6d4a42
SHA256 3a6a2501e921ad614dad26fcf4792331003e09b2e1b3e2b69ede81073de77837
SHA512 f6c37a966b5befadac6c70554f7c50e49dd46802de86439845b555bc2777b36dbc32e77a57cae446d26e43d2d8905cef80888893acde62431c72f5b7e4463f23

C:\Users\Admin\AppData\Local\Temp\woIo.exe

MD5 0001cece4574965ba9acd3c1480f5dac
SHA1 bd8d675599348f48f0d928ff8e88abe3045e3e5f
SHA256 2385e1b9b1c1d99ebb38dbe8188b07366fd13d0f6d01f28ba21394db774334c6
SHA512 66bcfe86a2171e868756d32122bbc6dc3c1edc0251dcf5e08d3bdec515cffa7c27c18488d908134b130fbaef0e667c7b821767e9d515b000e877e69924f2e77e

C:\Users\Admin\AppData\Local\Temp\uowE.exe

MD5 6bdeca974c224f279a2304ff4a8a4d44
SHA1 45a8766ffd5e78dd44ed502988f013527de435d5
SHA256 593437ea4c0a9540a888b0fc79e6ab7c61fad5f109064741e810c1114e7dbe3d
SHA512 350b4ce81a101db137f13f55dbb05ecc8a9775c813e54c7e3d38b583ed64b2a4d5025b824eed91a8560cf8a0a738467802899e7d0892210e9f647afabcfee6e4

C:\Users\Admin\AppData\Local\Temp\IQce.exe

MD5 b2e7f3719cc026e7f32fb9b5a682bde1
SHA1 f6e8aa7ebfca1428740d2dba87f60bfc567bcab7
SHA256 bba9bb23516ef54c43d8f194fdf1ec6d4b5527660a6c54a8a405180971584e5f
SHA512 1eb46c41f708be295683910294dda7dc03852aa2e4df98153d177303e4cc13a52f3a71cdf31c0e8c76d24ae56cf10365101c5ee4e2615b8c787f657d648f1228

C:\Users\Admin\AppData\Local\Temp\yoMY.exe

MD5 8f781127bacdeab7df8377cd7f763c40
SHA1 79c218e5b5b6958366ff9c13cb359638fbf54e92
SHA256 6c49faa762c29db607dbc6ed55ec7db818ddd976987440b1385c03acfb7b7add
SHA512 26105a0875b1f6cb60716ff23e2deefaae0ca8f8e633a8e908cf90c6291fb59d3e38397862a487b7b9860d32e74b4d6ce92082937a0262d09767d3610554cabb

C:\Users\Admin\AppData\Local\Temp\eMYg.exe

MD5 8656815cc2e29c62e636b1b7fe3f0e18
SHA1 8e4376eacd790e19d3afe1fb68c5cea14bfb0599
SHA256 494255181322048a326e8cf0e35ed327cf41295056f2e276088f512737a32954
SHA512 b35bfb2134bf0255cb15c56069998c0d40ae30fd10bb28d24092ce4cb832cf42e80aebdd5515d5f372b5043351c587922a64ea46ed51fc2f99a8022d5ce49337

C:\Users\Admin\AppData\Local\Temp\AAYK.exe

MD5 6a4cbd9d0c1d89a7c67a6bf2909d43ac
SHA1 8842d1011aa485673c9aa93f16d7653c6d4dcf2c
SHA256 7bd6a787066d5ce8dbbda4715e276d49d2c01f2430c27f2ca11358d0a0d30add
SHA512 63090b33a9d1e07a5761c1747b8b3f0795810735e108375b506f58362cd48f4da2bb3f13b9b14bea77723601ed70ee63c386e98cb9431b0570a86c06e4c8f510

C:\Users\Admin\AppData\Local\Temp\eIoo.exe

MD5 a7a9996efb55d01985aa8092a237cc27
SHA1 0df223986619f112f36f64e7d8a280323eb2d7c9
SHA256 cd6b1439d9691231f2d22a889b8dca09984cba241a7f5fcd9e4c1d715169f246
SHA512 9d658829ff4416cdad6c87221d05ed05e184478a68c401f8b74b20196f9eaae0ccf4cd8b10dd1ec86f3c4008bce653fb38edb8f59918c678f1f337c61d056538

C:\Users\Admin\AppData\Local\Temp\cQwO.exe

MD5 e5798b92c29ebddd54552e9d90a2cede
SHA1 6f04b8003401cd6fb602de978cff7f95b2775c5d
SHA256 b92406acd6373d376b49475f0f1728e9e16e2c560b312ff04f0175772defa762
SHA512 676f2df7287032c638d47f112a5c74d2ac3cc68cc809a03760fc999772b684666e1701c35d4cb1ed4e545edc288d9edea1b15c2a8289c60d382a629112f1c8c6

C:\Users\Admin\AppData\Local\Temp\IAsK.exe

MD5 cf699efdc8d238b94f9f381aad892db4
SHA1 6f574ced50aaaa8475c75ddf92dea67f9ddbebe0
SHA256 83f9acf8da31bc9a2d6b166e3dea3a0d5f6ed335ff07827b8b9db934cc34c511
SHA512 454f16f481f5176cc4cd0d1917e6ddcb12ccc108fcb99e56d30fc43ea8a9f7016849b63e0329c1f16f46c54bc062610ca4b4e3cdd1f0ce4737db3712265cc08b

C:\Users\Admin\AppData\Local\Temp\AYMW.exe

MD5 fc282a09cf022efc37387f552db3b52f
SHA1 a6e764c3c02ecd786c727d6bbada89a4f80e8cdc
SHA256 b1059420cc73b7a406e935700d5481713e74556ef4020a4965fda7259088eec6
SHA512 70d5f6c4f3db24f310333f95aa671cb500be5ac37bf38cf1c832f00c6378fdbd7fcdfe1b373b261c5d003b24abafa4b68c1b9b48577f97c2074ba5aced7d16c9

C:\Users\Admin\AppData\Local\Temp\Ggky.exe

MD5 5bcf8ad723f0b049e7544d04c9226ee4
SHA1 e1d6f23aca899add3c3c5026862844391ec6e10a
SHA256 a80bb22b87d5d12925f1f795007368060167eca3f22807114cd64c5b2c8b39cc
SHA512 092e4a023ebeb2f4a1ff6cbf75ed6b286c7989a5f1ec64f46d8777ee81c94571d74c1ebc9e78b1099769e07f7c1d3f452001d9e8f00ed08cb37fed0395a1b12a

C:\Users\Admin\AppData\Local\Temp\QowW.exe

MD5 54a245f8990c1ad059c355723b8bb928
SHA1 031e82b02dfeeb71837a5561c7aa196565c4e859
SHA256 3ae9234936583c367e934a0f78e10c0c1c9d58ede9f05408c8d4bd6ca1aba262
SHA512 3207c4b1eb8cef84248e46bbad0f6a40755e5d38b591db354866672f2921e33990b9c58dfc4975d97d6090246cfc722fd0d15fd11d01b7cbfae874e1d0fd22df

C:\Users\Admin\AppData\Local\Temp\BeYIAMcQ.bat

MD5 abb2853be7c05080f44baa9cd69d4440
SHA1 8c8912f91624ff7823af4d70fc3fd4de2fe4d6c3
SHA256 0878644661460d76fc009cf9adc0bc1821f5b4dc963f2e55e4002680f58c916a
SHA512 85347df5e6342b5929c481551ee35ce0d4cac2c488281de38623493b51945df1d9bd1c58ab0165797b0f38a78cca2d2bd4901af45d7a66efbf106843e4fbd666

C:\Users\Admin\AppData\Local\Temp\IMos.exe

MD5 894cbfc348bb130ed16f16c5d3c674b2
SHA1 ca8d801fc21155a8dd799caef332e39126acfcaf
SHA256 d4458dac4431a7627def87f9775d6b8a273aa160a9cd0add668a376225b797fd
SHA512 e6c0b486b39d5049e455128e9804e4199d6328bca4addf349a5605dbb458937a1354c3226fea946875a964f2ddb19036ed9957eff2c5aed7725c1841cea76e2c

C:\Users\Admin\AppData\Local\Temp\WkEi.exe

MD5 d3415d923e339e846d3a0d8fb9ca2e1c
SHA1 53519629a177ac19153c298edb5001b86dd5965b
SHA256 a31eefccc11f94894ec854ec7d7c4d16afc2089e293ee8f252cb56a4271f461a
SHA512 37dd26214140c6853df9d890a051a22c850e59fc55e6d894328e8a937ab52996a643f857ef033b1935e9f2ce86aec464dff1b150f6a16a5aa53a62cd94ffc27f

C:\Users\Admin\AppData\Local\Temp\GwgG.exe

MD5 ad4fbdd269ddc399a86d8b457ba70bf2
SHA1 aa85b6bac831914dacd427d57235b7e2d2ae9df3
SHA256 01e2d666ea53f55dd2858193e9f2808355c7c8eb0174b52cfcce3abee4e42d72
SHA512 cf53112fa8b32b89b44f338066826fd67cc258cb2e355a7bfa9e6031c7fa723a998ff2e1dd12f7b456e1f82d2445b0a5a3612f714d13e1c02d06c296ca58d501

C:\Users\Admin\AppData\Local\Temp\AQYs.exe

MD5 6e2f2aac1276b14ac0fe6d6ce3fcc84d
SHA1 a42e3c747dd982ab387677831ebb0696f9230700
SHA256 1dea646f3f461e96044238faa42ef441f5e890169fdfc524017b57d586f9d3ac
SHA512 783201fbdf1fda503408420ce3c4f304c5276909a1b9d2ed88c4395794b8a896bda141c1eaab0f35e458cf34f2b2db94dcb04338260457560d46089556544f5b

C:\Users\Admin\AppData\Local\Temp\EUgi.exe

MD5 980eb8796189f0486839625d3759684c
SHA1 d7e7aa88c3b99d774557cf7b148387cb4b6563af
SHA256 d1fdd5c7cb67e353e59bb1985855bf6cad3b8f0da1dcbff381e3f6a31cd768cb
SHA512 b997ffe943108dddf57ff62684b8b7c067a569ca7780423dc07079400819fffdbaef2ea79c6625c230790e78ca3b6ce8fa635fff696f512d3085a8d6b017b5ed

C:\Users\Admin\AppData\Local\Temp\oygIYsYs.bat

MD5 4ca353d75cadaf489215eaa4a4cfa444
SHA1 9c07455d083e13ac33dacfbd543e1fb94395ae2b
SHA256 dac06955946a1b1642911188152fe843895caf2ec8424611339a65ca19199cac
SHA512 f18994a05fcd0ec5a893273e96f784f57c5006c3b56242542f416d1fbbd4759e7ecccd78897b408ecee9fc4e199cb124cbf62b7492ca23f4884c97f806eb3827

C:\Users\Admin\AppData\Local\Temp\iwke.exe

MD5 4e3868510d68a55c9c1fbbd9d01c9037
SHA1 1330f49a44a51c97d2cfd9ba68498ced574864e1
SHA256 a14911f55590123d3300d00baeab4c88b46aa70416a400c795946fd9a2bbb695
SHA512 682e65cd1973b48d34185cbd0ff9a622be445395b0dcd43a41315f116e6c1296ec3ca11fe9b5417e8dd4782b528a7011f55a62261e9e00a62d477c3f2fb912ff

C:\Users\Admin\AppData\Local\Temp\UMow.exe

MD5 428e2c5ee49f9a5e3a613b1348f1d39c
SHA1 c3d3859420cd03f3dcc774a92c5d22141fb7de29
SHA256 c430e751db987bb3e3aea8c9f458a15961d383969c410cd691d0fc0f5d2f130b
SHA512 afb4c9fddbcbd35fd01742bc00a6f8e612d06d58a3cf04167230f263fa1e1d9cb654b40d51ab7349ce122ab2489fb2826c278b936bae74bf9c743188f04ff823

C:\Users\Admin\AppData\Local\Temp\WwsEkMAc.bat

MD5 29327325e66cce991da49fc6cba1a932
SHA1 5ab0030f1b0f5f0191436138553c72e10848902e
SHA256 738bc00de5eacfa000da7dc8c9ac243be6b84731147b6bd560cddeaa7cbfa76a
SHA512 56f8c744d52565725a6a64bd44b74906eb2259194840c7708425f4c5fef0fa342d921508a2fb006ec553528b579867bdbd621aeeb2fb1728f5f2ad6b154e8321

C:\Users\Admin\AppData\Local\Temp\GUQO.exe

MD5 faa97dae8d42fbd85a2b4dfa6af3e6be
SHA1 623879355418c9d5e7db4cf27aceba1511614b06
SHA256 c468dffe2b6cf5bcd96fe5b11b531b29302e0bc09dc2d8cc9af764b65987e322
SHA512 0cb5915539bbbe317df88b16ed9cc5f29bf31213221f1ee68f3e1a6300c5552a7e1a3eb468b362a1f189d5433920812c66f0ce523792a8f4d8d62ee2b23d6f7f

C:\Users\Admin\AppData\Local\Temp\Ucsw.exe

MD5 828f8c21439a7a38d70c652ed3280d8b
SHA1 a9404b888bbebb8d38c5398d8018fd4eb315ae3c
SHA256 145cd59e719abafa1d44fd4ccae71eeee4f15cc53557494850a350acbb67aa52
SHA512 320117741e080609cd5a528a4110eb05d5e4f9541ef8ebcb20d6997eed9124fad9a1bab487dad94d291e1469d90945085fd07b314cfad8116ccd73574808ff67

C:\Users\Admin\AppData\Local\Temp\gQwy.exe

MD5 6c00d44200f0c60f28aa12156da4b4b1
SHA1 29eadf84bb0ee319faccf0dec789a2ae7fe76147
SHA256 372006f1103a2d43ffb1a23c252a5f25d56b464cc74a3df65704fa554f8a8870
SHA512 a591ae79dfd0a60b9bb307b1815f1f41b7d314872bfc14c3e8a934825258f8c6c03b6dc401a1de405937560f053506639b19318cf89667e241c59dff8a45841a

C:\Users\Admin\AppData\Local\Temp\cMce.exe

MD5 f78bafb2bd8d0cad6020243a756fbdaa
SHA1 299b83dda9ab82950dd6976f7d4c1a2cd8766f07
SHA256 c745d9df3d9df11257555781e2c7e899a4ecc8da43b47ed15cd406024d381735
SHA512 692399561b6f202322ed190506fc98c7fb84d89fa16a8f255aaad2a66132dc447eaf046aee81f898a38425a13d7952303af548f41b7529700e04c9e6faded377

C:\Users\Admin\AppData\Local\Temp\amYgosMI.bat

MD5 e294c41fe381b74db493d51e47b93f3d
SHA1 e6f37f0bc55cc3e1603f27c3a882d35a9dc91fa7
SHA256 a7d150c38219bc9c78e238141bfdf65d21d389c7e558146c2c8d981fd1260989
SHA512 c06e1324015540610d521473dc38947b5ff057b57bd639cf166574ebdde707064dbe74478fbaadccbf9bce8469b547c85de694bc833d76cfd2530797a81a8418

C:\Users\Admin\AppData\Local\Temp\AAcW.exe

MD5 4d64d372c8683344067ca27c164cee0f
SHA1 75d60ffaacd58d6a75d4624c27f42f8c001c9ddd
SHA256 741485478d2a36e835ae6d5f6e275076e00e97bf3cb002062616470cb52f002d
SHA512 9b95246a1287d015d3cb642e90a86aecf73acda7ebbbe3d7dab8594f11fb8792041835ed5b07263e5b4a8ae6e2c1953362e71b4d7f965e3337565fca88c11f2f

C:\Users\Admin\AppData\Local\Temp\goAm.exe

MD5 fda447a09810e804b8cf9cc58706ccf8
SHA1 77e02d14f012afd0035f7dc4619cb1f2763f7ca5
SHA256 650157ff879a7be23e4d83909686796e96a8ea458afa5b62de616eecd9eb67f0
SHA512 059d7799624bc4fd8310a25f17bc0319561889f5e81a7fcd3bb3f3e07f8231b5e72c4fa589837c4ef7f7bf822b8f114963a6784065a13bec64c5fe21b6b168a0

C:\Users\Admin\AppData\Local\Temp\UIEU.exe

MD5 f0595c08630eecd9f0eff8fc2d588871
SHA1 4a95843f902d512b93f27455fde2586e09ad523e
SHA256 efac3d585fe8361d3465715eccea0ee08ab5cbe772f5f6a9a22cbfb605fd31b3
SHA512 707d705de5613184b3e61ab224df992a25adb2ac474243ee6933c881633b7b36d71f12149b34164ba52e4e4372d2209a561adb1ecf57824c14b39cdfdfb92e77

C:\Users\Admin\AppData\Local\Temp\sMYk.exe

MD5 aada44aff9aa969ae978a6341f157a67
SHA1 b3882fda4f67f772a07a1eb468b8c7c11a52daba
SHA256 99576e40b0c48d6979ad0060b0f3dbef5165095343193d50ed0d586c8dcbf3ae
SHA512 b6f44a37d3ff5855dc53bbf5f9f86c44cd79f5f9f07f9f3f9b035d3346b4fd92d4d974811791bb4d77b844b888132347bd0f62adc56a7db9f76aa4ab6c93c2c0

C:\Users\Admin\AppData\Local\Temp\KsUk.exe

MD5 29164d8ccf9b39c2128b70c7324af3a4
SHA1 66109fd7c9b7d2638e9ab21ca741173d386e26b0
SHA256 5b57e380a03a9107a8493e15e42b1c30d2bacf2e790322b63d5b756aa2333d42
SHA512 946b7681e87c515aac5cdf858dda9adedd6c8c1a7d78d8eedb7ebc74170b9229c34e07f4cfa10df2b5e1432bbcfdeeb4045bd70d85b82d69bcb9dc7db5c66dce

C:\Users\Admin\AppData\Local\Temp\WIEu.exe

MD5 0c0e58a99d7c174d2627f72cabdd812c
SHA1 5d6eb1bfa5ffd167b24d54fc29816e7d4ad3f8f3
SHA256 e86048c8c2452d4a8315b2762eeef89b8c8bc32b55f6599d0ca1973cbb120488
SHA512 9ce149036beb7b8a9e47648781f13bdd48fb8bb60b8a834cfd4797c4a540576f50a0caaf533a3d7ea97a2f0c97049118623fcfece09e9c70f2c692bbef845a55

C:\Users\Admin\AppData\Local\Temp\WYIk.exe

MD5 4baef7ba8f0f1cbd3a25b4d96939a387
SHA1 51f6a197268e47d01fc1d1396b23193f6db513f1
SHA256 36cd3391b0b6e4c418fb6d62aa7e0b05a089fb70d1f83c02316304fcb7584dff
SHA512 a05010a57d3482ab08ba254b766eec4dc6236be187cc3027451c25f30336551ce57c6834a0ed05cf5f58cedbfe26556a71f35f1a3f2d7f5864321a01220eda3d

C:\Users\Admin\AppData\Local\Temp\UgIG.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\aYIY.exe

MD5 27c455fc0b7e0a5bdd9a4ea4f2b36f19
SHA1 b85516b8f2706eab7e6623ce5daf051e7dcf375b
SHA256 ca68264333e0d8ec8e508d1f93e21938ceb22637f1ff4e33f53e615f36b3d9c3
SHA512 344b4e5c25129a9237420e23e8fc1e0db512499066918e184b382d8cdeef98905b7abff21eea7b6cbdcf30b76721548b427a989d3ab8634e5b204c09b7334290

C:\Users\Admin\AppData\Local\Temp\YoQEMIIg.bat

MD5 80915ab95d7e5a89ed077b9fb0ae9e8c
SHA1 208b0ead0eb2797c879e34748fa315c86de32d7f
SHA256 3e72efd686fdc184a12fc8841751e28aa7d7d4ebaebe6ee42ed4178df22258cf
SHA512 e64636a196ba73e25c059e3702d9b20316ff444af3d3e2777b9619d0899cecd68dfe3fe884ece037b8264fb3dcf8128accd21d14e54048ba1bf2e102e7684f1c

C:\Users\Admin\AppData\Local\Temp\qEsK.exe

MD5 982c2bae5cc0a239854eef67d45b0626
SHA1 167bc065d1c2611fe00d5070fda7a142e75e1aa7
SHA256 ab63b6b6c312859ff169352a197cb981bb7c16256cbe04f61ee08e6a7d4fcc29
SHA512 3432ce564eb680400d6ef3818d12e25025c4dc7aaa8ac1f3e41eeff186aa2a64e68dfc8d02fbc1a0d8cb5980bb4c84755e5e9d8ef62762a03f854f728034e81e

C:\Users\Admin\AppData\Local\Temp\SQwG.exe

MD5 51b2e5404314b888683a35d4037033ca
SHA1 32f60374015e1b866fd84d7a945f3546e0860e7c
SHA256 c0e8e371d03f0096a012ca61dec1d9a81e10b570aa4bcc292a5a32fcc0422d75
SHA512 f5eb4bc659036f7056b7005b5789be8e283539f9eb516667afd244a21da78e63953047a2888701c0e74c3a75bcdd8d9405f4fb06de44c251e4e256d98ba0c70f

C:\Users\Admin\AppData\Local\Temp\qgQS.exe

MD5 52e32a564f72de0f49538d5b0f072a4e
SHA1 3169c43f0ac33191ad070c318f05fea0e60590f9
SHA256 3048737b6dfac9967d6819cab88da0a7b5eb71d3d11485b6ef70880446927d98
SHA512 9b0fcc51a5f4f0ea609f2567534dc3ea5fd10c1500f34f2dd3626eb8835e445ba50ccf7e0288349c8fabfd85deab28e0c7308a9909255bf51d4cfbe23b0d87b2

C:\Users\Admin\AppData\Local\Temp\socsMwII.bat

MD5 c9fa0de19e8c4c1cc273f5beef9dc9c1
SHA1 e9543883abf86c0982024a3e80dd5c0cdf9c894b
SHA256 fda25f2254f36c5481f7418b6ba9a4b7a4016fc1a1d2050b079f9cd4a488b53c
SHA512 ab34603388368a41cbee209f10ffc6055db53986a6b05dd88937572de1792b3cad9e274d22273e18f83fdd7ce20fb172ec10566231f1d889dd5f87c52d2e257b

C:\Users\Admin\AppData\Local\Temp\KIQO.exe

MD5 5cf0edae875e9c8eb45240287aa3641c
SHA1 b984777a4038fcee04cccac2585b316248c22969
SHA256 17cb3457795fcab2fe8782b4d68d6ac971c16d469bbfa14464417b6292cff025
SHA512 cb9bdf7c6f9ffe081a99998f00522bd06155bd2d04287eac2a6aea6bd4faf7491a4235f0e5d3f05f0ddbd764dbcc7fee739c01812ee9e41305dcc3b8cead3e1a

C:\Users\Admin\AppData\Local\Temp\GEgk.exe

MD5 e100605d794ad3ca78339c3298f6265c
SHA1 687968b0445ac34585b8becb30c931caf962a28b
SHA256 e0b872c08945132754d19fde238c9ab046ab964e0fa68ec1b2e8165c319f0fcc
SHA512 b2088157199029df531daa467521e8e96ff7e8f36ac7e0df59255800decc03e5565334c7ef0db718d3519c19440a63deb86c74115c7b046ed7e11decbea3d2b0

C:\Users\Admin\AppData\Local\Temp\Sgsy.exe

MD5 b19667e11e3e0595eb3e997d56bbabce
SHA1 d7e7e99bd09108da262a050287d5a5a51a734020
SHA256 b48700b35bade98670a09bfced35d5e7eb4ea1703910563ca25408ebce0c522f
SHA512 772672b1b54077fc25cf573f552ee0b40653af2b45fe85758930808a16abd356425e21cb6862e20f69d679e3554d71f9cd020d28cae8f3564c8e57dcea14eb03

C:\Users\Admin\AppData\Local\Temp\UEEy.exe

MD5 5ceeaf3ac4d4caf211cdf81cb6e3e11c
SHA1 e80cb9f996ae4a13c3e7d0a90e3a1410d80fdb68
SHA256 7a015cfb2e4377b3b22b9a51ccb5091ab72642c4f9b814242eb8b590b6e3f67a
SHA512 0bf789f322cc98cb3ffd301d7fd4c413b397281b06533e71bf5e96c99612e5164f86b6ad92412e6014eb0821a01b0c6d082d19bd4caf2df433e458dd066b5842

C:\Users\Admin\AppData\Local\Temp\wIMa.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\QMUe.exe

MD5 b19c6fd24126f68d5efbd603a0da199c
SHA1 5dcb14e123a1b78178054b04fb989ab93aa006ed
SHA256 df1def75e539eb4f63f72a328896fe0c701805f9dc2b13f2213d7b230199511c
SHA512 e14a78632a5e49e4223ace2ef96cea8023a67b4c4ffde27f4d0daef789ad4915247c8aeadf13ad2e414e71d1895fe8606b98d034213eb4e5e695b1b72dca0f35

C:\Users\Admin\AppData\Local\Temp\JKEgoQsM.bat

MD5 c92b310436adfcaa05f3bc2e097e2941
SHA1 41602fd6e7cd6eff75e55ed455f8318040ce319c
SHA256 cf690f5009e44e8285cfd2b4a776797d065f985e7250e0d752a2b4a88cdb2529
SHA512 375d598a662fa1c1a5b42e0af7d1b14d05b946d69973bda6229739fd80514b8e1033befba0099bd189480cf6cbec8a07460967b5bc85c30941e1ac77b91f1f4c

C:\Users\Admin\AppData\Local\Temp\skoo.exe

MD5 d7eb6572095fc3567c4f85e27db04e1b
SHA1 736cf18c681640629b2555fab6bafe7f62afca28
SHA256 4b7abc2c18bb22aae46179323004b3e8fead907ef723668a768c9d44e8fbfac9
SHA512 2530b11cebc4e3295641ea84853e927cbb182b58579de94c32b1b754a76100c5da18599ab7ef7168429e78c1ab0ec0c5a7ec9a4b8204984cb36492ee7289ef7d

C:\Users\Admin\AppData\Local\Temp\ksUi.exe

MD5 9d709a5d87c5471f1a4abfe4457c62e3
SHA1 26c9ed15166b317086b2d13587ba8db662ec346f
SHA256 0ebd203f7952f55ff0f33c67f99bdfdd63b8912ad7391d276be178a9beb5ff80
SHA512 2aba70794f76005b7c53a6acd04af8817a01fd030720f4e436ffa9f0894eabfade6d59ec910ddb100a2ee2afeb9b5dd37908f02cfb12caa86f36508356d53b5d

C:\Users\Admin\AppData\Local\Temp\mMQs.exe

MD5 1fceda670dc437df1003cbe7ddb6d91e
SHA1 e45e1d15483cb6307056645d07111a4a2c7dedcf
SHA256 91ab546012a686e09f02946e87a6e5f66d8de7bd544284bf17d49c834d0eee5c
SHA512 e23c4e98df07210ad33df882fa6780e68762c6bccfe1c55e85770cce3d560fcc872c74e2b8e8082f9b0936cfd6fbd53b57efad7e8753ec59f4916def315762ad

C:\Users\Admin\AppData\Local\Temp\VssMYAMY.bat

MD5 a64fb0af0c0885ae4e3df0fd97ce1935
SHA1 916ba340302f9fff32b458864476572fc12841a2
SHA256 f2e3c17e81681c2ea32f180fa44208a99aea8a83ad6b85cf80acc6580d051590
SHA512 466fed1fc54c6cb0316be5cbc33f40c38f626021854626b705aef66b4caae197132e60ab1158c8b46e02b386a0036c8ce844a3e0e7a30122dce69b9dacf62b9b

C:\Users\Admin\AppData\Local\Temp\yUQi.exe

MD5 6b27274cc8e999ab976f29c1ebd7d7df
SHA1 6f380ba1eb7f90087841ddec5bc23110427953c4
SHA256 de4a4e0bd9923d60c4f0e21d2f54dd5f3d950e43c3550d180f40433a1e977518
SHA512 cefb68edd0b54199030a6b23e6188491583d81fe27898492b3b7dc0de25b670c236bab00d6e801b885fcdcd2fcde2ce3dc128b9ca2d41c2419d8d8946b136e52

C:\Users\Admin\AppData\Local\Temp\Acwy.exe

MD5 270f9797fb6b7871b0829834b37e6257
SHA1 e1ff5dffdbc8850f9d9afcb0e8a4577020145ed2
SHA256 b119bd68b90b8b01aee7f7501582882a3d9a4e1f860c5b60c5d65f9e3cc19b9c
SHA512 d2e520b05e36b96e5a73c40f31431ecbd796304090393ae2bc9d86b4cbd37b4af55f9ddfc106113df4741fbf7acad5f53a35098c928774aa43d91bd9e5e077cf

C:\Users\Admin\AppData\Local\Temp\YkYk.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\owkW.exe

MD5 305372d87857453a38139298b55a1532
SHA1 ecfcd474f8510934d7ee3e7e6d9ec1e6a0f4a33c
SHA256 34ca87fd200790f7de329e90435e2404e928fb7ea555ff15bce78ca8bdb738c0
SHA512 539aba3139b498a5a711b015a9911919961a43aed92800e58d38fe9101d6023f90a2208c61908b5aa851e59410f6407fbc367e27ab5f453f3715a850ffe4cc80

C:\Users\Admin\AppData\Local\Temp\ooAY.exe

MD5 f7b2af05fc44ce7a9f4785c024f3f10c
SHA1 ff3651846fc5d951e1c4c89e7af6826b09bf9581
SHA256 be2dfce6ff21753f66b71ca7394c71b345fab56aafae3230d77e6560baa56d92
SHA512 0a989effc3c94c312bfe86d1bb0cf8b1ef7ea4d80caab164ed9bc1887730bd527caf35267dcac3c331fc1f03742b7e219c45704fbada5c1764403c4b72411874

C:\Users\Admin\AppData\Local\Temp\SMcm.exe

MD5 5cc31141fda8a8ad261366eba976ea08
SHA1 58245c20f4dc2b560e28fab4a7b845b5d8c7f151
SHA256 fcf80098f8fbec5bea73c93f788dc409eeaf9c3df2a4150590a69c880f30a48f
SHA512 d7f8b5dc86544ecd762b47fe36c10cb40959a75139a172adbea71c24ef527c18101b13290dcc7e6badd6847392b44a415391113bd6e685f13107446c85ee301b

C:\Users\Admin\AppData\Local\Temp\Uwwo.exe

MD5 d1f63f050a614d1819f28a32a69b9227
SHA1 a45c87ec7367e94bffbc8d599c6ad7bb068293ab
SHA256 cf77ecc3ceb278926d0ea71f22e0e80f419890e5ac93fed5fea3b94927235f36
SHA512 258c2547b8283be3cc6b53b5d862af5fd8f7a94fd85134f221a521ed1094b9898cde79a3bfdac27ce2c9382b72e8b29da1b5555bb073dc2d37bf7403fd9de9f0

C:\Users\Admin\AppData\Local\Temp\oIYc.exe

MD5 a82fb3d85bb25e9f58a1667680c4f690
SHA1 efce68f7913dc22ee0287a4eb3969216e7e21a2c
SHA256 2e09022e71be6ecee03a7a28d003d2fc8f52c9fad8742f3ad49c70f6f0300cc2
SHA512 8c563ef29083239a761e2f0f53f587d849481622cd85ccc94be50fea19a1a729d5e347c813b01ff17b68c42d70de2e2f9c0df44c67cefaae3cccc6383115dbf4

C:\Users\Admin\AppData\Local\Temp\oIwE.exe

MD5 7934c65b0b18623476e873874f5dcc94
SHA1 65dbf5f9f3bdeab62aff63d4faba651984b42a5f
SHA256 d073c927e718694148e7f57ca1e28eb266e65d89799951e3414624b6419ebfee
SHA512 27e79652d6389c98d7ab9fcf07f43128639784dac36fa9fab7338a8cde0be89e2d85fc661b803d131f7b1b17b59c8835f1a00be5c5adef4187d213f54ca3c60d

C:\Users\Admin\AppData\Local\Temp\JsQkgIgM.bat

MD5 f28fcd68ebad2cab6ee53f5b24a7f359
SHA1 5b17adb71fd63b9f509f1ea80575cdd5d80f753a
SHA256 f219902a559b68b00c802fe4b3b4ee3c65a7893074e8d8429ca5cb42277d5e9a
SHA512 80abd43bfe9a4d3a1eaabf3b741cbf9db22b9beb68a72aa621f0a1068172ba7a9156fd886254689124aea8378ec436d2636afacefdae1a28f252f60104f47363

C:\Users\Admin\AppData\Local\Temp\koUC.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\uEYs.exe

MD5 9bbadded2446a2b6118f05ccdadd1e6e
SHA1 ba3dd2e962f5500932da558d56a8b030ac6e8859
SHA256 003376940602e371cd1250769d97ef88897e1760c4c2418fec06c0bed27e0ef5
SHA512 33f76714bc92f0cbea0dacd83ba9747783697b962e3ae2b33d24908b057ea26520b446cd8ecaa8ef4673d6359b76c95c929448a5965ed15e2523de6be129e9dc

C:\Users\Admin\AppData\Local\Temp\swgU.exe

MD5 f3de5562d144b8e1a4c3f11bb60f162a
SHA1 6e191ccf89f7ef6d9b2efbacfea3887e9e5dd4ce
SHA256 ef465a1dd9acdf19d51c7f9ec9130ee00be3099c3facf227bfb4e63c839bad4f
SHA512 b2e52488894ca4ee234db4aa9ef0b26747c8cc651d644dd1c5e0beaff0e7c008441243f61aa04fa94e0c73cff0e2ac126a3406fcadd37ad8b0c8b6fc03cf9919

C:\Users\Admin\AppData\Local\Temp\eYoo.exe

MD5 5e1d28e10b5635566e47c2cce87e54f7
SHA1 bc44f3d2f22bf60bc9d6a5ef28681b7d2ae8aca1
SHA256 4c3ccfcdaf90a4457168863b519347b596b2d8bec9b463f67724b7a44ff47ae3
SHA512 89eed2ff85c7ba2970445aeceb9ffcd21d7aaf1e991408137493df74e257a02d89f1916c791ea48bddeec6496ef3d089e415d119fa9dc45ed9942e7fb2ac1e84

C:\Users\Admin\AppData\Local\Temp\SuAkswsY.bat

MD5 ec673628d59cca577ff9c29dce7c692f
SHA1 140197138612bff46f8ca17fa9637529caa3570f
SHA256 e3c4fc83fce53304f1de1da7567e208662567de93aedb55ff9e08a317d48d339
SHA512 b92e3a63bed6758e8ccd42c5c58caba583fd361c9d1dcd8fa2f89a7fe62e3701eb72ae3046a2ff938409976400b360da69bfb9611de96f3b2673dfd9317fec74

C:\Users\Admin\AppData\Local\Temp\uQgM.exe

MD5 2a62f30b6bcce2490b2d466296640378
SHA1 33719b327f44c0bc15a19ff21d71a8ba5106b4aa
SHA256 c8c8f1a76f4dd132610a92d0d54d170465c03c7e790b8a4f3e915b7f8c40766c
SHA512 8f656763000c4293670f7c35c2e70c7534cd291cfd6370fd827c9fc4b71633bfe9742d7d59274ca5945f2f3bd03f4baabbc1065119c4e133381e8e84130822e0

C:\Users\Admin\AppData\Local\Temp\QYoe.exe

MD5 bc9a87888d499cb5f45ea351b29eda15
SHA1 e2208c9352a0be3676f8128b55e1ffc92743fed7
SHA256 4ed9f14ba6d9fb7cce342fd214fec3f12d60f6e9eba50fe94a9bfe8085f85936
SHA512 598a4d665d5794be5a0d0e6f65d2fe30696ec8ef11c2c25baf4f73d696d3f495cfcaca7504e95b59b3746a650a9e3bc768817a358fcb0716b98e3f5a1bb87113

C:\Users\Admin\AppData\Local\Temp\QwEY.exe

MD5 f15435869321da3d650b3d837cc7f61b
SHA1 c8fdb89deb59a3357a535c010fedb2a300b54751
SHA256 8a18c1893fa83d0047e6bd77cdbbf00384ae00b180e5219a23da9159a486fc01
SHA512 a1b04dd3c015859d19e61cd29e34d48783fdf00b5dc2852ca0b86efc7a26468a5485ee6f4ff378e75dd25b6cbebffcf2d449e1dbfeda39ab3ff91a59cc0e1ea5

C:\Users\Admin\AppData\Local\Temp\EQQUkQIQ.bat

MD5 903c0cbb79932c1cc64639b8060c4be1
SHA1 4b7cf73fb4ad71e6b725f7e4bab1f10076389cef
SHA256 3eb7a32390dd185fa9ff173770dcccf9f71f61c7b96fab16855b3b7068dd4ecd
SHA512 d46d928959688fe62830f03db1caec2b17f53653244b03963ce4316f2d04e44852393af45fa9f4ba25b7f7a23491124042cdfedb99084e8ad6a59b4411611621

C:\Users\Admin\AppData\Local\Temp\MwwE.exe

MD5 4aa6887c4927bd65a7eae9a3f9cd3820
SHA1 ca46b58e979bfe2e47366f31534e19307cbcedd6
SHA256 54be8c48ca0007c0717688c7d255e205462bf7d441fbcb49a7da2de49b49dea3
SHA512 2a15926b5d0181ed1c0de2309a2c94c498a7de903ff2a8e68c6015f99b4b7aa638fdb7cf51ffe38b015b1390288e62f6c86d01e3485f7ba26caaee143d5fa888

C:\Users\Admin\AppData\Local\Temp\YMAk.exe

MD5 eaebdd61abf52778a1d614f291749a2c
SHA1 17a9f0f5469c59eaa07d498a98bcb30b6091c4ae
SHA256 decd1e34a71565d7362f1c4a7e34eefa3dbd9bb4c03cc55f5726df15c4a80a40
SHA512 e3fdf1db65c547c934b8f77704e73fb98270d3a7f393cfcf98f76b8766df06b0b0e139281b32999e36c4eecc4e78e16673f7d33d1ef64a282bd06715d1a28436

C:\Users\Admin\AppData\Local\Temp\uCwQEQQA.bat

MD5 9bf71543194a6e340cd9e65172637c40
SHA1 9b75e7ef9a6ca49cb66573c6fa959ebc48217940
SHA256 c8e90637e6c0700fdacdeec3893a11374710bfd69dd652696eb52be0f81204ce
SHA512 ae3957e6bcc7f0a49695acf34b8fc19a1d49169ddb95865c2c0629fe6c10399e70ff3dcc7497416821ed421e4b16de7e4f4cb978a9170c1d0f2bdb167299da0e

C:\Users\Admin\AppData\Local\Temp\kscs.exe

MD5 8f3c05712ad3ce7cf23f3b4bc8d85b00
SHA1 6ff3057f6899460a19dac5f5d6084dc1aefd8fb3
SHA256 385da0b170a33b00493d925ecaa29139a3cc3bd93cdd61eb7589e9f0bcc2bdc4
SHA512 1eef3697fec165c3d8160035caa83c249439164061486630c812b5b30aaacd8d8ad311acdff6ac2599a45bd41457d0545544f3897a1dc0ddd460ba761d9ca254

C:\Users\Admin\AppData\Local\Temp\QCwYsUko.bat

MD5 1e6a0fe760e34143ad5c688e3a55b9eb
SHA1 e5ed469fc5d1ed34813163ab2b8f6924b70e1f0e
SHA256 57ba120eaae4a56c7217ba037436b3241db41adff539e5721bcb1f7106f4c744
SHA512 7e3f02d50b187d09b51e7e874c1f266e5e219776888ebb933484e8dd28ba63e4572e2b5e5e2bc44f3ea3c124ea85a1c89058336aa0e0edb82588b6c194572904

C:\Users\Admin\AppData\Local\Temp\wooK.exe

MD5 64ea315fa6c2026eb3a5b31f6ea197dd
SHA1 82e63a7e35683698d808fc3b2b30a9279ebe7ed3
SHA256 3dd950c2a249c248db64607c631db104e9e5313352bd9622dbf091eb1df766bd
SHA512 c1b6b3afc33db67f2bb9249aba570d467b957f93e1d32c487831ca46fb4e3a3c5601895309b8615a9b17de9f495a265fe8e1ce112fd21c3cdccdb29a100497d1

C:\Users\Admin\AppData\Local\Temp\wUca.exe

MD5 9b0e4447a6823004a392f3a90e6da32b
SHA1 46421426ad138669b2773feaf42c7e39b6d431a3
SHA256 9c5457aca4c11844a82973d7b4b0cfb89ee7b838a7980887c3aec934dee12837
SHA512 512b721a888ca297abb63bdb65b4bf892191e80ec1487638cbded3fb8cb8ee463a2c315a9ea1421cccfdea43a5e8e3c5867c89353501d9d8ea91012a07269205

C:\Users\Admin\AppData\Local\Temp\aQYI.exe

MD5 db1b02b882994190142800740bfa9ad4
SHA1 edd2c7d909bcec9619846dc704b1f628a5e2e45a
SHA256 ca47a651ce36ce4d643c48d0f3c519ed1e969110fb7761bd2a6bfe8da9ef65c8
SHA512 0abeeb0f76ec70dcb0627c62b0202d5cee99954dee7891c3c96ec58711535a33564eaf34d20267c531a36792d23e5f343c4b7d1e6bb2056cdf4f977ebb4a0d19

C:\Users\Admin\AppData\Local\Temp\KwUY.exe

MD5 178bf5be4aeec764d36340ff7189b2e0
SHA1 f836dc5b361d6ed700a8c19c7b0979f7da430395
SHA256 10780211cef66d0f062fc351f6aec29ebb9ebd48137e9dbbef41621e3c8f953b
SHA512 42641ee24a220391469b4bf43249f99621837f6385052179b7a41dadee7dc8d8929df8a6cf60c6ae586c33a8fe8b49f947aeb365f73fe543ce2237b7997af38b

C:\Users\Admin\AppData\Local\Temp\QQcK.exe

MD5 5fbf77a77c2a79bb0031aaa0df9db303
SHA1 3cd0e007f33ba1d04477dbd7e97c6243695e8894
SHA256 5c5502ef96e3be24225143284c7deb32a110f71af2a55d555487787e9462d33a
SHA512 9887f8f07b78ed2eadcf14af323f8bb1bf5e68a3ce84c34eb1efe5bf61ef5dee8ec3862e0404a4ee88bdec8e3cbe99251949a552c4c66d2ec45d0aea60854940

C:\Users\Admin\AppData\Local\Temp\AEYC.exe

MD5 f765080d4e8a4cf3748ffd592208b7e5
SHA1 895f601e74d1362830a3af6c73e7e1e2ddf64b0a
SHA256 dcb0d0b6ff3d6916299783d8d00a0c9d4cd5bbcca24946b0efb41bd95a6f11e8
SHA512 84b5ab4a91cbc37caeb7530cbddaeee364a7da1206f07e3ce22ff822de2e007d5b91aab48068ba66cadf735266c001797d3fe0f7f335b67694665063d90ba7c6

C:\Users\Admin\AppData\Local\Temp\BqYoggoo.bat

MD5 242baa51ab40ea2f19ac3fc19e4e5d77
SHA1 5b34beb980f2af3e828bec67bc70e71652439281
SHA256 43a929abd55af0c0d661f5b9319d6176cf49906916e317e95a86e139af7ac18c
SHA512 c5cda7cc840f862fe05c96236f42ffe961e38d7a822da8841d77e0392aa0129a91451606a0e728b356d27de634bf097624db57c46711e473e015ce01e1cddd68

C:\Users\Admin\AppData\Local\Temp\eQcK.exe

MD5 fb45a11cee1799c44139f53b5f789ff4
SHA1 e09ee907fb2da77aa86281c5ffc0dac3895b42ed
SHA256 a8b2941a249c64704342d5191d08a4f390ee52727cf4fdbd6fa60a9fdfa1f707
SHA512 0f6f61ad2a2cd0d698fac0ef09a4534ec6ebe1d4e07fa8aac6b9baa3a4bf0db4d036a43ba7874048c9ae1312e054a476ef2a43c26a6d5fe1d4f67498927ba2dc

C:\Users\Admin\AppData\Local\Temp\AYAo.exe

MD5 9c43d20b1c30b6c05261995551c26a98
SHA1 73eebb2f3a7658185fb9cbd5306d747f744a1f84
SHA256 9f74c60308fecd481b7700794fd00097393d37d599278a9bfa575451885dd611
SHA512 ffa5bc244c0f659201424704da50900933991b375eccf4fbaebb782411f78d28c12791f0a776e015a15fb8a79dcfb7f5ecf1f87d1f4495c867d710ac04b7d81e

C:\Users\Admin\AppData\Local\Temp\IoAm.exe

MD5 ef076220928814f70e7572e0e68a4c20
SHA1 311e8cc5497bfc6dbb80389db4eeb5981778d3fb
SHA256 ca4a36b20cc6ff4a524547e37fd4ab8047c368d31fce35c6e1c1f0476d84942d
SHA512 565ba3d08a88e9565f927468ec80bebe8ba982d4f2326ecd0aa3edeca1674bac06578a66d50e739cf65715d717bd29a6a1413e8b6bd52546142af60339f5d2f6

C:\Users\Admin\AppData\Local\Temp\TMgYIgcQ.bat

MD5 3ae691543b45bf1d577612284f3197fd
SHA1 b63463acbb59f8e5aa0f441494ad6eb27c0eab92
SHA256 ae8ce2f90964a902aa48870b98dcfb0b0948baa9b77bf3dd3df59372c8e6b63d
SHA512 ea6da3762f5c561c13462a11e8c68f4de659c720274f01c5708c096eb79ee00fad159fe921c6be89c2bed9feea3ee6538f354f01379316fe2e5998f461069790

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 1804322afd146f970dcf470bb4ea9e5b
SHA1 7a270b68702a2fb63c791831bec8cc5f198564c1
SHA256 851114fd8af050117bab60bf6bc0dd5e992385d318c163a9aaffcbc2efaac7d6
SHA512 34ab4f3bbc8223544b88a3564166ec5ca21a61354f1cdf52b248dd98215fcac433e9bf306679775bf4a02580fb2513a1727c2ecaa3e3a7ba342c0a80a6a62455

C:\Users\Admin\AppData\Local\Temp\uQYe.exe

MD5 40b3447d502fe7e575cb47bffcdb9e9d
SHA1 7e47eecac0a311ee8996f5d825cf970763cde883
SHA256 f904a638cc114451b79efd19d1e8f3390165bfa3c210c78133e73b3e7d2d94fd
SHA512 90f8ec8959edcf8ba7babd60813823c37f1603f36bd356173df206eb26efb4dfb7015cae2fc021dd71a6ddcb0268685c93e6c1dc8227bf68b2fe82a69c929610

C:\Users\Admin\AppData\Local\Temp\OUoG.exe

MD5 0c1342b93d8eeee0257bf3e39af0bb6a
SHA1 29c8653355a480642a44cd0d5e59420ea4ee960f
SHA256 9612815795f9c17f242626f07e706a89eeef889706544cd4c3ba65cf0e52062e
SHA512 30673903aa546eafb1affa7bcd0545912363bc1b3bcba5ccc0f891e288068d1528480f3360bd41860b7799d9767959a6f4045dea20d23b2516b671cae3c60640

C:\Users\Admin\AppData\Local\Temp\LggoAkks.bat

MD5 7ac6fd31b014f97ca6fe5429b45fdd80
SHA1 f13ea9e9b50e187e8675675a17a4c12416395719
SHA256 3b38c778a66ab9329e56d60376c9d7a4addb7e7d4e401139d869809886abac85
SHA512 7e47250ab8624e6f402454ed8832360930ca39274ea28cca7ebf50552c51031bc5166a25a07efa97eaa9b3b684e18f7cbae74c943407bdbea20a733f2de94eea

C:\Users\Admin\AppData\Local\Temp\ksoo.exe

MD5 ccf552fb6a0bf09d931bdb692cd8a8c6
SHA1 3047bea06ab24c29582e302b4bd2ef8795c73661
SHA256 e5f05c9136da27d1cfbdbb2934ce51a7179e023a8969d392fdfb9e4c764bd8ce
SHA512 5ba4231b42c3ab06d2ad34feb441260933066b9d2677a68abc337e729ed3b42bee0a81c5989b448a2db91f79e21e99515113f8dfbd80818e2408c6b567e0d4db

C:\Users\Admin\AppData\Local\Temp\Eoky.exe

MD5 086be2a88ff8c698589497ee262af02d
SHA1 7bd1855b130bf485f726e9aa893dd857d1d237cb
SHA256 3f59b69391e52b633977abe46ea33f3832f6c67206a660d9b5251062ba165dcb
SHA512 b945cf078f225e19c00da6dbceed7b6256e3d321a62d1ea8473f1a4ac7ada2dcf78f1ca8c90a3c57ae94416256d031bc09028d108479d3b950a08b9eba30be8c

C:\Users\Admin\AppData\Local\Temp\eUcu.exe

MD5 751abe48ca6fb386cc2b94c97bff999c
SHA1 c23be48d5ca4eaf313838e2d04bc48ad301a64ff
SHA256 f15dfefd1b0d5876bcd23069c2c2f55f118685f23c8e55d80304153099ad6791
SHA512 d1d1513ede20e7007032307a579ed8b4cbf10fd048aab6774f8defa0818c36014fe2862294d62b39cd91d84ba66a9829d06e3e35f0f8ecddeeba3a1fc57c628c

C:\Users\Admin\AppData\Local\Temp\MEQG.exe

MD5 42b9c0d424f6a429f1bc1a9c0da07ce7
SHA1 668cd83a0d34aa276581fd2426c989aa80c74444
SHA256 2d19da78ec17c0420bde1de427973eff94c6b99346a2317f0867d7f2768d4c82
SHA512 2c951eab42e0d15b81493822723033b0a0d4fc68c94e1cf8c80d97507acb41650f03c8c5a0abd23f6b30fcb9b4bd1fbe86db48f1070fb4b83af87eb2eab9d869

C:\Users\Admin\AppData\Local\Temp\WkAQYwgk.bat

MD5 cf6acc94242a21b4064c67bb0ec70b4c
SHA1 d4fe2359bff3011fa298c860d357ce0170fb53ad
SHA256 324d17caebdd8c79114fcac33b21ffb1d2fa7692c0870027d1d0aad127fca278
SHA512 af0b2c7d044e82d9b430e1542d0730f29364d2a6df02415efdc407ef3f12128f235699e01887278cd647811f9c5a5a7f36460397ca3dd02c0f2c5f233d4e6aa2

C:\Users\Admin\AppData\Local\Temp\mUsg.exe

MD5 669d0924441f3b3dddf60a26defb103b
SHA1 f01e2e1c7897e30d14c1d998d5f8fb458b10c93c
SHA256 becd1e48d218ad7d91d8feaef1607065e3222275c0cb40cb76ac1ae0672ddd82
SHA512 51fcba5274115b6da438c925f74f142d5754afffc5698ca3d0bdd715f5be2feedba6fad0b59a1d55c47887468f86c34e77e61ccd60f054d2f892cb0847dd1599

C:\Users\Admin\AppData\Local\Temp\SgAK.exe

MD5 3f9d7c985faa88004dfad17808536b48
SHA1 4de1ee3862b6ad900796223f7b62c2a1276904b0
SHA256 1078098210545130d4df92f089b6a3cf41efb33a604a930648b1296656d1cd34
SHA512 beaba689ecab5db906e80dce10d4a67931d83463c968c629ed7189bc8ab5b0c3a74eec2278eda6ecd56271ff0dd0b9e9b42147936d99b3cd365250162abf490b

C:\Users\Admin\AppData\Local\Temp\wmgcoUoI.bat

MD5 23d8c6138554385907e842bbdaa60fd1
SHA1 ad1b94e9d4557ff1e2f6248f35453552fb5354d8
SHA256 3b0ccfbb594b23fdb953b397ccb37af2243ef43d7b9ce8cb4706c101e92209bf
SHA512 018e742c7e21da86abd80652699e6097ed901039aa69c4fa79a9ad18c9d4bac8e0a46f8367d9e1a4415bd77333de36a5635e619969d4704a639364650f923045

C:\Users\Admin\AppData\Local\Temp\AMAU.exe

MD5 5488cfba036b6ec1571e2901c86bdbd0
SHA1 089cde12d9a8c77d52213726c3ad44a68948cd92
SHA256 da32f3dd681051bc430f21fd4c91a6e0e5c6338b4d1c2e7073fe8712dc547ab3
SHA512 d5b9acd1d57e7e585ed8e592fc82047d6f6ab2a707975337fe3ccfc0adf430146ce0faacc691413c161f214fa26774065ee6527f5ac355eabf52aeb5e7848811

C:\Users\Admin\AppData\Local\Temp\uEEe.exe

MD5 642bbc3fda9a72533f730734a3c80574
SHA1 368abe701fc0592aadc5baf5ec9bc46a7e8b1b3b
SHA256 0cee76989f1593d49812c0ef392b45b0bc10072835e50083fece31d6f2fdc307
SHA512 52040acf99dbd6f5b43b75ac0267c396260a4eddd9cc8dfb21074f8a5bfeb68de982db449aeae0cfca317b974caa86a97a18db8303f5e8d04155999854c4eee1

C:\Users\Admin\AppData\Local\Temp\QYQc.exe

MD5 7809cbdfb8fa6456017472c3ee1dc14a
SHA1 20578b5165c75d752edce1fd1778930e7f7a71a2
SHA256 99a786b2d45d7f9a691a5584cf4569aa8288631723b0c2e18e2aa40660a5d819
SHA512 4a70dda4f53f7d231bdfff2618a1b133d096b030761a1d3faaa8aa120314b47fa9cb2ad9dfabe66a5ea9a95869f35972e6710fe9663a80a56463e090c7e64ef5

C:\Users\Admin\AppData\Local\Temp\AIMMgQEw.bat

MD5 76a68cb24d1f819f7b588bf3c608ff3c
SHA1 feffc6c376afc60244163c2d9cd0ec2faad46d18
SHA256 7b245db3ae1363f04c9238226442f3bb11985ea752df12b4d201da66fb0b5930
SHA512 d42b4ae2f81d54d5e9330ddcd957b283bb0cf96513373ec5db56a34cc8fe61d73efbfde9dfcabb0c6d9671958b1710b6b767d92bdac2258754be12168a387407

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 0cb918eedfae41df73cc6321a162dd16
SHA1 f56208b46c44977d5d03d1af35ca90ada1510914
SHA256 cf15987bbc27c239ec38c457f88df43600abf7fe6f5341369816a5550a333d1e
SHA512 57659a7da3cbecfc8e1f4fe9c71dce0724ab441d7171e4ccff4da8126f42965e17319400621f662e64af34fe2b0db4ed6d7e6dcfb3c5c39f3d9c5938fadaee44

C:\Users\Admin\AppData\Local\Temp\oMgi.exe

MD5 9ae56e474a4f7357b914ad603a981361
SHA1 918b14559bb8c3c6af333d62784aaa946e730a37
SHA256 f4bf02bf94156a79ffcab8715191ddbc2e99351cd0f5abcaa7c0cdef286958a6
SHA512 3d62c15b1bb1db087fe366492727a0790f508f5076037df1778a6d4ec8418b2e7f262b9bd2019486151b67cfdfc5aca25628fa5eb6d3c98f09ba2526d636b4bb

C:\Users\Admin\AppData\Local\Temp\GwEMEYQk.bat

MD5 2957e0101cb5a5edcf682ae8a6061d44
SHA1 3ec039215ab709180d45bcf9c35fa27ffee9e2b6
SHA256 af97aefa83b3f099b05269c21717024139a624c9edabdd51ecf037377b1e0ff2
SHA512 8c0b6392b549eb744982bf474db03d4280c12142d742fd13f2ef50252a7de1b6e3f80bf58b624c6aae76571be7520c2be685c24968161b3ddbb16edbb0e52273

C:\Users\Admin\AppData\Local\Temp\EIsQ.exe

MD5 5931b845d7d3bfcc2a28874b0c5f7ba5
SHA1 7ff316d4f1d3a7b2919085f7600cdf26980edf55
SHA256 3f8a5524f38faf10c81d031f66e14672bc8a83082bb273a010a0da72ffbaeaac
SHA512 bf6f21f46c0a6f0b98896e0cbed78f0559e241442bf9e8bf5a424bfe75e8e99379342f52d0751d4563ba306f2beacf383181f0f09c8c0399f56da35868b30039

C:\Users\Admin\AppData\Local\Temp\uwYs.exe

MD5 2a1e9bb6a4fa159ebed35680c96b9d30
SHA1 7f98b91a12d77df04093cf2c331851ea52c9a498
SHA256 e248986a6032b1b39ebc4f469d86040f7b76ec7bb89068aaf7fa230403e2a4f5
SHA512 eb82d799b5c36bdcee83c43b32d878a9fc883ad0f72ebad9c2edcbd84151cf202f4ec9bb9128402aef72722d17897727c1d7156d9143e071dfcff052cd6ac243

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 fa5d291a498d91ba02bfb472de91ec78
SHA1 33ee140f2b88f807e0de2eb6bdbbd56f95ab41ef
SHA256 679f7331645d74344585e09262b7ebea52d197dcb0011d52a41618a308517bd2
SHA512 22434bb9ea1d766054ec05bc046758c682385067ee6bf81c5d617f53247a272071faa8a486a37ddf0cf139b0adb96e5e78a5a70e56508da5846f007d98ba83d4

C:\Users\Admin\AppData\Local\Temp\dMEwsMYc.bat

MD5 d5bc01334867000fe8fc560a0749f2da
SHA1 30438388bed7662949daac8cf98ecb366d2335e6
SHA256 c40b89af56a1aa9992e7b7fad4d250ee6748cc4640e8d86a4018ff531e43f832
SHA512 6b11db5ac8e4fa965b4e73e3d1f6b2323b4f6f3034b150c58d4b377a0419ee7c2b26013cbcf7a015595c4624ddc5e937a201d54f401b4ec738a1345449eca2bc

C:\Users\Admin\AppData\Local\Temp\qocM.exe

MD5 8c434c06beeef48e32765e06d5be26ce
SHA1 86bc2b61dcae5b47578dc9e7e4811272f373cf87
SHA256 d841f694e58c0ab4d7d1a763d311d269b2e787b68dc884a9014008d958fd2b26
SHA512 cc19618c2f950577a5433382f50b7eb31b855b9536f3af20e9a8ca6519a5904a7bf07f1178300a0f0e63f84c158cf7a57996a1d593c9d9764c4a06867fae57c1

C:\Users\Admin\AppData\Local\Temp\SEYM.exe

MD5 f694512930c4cfe453877e0ae3a84fbf
SHA1 17f447ace5025e5bfe5ef124076a18719593a08d
SHA256 2048fe92590954c19b568a6636c16d7842e38e2db16d06275aaca8f970bb0230
SHA512 b6466cb4dfa48db4105bf2f0e0564ae630c63cd6c02f4494af2e310d98758820e298e82001810a4a36748370ceb14b9825b825e14f94341b7a16c34090d4123a

C:\Users\Admin\AppData\Local\Temp\QMcE.exe

MD5 b1c73bf49e4a41d6b69204082850cc0f
SHA1 1df467b43aaed292f735f134e6f74e8d9e791264
SHA256 a9489fffc18e23eadec71630229db7d8f1d7ef16bc6e8641e4bbb7e73321da60
SHA512 b17d9f462b516a173e53748c107ebeb4b1e53506cc01bad8b6ab59be059bd66fd0d4f33ed9325e65e9351dee025e6d609304136f99327f9bb64bae2503ca644f

C:\Users\Admin\AppData\Local\Temp\nwAAgYQQ.bat

MD5 d3c725da2c345b4441f3830bf39b061a
SHA1 a82fc91100bdd4a18c63da53dd5244a91825972a
SHA256 f98ee2bdbe620b58eb26a16ca7ab38fc1a87c0e26eacfe9ddb79fed0bb42a761
SHA512 15d67eae55168c6eac26d624ef15ea0344c010c732dbc9adbf411e3412f47c8f235400c1bece0bea0640fc4dd5e298253b5352e54de6ba35dba0f7a544be8157

C:\Users\Admin\AppData\Local\Temp\qYQG.exe

MD5 bf77948793f25063498655961516cfe2
SHA1 b51247d053a49dc87ec6718959e9e97b25e0ae25
SHA256 f4df8562ab5f60f95112f147204f7ca3bcd9959907162396f6d06d2c547aa902
SHA512 e89e75b6f306e40ef03f60ef31ffc82cf0142f630e5000dadc1d15bd42a84cd412c44bfee2f944e6feabe8ef74d18915f5286dadb2a21e832b36350f64bfc17f

C:\Users\Admin\AppData\Local\Temp\CkAA.exe

MD5 e1a13291d3e294f3b288ae071b647ca4
SHA1 9c86202548d20127ba314f4cb72fcff23c7973a5
SHA256 0485f773a4c120b54546cfbe600fff0162dea4a50560a784bb58e8554450cde0
SHA512 8e5210d437c5c2bef04d4cd22900ce02a93fe8b482a101323747d982b6de37fa3470d2eca0806988b15edf3f38acf7948e444849cfebe8690e840a48c03f7054

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 053b7db856818033d1f126a9a07c34df
SHA1 f2d772746be4d6154b3570ba3cee0fbfbd838e04
SHA256 eac60d721514bb8533c427a76f7ce3d780840ce5b1addcfeaf2f88730be6bbec
SHA512 cc760025eb2c5746e9a2ae738560ed22ca0780fff1e8e76eaa01deed2eea527ffadde9965117e4ea769919bb466e31d189f6e5e550931bdd00c8522bad358159

C:\Users\Admin\AppData\Local\Temp\LGAkIAgY.bat

MD5 9ea1a9f592d3b604bfcb35f0d296e1e0
SHA1 cf7342c6469906c88b474456a3e0d2a4972f0075
SHA256 9f26e052b6c550397e76884682ed667c81d02a7f6650c5c07d95be41e8c15ac9
SHA512 77d9f83b39a03261b51f072c847ff6cbbbd407ecfe7fdd380b5432e6c49ab3324cb9bd64da3a604c59e06d3728d2bc5978434ba08812267d7b9b6f00bf4d9cd3

C:\Users\Admin\AppData\Local\Temp\UgkK.exe

MD5 a7328c82ae52f27611e1b464e5d33802
SHA1 cb9670c6261c2396e55023e81ba5d6eef22ee5f4
SHA256 022bda53d73e497c5577f1522bf591a07e63fbfc2dfeca258e4c6f103614941f
SHA512 a270257860023ea46ed06b872f471335b83045876de1610d47c3e7a639f40d09f3e80e7398e9b3d900a5b5b37e7628e13ae396e8adced34e32f52e93208e7891

C:\Users\Admin\AppData\Local\Temp\feowoUoQ.bat

MD5 a6717b31258e46f5bf8c9bfa7b2c6d56
SHA1 2d4cbd8d16d198816d0745e7fd34901f6611d454
SHA256 a5064462e9c002b172a77b1b4627a6db0c95a59dab309980a513fda48d6f4b7f
SHA512 a3b3c359d912f7c0098c2384ff14f9b037aab291e6cee923f05ccb1c2a9a1c09260ba1a92eb1cc285560cae57b312cdef4f0bef9b991b7c33366f2d9a7f2e1bf

C:\Users\Admin\AppData\Local\Temp\IsES.exe

MD5 89dcf4a98dd64ac9186d458ca4fec2cf
SHA1 c3bf799fe3209038644da5e84148f3352a9f4846
SHA256 e0f3b9e577cf21a2fa1fd8d9dae34d91eb5afb2edc46f417b9ee086d399d741f
SHA512 853fc66def7e6f1ac46397770a2afe66fd904dd7d0d5c9e290f7894550054322873afd18bb20140088adef570ca7f0cb0c800b2e4a698c27b96806578253ac55

C:\Users\Admin\AppData\Local\Temp\uCAQkoAc.bat

MD5 10349fe4a02c97ffd7195d7e042dc100
SHA1 5cbe51bad4541e17dd7aab456cccd4867da17e8a
SHA256 12e9ffb5b46897509e292f01fbb36e186aad92f623d61c8d960d265c3fe54bd0
SHA512 0a188e4c1f3bf1a5eae42e397170b1283e8f841000d29811497b2a91c9f137719bd31e56ab0175f23f0a0554234f7023dc09bafec8e15946acae8b085c7e03c3

C:\Users\Admin\AppData\Local\Temp\WUUU.exe

MD5 ce7bdfbbc4e581aa83c4d848e297bc1c
SHA1 2b8992cec99d91383ef0b25dcf97fa891ede90fe
SHA256 584efdf3887b4cc9803808a017c864a8a8128f854471b40d005e226de586f188
SHA512 b2fcf8001c7bbcb704e6b93efba07765d9aade8a39087d4d73134594846ab4c52193f0cd27865d6f24afc6b5ab354a35c4707712900d08536ef0b39c9d390ae9

C:\Users\Admin\AppData\Local\Temp\Wsce.exe

MD5 8bea4cb046ac32848dfaffdb48f38e7d
SHA1 608f679a0509d46ec8777675edc817302c1cc8cb
SHA256 1f6762a52c8b95a45598abf89ec2362bfc7f1bdbd29746a9123f3851c10a768a
SHA512 e8b9b7fb5d669c3997b7ad40afc44e9fcb47f9d7d20868d49989e668b474b360ac0aa74180aa4ffdf61a45cb683d63190cd16753944e476fe5e8e0cca3417763

C:\Users\Admin\AppData\Local\Temp\Occi.exe

MD5 b2a2ed38d343688457d2c58d5068ee0b
SHA1 d4bf6d7f2bbe4d2d28120ed0de3938f00df17a94
SHA256 6b6a5c769719951151b6bfc9022c61f6bbe7636c54e6d0cd573d485ea8335137
SHA512 0c63fa058a70006af17b657571e293ad54ac82c0fc4ef3e768dfd3c5afcfd7452ce2b9b32f6d05e21059063ad382cbe07616bacc0823672eed0ebfde6b661791

C:\Users\Admin\AppData\Local\Temp\oEce.exe

MD5 3c8c7a51a95f66455e1d22d4df871b16
SHA1 469938f1f04b349483f388cb4ceb57c410911057
SHA256 9faf1d76468f5f13e7ace86eb2d50cd4641d2793dac8329d2224032e437c7d52
SHA512 024279344da7400f9a21dd41c5377aaba3b0bc161cd25fd3911b84fd61bf23033fb9e1232d63ab15bbcf8176ee1c6210df91b2dfa8ae127c5f6631783eaf32af

C:\Users\Admin\AppData\Local\Temp\iUEU.exe

MD5 3e249b509dd43db5e8b08ffbe3c76e5c
SHA1 ec40a094a84f4d1a159ca6efebe3ffb16fa34388
SHA256 6cfd54506108b657d16b47b5cd7f8db7ab2b64d2d87c98b74b2e426f061283c7
SHA512 533df2f2f897e3279db08e92548b91283f8ded8e8ed207e5ff02f82bbf4414d6bb9c82189ab1665c75ccdfc3f311c8af182a66bfe66013ab64022c0f74e7f122

C:\Users\Admin\AppData\Local\Temp\ycwgsQMg.bat

MD5 d70442e8f32540d7dca95ef9d3b6150d
SHA1 4956304834730fae6c41b740fcd8b693fcd034bc
SHA256 d5c6f3ae74f8bb39327c421ae6ec4731a8ce2185e3ffb182e4777166cec10547
SHA512 9ac91662da85d06285cb98ab812b8f1f6a7b05020dc9f8fa09310e620955457e7246e6907085f8af81d24adb7150f83f0f0dceff3cf141744fef706cc56c6ab8

C:\Users\Admin\AppData\Local\Temp\gYUc.exe

MD5 57a3044c5c973de33aa2e158a19bfe66
SHA1 403dda8356b65205e09e9224945ba10fb8e22df1
SHA256 d53172595b78ef18052cd206a10f2f4e9869d78ff912a6f809374171e860e4b7
SHA512 336adbee7f92da9161036d71f1ad71daf402c72407dfa38ac6c1585f87ac4057eac7ccb49da352d410751cf520b8433aab7e67da6e4964fcc2babd2ced3f9050

C:\Users\Admin\AppData\Local\Temp\YcIs.exe

MD5 458f00b30e43d413260bfc37d9517fea
SHA1 182375f13f760677c9d7cab19e94e1ed1e86685b
SHA256 6e707f49b97b9b4ebf037ab2981509fe12bbfbc4302841afa255bc7e5bfccfd8
SHA512 a459f843b71d6d8e82fb9f7c93680201ee6787749a26923acbded10dfe98d274ed8990c9ee2df0f3123a68a094b8f8ba7a1dde610802226b245104187fe65780

C:\Users\Admin\AppData\Local\Temp\ckQu.exe

MD5 d6443258c1057b73a47c489b97e32583
SHA1 f974a36c3df8cab7e621d674335792a0b0088afa
SHA256 676175533d57f33d67025eec28c06debbb947845c3fe86475cdcab2fe4b591ee
SHA512 bebbffcc4b6eb7ba1f85815d6244d10bcc1251663e8bd445dc51bf4bc1cd578e3a332fa694ae0eba1bb5b0ea6a9e54f45d4ca343385ebf61f85f1c882e6520ac

C:\Users\Admin\AppData\Local\Temp\qIQo.exe

MD5 74e6001df8bc02a8d4f63e96a8f65794
SHA1 33c212daf120523149b6a296f6b94e1324500fde
SHA256 fff97485f0625883de9e0855f4a958613adbe86718151fae8d263464e601be52
SHA512 5735c398ac692b34c911d7be6b3c3f65554f1d36076d7d39b91156a91af4d071fb859e1bc3a352d2d9820c52f8545511257eb2c02fa01c42fa32511a9d61ff39

C:\Users\Admin\AppData\Local\Temp\moIe.exe

MD5 f042442e4dfa8ecbef5312f234bd722b
SHA1 6037ee4c40c3084cd39bbdd9c14cc09513368aed
SHA256 e7400f61b0059a3db14ddfa796d60e5fbd9bea82aa2f1555bff26603fadb0d7c
SHA512 f625cff1becc39a3f20e8205832e7e69d66ac3149145a821c6a5fde1f88cb65a6c3c62792897155d88319f0be56cb6f8f8414e1be268f4e1e6e5cb711c0b7195

C:\Users\Admin\AppData\Local\Temp\iSEocQEM.bat

MD5 fb2920de7be90ba948ae702bf9cb1433
SHA1 a5554788059ef61c9e4cdc473e8738e4686d010a
SHA256 729808c40f3838abae95575376b77e884eac2515dec3968002acec8ae0e566a6
SHA512 666d7ec5fc4da015ca2fe10f85b6091f5642ac3472721879436722786423a83016d899dbbf5a64aa68b1e192356a3bf13a6336327aa611c6ea59ef5482370ffe

C:\Users\Admin\AppData\Local\Temp\NSYUgsog.bat

MD5 2232c8747cae11932621b6b438cc39b6
SHA1 6e974c3ed2eaea4dd294116e1243cc075f0254e6
SHA256 8bd8c286deef4e924438172166f824e19ae000afbb729fc13c2e293c121fdc96
SHA512 ccd7cd556f75312bb4ee8920c1df4a03394e1221c9a61bc8928949740260513798cbea0bc44f8a45b427612fdf6b8f1afbc536f380c1ba53f9b0cebf75e0160c

C:\Users\Admin\AppData\Local\Temp\hEUYQMYA.bat

MD5 91670f31fd7e90beccf26649099269de
SHA1 fe0b1f57213d90f357efcc9942ab8d32af9c6e64
SHA256 1b07c142ed42fe6a9087323711ddf524a18d725036fe388a10707f56d806bdd7
SHA512 4f308ba954a25f8a52243ac89c9814dd4ef90962308f9a64f8ac191e91c41bc9b932e4872f37c3d1cb7dfbf0246290f9a5b0fb56948d3bb52a9abd08170234e4

C:\Users\Admin\AppData\Local\Temp\dSgokwkg.bat

MD5 c17bf0cb07beb462264e9f19743ee734
SHA1 695d3a2f23be6fbdb03039d73d9357bda10a68cc
SHA256 d800a4a7a15201ea88062ac07c8fabbcf26b978d8c8ec644c75cc6d051b5228d
SHA512 2c1c3dcc2e49cde0e73136fbfd466d3191fd54170160fdf539e365bb4c202e93f1576e0d46d05636b86de5f7f00633b1c17b5f161e68ffb6d6c156af97941563

C:\Users\Admin\AppData\Local\Temp\FoEgsMYs.bat

MD5 c0f073d5569fd3c02d6c3f3408d29312
SHA1 cf1d5e5f567cb530f93f991882a5a9869c35876f
SHA256 ecac7094b20385f923f461d6d94bb71dee239f1f9368200a70543fab14401704
SHA512 57b6ee9410431490591ab3f7d2e7f35ea8bbd5c2d49b4e859efbca5ddec46ce1fcedfefc1c7b6f99e38cc683451535808cc159b9b60dabcbe9a6058940e57173

C:\Users\Admin\AppData\Local\Temp\esUcEUUA.bat

MD5 7b122660357b6c63081834911b5edec3
SHA1 ccc63c24d46d4b8da6bd5994d77d5ba61c0af578
SHA256 4b12bc6e5bec9721e79873a3058bf828dd7a526e82158d90d4bb4fe698e8c419
SHA512 dcf73fd1e9d6ef036b861ffc969e16ee9827b5b7274268fb89ea4d7a3ca8df5b99dcb7c433e5280f2206ba2463346a7d8b4ace89a13c53fd2396aaa573581598

C:\Users\Admin\AppData\Local\Temp\yMQQsccw.bat

MD5 ac6ef23e771ed07b817ce284bd78ab77
SHA1 31a7a63c709026d503e5aa9e6459272b267c68f0
SHA256 24ad9ec7705382c7b3993b54e8b306409b868d6bb4e6f6f0321f33f21117a8a4
SHA512 5abe3874ef182a58bc6e7d2bd967239c0edbd672159d51afd776d7c313da725fa8f7c6a8b0150551068053bbe7fb24ee9f83373f1be50e41d411dc087dd31df7

C:\Users\Admin\AppData\Local\Temp\IwwQIQwY.bat

MD5 04b53e93e4f2cb89c3e531f8ee571ee1
SHA1 83252750fdafb8461fccd0778d7f73c80c536d78
SHA256 d702a1fc3a5782ad31eed597ed82d10c662823ef5671549d05865e175e8648aa
SHA512 952f9dcac4a2acd16c6c5b54e8dbf74636f40acb8926d89a73e9d197c169ae5a95a96bbac342e2d887555540bac3d8927c2594bbb9b7712a03318609b6142095

C:\Users\Admin\AppData\Local\Temp\AKkcQMws.bat

MD5 1f70bbf50c471cf097860aa77cfcdb2f
SHA1 d7685629966f1c995eb3a12b6cc9c5ac830715f5
SHA256 ea9b3248b2c75c021d537dd724d29f6a42befa1ac4e210e7f889c46c094b82f9
SHA512 b58d66047beb9a418f5c193e835a415d35e02f5a2a5b1696dc966aed1caea33e99b55bad1cd67cbbd20d1ef3d654c22c92b6bd79525d10be7872012dea5e8334

C:\Users\Admin\AppData\Local\Temp\REkMksQo.bat

MD5 01c0a19cc2ecda6c70c2a99efaa65cff
SHA1 6160d6eeffaa3583091490305e777808e4f6b2f2
SHA256 46ae5d309a95457c61876826395da4aa9ddbb245528cd82305645d881ace5e2f
SHA512 770950d81acf7b730723c6eac6a0eecce7926aac82155ee265f8551e14817b29493b814f57c1155b3fac8378cbdd43ac0c7e776cc4188da4b442fc403d458d62

C:\Users\Admin\AppData\Local\Temp\dCQQUAQQ.bat

MD5 1e023b312b6152549d8438fa7abf391c
SHA1 565df4941b8a1c512600d0de3e30b6c0ec8b3b96
SHA256 2c4b78e61eca5ff59f77dca241890652ec50ade667a62e8c957fe8ba3b0984d5
SHA512 4d30e806e7a4b1fbc98cddac3e1fe79466aaa1d8f6cc229972a9f787eebeac45cd9bc25bb8cefbb5b618c81e89cbcfecc885b7a8df822592eeb5acc61867f983

C:\Users\Admin\AppData\Local\Temp\RaUgIQsk.bat

MD5 303c477522e1da68ade103de45df7f07
SHA1 43f5d14d902f6b22c2acf40eb499fe9bbbd9a22a
SHA256 a1260b9cbdfb375d5aa71eccbeb2f15f6a1bcd4a6aae3ff66e55ebc18a5ce051
SHA512 0cd7115e227009742334d59329f2052ff52e6a4eba5938475cec3837914b2501702f3aeaacbbe7c042be01652c6fa739aa032646ed827c57fdcf1cee5ea35e60

C:\Users\Admin\AppData\Local\Temp\FugUMEkQ.bat

MD5 537e3e3f6dcad46d0ed16da0c5b33762
SHA1 83d737b314ab211e56822467d702061fe36e9cb0
SHA256 08122cbe956d369cc9ad8957de498db9f80488a7a01b491f7eb911a007c2894d
SHA512 98e96046c334c6c28e53cd6699d031b519167785bcc32de74956838831cc4ac4e98326d125ff73b3d390043f1d8b0be11ec0593096141e2801e77337bbfd8f2a

C:\Users\Admin\AppData\Local\Temp\QIgIsUQo.bat

MD5 08586e9bfe8e07439c9ec211e23cb853
SHA1 001c7e95f236002df25b10fedf773cb15555c6b8
SHA256 f95507878e2405ce600a6298b9d5d0f6d7e06b254095f6bb27a78473be21342d
SHA512 3b21244a00a0a4018e9d3f42d1bbdcaaac80a24e5ce675fa7c0b060302a721a32b2de49e1a994a600e9871246e52c0f1b25284e41e41cf2f6093a22289a06d3f

C:\Users\Admin\AppData\Local\Temp\GQgkAscQ.bat

MD5 5aa9f242c57920083fb717044373b54e
SHA1 0f4bd41e29b8f776ca298caa038dc6f08d0ae827
SHA256 848e5eaef496440c27d88a386bee5898f734e7ed83a16c2b7152f1e1103b45b6
SHA512 31141714056ede830fb4612ab16ad89df27f094873bcacb37d69e421871453472072406612a83f9c3be784d93aef6dba0c9250c6ec910cb1338fc66e6064ac13

C:\Users\Admin\AppData\Local\Temp\MKsIQMgU.bat

MD5 14f713cc7affbf50a9de3da89766e1eb
SHA1 8052862440433365a698fffbfcb729059f0111a9
SHA256 e98366d0718180bc89d25fefa0de85be7405ef73694c25bcf2bf9cbc0ad79241
SHA512 8383197aef65d3a58da6905682b5653ca04b61eb233d5594fab6916796bdefabc5fe588b3041df7bf1ce354c4c254045983582d1984c632b5787c67d52f5e91b

C:\Users\Admin\AppData\Local\Temp\OeMgsgsE.bat

MD5 70f7d2b89703edafbbf100aea139cfcc
SHA1 3f7cc5478eb53b4f8a63fa277adc9591489412c9
SHA256 ff83483003ac06cc4b51a59085e7f0a94ffdf70f7aab3f32c0ab41e4cff5954e
SHA512 4e0834213e59d892107838505d04f25c1dfc3e9bbc59702f7f07a5a0a5659131a4dcc32aa7206f569408921333f0e814b85296772fa4a807698069d5c5966ef9

C:\Users\Admin\AppData\Local\Temp\dOUEIsgk.bat

MD5 28f8272f4799933cc6d75e37973abd2e
SHA1 0dbad0a3a724cbf4d9141a422be44946d8fdb5d6
SHA256 3cf506a8eaf19ad8bfeb7945e167e76618d9dfa5613edc79f15716e726243f08
SHA512 30adb5ae63173580629fdf20449e898257928a7310ab7ebe3d6575d4a5a751e5b28d39fb7238ee6a7ae51e8d70b2fe5a0abaea47152f04c1ee8c50f2e2521518

C:\Users\Admin\AppData\Local\Temp\tgUMEwos.bat

MD5 e2254c84f0e316c5ad550ba554e13cac
SHA1 e2e45fc7c41b1141042f8eea73405570dc4f1b6c
SHA256 c1e227771037e3594a20dbaf1e0a66b52a2a90773e351577efea0c8290e82fa4
SHA512 94f8290933b06ab6811c2f1bf42edc87fde9dc97c3afd7f006bfd06c1e3580ad24b9acd885f303911bd6f68cadbdc47d1a3e32fafdf0b1ba218066bba0624ab4

C:\Users\Admin\AppData\Local\Temp\TskEEIQk.bat

MD5 f2396f34315bb00963eede18168ca749
SHA1 69a8908dcb20216b1d125ca0da0c4569038c3f31
SHA256 7c290fd8ecf73b943e1b7e0f126d1d8c2e4cf58d99f5aa681a47bb19d9611919
SHA512 3a570e859f8bf57fec2066c668d285baf8ff1143a660c1ceecb76360906091cb8fbed2a19b683ab227783139ab9588fa5c58975a8272a554f6d611180a31e204

C:\Users\Admin\AppData\Local\Temp\XeckIYAU.bat

MD5 5968eda94211ea849b9479681a4a0c54
SHA1 56d364ef477b2b17c9f6bae158658377db23e4e8
SHA256 3fbc0c90158cc166bbcec4b9fa99ec18b1c14492b8ed219801eaa0946bc73a80
SHA512 65f80bac4ebd511724add0efe161c4c20ef9abac510686b4f0e36e2d12681829a23c2f60970643b788063396708ccc1a24352b069ceafbbdf3f1dee39318facf

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 18:38

Reported

2024-04-03 18:40

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (87) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\ProgramData\FiscYoIc\QIQsoIUQ.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUkgMMM.exe = "C:\\Users\\Admin\\IEIwMEkw\\MoUkgMMM.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QIQsoIUQ.exe = "C:\\ProgramData\\FiscYoIc\\QIQsoIUQ.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUkgMMM.exe = "C:\\Users\\Admin\\IEIwMEkw\\MoUkgMMM.exe" C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QIQsoIUQ.exe = "C:\\ProgramData\\FiscYoIc\\QIQsoIUQ.exe" C:\ProgramData\FiscYoIc\QIQsoIUQ.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A
N/A N/A C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4448 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe
PID 4448 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe
PID 4448 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe
PID 4448 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\ProgramData\FiscYoIc\QIQsoIUQ.exe
PID 4448 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\ProgramData\FiscYoIc\QIQsoIUQ.exe
PID 4448 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\ProgramData\FiscYoIc\QIQsoIUQ.exe
PID 4448 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4448 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4448 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3340 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe
PID 4688 wrote to memory of 3340 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe
PID 4688 wrote to memory of 3340 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe
PID 4448 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4448 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4448 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4448 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4448 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4448 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4448 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4448 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4448 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4448 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4448 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4448 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2576 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2576 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3340 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3340 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3340 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe
PID 1900 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe
PID 1900 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe
PID 3340 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3340 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3340 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3340 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3340 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3340 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3340 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3340 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3340 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3340 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3340 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3340 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 3380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4600 wrote to memory of 3380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4600 wrote to memory of 3380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2740 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe
PID 976 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe
PID 976 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe
PID 2740 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe"

C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe

"C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe"

C:\ProgramData\FiscYoIc\QIQsoIUQ.exe

"C:\ProgramData\FiscYoIc\QIQsoIUQ.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xoMAAcIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiYssEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iuoAIQUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWgkkYUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIQYQUsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqsoAUsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgEMAsos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCgoAooU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkYAkMco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWEQEooI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSIccwEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYUAgQAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe ba1ef31068c579494c4332718ff9db2e StmLDFRCtE+K7Ag/ezBIAw.0.1.0.0.0

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQgQEgMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWIoUsQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEcUUQQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VksUUQYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMwgQYoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eugYkwEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQoIwQIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YyAMsYwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUkYEUIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYsgwkMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAcAEQYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWAkYwoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSQoQskc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKAoQksg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wukcggAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MooYkcUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikgAYsQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noMgQYMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\posQwEQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGkwkMAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqAscgsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WckkcUEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQgskcIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKQAIQEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAcYsUMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NggEgkok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAckUgko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCIQcUMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACMIAoYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwEcAwAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqkoIgso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyIYgwkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkkoUEoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAQkIEoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyMoIIQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIcQoMoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQcAIQoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgMggcME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JawEIEYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NyMQMUgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgwIoUUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYoowQUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IggoMgIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmEgckYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYcMIgQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUsIYsMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgoIkocY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAUwUcww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqMEYsAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeYgkwko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUIwMMIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EeokkYQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NaoIEkAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUkEsUIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuYQoEcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fsoswkwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwokoEww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEQksskc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McgIscUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAkggAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaQscIIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYgwEkkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeUMAQoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYssgYcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEcAUsUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgksscQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmAcMMYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmksQEEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAoEYocQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwIgIgYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EcogkQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOQIMIIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUsIcEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEwMgEEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAEsoMoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOQUIscA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOwQYoYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQEYkQwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKogAwUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqMMMEQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWwcsAcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCEMwwoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEwYYEQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwcoIIEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOYcoAAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEYwossA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQUwMkkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 142.250.200.46:80 google.com tcp
GB 142.250.200.46:80 google.com tcp
US 8.8.8.8:53 38.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 218.122.19.2.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 147.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/4448-0-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\ProgramData\FiscYoIc\QIQsoIUQ.exe

MD5 2b8bdd16752446b226fc6267f0bdc654
SHA1 fbfee0374a8df284a379e1ec6f62e09b5123fd2f
SHA256 6ca45e9595383ba6902e1d67e515837cbfb9b62a350bb2b9e266255587acd61c
SHA512 a74d391b21a919c8a5ff34b7b9a2efc6c9ef5efeb8511b67afceaff16dc04231bc5a183b6040b06115b903bd42dd056f7f2f97a60f78ac3a7f10fb9e076c9df8

memory/1772-8-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\IEIwMEkw\MoUkgMMM.exe

MD5 4c29c5561cca29d3cd95142c613d527d
SHA1 1be19f4f50fd7e2c8e9e1d53190e0c5e14cb96be
SHA256 a2bbddd0a8d8a733b305fd88a692a77905ce42f0d0b525c78e55015cbce305a6
SHA512 da816890d4681923f44b2911491c86295077581502750bb98e4dc3698738cdbc48eec97be97c60618890468abc4f9253c3e154e2acbdf5460b10481d507c4666

memory/2156-15-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4448-20-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3340-19-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xoMAAcIA.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-04-03_544db6d59b25248df3c9cf9b9b33b544_virlock

MD5 f2271fe569c058dc724d9b9e53811e31
SHA1 ea276fc14127875413ac387f017bd2291a987f4b
SHA256 bf0074851e2435a255b512e502b831ed2c456774971f8fc57004d597769364a6
SHA512 c324428534f64879aa17b190206e538066308486d95e9fa1b8b7238bc79067042717c232034ef8926376b72d3123be169852b05bfe58c7f69887245d91e5b53d

memory/3340-31-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2740-28-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/2740-43-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4196-44-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/392-55-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4196-56-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1472-64-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/392-68-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4456-79-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1472-80-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2640-88-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4456-92-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2640-104-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3276-101-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3276-115-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3964-116-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/5080-124-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3964-128-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4308-137-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/5080-140-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4456-149-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4308-152-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3916-161-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4456-164-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3916-175-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4636-176-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4636-187-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1140-195-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3592-199-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1140-210-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1604-221-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1864-222-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4652-230-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1604-234-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1760-243-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4652-246-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1760-257-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2428-258-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/5088-263-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2428-267-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/5088-275-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4452-283-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/5072-284-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4452-293-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1792-292-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3812-298-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1792-302-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3876-308-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3812-311-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2684-316-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3876-320-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2684-328-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/628-336-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4964-337-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4964-345-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1200-353-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4132-354-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2304-362-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4132-363-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WAsY.exe

MD5 27e13b020ff55fd593f513651aa01d12
SHA1 34193776e4f0d7d7befc5014a77ae651e21cfeef
SHA256 b3799e1f43966120d9e25c9c43f9bb9d82d14f80727d8101ff190a8e07626363
SHA512 3a7da31a32cb924188d4bd1313a33db5c4b247f94484a9ef360c01027db37010a57a8f2c6a3763fe316050c6938fd12eab8e7195ed516948a19a4816d4438c17

C:\Users\Admin\AppData\Local\Temp\SMUC.exe

MD5 6e257f8dbbfc5013d88bdef33b2f031d
SHA1 e376a63acaba3b3f41fe54548a985ed25ddc735e
SHA256 ffd4032915ef383496f9d5e6d5e9d507a81097d6f675f83d0b9ec939836b4db7
SHA512 200e2e6f38da9cfc38ad056281a1d7b47eb1ba4528e1b7bb69406f59c9d6d405875fc3a1872ec39a9dbcda42ff6501c14a9f9cd3de0745e394777722eede3bd5

C:\Users\Admin\AppData\Local\Temp\EAIy.exe

MD5 aaed4e911a23480d040d1ab1862af2b1
SHA1 d657df35db027ac65a080e6f9cf75d4fc9bbbca2
SHA256 8d6226bb48f990c9d6282b8f7c4f9998aa5edffae0b7c7f05f3e152e0f133677
SHA512 6acd28d2e708bed40479311bd21eaf7ce6ede8452a3a1120a3f7e2e7290998f6ae5c0ee707ad94e0776480ae74a1575f0d08e84da0fa0fd7bd210f22c345b345

C:\Users\Admin\AppData\Local\Temp\Cggo.exe

MD5 9892fd9f738d96c64ddd9cdfbf3eac79
SHA1 d44fe9d5366dbf860f01bceb8eff8f39c41c0b3d
SHA256 6bcb9be45e570201c0398e26f321ecf8ebb03e26f54b8ba9b7a391fbee9c59f9
SHA512 09b67ad6256e12bd049ada6b8886f5bee19734a75bc5dfbec4bb56d7c2dbcaf7e91be2896defb7070e25ae3438c16154b1d1a34e8671b7631739ba1287e06b41

C:\Users\Admin\AppData\Local\Temp\OssG.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\awEc.exe

MD5 5e49f2d166c56de0d44f32dd1d0ffd8a
SHA1 67b77470f8f6ac87c19c6b5e14eb30cf57ceb36e
SHA256 5ccdcddc8658c69b635aee24aa2092bb965ac08c11214d2bf1e7ca8e108a2b21
SHA512 ef7430484311fd0c9c969a17b7bbfc5495b72d9e4b9aeb53aac05a2f4fb4a137fa992ea0b52830c8c853527a40f0cef5dd779f900f80afe0493d7186142fcab6

C:\Users\Admin\AppData\Local\Temp\yIIq.exe

MD5 0cb36dfa7c9928f08ad130c199a245ba
SHA1 df540be7557c40ec70f51e63294d17a731d0b978
SHA256 d7379ce3295926c15a40480cf7ac4f229ed27b686e245f852e9a7a1baeaf5e5d
SHA512 f1ff5b9ad513256c4f34a3b2e3b0f9b5552604f34b9c0c98545ba5c4dc83b9b90d3b3e442e8a84c207826c378dbd2b643b66854d9004868dc7ae0d5aff385798

C:\Users\Admin\AppData\Local\Temp\IMkM.exe

MD5 1031802572110dc962f21d87561b812d
SHA1 e5e5e860a27b0b4335030f13b7942cc83a90b0ef
SHA256 1618145784b5640cfe1e81c9186cf869772345eb86f663f7ef5a1d7a1c35c5dc
SHA512 2a4f81d74c5021f5b3da43a6d741f57c2fa62bc2ff61b39a008137e1c4aaf43e1d23003a6315c273641d8b91680aa48971157b170339e5ced5a665b18005f87c

C:\Users\Admin\AppData\Local\Temp\MMwk.exe

MD5 75e09f0a792c13851d8dfe0a73a28f8e
SHA1 baf105a1591ad022fcdac8f7a7e58e9fa26e504f
SHA256 706df0e78330a1f8867650ec58b72ea48bc5a869a286a797ffa57c5ba524f7fe
SHA512 e69a8da2b6ccf7217e5d2c944976b0102060832e5a04f47f26b623b8246d431e47dbb7c3c8614fcea43fd22309bfb90ce318a8089fe0d5683f117ea9a915059c

C:\Users\Admin\AppData\Local\Temp\OkME.exe

MD5 623390d6836689c74e013eddf3fb3bac
SHA1 bbb91397dcfae0ded91bf3d714675cbd1084ab3a
SHA256 b1cf5c5b4a05bd62c3809195b60a9942fdeb4ee5a3d7fd28a7c783f868a84621
SHA512 4337a936c41c9a45423dbe59fa720e44d35d18335ec4102d1d55c2543b600e7fa9044bc8c42bcb3d417403c44e5d3d6330df5de1722b6ebcdb332f1a2853749e

C:\Users\Admin\AppData\Local\Temp\yowQ.exe

MD5 38de82e0a549cc8e5eedb0df14f9ef4b
SHA1 1434a5406b7779ac50b226c92ecd6b129e4237f1
SHA256 9855192349e5c61495ff97d81b87b280f72cf361c2ffb7e39e2a1d986d64850f
SHA512 92c57611826a31eb997f6c91d9b319c61fded9ec549e31cbe40145b07e3b35842fae2a0660ef3a16314b73e330b9e8b6fd00302e94f5cd48e963b4ba82ab3f38

C:\Users\Admin\AppData\Local\Temp\qMou.exe

MD5 4de53c36d2be4902d9cb9a270b872e24
SHA1 8bd0aafcadfcea47d45c65ad1d5610cdbf1417d6
SHA256 0aab7a4ea28a36e42f8ad2892acf0da14111e40897b44141120a365525eb6677
SHA512 225ce0289aee71bcfbeadce027bbdea392a37e5ea9f1de220aaadba6abbf68e7470b5fe5fb74a3eb30b515bb4bdb4e47b68fa615edc266fa126cd91d18b6f1e2

C:\Users\Admin\AppData\Local\Temp\msIa.exe

MD5 fb2087ccee9cc7beec13a72ff5f94c9d
SHA1 9c4dad6d134b392f5cd89318b7d19b25369e681b
SHA256 1f0d87388e8d5dbb9b836bd633015a7890883bf6150c658d51ce197392063002
SHA512 be7f297b3bcd7784cc2c2c7f64bcaa223032647c1f263b5d55d70b007cf6b4402ead5043652a2aafb26fe3f0ce280ed393749817c71073f6e43c0aaad320c574

C:\Users\Admin\AppData\Local\Temp\MMwK.exe

MD5 477065def6e6ad02081d24b3c6428f14
SHA1 e5e27bb06765a06796507bf015216d86dd8ea5fb
SHA256 beede4f923dcdb6fdbc761ee00ee027acc553578ffbb2d64e281a28d7934d88d
SHA512 35aa13fb158f886f71ec5b77e7f698fd83450ae91d5f1f49fc9aacb96c16606b65b3925836c76720b891a7410bd8be2a9b03d0c5ba75469bd7b6bd8193f57b9e

C:\Users\Admin\AppData\Local\Temp\ogcc.exe

MD5 31f5ebfa99ebb66c5c2f29b544832f8e
SHA1 94426d91fe51ce0633887c21a7e114a4678629ec
SHA256 a30d0a78c89e2f5ab82baff79913e57f4f42d0f04d361ce1c0c826a6f3fa52f3
SHA512 267c2317b31e36898614f985ecd37c1e2cbbf423fd6256935962becf9c60833a08ec5da17fdb7976aa6acb5764072ebdda05f345dc9e6f9ca980ade7b0879b67

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 5418a8593a64f8ed851ebb1f5f0f4859
SHA1 69148380a52d38295be3ee867ce876e9e6a294c9
SHA256 666f32b16343944250ecb12f1f688f0f5cd7c542a4c773f38ae0ad7b1a211bee
SHA512 6b56cb83f8a547e650426f20f0aaf7cb6018173bdeadc4593c906ae39e4090b446ff8a420a3683e017dd98feb7cca43859250e496c28d95de278bc70554f7f2e

C:\Users\Admin\AppData\Local\Temp\QMIW.exe

MD5 737d44fa110497ac7fd632bb92d018de
SHA1 a04c9b74c5ed071b06e402ef3c053ba4779fa13c
SHA256 c26f53318ef5e3513c6ce0230426a5b78642dfa404635de0a840a1549724cc92
SHA512 a5fec6fc7c2b4a36ba97d5b7161bee6c715cae68a9f9e581b14af04909e6fa644840a93503aa9aac81a18f6c4df549dc0daf009246fd3a926d1ef32e7288b24f

C:\Users\Admin\AppData\Local\Temp\sUAC.exe

MD5 d160e2064906d871b606c054fd2340eb
SHA1 43813e06f467478b76b6e50192fe94e4d5bede3b
SHA256 772e800c61821e572f309f7f70b1f186bd3114ed1cedcd2acd1e47adb3bb9cf5
SHA512 c1b5c1d8b1ab766cbdba5dcade59414f90ff30210c2a417e5cd60b96e6d501be096e250492e67728b4f374f17279b0f43f26cf4fd8742349401671fd24979fc7

C:\Users\Admin\AppData\Local\Temp\woEG.exe

MD5 2c9a2bf5788a641f41df56062ce4b43e
SHA1 d12d983874ff21f73acc004bee5a884f0298e61d
SHA256 5fd9755568370af72e894ebb2d11b2faf5d0af4ad1f8261afbe4baa237f8a11a
SHA512 801780ef6874ba5a97b900d16c5f080ac56089e28df9379108717ce16c9e8e5f61296f481d862ea1803c922681b68555a3c3917aadc867ff7fa983006a423a24

C:\Users\Admin\AppData\Local\Temp\QogA.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\cwUa.exe

MD5 d14582ba05d4201eda007ef8529dd377
SHA1 9a61aa17328e36ca7d67ef17e1768e5f8ccc53b9
SHA256 1aa0ea51bf88db5d75fc0e2134f872069eb24f8590428e5e1b56113eba0bdff2
SHA512 5ae49a3e4de744693450d7cff72ae52ec7020e1ee43ea42239833828332935afeedd076321cb88b5afb5dea277ac1425771473470a4507773adc9a93f95d3152

C:\Users\Admin\AppData\Local\Temp\ckMa.exe

MD5 2df52f520c6064f2b88091298747cf2b
SHA1 639de755250bb2ff6cf0c042b37a9edd18689285
SHA256 1a847080904db9d4b0ec45f03e352fb089708f6c4b70144231b510d8b0a7b6a3
SHA512 a077ab1308e2fdca12e0962953a141cebbf9a2cd49cfde64dcef15775baffcc3ee242621d72bc65fb1e7b8108b49c27af01e9b6939db6d9277c608c0a695370b

C:\Users\Admin\AppData\Local\Temp\wIcA.exe

MD5 f178e4759b3ac31d11cc7c6f76c50e71
SHA1 a20d068be8aafae13962223f5f95bc803ddec0e1
SHA256 c800d1a0cf2f797bbf4d57f4033eb584deaa8b64b1648344eecbd0b98e8fe9f0
SHA512 9b94a2efe3a502d627295a7a13d19ef2193992a1cbeed7056a8fcd3d0b126b1b588f41d4e0680826c66faa835df97777aeac70c7097153a800ee13348fdc7cc6

C:\Users\Admin\AppData\Local\Temp\mkEo.exe

MD5 43e7d8cf6cf27ed90485e23e08f2baf9
SHA1 f755343d9006d905a0ca003df2ca2519a2d96a40
SHA256 6c048411e5d10fde4de7453f11dc26c87506149772a56e6aa9d7853b7cd23d80
SHA512 dc1b03f6ab7cc481283cabe732c80f12845393d32c5ef071c2ca67f137c5b2b32fbea5ab3543d1b6a6cf923fdc50801958026b10373d08cae8cfea02fe96c102

C:\Users\Admin\AppData\Local\Temp\wUsu.exe

MD5 4969d0db0c919807aa20e66309396521
SHA1 8a7ab84ed10887b0234f76e6fd59e0e92fe2b035
SHA256 e760a6dd660f184add15c190638cf23b8dd14902f5f1d454ad7e3f1a304d3d92
SHA512 feb187bb74f317fa8f21e4e0e48f5f917e77a7e6f97b6a44d8e2e0d1623043e2ccc06e998e9d13efe58d339c625623a5f0343427716d6caca75a916eae1a9188

C:\Users\Admin\AppData\Local\Temp\YksQ.exe

MD5 b9a5ff2563a25315dc0a5e8a4196775e
SHA1 ad6bf8414b9ed9f4983ad43470e96bba5f413967
SHA256 b23567330cd67b5b4d2ea716f48e9229237b192c01e42893837ddb93a75d8ace
SHA512 718bbf96b21840ffdce0d7fcc9063b1bdbd8cefc89563c94be95c5ef63e0b7f60a3687ace08e11b0f21cdc375a2d8149f9c5e94eb4ca364aeb084c37aab1007f

C:\Users\Admin\AppData\Local\Temp\okIm.exe

MD5 0f18ec76d5463e54d24307ca6a92003d
SHA1 b66935560d29af6081b2a9baa6c8f29406feb8b1
SHA256 f77cfff6912b5757d7bde75403e7e803ff5c14df496f21841244a7e736df057e
SHA512 198bcd764c8d96dad12fe1c9d9e0d4c5cc812dceaadc3c45893e82cf4a43b309a2fabeaa9e679e08525288b8e2ffa73f7fcf1ab56eeabb79d5bad34f3517bf58

C:\Users\Admin\AppData\Local\Temp\Usky.exe

MD5 f798904a602655e5e4890fd8b447c90f
SHA1 71b14db763ff68666b1e959c63ee028f61dbf349
SHA256 5db0b04abe25a1a7fb7545d2467674728bcd761fa33e78100168f10e2412f8b7
SHA512 e2948dc1988cd860ed281e08b4925fb05b293b577541ffde0da6a7770f222f215529401fbc794eb7e0298222d42df22b352e87da2f220c9b11aa03b619c786ef

C:\Users\Admin\AppData\Local\Temp\qEYS.exe

MD5 6ceeefb085426806fe3b7b773dcb3655
SHA1 a7f55447313b4dc6f2b609122396ee3ef3511fa5
SHA256 fda3b5abe63f35aa0219a888d84aa55a432b3d5d637b2cf00af1b180836c2df5
SHA512 81954c8151ab65b49bf9e430a584bf344b593640bd8dce461db73fe794b6faeeef926ec56bb7bd9ab72a4849dc36bbc06d165656d5ed44476ade8fdecdce8eee

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

MD5 63a09d4510d6f9906e03d8f60ec0b6f6
SHA1 0b44d38847ae2bbff209e627ce5c8349537b1779
SHA256 7f211de7a82a2bc6f5add17bb84b3223d91baa77a0a15de07028d5c6bd2b3941
SHA512 df14a1402cca061c3781b6a11814fb73456217371ef8bb3b19d41d1a09f1aff4a7788cedb9be21e5a445ed208f7fc89b30ba0d8c0bcdee4311f847a451d7cf47

C:\Users\Admin\AppData\Local\Temp\CsQy.exe

MD5 a25c796a1f47a71c1337b56b41b30bd4
SHA1 0968501a99b56497e713b8083b1c6751cf168222
SHA256 16cf5ae224f3369c5541dbcc99e2e07f0459fecbecd38771700b14a3ea33fb29
SHA512 35db81b2e1f97cd90a5acb98a070f3cb54c6815594f7ff34d62442ea542e5f1c823ad97cad1824450248c79f8b135c4b3850ccadc7fc4cb7ea42865033bb3904

C:\Users\Admin\AppData\Local\Temp\KAwA.exe

MD5 efdacd13bbd244249c9f74992169ed84
SHA1 72af4e58b90d8987661b3fddd295894680ba367d
SHA256 93a5f340d734a8ecccce22b916ebfe56bb9e63076365e5d7315ad885d803a1c9
SHA512 1d6512ea22c0c584931b830bf7aecb346eab1d52839093249b5300ca6d9abe7cbe69629ec1ba78b7d37e8f5a67fd8b4e734ca3bbb09cfab942837f6301bc8d96

C:\Users\Admin\AppData\Local\Temp\YUke.exe

MD5 f09c159852482e983b6fd261e824cadd
SHA1 462e147f1387c1688b32780829f887a93a8cf517
SHA256 0cc4d0d0961c948996c2ca07dbc1582717b4de2ce2c901d80b88b7ee2fe84eac
SHA512 f09e19fb2559ed9ae78c4706908ae8f57b82e6b804f7bb5785400846fe6cad67b29a3c4bfc008661c7836fe624289c4fee2d1c5b4ddb02171161e0e75877bfa4

C:\Users\Admin\AppData\Local\Temp\agkO.exe

MD5 5f44588bcd26e57cc28b70d6ff616ec2
SHA1 7818d82228aa1188d99c1c08a0d0fcc8446ca777
SHA256 fb6f7338ff1b997ff3096c75e790003e247648bc41057c831639f0116d4e96f9
SHA512 541e8fba64360b3c3e50c6f96fa982ef9df79b75a9ee734e43482e252562236ddfdbe96ad83a54418e9a7fc25f0df9b9451331b2b77fbb6ce4bef2eb2cb54679

C:\Users\Admin\AppData\Local\Temp\WgMw.exe

MD5 2bdcfe55091778628d70b4814f081706
SHA1 b3ccf9e824642c3a1dc0c5521e1ddaf9a9eb8598
SHA256 ea6ea39b06f6334eee4d7dfae2b0cbbbeaf328e0f8e895397a037743705860c5
SHA512 c7efdda0c3af3ff8c202f4eeded96e9f31a1f63448e7646b2220bf2d2cd3ec2523c90e611d70f6e643344a4e518ff75e42d68856b08091fe8f70850c67ed4dd9

C:\Users\Admin\AppData\Local\Temp\scQa.exe

MD5 8f407bab3c816afb0f494bb7c06ef152
SHA1 98b8b3596d9c3afd86e0d0003d985e68bc6d78ef
SHA256 122f8fd2ee25953ba90b049e839b0ad9dd653f1136927e51dac168fbe32bc68f
SHA512 6d6a5243105c9cd50a5f1a82d3d65a77abd3c960f789e4ca8b41de7e95ba4ed062b7720a2463491c6587d4629ce77e1ee6a999410badd0d03788e5b13db7dfc0

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

MD5 24aae54109040a065f7cae6ab786d6cc
SHA1 4e418eeeef43a5ff97f5d10043ad7fe85aabaa81
SHA256 c5cf0a5cb2321b1c68b18fea4d3502c10ebfa78d61bfb396336ca86061dc6e96
SHA512 29add759a93810432b4ec0f656a5b67b791be5c36bab91cece8634ede6b0a01708a10b6bd281c1df957fdd1dc5915824cfd3a5f58f64a824d7c0d3a9308994c2

C:\Users\Admin\AppData\Local\Temp\KkMY.exe

MD5 b72d9c61eff8f4c43bf132863d951420
SHA1 3b9e98b39d88f920553a94b5d99319830db5312e
SHA256 cf29b8da21eac66a31fd68640edcce49a775a09ec0ce9ad525a3419e47118b4a
SHA512 998d7d2e407e187633f7961370cc33a5470e26efc8ef7e3d142657c5949cff8bbc1b12145846209f4741d9ce8e0b2ee0d2126415aff882095a6905a4832beeb4

C:\Users\Admin\AppData\Local\Temp\EAgc.exe

MD5 e4c03ea2631500ab6fbd66ebaedf03fb
SHA1 f7aa83dd8fe83322d8f548ce79198e0074657ffe
SHA256 8025bbc9db09aa88ee16912b2e4a238703de82a58e1bdfc365fc533a2380c0f2
SHA512 9b52a37783a908aa5815499894243a6f07e55ef9017b12039c5aeeda548141305664896e9f1a87cad98040b0ae9e492349a9cd4cc621fd6443941bf899b8e384

C:\Users\Admin\AppData\Local\Temp\gcoO.exe

MD5 4f1ff28b0e06f4f0f3f6de0006126366
SHA1 a687bc8e22490f1a9721ad0eeeeb8f8d232b74d3
SHA256 2358ab469f8911afb1e88ccd992ffc99bdad64feb885d4a4e19622846cbcb225
SHA512 35475183a32a203439d7b31efd1df23523b5a0bd54d7d561ce634d7c272e4ab5c37301671031ba59e1f71ffb568fcef669534a24fb0e66a24bfafe31fa148de6

C:\Users\Admin\AppData\Local\Temp\qoke.exe

MD5 a0b79c0d0d90473c8d082dfffe30d837
SHA1 a04aeb8f8c573e2d14d52fe16dbc2c50c7a16541
SHA256 c83049d8c45a21a3487b8c454ae8aec1aa894d8a17a5391dba307c8186ddcfcd
SHA512 f83f370f397ae19084d0f250eacd4f1f7f3bf9ccb87bcfb2e30b173018dfa405bfa8a4cdb3b435e0a1a191cc6de147b5838fb220e860df2ae1de87d1006f1b1a

C:\Users\Admin\AppData\Local\Temp\UIIq.exe

MD5 807075706f1df16281471d2cf2a00650
SHA1 a08342235a02097984d882dd6cda0a95de20fc81
SHA256 6e78ce9a0c1c08956fcd23bb47e224295c0e92f48bb7e6d9979bb1229fadceec
SHA512 5743aff7e350d5f2f47a9e9445466e41fc0f908ab123d0b762c561d5de0cd6bd8ad79e27029bcc152863cdaa26e81da3d9391633d089593dbc9ac2b6bf3be79d

C:\Users\Admin\AppData\Local\Temp\KIkg.exe

MD5 a7b28a50a4751298e680effcc20d3b0d
SHA1 3b5939fc9668a015b5840d61d1c40c0d2a8962a9
SHA256 117dec6d40b05f079d560346a698d789158a57b0ed3550a2a095222b58216b3a
SHA512 4444134892c9b6564164b89776d25821b95e279950a970237dfba160af6485f88c0e6d46088138deaa761773ffa988d913b7012d4bb57b357d8c82bedb7a7bfd

C:\Users\Admin\AppData\Local\Temp\igcs.exe

MD5 eb2edabfb540c91b608c489d05710ada
SHA1 6e9e1a33560e55405ca0d634bf929a933abc2f21
SHA256 65e40ce0f3dee5225a63722c5291ebd4385e4fbedfcde48bc028ade0d8d23b22
SHA512 8f9d2359fb652edb787ed8f587ea2b7214fd931fd60bc0872e9d2412b8d201ec5f218e0acd71c14204fdfa0febdc04435e932a563a041c991d3a8d9e071a9817

C:\Users\Admin\AppData\Local\Temp\aswe.exe

MD5 5950c7cfb05d72786acc205159ffae49
SHA1 a116979be769a364f7ccdbe2ad464b9fade88b7b
SHA256 3418fe9c37d6faad9a897f9ed2f514461d850f85eda954c8292ff926f46433b9
SHA512 339ae00f1bd536b18fdd27c1356bf47ec84c142994384bd5f3572ca2e899669dbf46a2a9c4858f5c07f35746b5e72bea2273babe978661cde95132c3b15d4bc1

C:\Users\Admin\AppData\Local\Temp\iYEE.exe

MD5 c62b8faa52f5f3c8228066f589de53f3
SHA1 d237db1f96ada91add1bc76847229c1f2d0e39f3
SHA256 728d5025237a051a0b1e0ef0056e0927019df32dbd651490eaaf41e8d16e94ca
SHA512 313c9094cf2b1a9d468f73336b9cd76edcedf2a3146b5050efdc319674cb3dc6ea1dd316fce3ebaa454ce8b03201f0e65d08fb0a01441d58bd705bc0e805842a

C:\Users\Admin\AppData\Local\Temp\GIUU.exe

MD5 b0f28fb474b743a5d92baa2333565036
SHA1 2854fc9ff31b0156e62f4f44a1ebbbf9500ffe7d
SHA256 b134620a0c7e522c08ef965feb73273338b8f99357210637b224eda7aa9c2fd6
SHA512 67471df4211c9a746c2c954bd0caf1da3bb962287b9f7f010d7e4e3bda3994e1d5d922f8b3f2b18142b01726f46e10c410fa183a0a4c4299bc639c2ed0cfd953

C:\Users\Admin\AppData\Local\Temp\oYUC.exe

MD5 8c3e2d292c6a1515187dae10262c54b4
SHA1 d8f62a1088cbf31621757a85fac45e9facc8630d
SHA256 d07f132a7237c9d2ad64e13debe86f079e72597ea535106d77bd42967993785f
SHA512 70ffcd1c76324981bf676fbe0e0d6eacb74a8aab8637e5f48ee114a5a04550b2d7fadcec71a714903319e11c158980bfbc9b528ab2eb60dbbe63ea11374bddf7

C:\Users\Admin\AppData\Local\Temp\Iowq.exe

MD5 7bbae5b98e9796cb180a8f1479186545
SHA1 b21079dee8f1976db5b91bfbc843c27e2e0cad17
SHA256 f7c0043ffe4757f4418aee69aeaaa1ffb3c0b5238b34c133f28e478f8c9b2e72
SHA512 c0031137d28c999e57476d55da1bf551e1ac3b050e2259ca5a72f4dba2b122cea7d7daf8c53e1f8af6de41e9a67f75ca48417c7e17ad6c54ebd21570a9029caa

C:\Users\Admin\AppData\Local\Temp\kkQs.exe

MD5 1e22e8088dc55399473acfcf5a0eae4f
SHA1 e84c56cd5c4ca0bd5fa021f5b85aac25a1969d60
SHA256 863559c07f2fe42ea58e89710c85e980f23c150e2e24b6d5058b3fa51741be26
SHA512 3ccaedd2fdf9202697fabeec91e3ca3d94df79782d3fd81c7a573f4dbc63b79a903e986f5dadeeaa2675880b04a1ef031bc2bd5c70dcd193efc7c7f3c9de35b6

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png.exe

MD5 97015f93ea16df13ff5fe8e7e68750dc
SHA1 ab1b3d73f4d42e20933656ab86f8126b2df35fc7
SHA256 6348cdc4409be2466f8e22e22c45b1e0165588a17e4177b5958630b38660b7cc
SHA512 d86f4934e8a3a328f05c82813c19f33699b76569ae0bd15e7a16aecee88971250dabafa4075064b122323c666d6ad32461a8006413bd044a659afd508671435b

C:\Users\Admin\AppData\Local\Temp\KAMG.exe

MD5 17e8654e5c795f8be6893bb0730d7f70
SHA1 bfb72abf39199a13bb70e0a8034183671e230846
SHA256 cfaebfa68c597be7c27e56131c6350076fe8a25a761579dcbf65e32b923d421d
SHA512 745bc19a1ca59b3f5a1e1443a706b06be8c612596e7c483627a14920a515d15cf1ad60a43d97c7e34b5fe01873097a7af65038a09dec8db37c5fbf25ab4eaeee

C:\Users\Admin\AppData\Local\Temp\MwUQ.exe

MD5 3d15812d2d26db0620d7a4e13b671d21
SHA1 8b49e6dccd267a09f94d2a08157bbede741f9818
SHA256 0d1b35c04f35463370bdaf11b06dfb25d5a3bf495282ff2ce4df47a3880f41e4
SHA512 9da3f7128f798a1cb403dc2de885dd42a2edab4a974f9b948c8b36d57906b6da6b53879e009f5b86187589cbba9f7e6c9b49873e991e4b80803d7e5be2e7d41c

C:\Users\Admin\AppData\Local\Temp\wQwY.exe

MD5 f0399d01521aec5c1dd059a8c101c9c1
SHA1 374647f701d99c58334de471d4e7e3a931c3ea71
SHA256 c01df007ae7d6f3190bc01dc4150e2cb93d34ef03208b13c82cbc0b16ce940c7
SHA512 787c15be234eb50b93b6ec70c266712948f0f59d4856a00990137351a7f13d6d743da94a20423de6f01e693f2fc362204d685dd79cd70abaf0e95017e58361a6

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png.exe

MD5 862c7e59991fa7e919c8f9681bc89e4e
SHA1 4517c7c96042f43e6cb7bdcaf291826b7b519d32
SHA256 9ee0f18e794664a8436a94dd4d297596d06f980c76d8e3ae2e18f2aaf2e9bbf1
SHA512 014b5300c8f44484d4ed90932a967704e3bca9d1f3798420472afb4271d603da88ed72c640a6e31074df608c374065a198c337296fdfdaad9031e7257d969963

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png.exe

MD5 9409de132906c2d591f5839d7e232262
SHA1 52a883dcc3f2e6fabedec8a432946f4703fcd603
SHA256 3208ad407e54ca73d3a49170067fc9fa66ccea97d9a24b7c5e24cb7c9ca7d5e2
SHA512 5a57e4bd8b7ed5369d78c9b57c9c7afeb7a2d5f62047e53fc9922572dd9c75dc4b08e5ba844557a7d9e6df089de694d231e72b8685bbd5782b1d6459e03d6fb0

C:\Users\Admin\AppData\Local\Temp\EowU.exe

MD5 7b9baae58a67ae43cb23425799928426
SHA1 870d12b2484e3ece859d5021c61c186a8f1cce4d
SHA256 a03f56f538a319bba621bfed3d914a16c3dcfb0ee3a5cd5a9359f80bec44e5f6
SHA512 77508fc096b38530b4b66d9a82a3cd2a553346033ae270e76c80d52f6136f77686440707c568d99de08880f0b6494bc9090965dd4c1148744736064ea652930f

C:\Users\Admin\AppData\Local\Temp\SQUC.exe

MD5 a41cdf801661de7ae5502be57dc4f343
SHA1 dd2d0796ed51778525337b8e5da86d02ada8810d
SHA256 ecd7df569233ab96b0a7311fb2dbcaff18e475e31c17950882cd0d7acd26f980
SHA512 1d7a471acbda3085bdd5c8ce7bcc0bb16d0feb40b202baddfedf765353b2f0fa9583b54b527edcf2e5e4e886f8a9df92920ea5980709d84c01c98e1432b3be39

C:\Users\Admin\AppData\Local\Temp\KkAA.exe

MD5 d1a6f49cb7d3dbf49228a2b9e2021e24
SHA1 f881e2fd434309995f5f63b13b69cf495f619a9f
SHA256 9306f91be9867c6bad92d53d4d73534a641653292912d6fb273c8df8c153fb92
SHA512 47455a76bfc8dd695e512017b9873fa817df691213db59a9ec71907437b575e20c965a6d531c5a2ae8b678ca5f0ed89a0ed25502376f5a009ff4131e4b2f7c87

C:\Users\Admin\AppData\Local\Temp\AMoc.exe

MD5 c5b00ad4408e24be05365d041cfaaab8
SHA1 6186d8646d62acf9f0a4dc7d493bff11a4ac6c1e
SHA256 9a6bc3fe74e1ec6eec87247c11d2b06b6abb8465c60c4a2d0fcd79aad35eaba7
SHA512 03a47015ef39dccb02bfe33bf58a9b5c76b0771667d006f622d3277be0c86dbfa77cf27cb6904ef456ef1b88f8a86009fecf4c5ad43cd7be92c7be68ed0edf1b

C:\Users\Admin\AppData\Local\Temp\mUsA.exe

MD5 1465daf462d50bf5a046bd6ceaf61767
SHA1 d85d072b4e07cec0bc305e22f671fbf3605a633a
SHA256 0a8d04f9d0082f840d7ae5e0db4f891102d5b7e16440478f7d8658466a38a09a
SHA512 157854ad72c74af291a3b87ee5ef0d11419d9a7d006872e8a25c75afee29ddbd072185bd795990ea793be58f17bbd5c65a870db9e30abcf1cddb588ca9322026

C:\Users\Admin\AppData\Local\Temp\qAQy.exe

MD5 5187eab2e0eb8da4ceaff14b73833f38
SHA1 3171444612ce2f000ebded1dc609311baf1517cf
SHA256 6d4c4521360c7351ac627aceb59e690ba7a565b504fbb9ac729dea25f2ce71f7
SHA512 9a51202a0a3309562a46a31305a4f6ec6902cb8c8360b7a08a1b0a1a540c47644ffc2ecb470b811a052b1ea481f53c6b49134ec7aca22eb7fcfe5d542462928e

C:\Users\Admin\AppData\Local\Temp\IksK.exe

MD5 3524d565c4d00122ffca150d79649779
SHA1 13d46087d3138e74cbafa2c333becb5a817fffac
SHA256 7d89c1d186137f5e33731d815f0ab82fbcec774e47717192099b26de6dafa081
SHA512 2b60542ee494a03c86a0443b0e75b1451b51356592d2aa838ad631a2c8728abd6bb171ea1d47b51d88c7d1b4990caaf893b1127937554526370b67477cb35050

C:\Users\Admin\AppData\Local\Temp\kcse.exe

MD5 6bf427cebd2e93cc42f5383c4ec9f03e
SHA1 ae0834bf102fc68b33147476628faad103a02c7c
SHA256 14b2b046542e9afa78351692527555c72a04fe96b6291de4a5907391a4e9dee0
SHA512 85f80ed3a20bc652218362f767052eaebf2bad49cd316e44b3158c55a47f245a3ac98e6e38906362786b47d81dac8764d2dec5308e738ca6768980a6f4b6905d

C:\Users\Admin\AppData\Local\Temp\ygwK.exe

MD5 ad990643deb354c076c8c8e3755cd0e1
SHA1 1d7954d35969e3aa3fbfea5dce699fcc125e59e8
SHA256 9870c9ee89348bff8894b8905077a6e0eefbf7f81d4226974c10f6d3d1139dff
SHA512 fff7aeadfeb2c8f699da42daec1d9354268e6bc1111bf662cca839fe028b2d65f33cfce5c79659c585f2868e8d81e49c0c267b1131878648fef683d158505daa

C:\Users\Admin\AppData\Local\Temp\aoIK.exe

MD5 f02e1cae37f542f319fa1beab69f9da1
SHA1 d033bdfc22eb767fa484cc25cca4af822f003a5e
SHA256 3ec9a3a993fdbf8202f4e46ca5dd807e7c1dd427f7ac30279ccb3bde8d868fa6
SHA512 5d64dc3841c4bb792af3815a0083821c662d6c113b137f0e117d93d4abab9642f7349ed745b5a4001aeaa5b1886b365a31f08c3ee8383a8a256ba09c5abcbf3d

C:\Users\Admin\AppData\Local\Temp\cQUO.exe

MD5 e75713fa966c37899ae67067ee2ac9df
SHA1 95c9fc216c1cff67fa0bebfd2db3a27e6620f8c9
SHA256 22840271183f21b23249a0274de77a73e4e3a0b9e4bc6da5454fd9b2ac0a7a62
SHA512 d5b160736b63451ba29797f165f65fb7cbd483680d2b69bf9b9d0c745a028823e5c0764c313b46e8af1f114a7a23724a72c89ab0cb6716b98328a7bcc658ff13

C:\Users\Admin\AppData\Local\Temp\OEAO.exe

MD5 d2c8a8330741e38192af1bd6a252fac5
SHA1 6096d5bfd0bfcc7ba58d410a5fdb7ba180c4d30d
SHA256 431811bd048542c563e2e2bb061e4c16eb24f327718dab2e43b047099fd42756
SHA512 9365551ada9d55af44ead24294e59cba2d01874f6506efdbe190e17ff3b96a3d5662766c8d9200d2cdccb6a5d190966cbca7b7655bad692b5133c6480dabfa93

C:\Users\Admin\AppData\Local\Temp\mIYe.exe

MD5 38b3408e436ec3ba9ddaa3d9094e9ab5
SHA1 4d2771cede1986707de31602ca4dfa7946bd5fd8
SHA256 b95d44c3249dac25ad2fc863fcf92188b36cd1fba2838ccbca15dc6c738f2b7b
SHA512 797680f3bb74c96e157baaa2e33434130b46e4e7b957f65ffb71ef6307ea6ecb4e6035ce9d5d6a1dd627a13e67df5407ddd5727b8280d9cb6e4669bdb8342f0f

C:\Users\Admin\AppData\Local\Temp\gEww.exe

MD5 c3096ba92eca5889c822348a1bfc8b5e
SHA1 cf1c2b4f3ddb601c60ca66e01c420fb29f618298
SHA256 78393dee39b89dda645f158097dbdaa904a4fd92696c65f70395a1b837b99efe
SHA512 6c8a805baa1681787af3f0f6fbe2a98a54701dc90a5a2a784998bebe9d527edb48fd64c98a234130cb8c0852f6aaa4ec0ec194e12a856326f801cc130de841ae

C:\Users\Admin\AppData\Local\Temp\GcEe.exe

MD5 fd7b06eb5bb1cdeb6a56f32cabccec4e
SHA1 4f5d5b8886646df2a35974de83ab0d2b2970603f
SHA256 8a493d4691a5e73d1245b1cef3500cdd8a425606cbd6bc0a076e3c2e77c8e0ab
SHA512 56feb30d5c27ffef5e34074a52bcf7e75673ef6a36ceb7e213e1adf987692975b4cd1dc09e13b7aa65c804e1634de947ffe7496142ed15f1894f1d9e74c19f3b

C:\Users\Admin\AppData\Local\Temp\qYUg.exe

MD5 bd664cd97769a7285983cfe7a9062de4
SHA1 e0aa3c702a4ae8fa8c053bb9ef2286fcba4738ce
SHA256 177637e3379cc667b357e0968bc4aea0cd62a24d6a87e882fb21b8914a11b978
SHA512 551d336695a107bea86dc30c7a4941c37ca65eb3e0758da999a65582dd2ddeb9c38f357bce3fd99ac671dc292d1c0dbc82a1295f5020a1248180a6f42a8e5f86

C:\Users\Admin\AppData\Local\Temp\MwUK.exe

MD5 5e2a5529e0a07ea02ed065ab76e4a1df
SHA1 5ba846c0b46c24c3d02e3739af36c559b592e86c
SHA256 68b3a37d939aff7b162dc9c962317ab0b842a6374cb2ae28d78cd2797cecb7e8
SHA512 651693bb072186cf36d08aad9d42b7de59d6154a17ab1a8feaad1329f439c48959cf1a37824822782787646fde98bc659db76613221284bcc73a27d82ba1d10e

C:\Users\Admin\AppData\Local\Temp\egEI.exe

MD5 f4b7d707ac454fcd804d94a09a3d917b
SHA1 a8a26c191439096984ef10f343fd54a6266e269e
SHA256 f9e18cce14b0e6b7aaa8ee9c659b1434226b1cb69a27e5f30d85225df147b656
SHA512 377e0d61968b2d4980e1cd24d1472674093a808275ff0043dd88c5fbc27a268d7ccaa22af5dc60aec9791438e050cbcf9e78671822fc00ad18439d3684d978e7

C:\Users\Admin\AppData\Local\Temp\WssS.exe

MD5 e00d532151052e59e2d0d3631687cf95
SHA1 f4e5fd96229280c824084a329329ef85119e54cc
SHA256 6c1283bd5409ae0093d9c7ff360fdd8ffeae47b6905a8df38d8e82ba45cef18f
SHA512 17c8959b357b09b9d7a6fe37401ad94dae8eca17d1a5a2413b2125c2384dd9cbf1237c10f711e1a69da583b1f568cf1fb3298a25c36bd8f0da38bdb41ad867a6

C:\Users\Admin\AppData\Local\Temp\kskU.exe

MD5 fe48f1dd028cc49fcf517477ef441db6
SHA1 a82e43926808cf398c0c4d64413ec5edbb2fcb28
SHA256 2c5926e5dade9d403952233659ecc6327eb52fcb06db437bd459c7b507dae233
SHA512 ad8be013ec33b21b0845dcd1672047b3348b280ca285e7ead3ca36de8c0ce01b6309d2d66f8e4a44ca27fa0669b6b999b90a53de5068f942e3be9971afd920d1

C:\Users\Admin\AppData\Local\Temp\oMQC.exe

MD5 47c57bf5e9aef980dffc8191181f355b
SHA1 bcd2e8f423a08cccf7e0cb60404104a7ee20b5bf
SHA256 dceb5a7e7fdf27b56fa8259cf6bcae30c6b7033bfb7c3f22611e4179e2e4f862
SHA512 a422591e2f21ff3976d35d86fe70839da4afabce8b960f82f8ed000007ab9822342134572e3389f96f5ea26c92cd0e8a96382bd3390621830c43c30f4cc9c9ef

C:\Users\Admin\AppData\Local\Temp\gQoA.exe

MD5 b78cf6ae97b2caeeb384ed5ac7206192
SHA1 312310f2570a710df29f00c5c5127afdef0ef8ad
SHA256 a55bc6138075cf1e920f7931b7e02b7f04abe364b2ba99de0415e2c4f43ba5ee
SHA512 b4cc8d1ef4be6db0a7e3d7565fdccd1e8735bc8039f03f0ce43a31aec14fe2c795f9f10141bf5e0dfd344bc9aea659e8afb92daf1006a272108095d8e6d76414

C:\Users\Admin\AppData\Local\Temp\iIEi.exe

MD5 821370f67af07f5d1c8faecca4a977d5
SHA1 7879977cd529dcb9e7a14f504fd188bdd49b4664
SHA256 c56aa6b90db76392995b30b9e6d1e3a697599b790716b7f055f40ba30a62d745
SHA512 c6d641526d893a66d0b5c29b3fc89dc7c5e385cfb648d7f1828418018597a434af027cdb2221ca1709d5e72eca0ada22071c01316a16cb800e32524b995edbf7

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

MD5 87d18442a683847bd40ead8ed74ebb04
SHA1 dbcde7742f24dfe117adf275519434aabea3e636
SHA256 ca48d091864baa73751c463e09f5cb10595477b5fb99fefa2e378a661ac50270
SHA512 aa861d4aaf0e6f0663fea61c19fe9e9599f7dcb1d6ef2507548978f31fd0ca4e611148093199874bd22542008d0b2249f6a0dfb9cf871a956a820a4256836625

C:\Users\Admin\AppData\Local\Temp\CMQY.exe

MD5 b86eeb0685fccb9becedf8a840288cc5
SHA1 e055e26b52cd9e09543ef8fefa3f1dce01ef2f9e
SHA256 6a5402e6d75d661bcfb80829e494dbfaef5622df8bcb2f7c9078d932aeb33068
SHA512 af6175ee883798cabcfe365e603018aa5026c8455336ca191ef8addfcb22aa7f36fa1f0e091ecd86426ac142366a827fee7397bd284680a7d30814176dbc5f78

C:\Users\Admin\AppData\Local\Temp\GUsU.exe

MD5 0730a784a1f32618819016a635785b92
SHA1 936d48810843d19f809bd0fcdd93503a608c0566
SHA256 336d0d568763fcac95c8446c18b2d1b117f1c5e42e712db914e3d91251fc40c2
SHA512 29a24486fdd0ed06b9bf9de7604f946883b53508e41111161d7c4e9921c70c903e86f1f14b6d2e3477f2ee1c340797004f6176723de0f65bd26deae31b58e0fe

C:\Users\Admin\AppData\Local\Temp\wEMM.exe

MD5 1c044f78ea3a0f8e2944f19a97b0d945
SHA1 31aec1372265b74a67c36156d9c1a9a48774e913
SHA256 11af46f1da555fa31f93b713c8494054b0b3ac867d1ff9e5fd2b9801b557ea45
SHA512 037db5a8bb65fd15e4e15f9274ac3ca766d682e43a95c079bd5b4e9cf9297f6f2373a812fee638e7574cd69c6d8b314e71ea2c9192de6bbfff3206759d980cf8

C:\Users\Admin\AppData\Local\Temp\EYIm.exe

MD5 18160b17fb7bb6f15e055590ce8f4b74
SHA1 1f3011ccdbb0996abd4bc9afba0c7dec1266185f
SHA256 23022de4f75ab049338b1788e7342e55c87616505281dbc626d1b2584a73d746
SHA512 853bc4986d35e2aa2ecf2a692b87f3593c3050fde0f4db1938f6ebabf881cb91e115c6af786ec0952cc94ddc965376132246651fbdcb293f042ce849edf5dff3

C:\Users\Admin\AppData\Local\Temp\QIQm.exe

MD5 b72b8a8d3de634da0b5ac3b9b2fe747f
SHA1 2a26c5bf09b71396ba0676f9abd0bf5bfb68877c
SHA256 1b9ea1a4d455789df522fe26b36eea78af8345095a73811f04acbb81640fa500
SHA512 c688a9849bf7c0b37336f22c7ff7c07bfcea764bce09a496c78861b8b8d87527658bcafbcf93d0e0b794c6f32f5b332877850a9358422029fedce55170ea6c42

C:\Users\Admin\AppData\Local\Temp\uoIA.exe

MD5 e18f2d29eaddb6744d1a43b2a5bb2785
SHA1 bfaab33128a60ae5ff160aea5d666c7b4fa5654e
SHA256 8cccb775dfd821029914bcc8192b308d16b6c11c8f5baf632017507e80a47504
SHA512 756d4967d25af67049c0dfc79c655dc5004f8f3a85ad46339ef35e7e15be3d041863094becb70d52515096c6e6c2810eb42a70b486ad1d0740c29af09da6dedb

C:\Users\Admin\AppData\Local\Temp\ocUk.exe

MD5 71682cebf304e1cdb22e5f77cfabb114
SHA1 29976429d61e9c3e9d2788f87bfd900d9006299d
SHA256 9d64fa2c210c47d4d7fd1c87a60fbabc3c566b40a3dbfd1cf7c6ff84a6785acb
SHA512 7faf6ecb6ef576ca3a22fa1d004180ee575a8e4bd92d27907ca1dbc268ebc87169d5f130e4d00e1679ba8b47b4a3c24c2f33e94426fbdeb23f9eadb4930b97f5

C:\Users\Admin\AppData\Local\Temp\KcwS.exe

MD5 41eefc0959cbbf82c70bbfb6d962a3e6
SHA1 e6ca2cd30ee194ff5dcd16633490ec4e35c2b4ea
SHA256 27706f2da05513e7e901e5e2bb4dc314da7f3f7f4f467e583f76b31edc81c985
SHA512 8f06602470cd8984726733d869692d9f8b51e2f254eb016ee42500193186bc3e69b1564206b275bba4a1653be8924faca4cfa72be20dda82ac25f44e460ee741

C:\Users\Admin\AppData\Local\Temp\QAoQ.exe

MD5 82c13869515f1c49dff283eafb5a1ec8
SHA1 989fe54ead4dc6c2fc0efeba238621af8b1f8927
SHA256 d3b70b67696696722040de3e4b421284ce2996c3beb5416df6ca3b3f29763ffc
SHA512 e72f3b0b69a7ec7d6908df4b6fc974a0d6c7518447f8dce98e356c4629b1b75bc570cce3fd8c987946fc02eb4e71f8b632970d2ac24a8dc0d245efc266058d4b

C:\Users\Admin\AppData\Local\Temp\scUE.exe

MD5 1ed57797c754351750503652b782a76d
SHA1 c26c2c6796b61f9aa3ab2ec11b75c17ccd5a580a
SHA256 31bcb726f27b6c9a175f00fa1fe00d6a2d51eb33e791cf83145a3515fd3730e4
SHA512 c58d26c459967de26e267d89a3ee381088bde4e4c4c11cce2e2040aabf5cee081e91782dedc5911f166e4d50b50a4b313baf1d824bcf81506144666fb84fd235

C:\Users\Admin\AppData\Local\Temp\OMMk.exe

MD5 b4dc13469bf0e889e662638e278abede
SHA1 2615b34bd26ab3a7be16417e1aaab35d50381e83
SHA256 e0507870869202f4db95768f6a9bf1687f105b66afbb413a38a8e6d2bd45e141
SHA512 bf727f0d9b37555023dd9c98f6c38d82ffddf30c1f0da341d76b23b04642a33ec740c024658a10d90bd84442b6f12ec3375869c43906dec8e81d584ca1cd961a

C:\Users\Admin\AppData\Local\Temp\sMkO.exe

MD5 0ec8956df7589570ca52111d6fe20dd8
SHA1 1fc9cf5f09f908324760178734f029217e6fd954
SHA256 b3b37e2a644c0c45333ef8cb5785e569ab3ff22b76e7b8fb7169c1d3b15a192a
SHA512 2f483825aa912a1c7061bf78394bf8cbc9154eae31f8020fbc679787e5eeb44082b1556a5f5d2248f056fae2940b8c7e90e953bd35383d8166a965c5da0b0092

C:\Users\Admin\AppData\Local\Temp\ogcI.exe

MD5 5c117f9eb3aadba45f2b3cc00d7b2e5f
SHA1 f657517ada52ee46724c56f6386f70f19d85bf60
SHA256 40218e94f13b136abdba195d87e2fcbc1e1846a71b09a2fce7415b0df699ddaa
SHA512 e4bb056f0956991b488ebca6b6f011cd9da4ca58b0a34c84f6693e31578fd247b294b35d0f48959310ea7d002b9b2c7d9a6a621c08add7cb0bcc5d93394fd7a7

C:\Users\Admin\AppData\Local\Temp\Gsck.exe

MD5 43916b97605e86fd0adf7ed6ecd56d7b
SHA1 2d5c337765aae88c3fc4313da80f29b90eaa37ce
SHA256 f12e87e715603c474bc5e9bded14b9be3d24e1545cd21654e5164c8ed929b321
SHA512 df042035342cf37299191b6c353a6cbd048ac8fdcab0a0db6feebc6fb78d964c6f6ee1c269fd5e1342317c1a76079ff49d4531fcf6500a3727d4729c2d62a894

C:\Users\Admin\AppData\Local\Temp\wMUc.exe

MD5 682b229d24fe003753785003681627f7
SHA1 cfa04da20d6511a94b244dfbf351fe13309d3244
SHA256 4278b700fc26ea44e7b5401b8aed8a89f0080f60d7878ba0c023982aa478f787
SHA512 98a457b113803ef5bec377563c4fd65b3df2619410029e429491ebaeac0e095890146f49a8075ed5ee68d9d71f1f955c7a33e1f2ab97ad9aa5ba42e804f82247

C:\Users\Admin\AppData\Local\Temp\cAgc.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\gMcC.exe

MD5 897e5dd6fa9bec1f8fc38d4e9962ed80
SHA1 ba1b541819eca4cf370bc9d4559bd9cfd124507d
SHA256 123ff836b603d434ae2ce50d58872d2c0c9319f2a88645f9fe0908d100957f81
SHA512 647430806c92813262f0a1a420fb7ecafa4db12f45a79b57fa9ca66a701da0839190011a7ee0ff8b09a13f13b21b6d1689ad322417b6b812a0062c4435fb9191

C:\Users\Admin\AppData\Local\Temp\EcEI.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\Music\ApproveProtect.mp3.exe

MD5 1b7891441bd29c32ae3f5c2d2e8281f1
SHA1 700f36255fe9f20c7131be98df4feb87fbbd4046
SHA256 35d0563778fd2e58d7455ec7f74a0349c531239104ae821b9b424491d578e103
SHA512 a17e51eeca61e9cdcdd07d3cd510e339ad84a3efbc316a40e6025614a11e7c625b4df2a6a980215583c7119b1510d00bd2eea67478314a7445ca61791ed440f2

C:\Users\Admin\Music\RemoveConvert.mp3.exe

MD5 b1e069ace7f2efbb636ad1bd561c26ab
SHA1 0d9cf9eb773c22528ea592b446c122b54f438471
SHA256 8fbbc78288c7903defd025ade7330c1d6a521d1b97559193119a04bead326c63
SHA512 039abf702cc22532424c171a6c70f04936d98b4e9a1e3dfd4000987793aa956c2531c8a2e3f50fecc417bee1092f3ad34f8039e9c4db7b53f28d3fa075665349

C:\Users\Admin\AppData\Local\Temp\cccK.exe

MD5 7d4273d410458cab0fbd21f95625c7bf
SHA1 82254c7a40c366ff52e8ffc686d5af571d254ef3
SHA256 2ff3ba1696e5b0ffeff0f1905e179b2e909e952b107ffed29d73e7f7e8bca62e
SHA512 5420bd96b56198abf3864c15406f3f9c560cebab330559e3ead9491042068b9aa9dee41efc0cdf106df2b8709f1e80cc6628eb49821660b93e135bebe8dd34b5

C:\Users\Admin\AppData\Local\Temp\gkQU.exe

MD5 9f128c50ed8d1fc42fa48e12b1577e06
SHA1 fa7f136c8f970163d98fbebaf0e91f5ced27f67e
SHA256 445fdecb325a3ea24431f5ec748506f8d6e722a3d3b3f197096e1fec847b7c7b
SHA512 d2a479c843add3ceb5fd408efa2f9ff9f81ebead6c4f76babecf478dd658edf881d75e96215821ac99054f4ec4b6e0cbe36adb8b63fb98dfc8bfd382a6ae0bae

C:\Users\Admin\AppData\Local\Temp\SAcO.exe

MD5 cb32f140097e007a6a39914985c13c33
SHA1 891841e3d6a9cd4f33e2732a24d5453ce171cc5b
SHA256 c69ba38e6b0c5c32d88993cd1cd1cbb13c086cfb883f44c64253773d09edd509
SHA512 921b5266c4b5b4ecbbf5cb6d7eecf5fc11e91460c01537ccf103dd04fb6a273d77025a3855e3bb8a04f26cc264bebfe58a7212a03bb5624071da260560cbe836

C:\Users\Admin\AppData\Local\Temp\kIAw.exe

MD5 e28f7a49f16751d4a2b3c871935cdf31
SHA1 a9f809142945019ebad6fdfe030117f58cda401d
SHA256 4e0e25f30eaf8391c41e5614e0bde829ccfbe11fde7fc43764db2b21b620456f
SHA512 33021958b7aecfb9696640f1c6b2d64cba3c63ac02f7e8a6e09372327ce398f150828258081c25b628f16e3d247fb524281b68a976734fe2f367778d1c9b8cc8

C:\Users\Admin\AppData\Local\Temp\eQks.exe

MD5 4bd4b38aa7b28287b3f758533aa8d26e
SHA1 384d9468739d27b64a81a6be09c3189f2d762b35
SHA256 958064a5dd8d486f095f47743c791f18d5e39a7ad4258839d5bd4fba18e4b0d8
SHA512 db1b1fd4344fbe51906a55608f1cfff1fd4a0f1b3af857e3fd56cc58e190e9fcbcf631284a77f48e0e5244a0f5b4c95bc9c7a53c93d7a7d26d1f079c4092a5e4

C:\Users\Admin\AppData\Local\Temp\mgkg.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\mcMI.exe

MD5 908b90e3afe45ac4441c814750e373cf
SHA1 e727c895677344e1a74d77df91e56f39f81706bf
SHA256 e1a66fc80003f8a098fbf94406d0e3e93536eced24bece9b879d9367d09b5754
SHA512 881bfa22ac4687e80aef8b52894bb7dab0ab29aceb00b1c6adab9db47f415861ec5e6aec06548fb2f8077fd3544895f9ae20569e6880c458a6283a5f980349ab

C:\Users\Admin\AppData\Local\Temp\cwMK.exe

MD5 3b7e5acbcbf008af3373f6541a08b4ce
SHA1 2b68d18a5f9200d40f12063e6a501122ad06de22
SHA256 9c6d2385c856e3563cb5d8838b59c104be883c8a0f963a0896ab134c0f8e2a5b
SHA512 1967e8dbb89a3748ea885419e3961fbeac91d4da8411e875fba3f9bfce6f73055418b894154ce18d2d77f7f6dcf17507fa46e9540e92086bc713b29f1bca4a3f

C:\Users\Admin\AppData\Local\Temp\oAgs.exe

MD5 1e171b18e8d147e19e0b1b1ae638281a
SHA1 9ce013607704718fd2fc3644aa6f303ba8f978b3
SHA256 850f6075c043642d750113523f0201bea0c9ec6f3d868fea48a8fa37ce7ddba5
SHA512 63ac5eece269d77467b7dbb15cad9211a6c22569aa0658caac704fa26b8239fc6d50bcc7760ced2afba469799240f43799207b32cc90f556062d14fc4e2d2a98

C:\Users\Admin\AppData\Local\Temp\yIAE.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\AppData\Local\Temp\qkUA.exe

MD5 1149b9d9198925de95ce292d958aee8b
SHA1 e434fd8929fa2969a39ce7f03f36d6078ca74681
SHA256 6bcdf03f1ddffe95e8e95b5c7fbade43a60f7bd5ddad13f4d263d21bd48c411b
SHA512 91bcf5c3aaf7c082f637ad578339988408117c58829259b6553e83d00e15138203f582eafe37aae9a0f52adb89eebcd58983b0e0131c8047ea24a821f7f00dd9

C:\Users\Admin\AppData\Local\Temp\eQIu.exe

MD5 8adf2d10be13711c318543737152879d
SHA1 e1cd2ec6c15fbc4aa662d5de606475e299df9799
SHA256 6149c5d26ebde26c7f81246dbc5204a2763d5057c23d1b0d4316b692f032981f
SHA512 059ff785d79db5e68d8976e581b7041481292553be94387128997aaa43375aabf9b334e9f8d6b6e51abcb250553028dc41253506916a3f8d73282a963dc62a83

C:\Users\Admin\AppData\Local\Temp\OoEC.exe

MD5 115a3c7c58a79658b4d6bf6838f8f3e8
SHA1 2824a8bd4ed527a8d8adc9df4bd9c1b5e88a0dc6
SHA256 6ab2cd4000d60089da5de61e94eacb241f412aa9860f5bc56f7bd7ca1fc67caf
SHA512 10d768f3495e000dd6b1020973b66c00f291a045f79482e76dd5ed62586ea030758af66835a901309f4c684744ac230fd0a61f4b92ecb5308650df0be436ace8

C:\Users\Admin\AppData\Local\Temp\kMEy.exe

MD5 c406e777fa88f46270498ff867743f92
SHA1 ed712737a04db45e2b9451355be7e668451cb5ac
SHA256 ccc88c974e62930626d37373752a1363fe8f40dc11b0430db580e46a721aaa80
SHA512 1ce03ca6a46418020ab7e73743b53c83c01551c79b574fec30793f44455035b9c9f804e8895a8a7068e5de42c59f382cecca02fb6ae35c2853019b8677c4db2f

C:\Users\Admin\AppData\Local\Temp\MosG.exe

MD5 f25201f2e387df1a052e1eed2db8e9db
SHA1 68186d833195f20173efd9df595bac57ba97bd55
SHA256 328022078185251e6e5a2d3e6c1b2caab73ba19597dcd2e5512e4784cf5b9ef3
SHA512 2ea6ad42080b0d0a1217e66f4e001a149aabdd9abb880f00fcdb01b33d129ffa76dbd7d34740de792fd45442be12454d8b037af85db2b3472283dd9fc8ebe0ff

C:\Users\Admin\AppData\Local\Temp\SYYy.exe

MD5 8c33598bea73e00e99829d1b461a50db
SHA1 1429b8c816ca830254e3b22a9d1335a592f25f46
SHA256 d73fe1f99a1875e3398e3b508ae6d7ac81643147cef399aba1d0572456e70a4c
SHA512 7df3fb5030aca000fc939999666cd1c3404bfe85a28c6e488dc3e289f5be36e9536078d60f69df0365e6594b61c7453971c28dc59fdd9ba0fd78641a9445a2b8

C:\Users\Admin\AppData\Local\Temp\ysgg.exe

MD5 f4dd573694b1ee4bf0ca5165c4eae29b
SHA1 73c8ea55abf8bb5027bf4c5d842f4ed4a57764c2
SHA256 fa96893b4e138dae73961c7ca9070fba117a225249684d41f9be278af17bd328
SHA512 528b8402651ecd726e63adedd882760de663b0e681c2963696a09b5dbe4e8e40481e991b8beddb3ac8dae692ade9b52d2501781187214a80e326547b6924dd45