Malware Analysis Report

2025-08-06 00:44

Sample ID 240403-xe4e9ahg69
Target 2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
SHA256 019ba77eb3cfe5913c47625dcc9618b4c04f085fc1a0f9e2c68cdc5ef1a569f6
Tags
evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

019ba77eb3cfe5913c47625dcc9618b4c04f085fc1a0f9e2c68cdc5ef1a569f6

Threat Level: Known bad

The file 2024-04-03_9a09071140d404e8fad58688d42d888a_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (77) files with added filename extension

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 18:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 18:46

Reported

2024-04-03 18:49

Platform

win7-20231129-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\RwYoUMIo\wOgUUkoY.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\RwYoUMIo\wOgUUkoY.exe N/A
N/A N/A C:\ProgramData\raYskYow\jEgwUQkA.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\suYIIMok.exe = "C:\\ProgramData\\dKsEgkks\\suYIIMok.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wOgUUkoY.exe = "C:\\Users\\Admin\\RwYoUMIo\\wOgUUkoY.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jEgwUQkA.exe = "C:\\ProgramData\\raYskYow\\jEgwUQkA.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wOgUUkoY.exe = "C:\\Users\\Admin\\RwYoUMIo\\wOgUUkoY.exe" C:\Users\Admin\RwYoUMIo\wOgUUkoY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jEgwUQkA.exe = "C:\\ProgramData\\raYskYow\\jEgwUQkA.exe" C:\ProgramData\raYskYow\jEgwUQkA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\QmYkMAUk.exe = "C:\\Users\\Admin\\wwkAEgoU\\QmYkMAUk.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\RwYoUMIo\wOgUUkoY.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\RwYoUMIo\wOgUUkoY.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\RwYoUMIo\wOgUUkoY.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Users\Admin\RwYoUMIo\wOgUUkoY.exe
PID 2168 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\ProgramData\raYskYow\jEgwUQkA.exe
PID 2168 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
PID 2168 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2676 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 892 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
PID 2676 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2676 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2676 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2676 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe"

C:\Users\Admin\RwYoUMIo\wOgUUkoY.exe

"C:\Users\Admin\RwYoUMIo\wOgUUkoY.exe"

C:\ProgramData\raYskYow\jEgwUQkA.exe

"C:\ProgramData\raYskYow\jEgwUQkA.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CksUUUUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AukAkgkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XSMokIgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lAookkcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hOoEsIgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zOQMcoIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IqcYwowo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UUoYYMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YCUQgMUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ySkIkgEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QSgIkMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tUYsQQoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zecQIIoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FUIkYAQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vIIMEAYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PKYsoMwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GyUssMIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cyssMEog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\wwkAEgoU\QmYkMAUk.exe

"C:\Users\Admin\wwkAEgoU\QmYkMAUk.exe"

C:\ProgramData\dKsEgkks\suYIIMok.exe

"C:\ProgramData\dKsEgkks\suYIIMok.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 36

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QGYosQsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 36

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SUIwQIsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dYcQEAkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lygoUoIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lyoAMAww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hOYkwEEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MgQIIooo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wacAUEIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cogAkAQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\skkIgswo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TwcAsMoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FSYgYwQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TgEokMkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-270828653-3433920889451377532045526450-3726448042395989062138636734-668945241"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xkAMMowI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-275480136-6284876341336537968-13684575-15478983651341227007606191268-144242530"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mOIgckIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1667511033661321299455517472138870033686169734856209561599891277-1681998621"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "3762587961688163917-16562530701152411132-328952369-726515368-895286630413830774"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EkIMMEcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MUAAQEko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YSokUEgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aeogQQQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "389707233-1709991136-1895280635-902981937-1256161847-274129642-601398146-435960426"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fgksQkMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jEkMMsgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "34776989-2019594162-1823067977-1365323659217136561624773293-155028210-1671521995"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\biYAAkgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hCIcgsEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AqsEgkUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "333680948-703840974-5993028311158654142189465476620538832542086432908-464828824"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mMockwMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-793974375-517968169-191132726-95437802-1345152671-172093706-11420105001917363527"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1940081043212481157716334464511153932461-1460633014-572373680-776085410-90765768"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mEwIQkMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-140378559-476509192-1235499057-1593932687-1451344907-31426164-17461575551152102760"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "18072336971551736898294010735-66488820117021050291214712972-2036266837-1352399130"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UGEgowks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CqMMwoog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-14856328291043985263-1510694893-35204432356543903173359700-1291283744-652789759"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ToMIoIQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PIYsoIMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vgwIIEow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZeYsAQcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oGcMoMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-10334128191098605962-17049070211029025704-266793456918989737-6520075071224469070"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QkEkwwcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "175108959961351537-1078222692-5666535422058909979-17470887571403184646-534311351"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CIQwYsoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1044721534-1295297519-135467219957287083418584922581892698002-13025081081093207283"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\icQgkIMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1546925832-17409640961798430634-1035442880-1762397523751421021-18190628551781113770"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LAAowAUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\feYEYoUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5421114721760929396-199079370115838130499704241331550742282-7124792441353040615"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1923626958968404054-1557823914-1460407726-156400806-94927004-1869717165-714764886"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JkggIkMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vqooowAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OoYYwUkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "839469612983808470-89842458518143955921180669341313289167-1647787370-617546614"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WWIQcYIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "46269973820022983711647792208897545278-206618721339149131-13416122952118659680"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GWwgQUow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cIIgwgEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BygYgYsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "53612972129005235536388761717939749411012779146-1200020240-150655432-2034310830"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1560817602-1748394187-1973404953-2110323467873087158-78372553119716041-1098897421"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15427051142128635650-21180225061230546611-1581807624993613545-673926684601700171"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tKYAkEcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1685691737-418220560-10991424778219081326081145069088172131143542513-1351464208"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VUwwAcIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1607083376-952820408-14100637131630527910-481463504-4640023521998582451515170804"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XCMAUUgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GcEMsUAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SMYAsgQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 142.250.200.46:80 google.com tcp
GB 142.250.200.46:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files


memory/900-395-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/540-404-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ukEYEkwc.bat

MD5 0200118f7a130cfc499bbd1c8fb47aa6
SHA1 014ae8a9411739ad40313f47af2574c99f8b29d6
SHA256 2c077e509bf930df38098a7798c3f93e8748f24ee467342d4a4311fea44e6d62
SHA512 94eb701d65f457c7218cdeb1db0f5a8c8dee6b8abdf235b24a12cfdf7b0804bd7bfc38ab53c4e21b8a5bc90a779439388bbb50a51a8e3bc9effc6bc2a937499f

memory/1996-417-0x0000000000170000-0x0000000000224000-memory.dmp

memory/1840-418-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/900-427-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1840-431-0x0000000001C80000-0x0000000001C9D000-memory.dmp

memory/2584-433-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1840-432-0x0000000001C80000-0x0000000001C9D000-memory.dmp

memory/1840-434-0x0000000001C80000-0x0000000001C9D000-memory.dmp

memory/2572-435-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2000-440-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1528-438-0x0000000002310000-0x00000000023C4000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

memory/1840-445-0x0000000000400000-0x00000000004B4000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\Users\Admin\AppData\Local\Temp\eYAe.exe

MD5 3f29c8b95cd41e075c28932e0c0d0fa7
SHA1 580df0eac49d407cc696a1e2d17bddcc68e08592
SHA256 a547e6d65423d9517e32713a2741bbf33ab07c74a14e2fa878e5073ed46d723a
SHA512 0fbaf691bcf00968176d0c63c3382fc3e7608678315083ecadb80bb81cd822e3e597c51b4657f1c921f8dde8862534455bca1010b1019af486840d48e3df861b

C:\Users\Admin\AppData\Local\Temp\YewwMIYs.bat

MD5 c1e18aad9ba9718972884279b2d32fbc
SHA1 47f519952437e4b91a23ab04689ff049fc754593
SHA256 e0790a1ae205d2f175507c9c6eb52c6468cc9bbe033ac731fed5e56d6d5f9441
SHA512 0640353be71282a023106a87cf813a6e139d279220125d1f82f7ce9ea4fdfc125f05bc40bee562187573ea87103aeb6db2410d7139741742faed1686d433500f

memory/2012-473-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2064-472-0x0000000002310000-0x00000000023C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GcIM.exe

MD5 647d557824e371474206eac36fa3d2b3
SHA1 4b86425872b5f204659eeacc9f74f7776736c2a0
SHA256 0214e4de5e78fb286c646d8d841d017a345b814fe4ba07264a6da4b4e6f2a039
SHA512 2786539b4e9407aab8ab72723f7486f76e6e903c71b39f9b8eb80dfdce09de1320e246d08fb572432155cc1c77979fae016c64ed4e0c58420e2c3bb5a2933776

C:\Users\Admin\AppData\Local\Temp\yEcq.exe

MD5 9855386f39fb048f45f3c58244f2ffc5
SHA1 82f2e0071d92ce686f257bcb9d44e274dfe32e0a
SHA256 80c5f1693f48dc9f080b37f40cacd51e7e04c7c842f3aa911ff7896c4c0782a2
SHA512 4bffe6abb3038e70a0dc735858266f3a23309b35d66bef0d246726feb96cc6d8f357f99b60ed32a1ac8e22993143f94f4b91c96c50d5ba244cc282be469d0e09

C:\Users\Admin\AppData\Local\Temp\gQEW.exe

MD5 0e6e33899d43b6472311e97ef355e825
SHA1 5112c8e5c875e5461227aa8ddf73089f2abb06de
SHA256 2b0a2584b8936941534ad6818563a9024786e0fbddcf152d635eef905e018944
SHA512 7921921305705b93f8b72164dec55b0036be593db52ef0183ef42cd204b9a39bedcdb2fcc8b01e35d49f9f5c283b2d6d441f0b7f7428919c42d6a7a44a3f4ce8

C:\Users\Admin\AppData\Local\Temp\iYgW.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\dOAgMYwA.bat

MD5 4e5e61bee3b4fb333743209d95e652f2
SHA1 4f9e0680918f015664d258b4e518b47bd7c1031d
SHA256 7640971d316da1d4545bf82da13fd63a382d2f102d39b863de62beae0830ec3c
SHA512 2164d29de8f4bcaddc65ff1286a0a47c249fa726831eec16d6bc8d92b695495ccfabcb66a6f23d6c7dc9f32d494d7874aec01353214d64e2696dbc60ee04e8fb

C:\Users\Admin\AppData\Local\Temp\GsYy.exe

MD5 68b9ce5a6037544c440cc30557f0b829
SHA1 ea5b1521e111180401d633ef44ecd7bba2b40622
SHA256 bc74028ff5f415e656d2399073a26b301c8f2f6914206be4ad845f7e91d69c6f
SHA512 960ef5fc5d9677fc22f8a0c38520b217a9a65cae425ddbe66bf4ce720b5f6cc984324b00fd522f6c0022d27732cc4004e041ae91426e1f97d2b59ed2768b527e

C:\Users\Admin\AppData\Local\Temp\OMkG.exe

MD5 29d7137586160d76ec814b50691dc418
SHA1 40ae0600950c74dfd792281e18e1096f338c6f59
SHA256 f7e817d4233f400554579e83caaa88c8e1caabc2be17a36f825b6379ddb5a622
SHA512 d91b667a1d2584c04c6360b2c50f5b0b2c573a533756411731362405d32d7b5cff62c9cbf764f4e5fe626f5bb18af5c24f03802d6fbc925d25caee1afbee5759

C:\Users\Admin\AppData\Local\Temp\GsYS.exe

MD5 b86386307ae3eae3e1cbb3a5ec19d882
SHA1 5e4461c01a7df9aa3be317c230e659270337defe
SHA256 cfb1c763f43c4f78567d35973417213e68931e43b4cde227e2ea357a9f71df69
SHA512 82014b5e2747194515b355d3efe777a489147d5e681cf4ac0c05878b0b7cd1bfac0c9a1571fe0a50f8ed552dc06a187e9723492920c8a1363a5d6e18bba8173b

C:\Users\Admin\AppData\Local\Temp\mAom.exe

MD5 4a97ae7149f81d2833ccbd04172e4be7
SHA1 14bae82f5aad3433b11c8a1267c790e67e9e0f81
SHA256 d4364bf6aaa1bc2822f2d120950f72eac04cf95200dd1f2b756749f92fc0c20c
SHA512 222feb2de98957bc8d2552ec752740a70f7883d71b0f4affe5c7ab2fa3150359b30bf0fa63396e2873d937203f493c52bbb1bae9ca2ea509b1d66fc491cd41f5

C:\Users\Admin\AppData\Local\Temp\Ewke.exe

MD5 7e0dd7bbcfc70cb76315d863aa24baec
SHA1 abfa16838fffd42526360cfde49d892a1a4c8e1c
SHA256 1bd27f536e38c53bf4840709b872d110c2adfe580cd17c3105a7a81749bed785
SHA512 18a8423e91b7f060bb94dc341227f9c4e6faa9072c98731513aadaad70afe15bd1cf46a168cf0cde76c57fb42da85e30d19b861e3042ebcfc549c6f45843129c

C:\Users\Admin\AppData\Local\Temp\csAI.exe

MD5 43138e8706dbb08df03bad3ba64c937f
SHA1 f7033f486a0419bac17f9b784d662d6a16a7d59f
SHA256 4c0f80523a671c7241815d8f9e6fdaeed639104c9527597e3abf2344f4cca681
SHA512 7264a358087c58806718a6701fde49014531d5e43cb8455ff465ba5ce3d0e5751e72c05e814b2e6b3156645458fcd66bc971ae29c392bd93ce1c4f7434f61d83

C:\Users\Admin\AppData\Local\Temp\BwIskcYU.bat

MD5 367e3053709cce38828716d6aecc45f5
SHA1 522a22661252edec8ed83fc9f0fea85933effed0
SHA256 7b48c4fb4ada2f4205f4e937e33032c1e68db3d1a1770700e35b6c05639149e3
SHA512 50ce051145fb46803705328e59691dad7f23a67c44920852e798398e0462774c774eccf9bd9e2afeb7c6dd3566b932a30198a75d21bca8a993e0e5af827ade6c

C:\Users\Admin\AppData\Local\Temp\yAkW.exe

MD5 2fc8aa5d37a23fceeb56a5fa902f1f13
SHA1 882d76a137098a378be4033fe011e3c56c79eb40
SHA256 04f5ffb27c3d6aa14d0d238e5dab3569d55395d1494f1de21150d9b67eaa19f1
SHA512 5f710ac004a18b72e513ab6105b693a1b583d98940c2e73ec7c1a8b68b0cdc8a3706334b6e4dd732c73d8f7cfc594f5aa8ed1f570086bbcb3cf524737b480668

C:\Users\Admin\AppData\Local\Temp\WMYO.exe

MD5 a0551c5bac48ca558030766a269e5c5c
SHA1 5874d01b528bdabbb6580726b96031fb2b7b9dfe
SHA256 cdac5f385e645a7ad78c63b367ceb1ba37a446e6a2e77e189ca28658f2c549db
SHA512 3a737102db60991f0667b2c5c95a8e5be36728f3637572aa231d987bcc1939983962dcd7a96be58a5cd0ff6f58c245235bf76604701590d82d91fbd43a657a1a

C:\Users\Admin\AppData\Local\Temp\MAsG.exe

MD5 c436ab4cb05deaa567e9cb405cc3c3d0
SHA1 03ac638b5e663e9f01424b578d2e24c160af1233
SHA256 4f5a38b35c79c05d24a67c731fdd2e95f4198d19cb04321616cfb369c15798b4
SHA512 a062665a7e2efafe03be0d0527cb55928bc630457193136de238b1f4fe682b1f68141be31f963d755de082ee6395daf1e8a363a936799bb813bceff469ba786f

C:\Users\Admin\AppData\Local\Temp\qEsE.exe

MD5 0dc627f57b2b1f448aeabe4920638cce
SHA1 8adda20737e1ceb22dca9124253c3a242fe7da2b
SHA256 2e8196c783b33f4f27f1faf03b8d49e7ae43be9f4b70f8315e5d10e0b1b9566e
SHA512 b33d9c98a9fef2fb9d11b7e8ab99441cb0352f175a103c6f9f92fe201bbd66ca4f08a657aa24ce8586b39f0902a13d3257dee6668d8b79159145d986ac73e57d

C:\Users\Admin\AppData\Local\Temp\ikAS.exe

MD5 e26d3d6ffd6f82fdcf163737a016e20a
SHA1 1c2374641643530dc058275524e3ba208c23ac40
SHA256 b522689cc5d190a15f9a977e51466ed9e04999cf57614f7279e98973d112841d
SHA512 6d3fae79bda39b9d7203da072ac51a47f7730634da03372b290547f23596d10501a3280dc8a1040fc819e69c10a4edeed341f9ac2d9c460fd176fec2d20e1c62

C:\Users\Admin\AppData\Local\Temp\rwYYYUMw.bat

MD5 5d9b5c9003fcbcea4c9168fc9a42c82b
SHA1 fd6c8c2955ee3d97e0fffd2e923c8d904c9c42ad
SHA256 9b5834aaefdd557ed0467a29d593a57c85791b5692775dac57c7719fe9e36306
SHA512 5b6eb8655c02e9f3667d1b36e08170a200edc32fac1bd33c2cc2abd44d9a587fe95e0059fdf9e138efd3fa24a3f410a8e219a5a56648fe76497a120231681a6e

C:\Users\Admin\AppData\Local\Temp\EccE.exe

MD5 5d21cead18485c0d3e8badfa41ee9d1d
SHA1 78b7992471ad912489c7586a83274497a8435a04
SHA256 eb1f155e467fd471114dd10f974fe684b456e29109a70ac79a63d2e92ee41aa4
SHA512 bf82f11060db0f8442854d073a7287d232be8c9be42bb19e9b8f276561209b15897963d2210c15cf456c36a3d2fbff1aa33b43266d9df407d14b37a5849ebfd9

C:\Users\Admin\AppData\Local\Temp\wIAE.exe

MD5 e7af5978200e3bae946fe8787b9ff1c8
SHA1 3b29ff8f7d2e12161e5b7c2e04cb66f41306fdd7
SHA256 2203bda1927897382016e1aa36779ecaa09839a5365ce10dc8d20c837cbba1c2
SHA512 261bb149dbcc140cf896a96e9f41dc4af601b39fb246fee9cb6c075f4865334f4db934198ad8bc59c8f4091314dea2dc2ca9623a7b8a036dd16fdcccb99e2c17

C:\Users\Admin\AppData\Local\Temp\Wsci.exe

MD5 436837c77de549076023d4047b57d1ea
SHA1 889f38c054c35c371023e2bc44a5ca87bbdbcd04
SHA256 ebae5f2c992711885919215468a69c910847c1e08caf5db189232489272a3d56
SHA512 fdcfb7d4a3d043cc8ceea19448efbf9f0d1e3e47c088e506d33b7f9b23245f964d34be77bd4a39a40f1b1d4a42b05a8af7f8397d8767f10057e74a7b45c7e5bc

C:\Users\Admin\AppData\Local\Temp\IUMO.exe

MD5 420adaec6be2c2126492c743165c5630
SHA1 38bfa2d46cd22b5ecb7020325aeac10f72cc6e23
SHA256 a4e8f13dc32c2995d5be6c95937d35c4ea11d9f24d360a65e152f2068e8adc6e
SHA512 b04fcda0e92671e21bc22e52f48289b5e2b05ce0da0bf0388f2e0804f26456736a71ef3f53c16638b8453867b8b7fc4d7e44bfdb6cbf2121fdc31c4e110021a3

C:\Users\Admin\AppData\Local\Temp\ygcO.exe

MD5 fc5cb628c09bd9e0f4fca2d26e357134
SHA1 ad85148fd7b74ef91e4eb7a425352668549c8a63
SHA256 e5b79eff5af01fe82a32cf10c3fc3152eeeebe75bfe21ed9a99d71915580b443
SHA512 255b14d720ff61acddc93b5c24e400a9f637e4fdae925cd9b1f759d2b5fe42c26c0061fb0f0af14d72fdd1c92a86a0cf751047028b5425b7517234850b2ab508

C:\Users\Admin\AppData\Local\Temp\sgQu.exe

MD5 93e49c6f7c43031465ac37ca9ac8a3d2
SHA1 13a678c008dbe108539fe09b2c175c7841de42b7
SHA256 d8b6d84564c8e3ae391755192b1a945197992a80aea0911779d31d50cf4f1dac
SHA512 a28a2b0a12960d7f36011dd21bf21ea32fea46b55f7463114518b94cd56cc753674b5c49671d6ea6e9cd82243437d0036d680763041189fe7cf1d7d3ec2f2f79

C:\Users\Admin\AppData\Local\Temp\koAe.exe

MD5 98b505a8b6ee4ab01ec0888eecdc2020
SHA1 23d04dbd1e2894bacbc46e5bcdc631eae83c3f75
SHA256 ec65159c0c9fbb91fec90629668c86fe3082ba00c6449701d100111149a1a5cb
SHA512 b7d5f7464c06d448588581d36990d58d6e1479e7a4a60a39500dfafdd96fd6aac7fe8a874fe92d3981d8b1a28aa81189aef4acfba9def5ac3d6c446210e1261e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 39abb78553eca51c9411f38f3a51a279
SHA1 74da1d28027874d90a9eb1df235222259af4bfca
SHA256 a4496feb01b20aacd0a464691ceec3c723a8504c4e7b88b8e4577435087af4de
SHA512 a834ac8db4077c6733afa0e415716258f0c190b08a1a4c6337d34f867eb905409e3175308c32349a3ef93f336c5fc210a8a7db9a55afa4aa74493f64f845d18f

C:\Users\Admin\AppData\Local\Temp\jucYIIEw.bat

MD5 e48cd7729642aa9730f635286d02b83e
SHA1 0ebdc8c9f93699706ccc07cb944b0f25e003651a
SHA256 7b69885a028836ef18024d55bccdb2ce174d2ebaea2f4b31be87d84a9266a38f
SHA512 31c4f13039f0f1d30972cc5bb77343c8c11cf06b007b0c0dcb0fbc1d7d4e4246173b2f9062f6aa381f4c7070f45f372bbfe1ab4fa918764bd2f0a7541ad74885

C:\Users\Admin\AppData\Local\Temp\CkcW.exe

MD5 a7a7f58bec5f44714e3e1dbba523ff21
SHA1 db77e93b8fa2a8198565a00ba5dfd2213a00a405
SHA256 87ae0a9183594d4b474c2d82e9ca4bb5a39e78658ddcc696620aaec212654bba
SHA512 b26667f99fe6be057c7008da808cca72ca42d25e456a48d708fd0de31ca4bddaacae170b076784bbeb46239c3ee3504ff96cdbf523d916803aa0daa0768d5def

C:\Users\Admin\AppData\Local\Temp\Kkgs.exe

MD5 0b2c5be60eab4ddcd08ca1cb6a1b3227
SHA1 def0232582d6e05e10305f05bc8225c4ea993843
SHA256 a8cbf1e7161bdfc6973dee655d3c30c350706738f100185443b99a1ceea0300f
SHA512 6ef1d388418c2fa8e5d611c20962b135e44010a1016461eb9006bc374794d1d9ffa3b6881db6f31f83be00110303a29b2a0c5b3e8fb560447a33ef23f82915c0

C:\Users\Admin\AppData\Local\Temp\sQYs.exe

MD5 1e18fd1a44ec917151168d676efbc0ad
SHA1 24f69fee8d0ed78258a6e1faa3e2d6040a0425ba
SHA256 b240df34289833980e30c0b0bcbb8d1d88493f2fd37cae114025be5c77051709
SHA512 ce71c8d4a41661f7e591f4433bd4a279ed2a2bb13335149e2e78981b3a7cc2b245c0a380cfb78452c142a3b83e3f76e8d20d4052dab488921ccef32120f4d528

C:\Users\Admin\AppData\Local\Temp\eYgi.exe

MD5 c0de3dc09ebadd4236934cfbac8f1aea
SHA1 4cc97eaba94412034685b7421d9890cdbf16994d
SHA256 e4bbcaada5b6742f9a68c8e4da8369186f19d91cb3085801edf2b2720abf4139
SHA512 91d8f22dac34c3bc5bb4fccee10773c380d468398b8d4d286c1219e666ed767e313fb0d6a0b99cccdf0beab8b5e6069dfdbfff8d1ea60eb8ef40619394c042b1

C:\Users\Admin\AppData\Local\Temp\oUYw.exe

MD5 d037b35ff8735767dc9dc0239ea479d7
SHA1 020389b908dcce17dc3584856f2f5d02e5bc25cd
SHA256 b35dc3bd4249e528599d634d0ffb9b440ffd8e00de269587d29f1c33cbdce205
SHA512 31b9d7d60bc18a9416421da65612d91582e7dcf4ec33c577e1f6e568a2f09c321ea947c9aa0e0b372b154187eb1933970bf41bee2d1335be466588fbd43feb4b

C:\Users\Admin\AppData\Local\Temp\SQAI.exe

MD5 06fe246a6931f1839e544a54195ff900
SHA1 d9a7d07e891917fe9325053694869d454d9db514
SHA256 025094d82bb551902274ec9546b985c89ac5e9fbfbccb1fa4bf0de23b83bd7b8
SHA512 9fd8adac5e41dd5e0a1439f452ec828a88a6618df9feb2efcfa19cb33118f458ca577276ba01ce7b6c1e52f0b54b0038ae6d360cdf57e1b9664527d42152466f

C:\Users\Admin\AppData\Local\Temp\AskEockQ.bat

MD5 f217ebc0db23c60eb68fef8d4067f151
SHA1 0992f5cf5751c72e56d714f160019c27162667f4
SHA256 cd56f67e9661b75dddf7908282bc91b4002a3af9a67c0b80be0c1bd385acbbb4
SHA512 b36c2c0db875a91234bddfdad0f594386c7859f8e866c73ed58ae41a20875d69b829afd7d04e86b9a972036802775a8933818b12b4225e82e4060c66d6a8a3fd

C:\Users\Admin\AppData\Local\Temp\eYQI.exe

MD5 6ca6b37881248918483c8ac06fa8fb89
SHA1 a46372a807f7d011f4d5919c4b78b044366acc99
SHA256 8c70a44aaceb9551c8431fb80763e55c8c4e1ad83fd7636fe498967fc5ffa474
SHA512 d14e236e1bbdc42f0dd654931328a501fba11cd9a0dbfbf6003af455a4063b99b8128516801d0308e2d774291e68da1b7a07684e0af05fdb03e3c4d026a96568

C:\Users\Admin\AppData\Local\Temp\cIQU.exe

MD5 81f37f893c4f84a0da6702d86ffb74db
SHA1 edd8b6f13c166eb85ddfc52c5d544e78010dc31f
SHA256 758dd2e7187309ee2f39b2a80deba67a6c9ef770baf853e0c61db02554d93bcf
SHA512 648dc7e1a0857c0bb4bc00b3876af78bf246218c725e56b02bd8d6604caaabe47e0a43df0c7b2259f6bc60918b4e5fcc80c187c60c513aee24af65c1f80f2785

C:\Users\Admin\AppData\Local\Temp\gYIi.exe

MD5 04267c64bac6d9839ba2a43497d93e00
SHA1 16490fbdbf1d8c5e4269b279b69a01fb1a3d7c91
SHA256 f887a9224aab599b1c38b4ab5a6e1912f635a299b2c1aa728402359174a4bd3f
SHA512 0b6e467f91c3fad2f996f44a394e6501b0d9f2a87c44665aabce885fc76bd66d8fa063dfaaf4506e7c2ccc1809cc44a332ac5e90cbbf16f5fabde08ecf274dd2

C:\Users\Admin\AppData\Local\Temp\UIAW.exe

MD5 c245084790154fb1420658121cc9f667
SHA1 174659eb2efe5bb112f942b0a66cad05fcb4ac45
SHA256 c27560469e99e8df2a179dcce65c673c3d6047f842b8dc3aceb5454dfa1ecf78
SHA512 d7b4273bda2fc1508fed99fc0dab113cde1a0377c348a3b5da099b30876c2171c0620eb56465a1ec692570c0b957403e6ab803044e61bf5a7e6d020ff98a4241

C:\Users\Admin\AppData\Local\Temp\kcwe.exe

MD5 88d3d9d37a04830681c522cfeb8f5a66
SHA1 3d82f590a0d04c41c538f71f34d021e01d2d59e1
SHA256 b8708944b9a39d3a1c3f2a8f83bec9226e90feebec3af750b48ec80f6edeb721
SHA512 17dde4b232f8d0c7b6a6c85ecf5fbe4f6ac6de2b3231a87f07af31fb256c5a829612dc51797c50f575df514640c05750f254ae187f460976efd3029040cd9ad3

C:\Users\Admin\AppData\Local\Temp\WeskwYYY.bat

MD5 4a531df1f68125d1fd192a9b6a6c3214
SHA1 3cb08ea3e1f1a70fd9c9b843ac1e6077f66d3689
SHA256 0c992fd284979d16e82eeada566c1b5a46f095c795f9ee25b65ebbb176d21728
SHA512 3284aca3f200c8cfc9b35083dbb024ab59fa7624805ff395a9ba77e54846ad6f2b99b72a0df11d6924ef41013e13e0f7f106a1e367838cd84619f0865768ed9c

C:\Users\Admin\AppData\Local\Temp\CwUE.exe

MD5 a156a8bb699f4c069dea1c1db0058709
SHA1 3315fd92107e5575d34398320ee46d952e57bbbe
SHA256 dbabd9bb7e11b55fec67240459d3022b423824241a4e4d2035ffed965e1abb66
SHA512 d8759e0ac2cf09a4dbb3429f1407b05b41cda6266a17564e4f72857e684c29fd72431faa2102d0bd6cf88882292c8242955478b936b57e759ab29e8f25eb0fb8

C:\Users\Admin\AppData\Local\Temp\WwgG.exe

MD5 8c98fecd1c6072c7e988736f169cdd8c
SHA1 9becfb294eb22dd2383333afee0ded08b211205f
SHA256 167093ff7be24ce6fdbdd3251c7d6f6648668a711d4fed314a5788a6b681d70a
SHA512 5d2322e0de98be7249d0dac0a495f7e36cd4b1c7f3fab196669920b6c0d3260d26a66e8ae131556f28095a136f36158e805f2a925a2efde6cfc531fcebf78995

C:\Users\Admin\AppData\Local\Temp\MUsA.exe

MD5 35a799f91b922f8fc922275adcc7ad38
SHA1 d7a7fb3cd79fc28ea8919858b8770e81d85fd2b9
SHA256 5e7e2434e62d3df0e46bcf7aedf3c662413b25365ee54da6001ad0ce42541432
SHA512 713c0c26a4d1c083316d13b0772e5a1d2b288d37b0e4b45f7b3909a5f9712b2027a4bcfd110baf1eeba2ccc946fa2cfc53765b82f3cb9217c03f6354d17bbabc

C:\Users\Admin\AppData\Local\Temp\wgwa.exe

MD5 4e681f7771ca8670023b902bd06d55c0
SHA1 fa2330920a2addc65435e9a318e610fb2ce8704f
SHA256 41af4a122122f1ca6d1ced276604770ae2183cdad21742064cd851bf523a2ed4
SHA512 9287fbb5eec1db3ab199a3307facd26a645694e0dc5d55f822fb048944369d6ddb66213ca94c12f880538144d3eccfb6fa379a31acc9778ab64fb240b37948d8

C:\Users\Admin\AppData\Local\Temp\IIge.exe

MD5 bf239913aea2f3b99e320f4df064c713
SHA1 738d9bd9c06a973c7638ca32a4d46dc796cc9dcf
SHA256 6aadac9e4f243912fd2eb8b010b4c4ad5a4ed4ac13e8244b60f541e5c3afe435
SHA512 45af60b436a9b989269042d214d5304e5569a572c3a99b6fde9dd41a483f6c213070dc09010282b2993f4dafb88bc7043cf9f82c5e2c0bce89cef9fa283be147

C:\Users\Admin\AppData\Local\Temp\QgEG.exe

MD5 caf9a8e6eb4dafab03444a627ff1a387
SHA1 9f8188935efa0e8bf89ec70ea7fc05330fa595c2
SHA256 0a1b3f7166a458a8e40a16360ac14a038822aac3637d28c8df2e14316a60fc1a
SHA512 36b086e68a3ef91f1e83b7073a6444022990681843a9180c2e73ad1d0cebfe9fc861081f5ca2a945a3a435907e6c0db4f6c07f8ce99cb728891c94b0c3a43714

C:\Users\Admin\AppData\Local\Temp\IwQo.exe

MD5 39f9cdb70e52600804a6efb5a161efcf
SHA1 437aabc13840ab1dc04c19fea990e58431b91980
SHA256 5ce09cc6665287d71fb2d88ca001a41115b4998e8a141b812866ef91d3d36043
SHA512 f79ba6cb5d0bdb0cef8074790bebdfd2281319ee43ef3a9a35478315f02701109cd6d70b67e1caf5550c50e185e26c04d629a513a3cc62738173d705dff7f7d8

C:\Users\Admin\AppData\Local\Temp\uwIe.exe

MD5 5979f937c297b48fe44c51ac143f3600
SHA1 6ae90d7c2926934ec85fa2807f34a4af31c62c34
SHA256 93bd6c62ce90935d6179de96e536a8c067a0a7783f8c513ed9bb0b59d8c9472e
SHA512 b6148b827caf3b9b63df8cc459f58d10a9e275c2964021eb64f98a9d14767605ef716008cf63f6d5d4411369356ef21eeb42c1184b31909806faa8cdf7ba3806

C:\Users\Admin\AppData\Local\Temp\CwowsYok.bat

MD5 e9e8ce2b44ab21ae0e1811a4e5c2583e
SHA1 363f4a246ae246bf989fe54c43e87b8ece1b598e
SHA256 1a81b7efac9fe333dffced9b23c035d5db4b3a73579dfc1c2f4f60dedeaa571c
SHA512 2f2dca9a3d15281a735c512362a9fb92e9cfa1341a72ef60288ed344003123e48629138348285a692b23d334d609615e8d612b08f7864892f3780be527f39c81

C:\Users\Admin\AppData\Local\Temp\KUwS.exe

MD5 8624c422e884a0143915f01900b9ce50
SHA1 d30e113931048126f053aa91059c8d00c9abe5c4
SHA256 86fc0ac732427ad393e628a2409ee9676cfd0b375f249d4aeaeff4e164852b09
SHA512 8ff22d8e7ea6b9cc58d8ab0554fb2e0e2ac4180a217f7bf43dff207b50d83d9fe02749d83f6201e7c8307d56265dca6e6d6b9dbc3bb66ed03c888b924612ef42

C:\Users\Admin\AppData\Local\Temp\YggE.exe

MD5 bfd9dc3a0ef04507cc64a1547ec512f2
SHA1 bc47edd97a3a33762199f937dffc73c29c8deb39
SHA256 48cee882871cc62c1d6abb37c390554f23b8345806de5245e247dc07ce08607b
SHA512 7f6dd6c1714d2bc211680b13a2e2c06ad45b1ec5a6b0051c5739861218cbf97d917bd383be092134402e9dcfcd6e4e91d040596429ef6eb572dc229b386412b9

C:\Users\Admin\AppData\Local\Temp\sUIM.exe

MD5 5f14c7d7ddf6fe66af73b67f644cef2b
SHA1 a599bac0838ca602dd8248e1b3c3c4394dccb252
SHA256 81dae72f168e0c9ff936ff355858fcad730f66c4771780e023ed74484731a58d
SHA512 aff5c6e39016f8f7ad9d7078d33d7797185d40f4c1c167a43250e5f1b02c448f55046e070ceb4acb31f4255c8a994bfd743f83f0682a582ce10a7f7e0e02ea1a

C:\Users\Admin\AppData\Local\Temp\ckYe.exe

MD5 29c07e8d6e0d41b189962d2ecca0ed14
SHA1 a9d5cdf4b5c8e54026783a21b795c73955d0f5ff
SHA256 09cd3e770e4dee5ca330c399ac258f983da036b94ce29c9c7714a6b03a2333e6
SHA512 7c1b69254dfe0a8374c571dd47543a5f6fe9ea655b3c624ad4d732800fc02aec58d09c048b2633e3711371f59f63939a6e3cf9c737b1a826eee05ebd7333be67

C:\Users\Admin\AppData\Local\Temp\eUkM.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\yMkW.exe

MD5 960658f8f25573334855532a0eb62995
SHA1 4f1c6049e71f5812e05c491d0330b197b6d329f7
SHA256 fab212541e7b88d8fb09cafd8986da7c6c6c7ac33ddf6d10f846d85fe08c1ccc
SHA512 fc32502b9e4239e66c24c152ab58527190724a088e2039d01a04787b2f73b5a209996d792aff8d52e49aba9f300b13b90aab88829684d34679514d7b1572dd06

C:\Users\Admin\AppData\Local\Temp\iqQAwEII.bat

MD5 112d67d61a1a63969ce83a93f597b81a
SHA1 e1077c231eb5dd2308cc66ed7f4fd5b5bd03bd99
SHA256 4e1da0bccf39f61aa969975379901040a10caa85b6b50ca5581565c847c527a2
SHA512 8f3c330e556eb6efa355228f0bbaa4f932e2fdb1167ff881696bcfbdfdf0bba59efa7b8c3d0595deac40324835b2aea3c1d4bdfd5595790c909bd4de55a25c47

C:\Users\Admin\AppData\Local\Temp\qQMm.exe

MD5 cd7857ce5ae3c6cb97d71d7e0fd3e24b
SHA1 a4cef0eef6085598b9d4e960f85c915c7c8dabaf
SHA256 e00dfe4daef286a1d074bcc665eca5f956d6dd51335a78bbb278e92a043996f1
SHA512 2bc86c7e368d602180faf29d083f7cb56325957e750fb6fa3881baa6ff1f0e4b4a295cb08ffdc1b2ecf95601ce9898a709bdcceba4977d45d2b613dac0397574

C:\Users\Admin\AppData\Local\Temp\qAga.exe

MD5 843a0484d58c89a17ef41f777a0f867d
SHA1 eaf5640016ffcafab65cf97b3e6bba8dd5853bee
SHA256 b8733159c4f8724578481e82812d76f8c8f0101983dbbc423e3bc333fb19ed8f
SHA512 943e714e1550a0935b64857b000fee76f35d372226a423ff6d134c328a7c5aeee549234145c1f5334c96dcdce9b6e7e3be9f099b2a10493a13dc7f0659aa4e5e

C:\Users\Admin\AppData\Local\Temp\Swko.exe

MD5 1fecf65c136d1efe082dc5c60b814826
SHA1 c8b6e68071e76287d331cc67390b406d99863786
SHA256 19bb4418911c9fe01b2debd9a773885939e4b375ff568120b22f41f6abd9083f
SHA512 15c8a61c4c664e061f6ba893a2808b2628bb32830fed813d2aaee3e1649876219df243774bf0dfc1556768e7dd3e68e7e80063540399f75dcf136ecb6240303b

C:\Users\Admin\AppData\Local\Temp\Uggi.exe

MD5 e4d200a4551680d9c87d1d3f5ba43eb3
SHA1 a2e61a02fabe6479371e45b919dc4ba04de86988
SHA256 064f57944b3ca6b9a20a3426c59f96bf9c143ffcb04301b0e85ca0c29ac7bc9d
SHA512 4f05f8164a5de577102fe44453bb1f6d616260263449a9f520a76b23f835d51f22494606bc7763ee739cdb72c6a703bb36405b338599d8aff5f1ede55e8c9e47

C:\Users\Admin\AppData\Local\Temp\LcQUMQgU.bat

MD5 bf70bff57be0ef581f72579a85cc5034
SHA1 fa2505626998c77268c956f60ae2b07b3d7b7301
SHA256 266be50b88da4a656b71d685de84417430112859ceb63096f1fceecfec795cba
SHA512 9f3a23b94733878dcdae932d52ea3329859190e473f91ad7c4da27830801da301c1ae52023d7bb1207b9ff0f941b0065fbd4d54e1334b1080b43b82393a205dc

C:\Users\Admin\AppData\Local\Temp\CAwS.exe

MD5 8f40c6296df71ee9c2ab8834346f0162
SHA1 e01477f6f6da5fdec704de312628a18c508e02d5
SHA256 3d5ae7a3a1d8e851929d3725c230df74bc4632a4d454b2257d03cea9838ae5df
SHA512 222067f1d8504c7b8aad893a5382f59f46226068dc67444278c361225b57475c9b3d0a938702717a3bf8e53e19248c418794131343ce24576acd8a4f5f0b6021

C:\Users\Admin\AppData\Local\Temp\OwIG.exe

MD5 03c5d78ab07a635e18f828c9c50716ef
SHA1 b923a7084316950ff451127761adb59b8b61efc0
SHA256 f7b0cf94a75839e39ab34bb4f6b96c4d62ec04a13ed12b514561fccc32ea2f67
SHA512 eb219d0432834ffccf6038c3a39f5629ef5699b0d3d3caf9aec997326b21638a1028e93c6207d592d2286acc6212312233f2d57e50478443b5122f6f9fe41176

C:\Users\Admin\AppData\Local\Temp\SsoI.exe

MD5 c575396e111dcb265e0edb217892fe8d
SHA1 6dfe4712f348c21859950e441d6b5f23b3514710
SHA256 40f412bd7e5c9be1d2f407e85ddc83ff809ec2a032c29e308666375d5e13a9f7
SHA512 98ab0ada1ca0e46b7efafc71997ce33cd912075f9ed9f98379fc506eae510b9fd8ebd7149bad027a26b6b372a982c04ac4b705bdf56359487fe72caacdeb793a

C:\Users\Admin\AppData\Local\Temp\LQwIYMoI.bat

MD5 c16a43985778ba0f0e262004f887cdef
SHA1 e8b08730d9f372b27e6f59b6604bdd0a5dfed04b
SHA256 884fe65d240619866f73ce966b50d2bc9ca719334a30d47a13070f1788453b37
SHA512 21b540fa3fed3c34debac08cbf3e41562ca193f6fbc663cde82beee6c940db3b9c4cb7357ea3a13d7c60a77a7612c478e483772918f677570428f85ba169c199

C:\Users\Admin\AppData\Local\Temp\ugsC.exe

MD5 83747e69108ac2b3033084b6aacfc6ef
SHA1 245b8a8ba5708c413f7f9cddf554399ec14088ec
SHA256 d67dc251a256e92df23b4a663ef38ee3740b9c660074c78f9e3736ab645a7ccb
SHA512 b846e13411ed6258dd6c732066212d3ffddead81309443f6f203fb17d92c57eced555d8fd3eecbdd3ebb37e1db15a5564223c1727cf1ae03ed5646cb9256bc5e

C:\Users\Admin\AppData\Local\Temp\GAIk.exe

MD5 9126f75fae990e8bb41a4c60c810ef99
SHA1 1043375ce94bae5da8a0f5fa23a8c529fe0af3ff
SHA256 ffea86df7de55c5fc21b15bb44c61ba6f7d51665f6ebc71b05d5f3d164c1e236
SHA512 c90c19b88f990fd816f3b4107342e2e0df059a9903cc31e7a7f885be32dae1b5632e3d8d31943fa8a399a4cca3af70dde4779938ed065779520e6a754a548884

C:\Users\Admin\AppData\Local\Temp\ccIA.exe

MD5 03c885f683bf2c2ddca17d258a92e873
SHA1 6580e40b1dbf24de3341660af7e89b14a865d624
SHA256 07c99eb7cbdaa04c029e29784dc10bc05dda2562960207e2a836c70db75c4adb
SHA512 862ec99b639a11daeaa3b4e7b31c83db7ce116bbf1c9efe64e4da52bd05ddda44b3a555c81cd0bb6a7ba310d0a16adb5c825136f7c41dca05596f6dd0662fc5c

C:\Users\Admin\AppData\Local\Temp\gUEm.exe

MD5 7af4b6f194eb46279ea77485f5289346
SHA1 c99a3dd32374236941a982b25505c3d937e292d1
SHA256 e3965119cf783e9057cfb684fa328c088f0ab50182b8c32f920e9af764ef5985
SHA512 c7f950c2ff2a324989881f880932b84df8f4792a3575a529714e8e5abad0033b97e40c6291fa7c4d7d1fc39601dba4f009f1ad25c09a11dc1d1c54485f546fc5

C:\Users\Admin\AppData\Local\Temp\iQcC.ico

MD5 68eff758b02205fd81fa05edd176d441
SHA1 f17593c1cdd859301cea25274ebf8e97adf310e2
SHA256 37f472ca606725b24912ab009c20ce5e4d7521fca58c6353a80f4f816ffa17d5
SHA512 d2cbf62540845614cdc2168b9c11637e8ab6eb77e969f8f48735467668af77bc113b8ac08a06d6772081dde342358f7879429f3acc6984554a9b1341f596e03a

C:\Users\Admin\AppData\Local\Temp\wMUI.exe

MD5 3a68c8785e878c7bdbfdf358f315ce65
SHA1 9098206f6ec4e096d5e398e1f4569e060788d557
SHA256 8c8e38f1af718f8ce9d0a64dc36c2102c462b03e3ed5242e3ff5083467fb95f4
SHA512 25a1b66b8ebecab68a751f5efff40ccca9460036a062ae9290dd84c313e5d5ec00240f82d2f63c3d05b6f37acc13259dad8ac1d07d245b9cdda42e4b1b4679e3

C:\Users\Admin\AppData\Local\Temp\Scgg.exe

MD5 79067bc69aba5842f3dde02c5973a45b
SHA1 4c403481af61a0fcef3635afe41ff850ed36c0db
SHA256 f60e958ea570fe2c47355b0771b6b4093edd63306d2cb6a4b5910b750cf1e7bd
SHA512 507345ee6367d23824e8c2906bcddc70a6eb502f149823b18073244ae9e712934f41683981d6877d47ec4b69ee1875181fd99fdab2cdfccc7dd352ab8e932dcb

C:\Users\Admin\AppData\Local\Temp\jSocwEwg.bat

MD5 737d6364de09fef2c1c3a5e909accfa8
SHA1 ff6dea41d4fa1fa9bcc33573174785d85c3e98ac
SHA256 eecce6a2244506f00e8d37891dc641c6b4523156f14b7fe49de904ac4aea5c8d
SHA512 3846c81064add115ef4bbe5b1782fc9016f67822fe8d61ce7f45d0a78751cdc5436869b49362cede0ec05ea97a98d17753b50ceb69ec1f4ace8d84104f4b4539

C:\Users\Admin\AppData\Local\Temp\McAO.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\mAAg.exe

MD5 9c04584deb120edcd584b3fb3977c492
SHA1 76f6ed5f1f114f96ce9774824c13587137c934b7
SHA256 d8b5cd74d406bd5dab2e9ffedb106ca84e11335fac5731e492de1000404c3933
SHA512 8271d952ab8b451a0c1690ce3bf5d062a7d55b83aedf57f3322a00274adcda018f3d61d83c4327a94dc037aff89047ded5559425a7e3e21d1f14d4c2ad634b2d


Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 18:46

Reported

2024-04-03 18:49

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (77) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\JwYAIAUI\EswMooow.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\JwYAIAUI\EswMooow.exe N/A
N/A N/A C:\ProgramData\AKsogAcE\SsAIQAoQ.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SsAIQAoQ.exe = "C:\\ProgramData\\AKsogAcE\\SsAIQAoQ.exe" C:\ProgramData\AKsogAcE\SsAIQAoQ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EswMooow.exe = "C:\\Users\\Admin\\JwYAIAUI\\EswMooow.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SsAIQAoQ.exe = "C:\\ProgramData\\AKsogAcE\\SsAIQAoQ.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EswMooow.exe = "C:\\Users\\Admin\\JwYAIAUI\\EswMooow.exe" C:\Users\Admin\JwYAIAUI\EswMooow.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\JwYAIAUI\EswMooow.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\JwYAIAUI\EswMooow.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\JwYAIAUI\EswMooow.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4352 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Users\Admin\JwYAIAUI\EswMooow.exe
PID 4352 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\ProgramData\AKsogAcE\SsAIQAoQ.exe
PID 4352 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3760 wrote to memory of 4412 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
PID 4352 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4352 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4352 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4352 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4412 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
PID 4412 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4412 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4412 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4412 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3756 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4916 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
PID 3756 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3756 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3756 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3756 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe"

C:\Users\Admin\JwYAIAUI\EswMooow.exe

"C:\Users\Admin\JwYAIAUI\EswMooow.exe"

C:\ProgramData\AKsogAcE\SsAIQAoQ.exe

"C:\ProgramData\AKsogAcE\SsAIQAoQ.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ruwkAgwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAcEssMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGIwwIcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUoQksEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoAwosko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suEYwUcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEsMwckM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYUwMcow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQscQkoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUksMAck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAEEcQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECoIEAwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEYMAowA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YykgMogk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\myIcoIcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYQMIckw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSoAwgIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XsAwQwss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQYQYkoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWoQwwUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIIgAEkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUQQooYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYsgAYoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWkUUQck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSMIIEQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWEIMoQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auoEQsME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAwAkYos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIQwgsUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMckQMYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ruwwoMcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcYcUYMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEgsEUQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwIcQIIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yuMwcQUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICMsEgEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgMoQcgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZoAMIkkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGMssAQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kegoAMwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UyYYYEEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OoMQIUUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MacYoMQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMwwUgEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jysEsUUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmMgMcMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lqQMwswU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMgoUQYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEcEgooE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1


C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raIsAwEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TocMMAMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEkgsAcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igAEgsck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCIUEgEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mSoAocsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYgocsAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuYUkkEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKkcYEMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQcgsYgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQcYAkcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkEAsgkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEwgAAAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VygYkgMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xUoAQMQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xsYcwQMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaMEkQAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOIcQkIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 142.250.200.46:80 google.com tcp
GB 142.250.200.46:80 google.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 227.97.18.2.in-addr.arpa udp
US 8.8.8.8:53 213.122.19.2.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 84.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\JwYAIAUI\EswMooow.exe

C:\ProgramData\AKsogAcE\SsAIQAoQ.exe

C:\Users\Admin\AppData\Local\Temp\ruwkAgwU.bat

C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock

C:\Users\Admin\AppData\Local\Temp\file.vbs

C:\Users\Admin\AppData\Local\Temp\moAs.exe

C:\Users\Admin\AppData\Local\Temp\KkMO.exe

C:\Users\Admin\AppData\Local\Temp\EcMA.exe

C:\Users\Admin\AppData\Local\Temp\Cogc.exe

C:\Users\Admin\AppData\Local\Temp\wQwW.ico

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 3ed3e59c41cad4c7b5cbc0b22a7ec35f
SHA1 e367c84e3886ea144491cf312cd8362799220e69
SHA256 97534362e4f22351773d645223fc1f086a986ef25e5af194c54b7c9233c87f6b
SHA512 ec49f153d8f2ce444a0a42b0e5e83b921d99fa8e59de60342142c7d26d053717a8073376f1c9ba757322d60e4940a0974b4a6350759860567c730991cbb174a9

C:\Users\Admin\AppData\Local\Temp\ScYc.exe

MD5 e52ce52af6fbc5a90d36bbf832754d26
SHA1 6f04a3a531c1109beb38aa7c78cd3b0ddaf4c8fb
SHA256 505d13599bdaa4b572845611bcbda0ffc751ca17da5335dfd570a9a64ba071ee
SHA512 5f11d4e1a2233e10acde1ee8e6098464d42f1a641e856f367254294a810cd9e69d0c4561529ad629504368f556e39f7131a96b512e7d7fca4d04286ddce9ddfe

C:\Users\Admin\AppData\Local\Temp\IgMS.exe

MD5 922e81d3a6903b3c988a08eb1eeccf72
SHA1 6e518866632ef21414853b1a9dfafdd55eb0ff81
SHA256 65aaeca6e54b506ab92a466d3fc61c0f2f595f6b52ec8117d9247f289d24baf9
SHA512 84952957547de62656de34f9ac6da4979c629f5c5073d1f35bd94de77dc6bde11ef0b16fa25633e5fbb04161c698c258375cb4365212afab27a49949f46e1357

C:\Users\Admin\AppData\Local\Temp\QQcs.exe

MD5 f1ba606773d53217a759cb5387eeb4b9
SHA1 8190ed2cebdedd3197ece9a0152667a9b81997f4
SHA256 80370cfeef9270b695b94131a4fa40f9595e4b56990f801634984919af63b3b1
SHA512 ead5048db9ded47ecc547559bc5048a12b0b4362f327369e0a7577b21841d9ffc727d4bf0e6030ce2868b892710cb96dd3c41b53fb5ae54cb77cafe7e1a58df9

C:\Users\Admin\AppData\Local\Temp\gMcI.exe

MD5 c91a45992784753f04bde47b5e211c03
SHA1 133d99f60047a4c3ce8b1da64a01bb4202c7cc25
SHA256 1056a02e9c3e99a8da364b371d14460a25f91b3d02ec4307c045b508fc63654f
SHA512 74768f5dde7526870218d17fd97f210275d3079282823bfbf2f356c1cc744c8a85f59f4357e06ddec9f10b4a5582928d8f82cce73d287beca5948f70209cee65

C:\Users\Admin\AppData\Local\Temp\OYsW.exe

MD5 99c7243227df70cddd1a84cbdd0c1c1d
SHA1 f9ab3311fbc32943583459d9600893c4346d01ef
SHA256 e958b15e7140f35dc114a2adcdc54ee1612027fec84e7c85b84e5ce4a5a9a6f8
SHA512 6e88c9325cffdfe29343bde72af7a83d235cbb88d518698c34486bd07410ae81cda95d67ab3d49eefe7cda44130f5815241fb63aa37ac7ab6f5728e4d089f8b1

C:\Users\Admin\AppData\Local\Temp\KskQ.exe

MD5 61ad3d9bbaedfc6b0dd93c37585ba7e7
SHA1 4a5457117187955a1e40cd4059cc35b85ed4df54
SHA256 f4eeca427361f28fa4752f0050cfcbda74ca95747b62e9785fe4d80dd7f38208
SHA512 5ab60509424f34786fbd8e8f3e5063f1301ac9da79a89b865a8c3c430a7ff6860aaabf80402f3f3888c7ac48c423bebc1a017dfe4353a6b83f67a87bc89c18df

C:\Users\Admin\AppData\Local\Temp\MoIC.exe

MD5 44a972f453f535d603b87a3e86c25e83
SHA1 317f9cc517b63f7644925f94bbaf0ac8734caca3
SHA256 228e4438c235418ef32e8bd3b539aba737948dea2979ef1dfc927f34e94d1274
SHA512 cc78394a5839f5ead3757d3bebe5703f6b7ac7c024156706e7f6c8b7054cc1fb4905bd4719379303c1638470c9527b7ed50306636a01a0e77efbee00f47e4514

C:\Users\Admin\AppData\Local\Temp\soUO.exe

MD5 c60d22e69c27ab5444759e5ae6e0f882
SHA1 a8db83c2facd1d7ce5458d8be61deb623d549b6a
SHA256 b10ecacdc537c8a6e60cb8a3f3336351faf130c8db75a350b154f6a1174da6a3
SHA512 19b1e81551a3434f3b502d0dd43299913d4fc7adf2535d099450634b98bb2fef09a0283721d4a2f5a1acf53f06597befb0e53702fea51d2a4738ed840e6b9f93

C:\Users\Admin\AppData\Local\Temp\cwcW.exe

MD5 0f4245fd63e292fba11050a7fd97b72c
SHA1 716f916ef208cf0503123e2d236959953316ca6d
SHA256 2a214913354da20296c68c08d1472ac09a19d6d60651a7e942fc8f9e88fd2156
SHA512 c6a80e33b017c56c8736934e1b3b4e42eea1edaf0e255a205739527cabb0e8df0715d7f10e6c4e4abd4297c3ce10cba3fd1bd779d0b3e3a5d95b47eb800c444b

C:\Users\Admin\AppData\Local\Temp\aYIy.exe

MD5 f15b36902522e505ba93457d404a76cc
SHA1 08b0780beb4f42b533eece59c259f94ef3abb11a
SHA256 99ac5145e23c94451f0f32c7e29d880dced582ce6364d0c72db0e0fd99650e8c
SHA512 5b262bfcff09446eeb689f59a7af02313eb7b3f93422bc6aa4638d51313af0f138676a6b8a832b3c3df8ccc476827762e0a21c4994ef9fb0d926e643aed0c599

C:\Users\Admin\AppData\Local\Temp\QQsu.exe

MD5 c860ec447039b62ac25a6fab5eb9e9a9
SHA1 cf52710c9b0fc5ecc5b6d6ae2020c539397f0b5d
SHA256 55610755c2d77484d5fbf09cc660c5203bd2291bf20eb02ec7bf4bd21286d9a0
SHA512 b791fc61a12fb6dd591d9d345796069d5c8a26acd0e55cbb665bcb135652577deb697744858e67f0cb6728c493a134959351f82f126675bade9fbc172f082892

C:\Users\Admin\AppData\Local\Temp\MgEQ.exe

MD5 15302646a3a734c9754ea2fb592d9855
SHA1 fb8678a2d8403e0eeaeeed9db5372c9b19fb9feb
SHA256 fda361469978331d83e9fc7c1b4a945c2dde9545ebe361a81461de860c0fed76
SHA512 91de34bd52f6f3b4ab93a46608c706d04a5e76f3b78bb5eec326b1494881c57059e2bb31289b4990cc86202cb36e5cf39327b8f95a326e62d6468cf9e1c8fa36

C:\Users\Admin\AppData\Local\Temp\EUMy.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\iQIW.exe

MD5 9e737f663bddf9e856b15573bde43346
SHA1 1415bd522a51ff021e5c6871538378181087c0b6
SHA256 fcbab3652be5dcc8f999cf46ceb552c988359da3a428052d3046b204f6c3d496
SHA512 6728ecc88f1f55dcfe4dc3159afa146d4e6e45c45baf1eb7133d591fd9ba6521d52bf755eb5182ea72434d2dcfb0129ef76f7e882fa0852545634895d6548bdc

C:\Users\Admin\AppData\Local\Temp\wMQA.exe

MD5 35184b17ccb5bb8051d83dfeaa4335ba
SHA1 6ec36c9a219c5cdbf90e21923cab41e740e71db8
SHA256 15954ff935f7d8c607c55cc09d5d52eaf9e4ca068303e2096ee786c8b5088046
SHA512 b69501fe1bfa57a523287e514af822bf7788975dddac9011cf7c08d910e4276c8f16b73f3bfacfa2dcb7d59e6c011e10ab02e5521ad21679747f7197b2669e68

C:\Users\Admin\AppData\Local\Temp\UscW.exe

MD5 ef5f192ae61fd13b762a76e03d4dd781
SHA1 8475294ad8814d08b09a2d4bdd36f1f78178ebe6
SHA256 036f8ee7f382c5d99e31e322100e13e79d5e1cd1621a66e67fd3b61d5389b1fd
SHA512 173dc74282e4e73fe8315828e5f7668e3faa68dc4624801b060cd10c4db21cc58c5a27a8c350e26658d549453b2514e479d590a69e725f43a9207200c255282a

C:\Users\Admin\AppData\Local\Temp\KUki.exe

MD5 6a3393ad77eddabb57b7dc0a0868f9af
SHA1 ca2f962e9a01068464d98e080f21852bee244870
SHA256 ad5e4bbaf730be8cd382ff929de35b33022af7592b2e1147c201ef28f5194f11
SHA512 d18ca9856b44f5b106927725e1514dfb7860d99c690e7e55343eb3e8480c7dd7d184d2323c6a1498beb6f738415ba51b93e03a57ed692cf85308d631b60407aa

C:\Users\Admin\AppData\Local\Temp\wksm.exe

MD5 c0cbaa32f72bb2b3834262c2723f85cb
SHA1 ce6c67f77a4258e589b96ae22e4d63b27b2ad1ae
SHA256 252ec3309f55d1a4d1997fae63937c26f7efab94f4af64f9686d2e280758a4ba
SHA512 51464c3a1fe749245445c0be801b52a5ba9a76b3c09b20f635cc8081e9cb876c79c7b54466c15e87846cf1eb843a60228573aa8ee2c649fa468df7ee7137881a

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 cccf7efa276d014fa5ac0027b33f224a
SHA1 313f7f1333a6c6b223d69b26749c1c90ff3839ff
SHA256 53fc947f7d13e47f7396ced199be0f9df1d15d9e1eee09c1aa0ce8fb56155587
SHA512 f1a6f0ed5d8f6c5251a109ddfcb9e00b69072a2c60a1f6df33aa80a1b80eb148d41740f5a0405d0ebe670033a60af977c036a48dbb57cff624439d2a3418a839

C:\Users\Admin\AppData\Local\Temp\isIC.exe

MD5 8651010d3303bd27e5a8d8e33f7796ac
SHA1 5cc05864b803cc7e0418c07199520c56d8f3db9f
SHA256 40d7ddbf1bd175b7892de2428653636d3d1ff903206ace6061a1da52722413ef
SHA512 8898054f11abd4f4754feca76393c79dc4ef889e0e314c691808b81eecb7ec15abd23065a8df8eab360452e26e823e8144e628e0bc5069c1c1f95c714255524c

C:\Users\Admin\AppData\Local\Temp\GwMA.exe

MD5 9f04c7b4bcbda773a4aaab33c7a11498
SHA1 d9fc0950751e27bb80e0c8a66db786de4151c838
SHA256 d629a622a10c33507b485ef3ebd952393c1b262ffe3d8aaea95586fb54ccc0da
SHA512 fb9c9e6d8c2fb8d795fce6b8d638906c01b764f6c2b3cb44aefb0f993973b9748914df8148ed924f27ac11299fcdcf4f5d5ace145bbeb215afb091dd5ddbebd1

C:\Users\Admin\AppData\Local\Temp\gwMe.exe

MD5 3f06a31c078d6b5cc68f04a5729f7e10
SHA1 3751b9a3b3c756c957507de9f1c2717e46515f81
SHA256 52f7af0bef48090f82153c823c8398591eeefd093edf1046aed54f7298fc8c3d
SHA512 ac783c213b25cb8a699ab34909ef5a14471cfd935c2bcbb7baf07c038620792d63088755930099527e1d510708378bd8dd469e8578c969061fd314de88de412d

C:\Users\Admin\AppData\Local\Temp\sgUM.exe

MD5 9bceaa2d78ecbce83a95bb44e2216a56
SHA1 6b096ea25c9765473f98e913afe5f421afb22eb7
SHA256 8e710945cd579c3a1fa2b72fc9bbd50e36ccf535b1f3db90ff11c9c5961f4e2c
SHA512 ff70c755fb36dadf5c39e49aad00b5039032abdfafdb320db7d3998b2a87337ed35c2934d9785e653846119abb88e962546d66244150998378ec8641a0188f90

C:\Users\Admin\AppData\Local\Temp\QAcg.exe

MD5 51c9703ac4b6de9e91fc0656893254dc
SHA1 8fa480ef41831e9d6d9c51cfb7c61a9211164294
SHA256 0127a46004a1a43db7f442f7b16927793e5be98d4911ab940ac06c21fb4523e6
SHA512 74a1469361ce081a73bf45d08277642e9ff31c153e39bb1e1ea48d1899594afc6804c4e05323558401739a431eecb76ec8c3714985f867b75dbe6c04d702107e

C:\Users\Admin\AppData\Local\Temp\IoUi.exe

MD5 139915a138571e71865fb3193c9e9205
SHA1 46d931fc5acf29ffd0b7f4199a1d1ec546d7d53b
SHA256 f4b36fbf54213ce7033d0cabac6ed111fa7690f9211127e450c93a6944253a66
SHA512 957084b4786fa65517dd2485927eea0affeb77ab908dd1aba48ee55cca5864e02fa22d4e33e8b38e4c99ac38c5d3967a1ee9c70266d9c3bed3724fc323984811

C:\Users\Admin\AppData\Local\Temp\EgoG.exe

MD5 87069ea29d8626c19fd069e16af5fd34
SHA1 ec9198e3185d8d8b924692d1eb9d8105be3c5872
SHA256 47e11e2ab3ec428004db0130c08a4475c32ccab35acae9a0ed39c87bd62de1dc
SHA512 8463a6c45e828176f13930624a9668a6480bbae1b4c5e63f1c8f83be815b21e73d97169e658ee60eaf2327bf4b21fcf0007b1c9792e540b7c987f60ef0b6ebd7

C:\Users\Admin\AppData\Local\Temp\WEcC.exe

MD5 d26b29b3acbad04ac72d92086dc0e5a7
SHA1 2c463216f77e8902126976bbecd8f18c4130f124
SHA256 a4eaaf536ee30cd5974ec2fd6db6c3682e53b5dff7fe5703a3876283a3f4fd4d
SHA512 8ff799099b2b2036d101a6740ed57cdb90bdbd98c4259f270eade9f2490c5ccd3ada8e0359406eb1eba22ea92608432f3c20396b3f16a454a2e1d2b24325a695

C:\Users\Admin\AppData\Local\Temp\AIMo.exe

MD5 09933e53047637aa3ca56899b6061414
SHA1 4ec733cfd5f4e3877eac9f1f991e41e6b870fcff
SHA256 6c89a1d4b3a3f51b70b598cc149756e368ab817ba6afddb67617744eaa1baa2a
SHA512 721643f280d8b2215b987e31fd5cac43075a160b7155e697c65a674df5466041c604b7bd70ec66bc5dfa550093e5486089da811bb092c0f793db7c2de75e939d

C:\Users\Admin\AppData\Local\Temp\sEsg.exe

MD5 398671a3197f904858147df2c332e07a
SHA1 0be13f1d71c42cf7c1de5c3cac9ac012db1fa37c
SHA256 56950cf0823e6bf1841b0c08c7de9f0c0820338a92f23a32e9273a8a7da1f979
SHA512 30d5e42682d4dc8635e66f4fdb4b2af367d489e9e5616a6574df01b566b3e29cb213c61c0488a325e0e64b72434be3a3d7343674dcf6005b7d67bd2d03a8ab7c

C:\Users\Admin\AppData\Local\Temp\GYgM.exe

MD5 9a6ef2d920aec83726473ffeb05ea844
SHA1 a917f28ed8d3c8fc8c26e607ef0dd23bc70d320a
SHA256 1d4854b813814bab96cbcc8cfb9ce228984172efe68796f1f5314d51620d9efb
SHA512 66c1ea7cfb7eedddfe602ab97e692ae66e66430d496602b8974fac23b64f066132ac89a577feb1b71302a2df15c85ec744b093cda1de1080f342653c27477ec3

C:\Users\Admin\AppData\Local\Temp\IYQi.exe

MD5 617b82f30380a603414a277a0e575731
SHA1 004243563704cf54c1360f544cfdbd0b6cf66c4a
SHA256 72c4267f75acab0e025a1607f3a2804bd760352435cab1b3249cc84b4ae48707
SHA512 28625c66ce7f780910e5def064b87fda379c3143205d27657c43002fdd7ff00c7fe1f2a22a1d86b823f9af3d7246d2a67ac4e4f17b790e9d913c9ae02e9d268f

C:\Users\Admin\AppData\Local\Temp\EcMU.exe

MD5 97a384c62f02940221af3bd770d642e7
SHA1 a31b0b4e3b1eb81943cd5f69d702a053db8e2aa0
SHA256 6961f4596e8b291a1630ed7b3287cb4f8c4d86ca3c282f1c38d4c77b0e7a7b9f
SHA512 3e747abdedcb6f45db8169c0aed28cf0080bcb2a55f431589a191a0cc615e1ed3b778d802e8407c963b79d2b58676f2852d510182702289c92f11247eb0ef658

C:\Users\Admin\AppData\Local\Temp\qoEk.exe

MD5 1d2e9e730f6ccee24e0f62db8ac7410b
SHA1 8373ab65e85f56e283f6000594228d988dddc4ab
SHA256 ec8b57df8200b35b8c0eaa8a20361101504daed3d721837918f3a31bccd2ee59
SHA512 076875f65dc36d7f1076c0ebc413cd6fcae8f6c060b6ee4d4db8c27c0670d287a72edd16dbb09c3ed3962dec60bbc2d903b6cd200ab6e3d8b9e37b08bd493dd6

C:\Users\Admin\AppData\Local\Temp\sgsI.exe

MD5 9e33a9647dc441cb367b979f1dc01e1e
SHA1 c811a534201b6fe912520afec43acb511c4f7b17
SHA256 f5897631da1f2f32600be3d1ee00e33b6c17662777b34aa6b945d9add461f711
SHA512 84b9153442ca8cd09fa8add4cf7c8aee6ce410c5986240ae260d8e2e2ea743c35d9e54f3916a858c89a679009c89c098fb29960ff84c456456d0fa7a41858a27

C:\Users\Admin\AppData\Local\Temp\KgIW.exe

MD5 63d164ad7cf55591c8c4cd6107d25778
SHA1 2f79ce7ad00027166dd1fad6cc0adc651ed065e2
SHA256 9f3b46cc0a21056c5ac89466968dda506214aa71d4ffdd4c5e2e17252787ee31
SHA512 6781439212f4de9cde5b9ce576abcc096556544fc1c819d8e8cd0c133055a44eed0291aa22c4ec8e0ca1ab91b1971257443382856ca1c6daffebd47c08184bec

C:\Users\Admin\AppData\Local\Temp\qkgo.exe

MD5 05449a23022bebe379b92e8e1c6f1f5b
SHA1 60000b53539aa9ff0c6e49486fc31ef622fac7e5
SHA256 c61c56f2fca2434fde48e0350522e291b8cefa7ad10be85bd23f2caa08d4ee34
SHA512 d5209a76a64998e2fe5c43a68d24dd67ef673c2a6ea31f7064b8c4c0fbc83cf2616a3eea6a58ae96f76a704e538f733dace843b4450087c5571c7604b8104555

C:\Users\Admin\AppData\Local\Temp\AIkq.exe

MD5 a1ed7b4aa1207ca02eeba39c7f26cb13
SHA1 e3ce92e06caad16d8faa75e9d0b9bdf98ecdeed9
SHA256 45ca5ecddd8440aa58fc14ed231a136d08209ae72ddc6a8419113dee6eea2713
SHA512 755bdfbd5614455f9fee64d4433057cf1463ab8fc9ba0fd0aefe184648bda216e59bc42d7213dba78fdcdad84130d13b2215a47d2d755e945256a7747e305f50

C:\Users\Admin\AppData\Local\Temp\iYAE.exe

MD5 3e1e6f0b6971dc9b7f25cbb0620f80c6
SHA1 867a880545290bab501b21fae3fd0b111afaaa29
SHA256 d312f7182fdc9d22bf68bffade199a772fa8b6691de96fb51c96e02269865c93
SHA512 3da8fb2655d3ade123d84d791f882235a006e40432f8385b268214da85f81b45664e6c600e513165691fb33c17e128611a175a2fe0d4dc4c10ddb4f8f953c1fd

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

MD5 dc1b45ca947200dbc444e9c42f3d8f57
SHA1 46291042ff959e7cfdf5f348e9ec94d9a00371f2
SHA256 d7b86e72518f13ffd4751da4173b1bcdb3294f51509a1e124d249b4b9d23703a
SHA512 c322bd0cb4b16697bf95078a3ca96cf7d42f2cbd74c84bdc0a78ae6fa94651ab63c50891218e2b5d4258d9f6224a6eef4238357c59b80aa26d1efd67a929986e

C:\Users\Admin\AppData\Local\Temp\UYIo.exe

MD5 a997bde0ef9b9d11216cbc581e06f991
SHA1 4be24825a9d7b8713012c5c599f83d107e85c815
SHA256 8496974c04e087db6215743ac7f330c93426905db7d54e78baaed0c88e992172
SHA512 9f7de12e41904c0d14ebb29202d2215e0fa64967c407cff5fd028231ff561603272137ba316721fb3362b0344cd29c857c3fd5ffdf1f021183231afc9fec4ab4

C:\Users\Admin\AppData\Local\Temp\GQky.exe

MD5 273591f7d049fade4ae9776bba833728
SHA1 716d33b9a45d0f445ebe64ee07fc63406affbbc7
SHA256 7d31dc1596d4913d2761fabbffc5f8ddca5bd7abb846bda5b0b1a4f9c112d276
SHA512 ffe974a416b699b4d69178d099cfd90347715a7edd4b03f0582c8fac24c8213273b7d3e86f51da97e9336754e00bbc0b70f98c86f33e871982e9f88937fa4653

C:\Users\Admin\AppData\Local\Temp\YIkA.exe

MD5 30996bcd24c972810e1d263d323530d0
SHA1 4b5d90ee56b05c68af3a04ff9d94deb6e3149e5c
SHA256 75321f0da39198182350b4fbdfa73bffe9650f9c3cd0be993920c462f5c1b6f9
SHA512 5578be86e3329f16f8ed1553531fd3dff7bf3b8ffa06aec73820dad647cb34233dd7a082940918d0e46f8c4f8e001edc03f046b02bf8465e3de31cfa8f482655

C:\Users\Admin\AppData\Local\Temp\ccIu.exe

MD5 a69ecc6d868fc0bd558960b4e616d7ce
SHA1 ea1cebace780355679e65ba2cd48521ebc60f4de
SHA256 1d6fa47ffbe5dd13f2852d47a4c15d6fe37a252559767a190e11ff08ad58b860
SHA512 1a19d498f193cdbaa187c096bb43bbcd8257a8250ac42a543b8d5b7746aa1746e705fe920aff9849c95cfbc854db87a0a1eb032526a3e84528ba5b9657d30aae

C:\Users\Admin\AppData\Local\Temp\AUoe.exe

MD5 547f69163dab5f5886b5d0898e026ad7
SHA1 dbdb783accaa2ec63d36fc9b83b6038bc5d3faa0
SHA256 c401a104fc93f26871be9b96e7d1ee1a6b3924597a9c17fda6f114b9a2141297
SHA512 dc7995da6c78409d4e0000a4b772bdc1ea302c1f33a2b90668331b7c6ad54ec1338d8093ce137bc4f2bfc6e25a7e4f50cf2ce8f27605791e2ce6315551b73efa

C:\Users\Admin\AppData\Local\Temp\OEku.exe

MD5 0618d8189b5685f02b2e4d6356197d04
SHA1 28b5dabe5e45bbedd2859e564a4e540ff9802f33
SHA256 f70f96731caa8135dde9c80d006bb5a2cc3757522eff414193a31a45b2230240
SHA512 a39e1f26335af222749c526be2684f7fbef62660ffbd9b6615b34c995d9a2960d071fa8f76df6468b1b4eb2c9d1769f27b602efad8170b18177ac0433795a2d8

C:\Users\Admin\AppData\Local\Temp\ucQa.exe

MD5 45da77e86011015a571f70915b148ba9
SHA1 948d0929a0830a9fb40d2ac1ce025b36514c374e
SHA256 bf8f650f61d691f9546ed8f2ab3a0b2a8e3f5ed4bdbe38d29cbf06e0a4f2918d
SHA512 f90ef7505938fd55418c213f924bbf9500586fc7fcbfb003d7fbdc7d4987550338e9117e64636bdb1f39bfc572aaafe6b50b399b542f7b4b433d53ad2f381ceb

C:\Users\Admin\AppData\Local\Temp\YUMC.exe

MD5 749a6628a0b55e089185f294def27090
SHA1 f68c5eede458117bdf7e11702dd376bc6f834f79
SHA256 aff151325cbbcb55f78bcc1fc5fe71c866f674833991224c8606823db9bdb83c
SHA512 54b03715e9c40c6c16c429d6f15836e6a16b80d515b5837a531f86114017e7c05f480732b231f35f9443b57ba68cefd6582301501c233b47eb1c077a6b7823f3

C:\Users\Admin\AppData\Local\Temp\Koky.exe

MD5 100609f1d18eaf310a1a613c2281fdf1
SHA1 4005b2e06e95cf95e3c8a11f0bc76a2d24bdb0ff
SHA256 d1e5fc6402524185972f5d862525df63f12dd5d996aeeb6dd72232c2f26a1e18
SHA512 278570c3fdfad88aebd501f54bff1ad3c10a567de520214769f8c5bd2be6c2be1c901f78aee3e2aa02d6d01b475389a6edd6acb917f464e9c99935c0ecadd889

C:\Users\Admin\AppData\Local\Temp\UIwo.exe

MD5 dbb46c5b7f1e73dd1eaa80f9d7957012
SHA1 47aa124534d9a5a96ca5ecd8e97ab173f7fef45a
SHA256 b8e9b658af8eecbf9c4569a50955e0f67ead9f5bc3b8b8723d656417278d0d6e
SHA512 0ff52d2f845dbac5cb4b6af639dd0c4faf100edd7f0038e3b934760848a413b66980caf3f1660d89eed8210a79803c94ae65a1aeb43b2f61ed7c42037c3ea663

C:\Users\Admin\AppData\Local\Temp\mYQy.exe

MD5 3e55c7fdff36ed168a15a325474a859b
SHA1 1ee747837e6b61230f49e28deb0e602bf20f65ff
SHA256 befa93e0d7f1d41e11cfff7ed285219b7d918eab753bcd8343bf9a9d9cb1b773
SHA512 74f67e1a0550296a4f26c5eded1c9b678b3936d365bc0423bd8dccbc38e5aa5f6469177e616df5d27936e1c73cdaf0d5afc6ba2a95ee4ad58d8cb1bb1cf4dd04

C:\Users\Admin\AppData\Local\Temp\SAAo.exe

MD5 e62f428d239067f6529e0a697009db85
SHA1 fecda0082674981005ac9aa27e7f32bb409796a5
SHA256 cb92565f862fc7d76ea4b7fc0c841f0b42f7436cd5d01eb05131fb8300c90d74
SHA512 51de0766aafb34e46770d08407bae7f8790914bbab6e34569e7615d2e6794e519b7804d165a906b91fc80f9d0e01a0cb3ed439e5a112e5e54f42d1a06435e200

C:\Users\Admin\AppData\Local\Temp\Qwwk.exe

MD5 f98534ce7e60b418777cc30107135079
SHA1 ae76660fd260f5f13c60f651c477ce7a85d9c6a9
SHA256 e28c4cbd654d10af2aa2f93dce9ff7962933a37056cf083151ddbc5eea8aa60e
SHA512 a6e4c6de78597a8cafc6e94c3beb30a5f974b33337ba684ab34c9e77270ffb08262a7d41811eef2e5b6dead17108cdd8f0233becaf1a9afdd8ca7199d2a20958

C:\Users\Admin\AppData\Local\Temp\WIAK.exe

MD5 ff3c02841c946fc37215b68e9a271c24
SHA1 60b324105e6400b4012277ba316fc8c979cffc69
SHA256 c8e26a2848765698bd8144b87230f556936a84cb7fc4a384f7747f4c126c1c08
SHA512 69a3e620c7247d64b975b3a134b70a3ffa9703ebbda66e885371e9b2fc2c341dcfb4df9892813a185686c5dfe1f57a04d2c1ac54dca47064c996e064be7d075f

C:\Users\Admin\AppData\Local\Temp\cgYs.exe

MD5 4848efe6fba3c11700c138062651c1f8
SHA1 7002a72f6fe194a36e8de01daf3539715dec8376
SHA256 67c287cade094e369f857a5952997428baab2e2cea99e9d69593757ed6c02a6a
SHA512 c00245350ac0905637256471787ef1a1c6f326f7f146fd860b7815aad3b3a98315ec60b9a83c05ed92fe8f8ded6e0a83cfdf647ca048249171b4aa0c8d291d84

C:\Users\Admin\AppData\Local\Temp\uIEy.exe

MD5 8f22d0700774c616797a16df7c063724
SHA1 e57083a88a6f42af7ea62a7ead6e87b106ef27be
SHA256 c7ec03d131ac739b45d4146f7987585a384078071584c3145809e795b431adf2
SHA512 05a7d251c9ae69822ca784b484a649ee6e18e174828f4070d573c9495d02e8724c3ce7828aabe9708f5ee96f4e7a5b90eaf36d0e065d10fe6db9501c3fb89b36

C:\Users\Admin\AppData\Local\Temp\CIkC.exe

MD5 33a329813fb34ba1d714f1bf009fa3e6
SHA1 18aead942dfe6974b96b37038e1f56596aa0f3b4
SHA256 7ad677e53bf4d37b9e6bab701a7c8624fa28bb3bc3b69d9f387065676087e456
SHA512 8ef29eee32d4c906c4edb36da3566125bf7869bbfa2f54f85aede98858fbd83c3fcc7c602be40fd1db67a300f31e012cc0d5cfed576f28b6927a0d662f3ef53d

C:\Users\Admin\AppData\Local\Temp\sAMc.exe

MD5 a3f7fb58fe8a55568667088dda38803d
SHA1 cae7a510e18e305031b84ba6a1ab5651b48f3cf1
SHA256 7917adc60946cb7fbe328c5f065486d86d0a3d82c2ded3181e476ccc84d916b0
SHA512 fb7074f8be4fc63ac02d657c39b4b736874abeca86fa95fd6a11ed814c71d57fe3bfeb27b4afaadbeb32f7621758987e90b9cd11e1ae8ec82aec3532b108eb9d

C:\Users\Admin\AppData\Local\Temp\ekUI.exe

MD5 e1260f679097de245a100ce31da77642
SHA1 cb37f2a59f61c17af6f540046e1de3017ff3c136
SHA256 3def8831a888169b19b9e03873cf78f949bdfa6a43f868db03ae10285ceab1c6
SHA512 52dbabad1efd2abd1c88d8b573c95d4bfee9a5b6e4cc237b86f5d7c356794a62966e0ce180d7f71a535055c9edcc701c22ce25c5a9376ccc8e36c0d8f0ead20f

C:\Users\Admin\AppData\Local\Temp\Qwoq.exe

MD5 7f67e67144b47b94b53140d60c8fc4ec
SHA1 d0728ee9d8ec983f66b4a154090092f1f75507bd
SHA256 ae5a1f34d6291c57982b6163396d688b7b318336b816f541f0a932231536690f
SHA512 599b412125116066bb4c858495f10a727dcaf680761a67535b7828b63ca06e9e6b1eb9dac84a41854949224af01fe9204dd678048cce87a702bf59b676d5ee17

C:\Users\Admin\AppData\Local\Temp\oIEc.exe

MD5 fc679689a802d2d22fd8565ee443119e
SHA1 90d36749c74d8b1f7102ed77a4deb388fde15f94
SHA256 aa77b986c9fbcd25de7c529f7c7c508dedb493a73ff109aee39b1c3510826a53
SHA512 898d7c427e07453833f91274d5bde80413fb7233c77e74382bcf84b659399383b361763f3b565948cc9fd17bd6770d4d6da4a0d89b2f3f7285373b75bc73c4a0

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

MD5 0b7827e2748a6a536e17f6a4743bf9bf
SHA1 1402e0fe50af49d9890881b565a01052072cde47
SHA256 f96cf0c20523bd107824b478ac55f715b69fbe14cb6fc71e147341ea7138d1b0
SHA512 9423a77b4cf248fd6ddd198ea24b65df4979e0400b98de39c9ec20dd9b907f1a8e800908a9046106e8ebf11053fc161237756c2736ecf0fe02e66f94a9249608

C:\Users\Admin\AppData\Local\Temp\mIMq.exe

MD5 df361e8280637258b46c44c1391c3720
SHA1 6a6fc887a7bed6fa7ab6ad1fafe8b201f259315e
SHA256 b17603a7326697b5ff9d9e937ccb00d2a00831e54e0f1a36c321331065aac852
SHA512 2064a7a45ee45174c766a03ddd94ffa141d9f01630ead3333e6143bcdaf11da4d13923aed561068521067045f0b3730b09b1fc82ada7b53db880ca928e1eb96f

C:\Users\Admin\AppData\Local\Temp\aQwU.exe

MD5 1c460e276fd8df3bcf616f94738c6c0d
SHA1 6610fec432da7129f1bfeeffd816c232f4e26e85
SHA256 69cf941b132a754130809e77df72e52e6832fb7876ee1aec373fbf247a1cbba6
SHA512 4ad739ec463ede3ebfa5508684029f7735577a86f8ce938a9de7d0f6eb0a16fc956bbbd6b47627cc6711b092c40ae472abeb3677dc86db0e837166db62504761

C:\Users\Admin\AppData\Local\Temp\AgYg.exe

MD5 68075f328542b589178114e41ae18aa5
SHA1 328b9fa3e451954ed639c05bc68930261c2cecd1
SHA256 8731b94615bf0000f8dc490246a3559a0af1f95e4bd91eb4aee9d2fbb3072c23
SHA512 29d28b919bd63278d8473c0eaf437127fbbe1a4289d8dc663be4c7fb67e05ac8709865df5da42943c0b3060f3012fc04f53a1f4ac1caf655efa250058e83e6f3

C:\Users\Admin\AppData\Local\Temp\cQQa.exe

MD5 fc76288c55a94d58b983e505c56b8a45
SHA1 11766a1703c2db474079ba9c774ade8d4946b4a9
SHA256 72998635eee08aeaa66cb9d3318afe34d0815f219f92370d9db36ea3cc64a954
SHA512 b20a616e322f5c51937c73b5bc59b556b4b519881992834f2f365a0f647ec5f583747d15ba78b80d1f89a4bc3146716f3af8d5bc29fe8f9f5eb694baa934fdcd

C:\Users\Admin\AppData\Local\Temp\sgQO.exe

MD5 d01c10ea6aed83e842f6fbad07ef5c50
SHA1 8b420478123721ff18d78cabbff9300f8e4f9e9b
SHA256 3b89ceccba85fb2fc1d61b70e28ad54cc1d01321be71c243910544cf2c736b97
SHA512 96e5adff52c2975aa816ba9b6e50c4f913f621eaebd8e614f908acc7dcdb6e58ef5428127165c7f72e87638f78738525a6117c833721acd6b1f781595f25d35a

C:\Users\Admin\AppData\Local\Temp\kMAw.exe

MD5 dbe7ebf26ee01ef5e2593522192875ad
SHA1 487614152a247e3170d939ecc8b3a13201ff8c2f
SHA256 372ee74ae54f6e400dada57b7734dc33045cc687d6ddcdb95a2e27272ea1e366
SHA512 5c544921e172e7c30973f9ea1e43dfce42d5d89b9bb21bd5be19c920862cb3a97da7d8dbd57b140d35b1d711588a6cd9108313ad8b93d0b6a1fd06997656ffd5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe

MD5 ca9dbc78f4dc0e3d3e4e4af4f3368e5f
SHA1 8466cc1c30058e93ebac57e59cf551bdc104a361
SHA256 09055973d8d9ab1f03d184d7a9830b8e9e4dbeafad41abfd6cad90a54fad4845
SHA512 cb2fe970bf9c0bdcf1bb528ac188d68c4cc2d6bebea1a65472352038d7896feebd2bcfdc6b099e59b9e70cc3b364f0b1831ba32a5a4493f97f05812698c5c92f

C:\Users\Admin\AppData\Local\Temp\gQoE.exe

MD5 848cab107f95df9844cccace09f15554
SHA1 d859977ee300851ea6ff6ead5d435d49f84e32d5
SHA256 cfea7285f1505e7dbae21036572bfa11fdf2423d3c8f03aac1e60c55a6845b4d
SHA512 c18f28a623ec68207f1077b2ebc3bcb5ace61268d0aef8588fc99a08243c5ab62061d76535cd97b10805bd50c6052c438992d3951611ef6514a8cc58bb33f156

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-200.png.exe

MD5 0438b45d98653fdc3fe8ad43597e03fe
SHA1 bedc2e63ea35921dc1aff7c8302fd64cd562e447
SHA256 f0e5b3e9dc508ba47663b25cd3ec8e605da4f3588ffc2754d72e759590a94cdf
SHA512 509a45b2d8851ae26cbec3ae73c553af70f36b97144c2ee58e96ccf24070ad0df91eb21cef4a04806b0f8ce067e0b526a0bc6e5f3a6686638413f86695f8963c

C:\Users\Admin\AppData\Local\Temp\ecgc.exe

MD5 29fa76b94782b415a97efe6a6ee280e9
SHA1 8f37f2b9db26069d6d55b45c8cf5caba687bb00c
SHA256 b2dfede1b11f8bd2f7bdb2b401387fe1ad21182d4e361e68234911288bce780f
SHA512 13055c6515cd08de146af4a402fa4e3dcdd4ccbc5c515185f842d8cf429a913e9707ab0c41fd1c9479b7f7bdbf225245ac8dc48ec74a41300eb59575fbfdac63

C:\Users\Admin\AppData\Local\Temp\GIkS.exe

MD5 4ee73cb502972cacb244d4552759e519
SHA1 9e842e78a409bd3b223e309353a48c26b656fafe
SHA256 ebb22845e8c3369ee3b116a4d09ce6648cc845cf42b224e2653402b074a2d5d5
SHA512 d0e61435c95d1cae24297e0f0ef5e378313d81022cc5d5d95cc6a5f369a39375a085b7913fc012c754c7331e94d77305e14a000c1756666fc0847c805f1e7ef9

C:\Users\Admin\AppData\Local\Temp\oEkq.exe

MD5 c0ee9224d368dd6105a348843e4b2f73
SHA1 f6873d347f4b109d697defde8fd29909f999e403
SHA256 307da79b40527e0ad812e50fa43cdcec59fc850ce771eeae995f19e2fe5d83eb
SHA512 9f1875be7f287b12e39af2a5235d28bc1205b603d134a943896f4be5d676e47568cc02777357593ca2fe16f24bb3b3a474a683e1f45f5e4706db131128ee72fc

C:\Users\Admin\AppData\Local\Temp\SwQC.exe

MD5 a440a34d1114ea6ae1792a544a46d773
SHA1 061ce1831e2e688a9edb1deb6aedd3e552f9ec45
SHA256 0412a283e1d3a8e94c42ff86d92c95d7325c2a7be99fad02ebf4054d17df9369
SHA512 f04d9b9f1fa35983d0d89be3f07bddfdf52429564a3d85aec977363d8e0da06629c527ad02cdc24a4993a51e3c9cf8e39dfbb3d267999ca72430b3635cd98243

C:\Users\Admin\AppData\Local\Temp\QkYy.exe

MD5 b0a74f16bf8d74bb64e5f61274fbba39
SHA1 847205b164918ad3acfdc8647685c660290106b3
SHA256 0b4fb861672caca58dd0e8310753805f775ad6b0ed072785abfcb14e73de5e98
SHA512 908f196f628c809c4753c2f8674153f26233c2ab3acd96c5e0374999ed2805864c828b36b0a30a1e17050c5e97839a32aa7f8f692b3f7ddbcf6a112afcc18b02

C:\Users\Admin\AppData\Local\Temp\UQYW.exe

MD5 f931333756cddfd00432e308b12aae0e
SHA1 fa8365f933312a1665b4bad3f04bbb6d2114c46b
SHA256 765a03e87c6740c29ddcd598d6a87a66c5450796adc3290d3bdf0c9d18542248
SHA512 589bcb5ffdc5ef00783fdf05717c73619c78e18e0ee2ddb194f14a7e5206b9fbf338c8e580a7adade6a7e1ab19bc90faff31198759863c95de33cbde37b9bc8b

C:\Users\Admin\AppData\Local\Temp\ckoI.exe

MD5 aa1a1b143a8f199670940a050d9043d3
SHA1 e42b5638f6a1f450a923650558ccf089cde54ceb
SHA256 f420dd17bb34ac73f230f02621926dc2a79dbe798cff25135c757381260e2264
SHA512 600c99dab76116d71a03e423e7c41b9ac3693a0861f4b8dda45ed407cf881c40e4fe6e6303c975eef3507211df4102c68c6e41c4dec6dd6a3ac164c1a3baab7e

C:\Users\Admin\AppData\Local\Temp\SAEu.exe

MD5 f7e808cca68081d86a5d402e40ff23e1
SHA1 cf8e7829a14d58117985023b6fe3d3012afc8202
SHA256 310d4ab4f15613464d9d4dc8df11f9514d164020f417a2fa3a7221c35c1359b7
SHA512 baabe5d28922854215eb5a38f9d22a673a7b269424592cc10a486526b931743ba0ec7ee506d5a80165167b849a046b02ded21daca9ed3f8756393b71c127e09e

C:\Users\Admin\AppData\Local\Temp\WYoM.exe

MD5 3bc6bc9d524d82d50a6309ca95cbfb9f
SHA1 e64d25f0c4ac929cc464b550d3ed08dac833bcf0
SHA256 fac020ef1f784d2df617a265adfcbc6120ce340b9a3c7f5a0baa1f35e0e0460c
SHA512 02ef3b3c427be1bd41d78600339849b1f9c2572aec44bc8a10ff0bbcece84edb55bbc6de7d313faec74371f83d4a6e079970098ebe7455e33f56663226e58194

C:\Users\Admin\AppData\Local\Temp\QIAG.exe

MD5 d912589ee04474cd01182cb14c649ffb
SHA1 dfa6ae2eac7e4eb9bdd965fead9e71489df58a1d
SHA256 8fefe3579d74c6d347581b52922673bc03b9baf983c3360d463539167934b17c
SHA512 ac7ca82e14f0f86cecf0249fd9a5db955ae1ba366cade0584719a5ef4721de00896371f1aac395eb51866b877e66b23065e2464045f48002813fe10d485cdd42

C:\Users\Admin\AppData\Local\Temp\ogky.exe

MD5 8e74a482165ac064521bad439c046865
SHA1 88c06daf03ae14701b396781de751a251be8a14e
SHA256 fb0753b2c1f228daabee3e823dcd82f5f5180c4cdf8ab1e1a2c31ebc50f73ac9
SHA512 d7040484d6433b5917a8c1a852e02a92f27c0c07dc758565156b97dbc5c0ab0a1060a2ddecdc60eec7b028f604d0c771c8625634d393b06ae0f7ca5cda711126

C:\Users\Admin\AppData\Roaming\UnlockUnblock.exe

MD5 ebe726d83633999ef34aff3006ecfe18
SHA1 34bfab904f74d860a279c33673232cad228ac1ab
SHA256 59e5891a40d1c1d0c4bd0bf31167e31251e89fd593b70754d1c14114e62271e5
SHA512 b2fa9293326cd6c40b313de60a54103330876b8212fb5623f020839fd2b2a4111a219c8ecc08a6b1bd8b7814ede7b345b6f08b3a12f28a48fde5281b5f67fa7f

C:\Users\Admin\AppData\Local\Temp\mwAg.exe

MD5 bbed05afdda6863146418ef673045c0c
SHA1 fed20fca0e9eb6338cfcb08f91e71ae9d052a912
SHA256 96f44e0b395c2d4171bdb7d0e3a6d1395af88c29067885a0a1f338ddcba4b42f
SHA512 c1b71f318eb382ed40ab6c9c9a676747c74e52aadf9d2bde4627531356284308753e52736fb0dc98ed8b0035f5516ccf9133804bab1212a19c8f8a858346c03b

C:\Users\Admin\AppData\Local\Temp\WQQe.exe

MD5 58f6a361b91c3b9eef33ac2418756ad8
SHA1 828b80a6568e058be388f72116a3fd038cc92c0f
SHA256 7f9db442eb480944f73ca5bec907ef0530f71db20de4cc8277f27619dbbd00ca
SHA512 98540b09cd8dd3e4fb8559cb1e2bc2a3562eceb8c5b0f01a1288f8a5507699c0f711b34ae761298da5035968c236f6beae7d6fe36efbd426f8752f66b6968b69

C:\Users\Admin\AppData\Local\Temp\qYQw.exe

MD5 6f25d993254c3d51472fa9064494b591
SHA1 389b98c7d7ee2575ee6476b034a4b61123f6e764
SHA256 9d15426c842c3b15e5e5418906e46fff3b1d5a577e814c38f8032ff0bb5e8dbf
SHA512 94d06bd22a6a07a6a310217c1cecf7dbfceafc98e01b184af2a1714e7aa4a14163e2525d8e341751f53615be0183638e3d8343780bea22a6ba13ed767b03000c

C:\Users\Admin\AppData\Local\Temp\CcUG.exe

MD5 a47b5a22017e8b39429d815869434541
SHA1 9c94045b26cf84e374f841b9f72e978f2e6f1479
SHA256 ce2467c1c7088b309c09f02b919026e645c24fe3d5bbd4f0bcedcd678ee5fe56
SHA512 cf30ae777513650d516973dc51df0fbd0e5ddede333da666e4799ac6893e330f3d4bbcd7d15f1df3c5f13219d464fa9a9541078c1918f2cc42337106f367da81

C:\Users\Admin\AppData\Local\Temp\wsYU.exe

MD5 c56f1348bd3f15e86afffa54103d8b47
SHA1 8a59c940f243abf4bfcf521d26b21ab8084358e0
SHA256 e7209a1884177dac0b7c691743fd5ee920620737b57ada8d92aad22bf8154b4a
SHA512 15535957122565fdf4a3671252e8bf229b697d5a3059f1eebc00cb7acf37c49839ff5cc8cf507690b12877314d61637016c4f634f27eecf554f9dbce5274cbcc

C:\Users\Admin\AppData\Local\Temp\cgAQ.exe

MD5 c9e02e5935e81b2b2ea6d82d4f17f4bf
SHA1 9a7b0ba2ec8ee53960708d34cdf0fb9e6f25a64c
SHA256 60772913a160b93c70de449b8d4a326bdea1b3f74a97f1073ae4eef1f75db957
SHA512 3c8ed43a093fd9d7e2d2059a50a3055c2ae950221fb505f6b243e6e799c435bb996c898c8e61c1b6c58de50e78ea581c79415e0bce2c61b610d5f08b788d721a

C:\Users\Admin\AppData\Local\Temp\yoce.exe

MD5 b4370a00a85a860bf6e3f1153e0d7c28
SHA1 0d9b895229b043bf604dda21cd68c0f888857249
SHA256 6ae743590d7d8d93012e34f410dfffe32925c271df7722932483f6869651fe63
SHA512 f67953b6c8e134ca1bf8e403e9558223cde56d975481b1c4c1a6e7318404eafd3c3325447cbb911072197b1be1ab08315cfd994946351b624f5ea9f332e79388

C:\Users\Admin\AppData\Local\Temp\YAoG.exe

MD5 90fc1237a38a97ced6eca2396d323502
SHA1 1d222cec068f2e91cf9ed5acd11d29bac00185bc
SHA256 691eba3629406805c042e381ac271107ece533198bdfb7926164573a01656da9
SHA512 e5472aa823882cae02d203b35fbc14b3e6180e497bb6569109363195608931c8cc2a18912510c69590cd5b2d629dad7764a5de52215828d5d84e66be6ca68b7f

C:\Users\Admin\AppData\Local\Temp\mgIU.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\WwEa.exe

MD5 139242b8c79e5aa56c986a2a7fba4eb4
SHA1 f21e96822f2a26426a1eb32746b00c80f4bdaafc
SHA256 4b1c2b521e32d02a332e04247f022d5b622ecfb7f98329df4d0c09980f7d63a5
SHA512 bed5fbbf5bb6fcd1f58daf08c36e5528c9e3b3105237dd672b1ca1635ec6791fad4380dbcee231eb69153f4a18d1ba21df1296c141974671085e68c8bf0b752e

C:\Users\Admin\AppData\Local\Temp\Uoko.exe

C:\Users\Admin\AppData\Local\Temp\QMsg.exe

C:\Users\Admin\AppData\Local\Temp\QYgS.exe

C:\Users\Admin\AppData\Local\Temp\wIIO.exe

C:\Users\Admin\AppData\Local\Temp\QQQy.exe

C:\Users\Admin\AppData\Local\Temp\AsMq.exe

C:\Users\Admin\AppData\Local\Temp\okkQ.exe

C:\Users\Admin\AppData\Local\Temp\eYoo.exe
