Malware Analysis Report

2025-08-06 00:44

Sample ID 240403-xkfw5saa42
Target 2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock
SHA256 a1fe19a6f8e7118773f8ed982e88ded4bb2e161503ad41428e7c99245d79ae35
Tags
evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a1fe19a6f8e7118773f8ed982e88ded4bb2e161503ad41428e7c99245d79ae35

Threat Level: Known bad

The file 2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (85) files with added filename extension

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 18:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 18:54

Reported

2024-04-03 18:57

Platform

win7-20240221-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\yakUcYwk\raYUgwMU.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\raYUgwMU.exe = "C:\\Users\\Admin\\yakUcYwk\\raYUgwMU.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pWMkUoMo.exe = "C:\\ProgramData\\DMoMkUEw\\pWMkUoMo.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pWMkUoMo.exe = "C:\\ProgramData\\DMoMkUEw\\pWMkUoMo.exe" C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\raYUgwMU.exe = "C:\\Users\\Admin\\yakUcYwk\\raYUgwMU.exe" C:\Users\Admin\yakUcYwk\raYUgwMU.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A
N/A N/A C:\ProgramData\DMoMkUEw\pWMkUoMo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Users\Admin\yakUcYwk\raYUgwMU.exe
PID 2940 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Users\Admin\yakUcYwk\raYUgwMU.exe
PID 2940 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Users\Admin\yakUcYwk\raYUgwMU.exe
PID 2940 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Users\Admin\yakUcYwk\raYUgwMU.exe
PID 2940 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\ProgramData\DMoMkUEw\pWMkUoMo.exe
PID 2940 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\ProgramData\DMoMkUEw\pWMkUoMo.exe
PID 2940 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\ProgramData\DMoMkUEw\pWMkUoMo.exe
PID 2940 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\ProgramData\DMoMkUEw\pWMkUoMo.exe
PID 2940 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe
PID 2664 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe
PID 2664 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe
PID 2664 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe
PID 2940 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2512 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2512 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2512 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2800 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2352 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe
PID 2240 wrote to memory of 2352 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe
PID 2240 wrote to memory of 2352 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe
PID 2240 wrote to memory of 2352 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe
PID 2800 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2704 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2704 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2704 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe"

C:\Users\Admin\yakUcYwk\raYUgwMU.exe

"C:\Users\Admin\yakUcYwk\raYUgwMU.exe"

C:\ProgramData\DMoMkUEw\pWMkUoMo.exe

"C:\ProgramData\DMoMkUEw\pWMkUoMo.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WecMggMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MIAIAIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PaAIIosI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jUUAEIAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DCMgQckc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pWAEEgYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qswYsQIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UucoUUAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qcQIIIgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CwEogYsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FyoQwoAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\byMEEEsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PkcsQkQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DegAMkwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\egwocEYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EUkcYAok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OysYcMcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iSQAQcME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jmAIAggo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fMoQkAss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LokEgAEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jwAsUUgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WyQYcMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IcMococo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wEYIkkUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sqocIQUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sCEwQYcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PEUoQoEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HgwIYQoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hkQUMkAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LMMwooss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-211040385314253254631915099310-555124270-2131797716-744072017-17238051671671218607"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\csscEQgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AoQQwkkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QQckcooY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yMYEQcMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1971980157-2665195559825804471957747669237545228-1475939521-243892172-757520651"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NiAgoEkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-878334310-135901993219030014592029266645-2073058527-1897543122-1643093377502301726"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pEoEsIso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TksUskgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LSwYwQsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SiQskoUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uwsYYkoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WUskEoUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OogQAUIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LEYsskUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bKMcYosU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jcsocUEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KIYEAUcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SyscoYMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iSYwMswM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NWQEwooQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\liUcMcsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dmUIAwgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bOswYggg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tAcsoEEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ISgkwgoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AacMYMoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UgowEkAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kqogQQEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.200.46:80 google.com tcp
GB 142.250.200.46:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2940-0-0x0000000000400000-0x00000000004B4000-memory.dmp

\Users\Admin\yakUcYwk\raYUgwMU.exe

MD5 2f60b135fcc53ef58f01e4f07bfb6003
SHA1 2cb10c39827397624aa746852b5a6bc6046e32ce
SHA256 92e0bb80a9fafe5b895fd984e32761ba8cfb16c36e4fbbba938bee7fecc05ff2
SHA512 c71bb976a4fb421015266abab0faa47997c6338702343a367d4b9b3c66c89e8d8e4bbdac339f2a81f86fbd2ba31e195e6f3ec06f110d43500f09348a756689bf

memory/2940-12-0x00000000003E0000-0x00000000003FD000-memory.dmp

C:\ProgramData\DMoMkUEw\pWMkUoMo.exe

MD5 652713c706e48792ba2a116b1ffa7c36
SHA1 e8aa0a70392cb99a4e0b7753f74c140991f7200d
SHA256 18901e699923b269f3620b31a08954f5a7b5f4f4d8f3704f79534b0014a696e7
SHA512 19711b7bf4a886029e0d35d26a2306fc8d7c091e21ae3b3254f9e2cbd6c522a301f3292ca90b604ec0ace69dcb0b9c8e98a6688f2bf9e7e414b4ea81337271a5

C:\Users\Admin\AppData\Local\Temp\sykIsAYM.bat

MD5 5c4fef0148d9f42282d8c2279bd04c73
SHA1 5afc6a426c9b8d073ebe2dcdea6d91a879ac9faf
SHA256 b0ea08f9fbf6aa8ae78cbd60b7d88c015d80e45e00c2f811ea06ee5a0aba4b51
SHA512 205a2b69a359596f8744ed02ee406ff4f00ed213f0688004edeef02c97cd5a9baa47d8cac5ca63371e5427484f36f9ff6aa0934ddeb4a10cf3490ebf2fd7ffd8

memory/2940-28-0x00000000003E0000-0x00000000003FD000-memory.dmp

memory/2976-29-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2652-30-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2940-31-0x00000000003E0000-0x00000000003FD000-memory.dmp

memory/2664-34-0x0000000002370000-0x0000000002424000-memory.dmp

memory/2800-35-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2664-33-0x0000000002370000-0x0000000002424000-memory.dmp

memory/2940-43-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WecMggMY.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

MD5 f2271fe569c058dc724d9b9e53811e31
SHA1 ea276fc14127875413ac387f017bd2291a987f4b
SHA256 bf0074851e2435a255b512e502b831ed2c456774971f8fc57004d597769364a6
SHA512 c324428534f64879aa17b190206e538066308486d95e9fa1b8b7238bc79067042717c232034ef8926376b72d3123be169852b05bfe58c7f69887245d91e5b53d

C:\Users\Admin\AppData\Local\Temp\CYgoAYYc.bat

MD5 c835d1c47826314c76df708a4349a6b7
SHA1 4a6e127af91f011541809f1e73e4e3e984f4354d
SHA256 7df412365d860ebfbe954e8c177118aaa3f5663de858fdc72e061b0968309aec
SHA512 955e7f03f7021a3f29048e35f42a555a5cf85be0a84a4be8e1d980f0f232dcb678e43e370c421dfb2af116fc8b751f4232c82ff4d6ec8a5c15eaceba3a04fce7

memory/2352-57-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2240-56-0x0000000002340000-0x00000000023F4000-memory.dmp

memory/2800-66-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JCIkQgkI.bat

MD5 965014a9be90857195b5a2e7106e0870
SHA1 0b597159e0e3931b864f7c409f34503893d1f75a
SHA256 f1836f6622d4294eeec32ca6fc96e24dc84792834fe3701fa0790f450bea147b
SHA512 e03fb3e5999aaaae2ac5fdc301e78ef4c50366c2ad9465bd94998f8f1a4a83c8a33434231f9cfc239cfb83726aaeb244fdf5e99011b67506159b66eb7f905510

memory/2216-79-0x0000000000260000-0x0000000000314000-memory.dmp

memory/2352-89-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2216-80-0x0000000000260000-0x0000000000314000-memory.dmp

memory/800-90-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xQgkcAIE.bat

MD5 a74d9f59b3462e5696636cdc241a1438
SHA1 7a3a922762c83eb6035b54f79adeab0bbfb088d8
SHA256 b85cfbbf4fd2bbbfccc2825284dfc4a2f3faaae6f87bc7deaf6fabd7089e8d55
SHA512 fd295cba20467e973c98c649a377a84f4c877ff83f58171bfac0b06617a4485509a5237b5bc1700e137dd66fe3bb51722f20213f56da3fddfa1c3ed37583adb0

memory/2760-103-0x00000000003B0000-0x0000000000464000-memory.dmp

memory/1760-105-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/800-113-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BGAgEAEE.bat

MD5 cfe7d9f6eb26b4beca940913c5e01a93
SHA1 dc8f4f542b9f4ba89105485b0cd766e475b847d1
SHA256 71c87dcdc3b226b4c080a9426c68a0717924176ab7aa050963da701d6b463bb3
SHA512 39347c969773d2445aca1b8bdbcab9d5040713d69c663c31cb2072bee28e524f521741b47f32b85905fb12159fd18da5c164aaa91d28959e2698f6881178cdb2

memory/452-126-0x0000000002390000-0x0000000002444000-memory.dmp

memory/2152-128-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1760-136-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nqUwEcss.bat

MD5 855a43c6f535c1752a7ebd5b6b270400
SHA1 551dc572bcfc5b99de25db7ff250d5324acf9f65
SHA256 98843b55661458eb82b632aa5fd478c9fc8c085423434213585c62593a351d57
SHA512 556cc127a50eb580711a25bbe6040356daf5163d5994b3cd515c6a663adc12ad8c80a4f233ce47a0e8c36268e5eb140a61a167320ab48bfbef0fb3d1c7a6f991

memory/1524-159-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/904-149-0x00000000003A0000-0x0000000000454000-memory.dmp

memory/2152-158-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kgUMMwIM.bat

MD5 f833033a140f55690c6b3119787bec4e
SHA1 07db1e900c659026f92000a1a9d4dc96f56681d9
SHA256 d978a5f21fc25eb90aa76770274ba46f815481e3b22f9ce2de64265323fab549
SHA512 0fab9d658115d8ff7af1621f3280594f735ad4251eb6298f9ddfe31e60b1d254a295eca7a296cd2530c33da75ca7ed0c0180318e375b2d05ecb96b01f7292d0f

memory/1524-182-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2620-174-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2680-172-0x0000000000420000-0x00000000004D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CCYMAkEs.bat

MD5 15a02dae27a6953e0000eaa18630219c
SHA1 7ef84078c8a60401b5fe234acec10ac119b5509d
SHA256 081c53eee821e9eb92d08ce4af7a58c1fd9e15ce0def1cb2b974a4fff8f67428
SHA512 d3138e2c7ae24e4b5288fddb393f3e28a07bd3a5f7a41f200b6fb407cb0122796563ef43d5fc5781e2dae62e4e18d17186b58bc0092af7ceec2d1f0b2b5d5d27

memory/2524-195-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2620-204-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mSEIogQo.bat

MD5 e2ddc5a4cfd7c3ccc3317cd7c5c58397
SHA1 860ee70705e0155d9bf45ba5acf0800757e75d6b
SHA256 d85862dceaade41638ef1b8252811533e8c6c4515eadb79eb25ee9eedc9bc0ca
SHA512 2c627f7ac1275d7eb392e91ef3720c10c0ce3b939e32dd0439917f9be86a509d48b37bcbe094f2615ed1508a284d8dc2ca0e814551d4b45ff949ee3099a5bb9e

memory/2524-226-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/312-217-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\giUAYooI.bat

MD5 e2a3868b22aef3946847d0ebd042f6c0
SHA1 5478e337ca780e07a0bdb855111cba508d94e30f
SHA256 cf47cb68bbdb5282b3f743587c456e24dcbbd434b93625214645d6fc9607a8cb
SHA512 bc6787bcbe8813ca495373d63cf7328c7ee02056fc66b81ae7392e02e0395cfa0226dfd5d3f125e25477034e0e7ea72fbbb9dda90ece16b9cb6b005a3e56a329

memory/312-248-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2996-239-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QiwcMIUU.bat

MD5 6b5d9859112f598f7c0720b3154f946a
SHA1 e01b72481b9a4ba4384391e8022263089a5f81eb
SHA256 a546ec66b7935b2d3abb34cce275d58ce57c2873979e8a2565d2d096982523ce
SHA512 f7194246a84e23c18e8af5d53f54cb98146c6480ee77c798d2f7eeccb6192efdf3d255df441363b76cf7a3cc6b6ba1c243867608ab3b94a8bc4df75729dc9eea

memory/1504-261-0x00000000023B0000-0x0000000002464000-memory.dmp

memory/2156-262-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2996-271-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hEowYYsQ.bat

MD5 a67237f6d652110d6a55c8688303a3e8
SHA1 6dee56187cec65a2a59646511ed420668c3a04c5
SHA256 c72ad1678a1db14f6381a7e93038f66880e422d7a0a0b43560edbbd4623df4fa
SHA512 0f5ebfbd7da05a0ac667785c6b87a30e4f73fbca50a2dcd14709c8accaf7264d409ce4433f048eb1654583b87382b17cba0a7ba2bf82c76eca26ecfe249b21c9

memory/968-293-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2156-292-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VEAYYgAc.bat

MD5 770a587bf8b4a5771b276fd0733cf02b
SHA1 f6f2bcebdfbb38b215d5c2e2a8d004856d78867f
SHA256 3bcd8665626d1dd70536d042c00fc5d4d5f604c3b813596c456b2b91d9bc3bdb
SHA512 7de8ae09f097349f814b1ce11dd8400ceeab3317f0190721b51b307db083ebcbf37dbc967678f31cb03b843c9e30c52df10cee73e05cfe972916004f676e414b

memory/2932-306-0x0000000000160000-0x0000000000214000-memory.dmp

memory/968-316-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1628-308-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lIcoUQEo.bat

MD5 0a00d0ccd3ffc0b11814835c67d5780d
SHA1 1593cfc5540a3f0adafdee1fa3b0bff43f4221c4
SHA256 5de479318bea3fdebae9ccf8552eddd424199474af37d3c0d5ba47b942b462dc
SHA512 d13693ade8539138a9e4e40fdfbd374b3085dab5c122c66a84a081c01ce088dadfd7c0d085573735c034c7a5e27c280dba0d743eb8eb71db63187484fde8a0e2

memory/2472-329-0x0000000000430000-0x00000000004E4000-memory.dmp

memory/1628-340-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2584-332-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2472-330-0x0000000000430000-0x00000000004E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vacUEwYg.bat

MD5 46d2aab71f9e99b782ff6f0a84d66110
SHA1 3371ec9accdaf2e590a4aef55161e68135b45972
SHA256 9b1a76f8a094b6d11f7f01d42df656a5d5db55b8f521661bcc2c59fcf51e3486
SHA512 ccf53619e55c084666583f6fc9830273db12ffab8fdf43f39a349434002f8384078092b926e975b64c035401e14a5ba9e7aef7042a76bc8c917e9bf46f0cd965

memory/352-354-0x0000000002390000-0x0000000002444000-memory.dmp

memory/2584-363-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2380-362-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yYMcMYMk.bat

MD5 9712981f6efac352cbcadc57a38bedd2
SHA1 13a6ab124c929255d331f8a3da3366bb346ae933
SHA256 ba91ba188fd481f5f3fc9dfb980f492dcfb960f40f59aa787feac08b13a7f577
SHA512 dd9c47ab91c573a25a119ae19b08be65c3dfcad8768dec18a348100dc123f3f1e9a1e9dd08e739563202eedd9686dcac12a9eebca44c0cf07e8cc4114783d3e3

memory/2380-386-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/928-378-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1532-376-0x0000000002340000-0x00000000023F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\usIkcIwE.bat

MD5 735f7ecc53420a901130dc1ec058eec2
SHA1 b8c25fa79d6ca23ba9be56ccfa1f7cd1ecfd91cd
SHA256 9d89e01ab8a9a3d5a1892ffd6b1a7c10cf4a7d3bb389e5ff114635405cb2dad3
SHA512 f5f19c93e33f0f98b26d853643b875a1bf1ba9ceb4dbd58f2b6114f0282d3bb99382e65cd206a850273bc78a989f505ebe86db988bf9d46b745048b79436451e

memory/820-399-0x00000000003B0000-0x0000000000464000-memory.dmp

memory/928-409-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1848-410-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/820-400-0x00000000003B0000-0x0000000000464000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\syIQQcQs.bat

MD5 265d791ec1fbfff7b9e4b0d014f7cfdb
SHA1 f2716345f481b101dad38e6d574cf2d4d3dbd45d
SHA256 c88383ea9092260d2bc2e43fa528904f850ee11f4f902413360b172b98a371fb
SHA512 bfb0ee5bfe67d9fd0e944a08d1d12187523fc5b3a254407af80294446319df12ae3e969be868c7d686d248dbb513a304bc19cd6bde2a3ee0e546ba5facc2511f

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

memory/2156-423-0x0000000000400000-0x00000000004B4000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\Users\Admin\AppData\Local\Temp\YEYw.exe

MD5 0a71902ed5d40bbf4ea9bcc6653925d4
SHA1 9f4cd7f100a100ba258e9b2095ebc769f0fa12b0
SHA256 2334a54f8c883d3fb5824535753d6fe9d022a0cbcf9826a104b6ed2e87a8280c
SHA512 eb6a9cc8d47460d37bd7b36851a7103f8663eb308311b086b6965d8913a05b104e6cdd85aed67ec97e73a9a706cd93ee4df3a2dc9c30586399bb3bd51d82912a

memory/1848-436-0x0000000000400000-0x00000000004B4000-memory.dmp

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\Users\Admin\AppData\Local\Temp\gEcIMYcA.bat

MD5 7865b2ef201dceea0dbd657d63883f70
SHA1 d3e840d996387e060771bbf863e92f1288a352c9
SHA256 a0e43a261424d2035b985a2bfe61422067d286edbac2454aa7216d8182dcc2f0
SHA512 c711f53008b4e5af80c68f486f273ffcab9d0549a54ee00b18ad04e3d43da3bf6151ab97cef098c400c2b64529fc16c2ab4334ba8357f4971daa57bf8308fc41

memory/1736-463-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2636-462-0x00000000022E0000-0x0000000002394000-memory.dmp

memory/2156-485-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AQIy.exe

MD5 f1bb5a5e585186dedb153e0453df09aa
SHA1 caeb0a69f630e49ff3208ca8467977381c315580
SHA256 90b35dd83294ea0d14ba67dfb08c48627cc30c003a64ce6037baddccb98abac3
SHA512 96bc8134ed15177c9f1305488b0f5702ba6bb503e625a270abd5aefd42805722aac809d7140cd11ef15da6c73bacf9a23952962b6169261ead92cf8cc820d740

C:\Users\Admin\AppData\Local\Temp\wYwQ.exe

MD5 cfca7f784852ea87dc431b32e8ff30c8
SHA1 b14557a871dc175707120171fee1dc28969f8533
SHA256 a3494f6fd318efb458b6bc6b435b78e3c616571ede614e27fe286e97bb672c6e
SHA512 114d96c647796000306a88fd5f1587d86e53f452657485068448772711facd8ac29509787f6b76f1e81c7d41651380d0cdf5ba971527767541065a9379b26170

C:\Users\Admin\AppData\Local\Temp\ksUM.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\OIAQ.exe

MD5 50bec4f89a3ad2499d64aa60470639a9
SHA1 6ec0d4ced31d743ed8f8e825489b9b886967f9ef
SHA256 5fa366c3f744ec0363793a16b02a88916a64012c43d0d980c32ed02614f89448
SHA512 7b756995a94c3db8db0def458c77b4281adc5155e845cdf4ea8b5a0e18ffdc2dcd99d6b0575bb177e5039528dce12537745304949bed1f98b01912999fd13c41

C:\Users\Admin\AppData\Local\Temp\eMgk.exe

MD5 ef54c60180d2417415f702e0beea4348
SHA1 ca3a41ff7f2aed236302d4e17cc0292206505b24
SHA256 0c2f63a34ef2c35dc94809c8e82cb41b9e850829a0e9f9a34f6da39883495abe
SHA512 9978ad38e19fc7c02c9edd68cf90a9c1f363cfafc52d02c154833325cd8b92c50d08e48448d383062deeb8da1035063be8f9ec25ec51328d4754d0ecba77e486

C:\Users\Admin\AppData\Local\Temp\WcYQ.exe

MD5 64f2667692c6cd35df6f03a399ef676f
SHA1 ee57a6ef70c3cc7a616f4beb44ca1e5d6ba6d6f8
SHA256 b6fb60760e26e0f710b389b3831e1fcb9362efabba36a3029b3d260583f802e1
SHA512 26b925361995954352b015c4665608b216225339d30eea87a0f6a84fdfe13323baeca1cd383bd7788ab26f55e61b6c7655a82fc2aa324213c0786c2794898925

C:\Users\Admin\AppData\Local\Temp\bSkIAcgA.bat

MD5 e7d9e1ff4f85c743f18bac547344b502
SHA1 560be011eccdf1bddf5441de23a0047f1572176e
SHA256 4a4e63293a7ad12910de7c2eca1c9971b60ca7238d148d49f3ba1db40684ceb9
SHA512 bf33ccd2d45cf6ba5955a771051fb3eb1992113e2f36d53ddbe741284e6a455e5eec36675073926f00d2948398446b04e74bc69b1c6782334aa4927e244d8640

C:\Users\Admin\AppData\Local\Temp\KYIU.exe

MD5 29b5c9dc0c3084b626a32f8de1f98080
SHA1 8f57d907cb698be323a47337f7f109632fda8f16
SHA256 f6c02120dc94290f5a7ea37c48ecfa730df37c602ffe5a426464986a42414a7d
SHA512 2874438fbea9160dafc33af942866c726e163ed2ba398d7702575bd5577fcafb3f9a75cec3e3047064171c69ed5449fbabe557113cd5544f88cd6d7ec9953167

memory/1736-569-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1316-548-0x0000000000280000-0x0000000000334000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YYog.exe

MD5 125ce65f7c451b06beed6502a6d49120
SHA1 cea84b57fb3f41734ee239459f5a5e93f2c907f6
SHA256 7a54f8ae0340f0d83ca2157b70e31f1e53ac489b23d10bc5998e70ff348956f3
SHA512 fcbe9b6a7f6d08a9d0b35bc205e9aeb2fde14aed373a5da6b2bd706346e678449693e51a99a49834d85cc848e6a160432015627f87b599f0630793f540537b7e

C:\Users\Admin\AppData\Local\Temp\wUwM.exe

MD5 c9bb46de9589c67d63e14e08f9e93f1f
SHA1 3ffa924ea5cf9a3ac561c9183a8ee2acde2fd5f7
SHA256 d3c7114e11f8ff184b6f5756e3dbbd049c1871d411e0ff4a7dda3df1f9826007
SHA512 6497a21b7f40d96f92854818830a535c2e25ec39ed1308c7583e498ba7ab3dccee68e0b5393fbfe99618b7268097759fbbc4f0b27e0a32a994bb70a7625c8e37

C:\Users\Admin\AppData\Local\Temp\hsIQIIQg.bat

MD5 8a2e9b7926faafc0e1a28d7c5cd2acad
SHA1 4b6bdadb98ba6680b4a8aaa4e3ee4704957dd2e3
SHA256 11c61fcfce64c25c649466a195b7325ad5bf37f984dfa8bd57b493dc5aef35df
SHA512 6636e7c9147b6bd1431eb27d3a582c7984c1e238e5b37121e1cbdbf2fd17aa8f61db377c3b4dea1060d869ab070555c630612396c6cad9ca36cc36cfadd29d6e

C:\Users\Admin\AppData\Local\Temp\AEIC.exe

MD5 5b38e8e4f5eb6da32a73ef2c383bbaa7
SHA1 405ff7d3eafd31ed1018b1f37177d076efe7a212
SHA256 f63d008c96c1b24c3235bb93f3a931be0e8f78f204fa18237a05b811a0cdf5a5
SHA512 084e19cc7fba1f61b1784cab2185cd7be641ded8b42ef6e4c7cb9ab87516281ecc5cd83b3d10c5924fc82e1b0ebeb6d90116042c837666b283c43e7c21272f41

C:\Users\Admin\AppData\Local\Temp\EsUg.exe

MD5 f1f97e9521e5c158ec25186186cf60e0
SHA1 bb63ff39e92cf8b48081c6743d7db5ba0a049cfb
SHA256 b8c5ea156e049aaca0e2a68e9fcfe787ec97c72d8e41ca777c24c12478d52a41
SHA512 e6cd0029045f1a83b2643e1193c50ffb9f1d3e8a015d820fd929e582bf336a8513b0d3bc75547fa86897de469c38a84adb979e361bf4130e0a59b1755794c324

C:\Users\Admin\AppData\Local\Temp\kQUu.exe

MD5 5243da6b8382270d168006077d7550e0
SHA1 849aa7d7a38b3704c1b7e0d4d8ba91377907a8b5
SHA256 bf2e38cc0fe9b4208df72be59392e2e69c393f0ca4e0af6b925b5ca932db5c4b
SHA512 e64e151a7a91d9795542f28f5d51d9574a22c3f6ddffed28712138ad6081ab89f0d7537a7360f30b14be745fd57f9aca0c7166db8e99060044a048a6a96dc67f

C:\Users\Admin\AppData\Local\Temp\cskq.exe

MD5 f8c84aebc581c8c3bb12d4fc821f5fbd
SHA1 8911bd607991117a1e7b2e2ec9ef49c9a1031206
SHA256 6e0ccbc281c21b815a5c0d4642555d1c0343187da82024af94aa82a87931ed48
SHA512 dcd8d2507a8d30b251b746444ec5c58153a835942e785efdd184f37eb0e70ea5fa3877950b9530cf941f72a734e4c445fb5034aad6d418e9f093f77f2f57b8e1

C:\Users\Admin\AppData\Local\Temp\QsMI.exe

MD5 97f40a9e2a57fa5101e01a7d411311f6
SHA1 f7c2b941042e195224d8cffe6854a1dcdb5a8c5d
SHA256 a270d8f6c9463ea831a7551aa177614ef1cc8e7b4b2a3654d245b98b0e0233a9
SHA512 3a16380f6dcf365955818a2a3171101590089bf5d25460b320ef6e0a32a9c3d4b254b93d5eacb7e4851635ce1639bba8a5f81a84051780c6a73ed8ea6cfea996

C:\Users\Admin\AppData\Local\Temp\bSwQQowY.bat

MD5 adde2bd440df3936030420d351bd50e7
SHA1 b71c8babb94b45f530938f814feeadeba333973f
SHA256 3fac97240837571dcdb8d64ee67e02926fb3a459326efeac859711d9f304e512
SHA512 f216bd77542b746cec707f72431b32d788f9bf2866abcaa9a7d1aa5167fa0dbb8f452bce280195d97bb2177062bb0f32ad703d3eb67275485f04e5d38870856a

C:\Users\Admin\AppData\Local\Temp\OMQG.exe

MD5 df3da5e1903955b75f996e9885eb3906
SHA1 00f21152f3a21d6380e068c65ff09df2a013aceb
SHA256 5082117d9057bf6a31c9f03723d5f21e6551bf7d39ce8edb83858de2dd14520b
SHA512 8cc6a175e335ce235d135158201bb3696db8991e2155871abbe485b53e192fb5659c7cf0289c1b24ab0c6a97e15b4be35135531f8f00a144e5ca258e015752dc

C:\Users\Admin\AppData\Local\Temp\isAm.exe

MD5 827582d30231c518a68e6253b0b2e2ff
SHA1 3f3c37e58456abbfe71fdac7a84c86348676d90f
SHA256 d84c9042f8327280d94955fa55a1259356828b1d330747b77e64a8a5787d66a9
SHA512 41958a743499f720e176f2ec4e45d050d2bd583d7113d8364db6220f1890e247176fa393671685da578a4c91b3157d9ffa6133215cac568e709820fb9fa1bd70

C:\Users\Admin\AppData\Local\Temp\cUce.exe

MD5 b4dcc802b1eacd8ec061aab67a78d92c
SHA1 af93a702ac187e02fe82204efe27de7ce5470850
SHA256 0ba20391614b493b64269d693f6dc7a66f28befcd17c2ebf63d7c811b237a2be
SHA512 131a8a1744a30a15fa9751494e721f5b629558eccc23f2730680d5d467baa5b64f7987c6884f7e83bf425cf58a37df1c0e9b49a86a821ed3ad0d7c27e26f662b

C:\Users\Admin\AppData\Local\Temp\gEcK.exe

MD5 a6187a0365314fe38773df680fcf8be1
SHA1 dbd40da138f0f96f2ffa11b1138aea850935c23e
SHA256 6e57ec5353e63d707bc1303f38db5b409857818dce32c13f60ae6d942551cca8
SHA512 0ccb38f3436045930fea6ad5cd1cc542f7c2e3df01c1b6c9cd506ca69b396f876de9ea57b29bc910db137db0c4f020a429d0eddac744441fc31405c9d1b794f6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 25b76913eab1a40cbad103a6b148e638
SHA1 2fcb43cca6ff2e3ec89569e0a12b17481b971d00
SHA256 87d4c5808b5c0392668433467e5b7c3fd0f0eb0f2a4186d66cb0e7dbb1c325e7
SHA512 e77e0b94f58dcb6febb455d9b6ec7fbdfd096ee78b0c14acbea62135c8c9b4714381533107c6af924887101173ec11676e1767fe4dcedb5429b6aa73990eaa9e

C:\Users\Admin\AppData\Local\Temp\TikcAAIU.bat

MD5 12bce02116f0c42e718f8ae0437d7542
SHA1 0197c2364346c624f1cec54ee5b87d37bd8f2cb6
SHA256 1c701bde4bba2f6060a8a6de35b0da4ba7b972105c13e87c9c536b85cc117b7f
SHA512 8d877a2cbea44254d8af7b88d82b9cdb4f08176398aafa158cb8df108a2d3be6dccadedfd71ce21e757f30aca15bc5782f273201f5e81941f81c3f7864434f79

C:\Users\Admin\AppData\Local\Temp\sMAK.exe

MD5 10387ff797da13767bf5659c97c25a54
SHA1 029a171e1a5a5d6f58d19b8e88c832e6694f08df
SHA256 ebf4b89516c0096145c3e492ef783e3f135f18073572c8f3e8dbe72783c4ed9d
SHA512 627375578d67073cbac761f4e5865c19e1f04cb344576143878a6fd18a703a16306c0000c08fb95fd857abc48f4dd4de3d995180a4b9c5004af9820fe680b541

C:\Users\Admin\AppData\Local\Temp\YkAw.exe

MD5 3a3835db075f19ab6e782f0e70344dae
SHA1 91085e055ec6da66d7ecf3befd8404119bbdf640
SHA256 6c4cec895be9c4521412000864fb965d887deaf931e802c3d29a31eab609e1f1
SHA512 9a58826f9dc01bc3027b10c094cce11a9a2b17e288108193bc80208db61f768a72dd5ae6086fa1fa788ad1c9100ae05bb6d5696296ce857f540e861861818219

C:\Users\Admin\AppData\Local\Temp\IwEs.exe

MD5 3f681af71a07a37f6274679a869f999f
SHA1 bcdaf3786b90e66f0153e94d6bb28b13b75f7783
SHA256 f2a6bf3d4378ba82a5a32287a1776f6f94da9081924ee6d146bf85868d773742
SHA512 fa1058257e69dab52e7d3e115266b119fa818fcc38d188b4fe61355a265e0cec4ecf914e3afc5f4c9171ba374d3d925a5efb31f10a3e749ff5ec1897e8da7ff1

C:\Users\Admin\AppData\Local\Temp\OkQS.exe

MD5 117cec3eb8f4e8115b61d79a07a0372e
SHA1 ad25136cd7554ddc4ced7634f982cbb0ab044943
SHA256 0252da771d2d2f4159126f6ba1e80b9358cfcd7fa753c832347ce217a61aa291
SHA512 baeec43c68225df1bdc7796bd496a9236d5beba914d5e019081bb626c78eaff655bd90b080c3a572b8e3c4a8a2be23431e7c9f1a48c2e9aa5f2eb085222da382

C:\Users\Admin\AppData\Local\Temp\kEsE.exe

MD5 0db849b11653320f941322e12003c4c2
SHA1 028f50f1bec78837d2e27e334c1dd8b4d538bae7
SHA256 da879b2c070ee4ce2628a4db77b1d7734f6373e9d0c0a61961f037212545d3d0
SHA512 d4b3c175cb44ba69c5d446d750cb67c0f71ef8644903b2a2a7a7a50a9ebc3ffd89e846c5920cfc7c23485bac1f1d43102307d05cd8761ef407a8158231b007d0

C:\Users\Admin\AppData\Local\Temp\kiYccUos.bat

MD5 6b0e8dfca577b877c54ba495b860b954
SHA1 e7f20c6d9f4b4a255a2b07706cd86cc7c53b54eb
SHA256 8c03869b5981208a6b0765f692ce6067c2435ad179557c6c3fe16caff09e2d80
SHA512 310794654f8396c5856721916ad8616e80a11acf9bf8b96a64fd77b2605733681c36957b219a775fd3e874682460279fbdf1e98bb713637018f300cbaa35c356

C:\Users\Admin\AppData\Local\Temp\IEQs.exe

MD5 d080e5159bb8534ba719fc0e6c09857f
SHA1 235eeb801dd9b9d7a3c14b54f2b8678a3142a76b
SHA256 b10cd3d431fd814f0a6ffd411bcc113f43553eac6ef7df7943f40447b066d0dc
SHA512 033cf202c99e8ec02f86c0ad02de8bd09adbda822215a4b7a4b58e4427e789c282cbb4c1afb07e93b84fdf450398fc183e32df57271a8e6bd1e08f2fd3139671

C:\Users\Admin\AppData\Local\Temp\eUQk.exe

MD5 411cee4e605ff9753bb8f034c34cecf3
SHA1 ef071e60965cd5e78b864c896e210ce89b9532d2
SHA256 be8b9f0a58c7c1e1f2d2ab09b28a1e0ccc6e2bb782c9ca261ad098a69bd3fcd0
SHA512 ec3d645903260ed1a986930dcd713de9da397cae6130c91fe12d6aa318b69efa14168f61e27caeda23bca30dae5ede0f7471ba093af97265bac762d936502d84

C:\Users\Admin\AppData\Local\Temp\mEEY.exe

MD5 b246a52d0d0cdcf14eccaa05fd1a1926
SHA1 5e8166014eee2c9bf9fca6b7d834012e8437bb71
SHA256 cb6da28d2343529827730d8548fedcd37fdbb55e64de4b471bd1b672ce616814
SHA512 2078b8de08a069591622ac5b2bcf9ef12288c94886ae78d34e74c9948a463f7f7a5366280c73f90994a92edf282aa25f580fe3efac786575b18c36c31a75bd26

C:\Users\Admin\AppData\Local\Temp\cYMg.exe

MD5 dd225b899a8e4970bca7c86ddc6f71b7
SHA1 3ecfbe5802ab909c825c8184dde2f5dac3dc5e42
SHA256 5c1a427cdf42a2c9fcd7838714d1c0fbae33e6f198da8fd7ab25803ee5d691b1
SHA512 661b8432adaf926ebdc87657c13a95bb0cce7169038e19e4c8c1e95609e4ebe142f2fdc67ebc4a9c05880a55222d38a6ed5b17284130af59ab0f325afcf60565

C:\Users\Admin\AppData\Local\Temp\WsUAAYcs.bat

MD5 e90398221563e712c55bbb1b6071865c
SHA1 494dd121f174153984daaef3df62f6fbc6892835
SHA256 3291d72966dfef2e5f5248ee19b9a6e8b2124d8bcada59e9443b122199c10e84
SHA512 4c9c256ee76883855d5d94335376481e84975bd0e6f96db05292f7f2e1a2da882c2a22bbd7f3e66716bd63e401ea0f42e849e786741cca37867a1a6d52d6eabb

C:\Users\Admin\AppData\Local\Temp\YAco.exe

MD5 bfd7959a66848263f565b77d2cac235b
SHA1 a7d735a62c80bba741bdb4eb432450b7222463f4
SHA256 3c6505f1881a6d1a8b71b4a7b9ba42dc15eb07125b6cd4451a090b797182ea09
SHA512 c32efaa2be5b37af1884172a8b755d1f533996db249dc8f8f715eb162b2ec6303fc3b188118003219f59657298e4986958a1995fd389f870f87d28ed4c65e8a3

C:\Users\Admin\AppData\Local\Temp\WoYq.exe

MD5 68ba523a58bc182c9e2dbd8b0d6270bc
SHA1 907f93f8e927ca61f464bab06ad8d88d7db6ef66
SHA256 10854ecff5055a5745dcbffd4c6f2a03b15e76a08c32154e817efcfbec03de8a
SHA512 0aab6aa648010d0c122c60d719adebe7e6056508da3e9fafa129375021143ca52578c2a6a20cc048b1e8d081cf6bfbc6f0fafaea40188d66e890a3df89f43226

C:\Users\Admin\AppData\Local\Temp\ugYW.exe

MD5 6a3a2ce0b082ac4914df10eabc106aab
SHA1 100b04b2a676234134d3d244afcaf60e93715b03
SHA256 92e45a55f51f27f14c342e52376a77d752cb5881c7bea836ba609aeaf871aeed
SHA512 41494fc7bbb51b3a44f20f8315531e736dc18c3add1059345e3c23004b0e7bc6543427751960cb1f0513ce16b7fbbef66c601edaac96d1c6fb788e09541aa293

C:\Users\Admin\AppData\Local\Temp\UMYI.exe

MD5 b512681b1ff75d134452b2db5d0c9783
SHA1 f7f444fea389d8f1387bcc3a1c48c7ddd38b5bd0
SHA256 6892391e11b8b71061c3670a464515ac22b1f37b0c9b55d70c66cc0a6ba67422
SHA512 af4afa096340096bb8afec05c43314a6c972eb3126f1f0cdd93bfe85f5d35aea030c685e37983eb794a22de45ca99483a267da9fdc0b2d380191fe9156015cba

C:\Users\Admin\AppData\Local\Temp\WcEe.exe

MD5 657315008b715f655da4855486359855
SHA1 1e0a22f2b39a11dc8124f6c2a7ae6cfb9211b05c
SHA256 1589479e53f76fe01a512f64d18dc42a92f7c8396929c4dc7ae5129cda5764ff
SHA512 a5367ea5d40fe865d5b2b3098ee3a6dc2d793f6a563b738da64693e67d8dff7b8f09c4ed1a0356cbde812b69ba47ec34e59fa334b9c1235dd4b803fad5ea25e1

C:\Users\Admin\AppData\Local\Temp\QqwIEgsA.bat

MD5 fbf20cc742697236ea1f587b2c2e6eb3
SHA1 02f6eef02977d7c5fede7923864c996ed8a20151
SHA256 2618cd6e167349408fc3696aa82e1131c43dc537cb024868891dcf13e6f0ebaf
SHA512 9da34c74d02a3970775c9b3106e64eb3d0d01049e8cd2d4c527e9f36e32ab32208ddad30ef24fedda1dfd77b65ed64e3c5dcf171a60557d1d6bf19c0afac485c

C:\Users\Admin\AppData\Local\Temp\qgEi.exe

MD5 6ff8a031452b374d6f33fded335cae87
SHA1 a4643bcb6f9755172f577d6a79ae5e2253943e5d
SHA256 be861a684e9c13df3eb2a07b7ecc8cc59d74e6005248998e6d319ed94db3d2be
SHA512 98947d240f1b54461e17c165de842834fcc850da37cc77d158d4d8298c34c915fb0c1bc40c83d3b4230f4f0b44b065ea0fa6ee36345efc15e47f10ce42ab92b3

C:\Users\Admin\AppData\Local\Temp\YUIm.exe

MD5 b5664a16b2e7cdcd625f0ded4f947daf
SHA1 78694d9e481a4fc37404cd67bbe632ca98e3633c
SHA256 4ae06d8b31e786caef86b57715395fa44f329723e810427e744f2e1c7879bf59
SHA512 0db9bd7a47598c86b2969e909b4b99729ac0665ea941ca39b4e3c2b8277448731c11054faab783eec4968e1e448a988cbcf74643d4f4e0476d545ef7e9b88c3b

C:\Users\Admin\AppData\Local\Temp\wsIw.exe

MD5 47ad052b372567335a0ba5dd19685d0b
SHA1 1b98de8e5a053124afc13eebdbb8b65b24630b89
SHA256 8066819435f2441eda9a34b465e2a3d6c3f869956711b80c370c674f21111638
SHA512 ffed9acffc0e315c33451d7d3997008a995cca459fd762ddcdf764bc3394ff85ca726b3f6a6ac36cb143618a1fc0d4e75a307bad9feea0802dde2aec8b116b95

C:\Users\Admin\AppData\Local\Temp\ycEY.exe

MD5 a8cfa3983ce0139c7e2196cf355961dd
SHA1 c6c40b27f2eb6d0a64270ee6ae4c81132c250d28
SHA256 1f36347e49420cad3cd8598544d4956e82c247af9e6452978d61f3d9571dd988
SHA512 ff9ed66f401763831ea4b4731c8f6209d0f8800a53c652c9d48b5a25211198eae429a84ef6fb4679ee7f9d4071171309fe08746f501e53d32ac87f97888ed92d

C:\Users\Admin\AppData\Local\Temp\SckG.exe

MD5 24ecd9a747931fd06b79aab0a63336f0
SHA1 b87f5e8191b8773743e0713bb234fbbe47bd1c59
SHA256 47bd5f9ac5f0a56988a2926630878dac134eddab414790dfa66c39bd4fa2a4d8
SHA512 1ec9e30be2ec675fbd62f7e593a3e7f15bb3bace9a5446b4f1e55dd2aaf2d3044f381eb0c72806a1a19ba2f2ddf6e17865122851698a1f58cf228b0b60ee76b3

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 c8661eb268c7002325492e8ab8fa9db8
SHA1 20183038f9fc44f1da98d71d9cdc85343f8169ef
SHA256 7231bcac4b25e55a08c5f5f6587e59a2d31824ac88eb178e5f77bd1d79b9a979
SHA512 21a093c3e9d103c6ea53dcd076627b3dac174aef39260b57c714dfb148df301e1bb21d71fc348a655fd88da6934f163fd2be3acd72ff858e7d01c62041e9247a

C:\Users\Admin\AppData\Local\Temp\sEcYcYEA.bat

MD5 a5e8a679ec506e5d31cc1b9ea36dc179
SHA1 eab22a287d79dc89488abdd7abe1fa54462c17db
SHA256 9f4abc43dd09239a56382063f4f1eee4ca1fd5a263a10f57c6293deb625806ce
SHA512 f2b3595d63951e2b6cb2837ae52198d0eb7b4508d890fde86f8c505b2f33b45990c952dc770c5a5a9522974346c44b5645ea52570f284abf8558452dbcf98cd5

C:\Users\Admin\AppData\Local\Temp\okkG.exe

MD5 11a63b865739aaa190bc8e11a92f5723
SHA1 5e9f21150826ba93d53ed4117030c5f98733b4fe
SHA256 9d9e0cf65b3f9ae1e93a298be2fe823662860dd562920821da1d73ecea2a57b8
SHA512 c8724fee62eaeeed101b968bcbfad3cf450c2f302b6626aacd9552159173e29b194f83bad7f9b9377e12317febf4100481d9661819c7f57fe08a38e48fa333b7

C:\Users\Admin\AppData\Local\Temp\qQAM.exe

MD5 35b77c2e2107fb614425b161e6d51c31
SHA1 666c3a9477c3fe1725e0eb28a8f8daf22297dcc6
SHA256 7a91a06811af5309d1a2c5c40b9571e08ae9e1eaba982d989ffb3646a59eb458
SHA512 776f2c3b492f6d5d54ce861837fbe7c3545e093873c652a95e5dba84e669b3b914c272bb10848420bf6d1a77a4ffaea8dee6076481670f4b68eb22019c89fe53

C:\Users\Admin\AppData\Local\Temp\awcC.exe

MD5 582592d95f81e1a69c8b3eaefa34eb44
SHA1 7109d8a370824e0c19ad1b426977d0973bc0f33f
SHA256 229a6594db3c25ca337ca3b634557dc1c43680cec1448199702956d1eb90bffb
SHA512 5cc1e4d4290803c8c8b232be477762ae36299233f2e1817b414cf34d04fa577f566d94a7b7e7e812bed4ae15f7d64a1e0e4657ab979679b79f64402c34a9fedf

C:\Users\Admin\AppData\Local\Temp\qgIw.exe

MD5 3987c2fba0033abd973d2d5d96c5cace
SHA1 16e8ae7527171b0d6e5c676ad502ee883fb4fbba
SHA256 47b716af5cddc32a491b6480c625e062882db0be5e8380fef70a16b7e91f1240
SHA512 222c712b3105c60ba73025460623bf116aaa89bc80e230ee03196d5dcacc9d77e4e4ff4dbb13c2252944d23cf7817782c4b62dffbcc05981d49a487789a3ebc2

C:\Users\Admin\AppData\Local\Temp\CgYo.exe

MD5 e39c5ad60a655f1b763d5eb2c2e5ed36
SHA1 cf4c01bcbba18c303149ca69b84aeaf936e0296a
SHA256 8ec48fbea01e86d3496d13c28bdae5928b618464c2c410f91637f1bea8a29cb2
SHA512 ced0b012b577c90300f3880cab92801e65298418a5b0410cf1d2c6d700e3ff729ccdba3e0d3ce6c8556b0946fd3003409a0e28184010f287990e09802ce5c591

C:\Users\Admin\AppData\Local\Temp\qUQm.exe

MD5 fa1757f18fcc942239ecdde63afc9064
SHA1 b66b18bcde723f75ee3d7c6a9e16caf8707b963f
SHA256 91db5fd9f28ee1baa4ca8a913b636b1913bf34bab3363178c8bc87462ea56c88
SHA512 0d7146c1cb1d6f644238b5ab1e11aefd5bf318ef04eeeb3183fa99b5772264c27719206942ef95479e163fe44f39f150e18987c37266a09db0d13c55518ba94d

C:\Users\Admin\AppData\Local\Temp\SkMUMAMs.bat

MD5 ee821188fbd7ab4c0316c7847af78cc8
SHA1 acabe121f1d50c57e269652da8fa5927ce85cfd3
SHA256 07558436c78d8e479af555bc40f0f2f84abdedab6a05b75291ace72ff64edaec
SHA512 d0dc4642e7191f98f05fc545e52a749676675438d604bb6e1b4d42d1060ac399c8fef52bf4c46e3182d4f7128bebdb7d41b3dd0142dfaa858bf4ee69e123afec

C:\Users\Admin\AppData\Local\Temp\ugQS.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\gEYA.exe

MD5 1124f7e072151b401e0fa997e4f224a9
SHA1 e7b4f24aa3309c3a184b5ad6cb6fcf633642fb83
SHA256 8caa182cc110e7d0deb3e625c65415ab69c66b9794ead8b8847e9bdc609347f5
SHA512 033c613aae3a3bd5ae6b9e82ef227bd7fb570d0c2ce2de0feea3b184e80c998bcd5dce14eacf62867b6ae43a2bffac152ce1deb489f98cb2b4ba4d5e99053a92

C:\Users\Admin\AppData\Local\Temp\SEMS.exe

MD5 7fa71172f68a6532a679151bf0d05d84
SHA1 571ac51281bc721c3358c112ded5984f4733ceec
SHA256 ee36cfe31bce4ff0169e2b33c9cef4a26bfb10902c8ecaafea303ea7f8b0120a
SHA512 169351432ba9ae724ac5d9978ef88c7c0fd856fb772dc74c4287cf512976a8856cdab1e6161ba299a57b5f9bb29ef90c0371cf15888033cf103e8ec8b667811a

C:\Users\Admin\AppData\Local\Temp\IMMq.exe

MD5 5c9e51345dc4704c5cf99aa8456b8797
SHA1 56d84a1e9c4f1b8dc69b9527d9006a3fccf6a089
SHA256 f30e6b186f8bf65d25e5193dc780c823066360b59b65c709bc2d8a230e0f79cd
SHA512 098218af04fb2226efab00a67413dd5cc48ddbe3398631c7b4934f7f5a24e452304d166637e30df088c008fb7c8a31e406188023c3ec40e03eb9679f7efc7310

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 bd2647e28317e6406c175250a35856e3
SHA1 03fd4cb380ea8db80786d23d4c47a0cae5bfd7ae
SHA256 1f5c6d49a9998567fa6153fd51056e7b3bb790a42875c7066a462cb035a5b810
SHA512 e852c9655e60146ae5e76bf9e0f444d24bb294672fd766d6a5d72cc14ff15ee53414330dfb468d1ec0203acffc48d28f522495204b34f8f6cc3e105eed74a709

C:\Users\Admin\AppData\Local\Temp\iwwY.exe

MD5 987ab7a411224ea41e4366982c2780a0
SHA1 abd096287a8e236da4d075b7dbe58dacad647607
SHA256 3d1d75e1f955f9cd82cbc41719aba76975b25d7dfdc081f58602289680275ef2
SHA512 2def9c16324d89ac7e0cd0afceb74e8244350c651fb3f9135c243d12f0d88caceb4e34500280505c3cc26561fff9713ec89b1c8c854b4bcd8931ba69a34680fa

C:\Users\Admin\AppData\Local\Temp\NskUAQcI.bat

MD5 92e65dd48a0c6f7b99a0ee383b10fde2
SHA1 2aa1e80ac3f1a4397249e5ef9efc6e84249d05e6
SHA256 49e2e711169526a0cb45746dd4904ad86102e8054bb2d658ee5cdc79749d8b28
SHA512 adc82a12b56ce0b3a5ffaf668eb476a8cc52ab54bb664b31398575584f72fe34c9ad59bed8a6828880f33fefdb2c0ce1853881e79974cbbd29b400e2064b8572

C:\Users\Admin\AppData\Local\Temp\SEIo.exe

MD5 21a98817c76be14993f98977916eb537
SHA1 2caf60682221efe70b8bd1e719699390ae897714
SHA256 23f028295670c0d2b0f95a162eeb062268357aec5ea5420c9f6a670ba1fb3f1f
SHA512 9336f5cc3c4bbc89cb425fa15f56946fbd74b2cc05e1dcb296fffabeb2445ed11b1cf0248f6a1c63d448a6d879fd6db5c8349d92af79bc5e9ac3f4c2898b9f35

C:\Users\Admin\AppData\Local\Temp\msAs.exe

MD5 bf7c3eda44bbdfffcd4f9a8565f2efdd
SHA1 fed296c2db76d3be7197b625bcceb4db89b61f50
SHA256 129eb511f24e71a35de25dd0683986c6ceb3c4da98fccdc0555f87e56f381e0e
SHA512 f1a45a0f71559fe142e63a3056b9d4f27d28cf884675b594e9b4eb664df2857e6aa29fe95adb2c1f9dfdce734ebc4a0db9dc11fbe8f391cc4d403ba9cdb0c7c8

C:\Users\Admin\AppData\Local\Temp\mwYE.exe

MD5 1593ddc9da8b560d7a1dae7c3759fa47
SHA1 5feb82b21bee8223f50274d55b858077e9d9b02d
SHA256 d690ccc0caa04ab3d18834018e10e5fe836368b8222451044b831ea61c8a7c10
SHA512 6813074e67e5a4e5eb410c564f83f6bb536af103946142a5f7e45c0fed8fb4cd078171c4b9ca48c27ad5674abb828c9d279df3a398551ae07d2eae0d9a27dd55

C:\Users\Admin\AppData\Local\Temp\agMi.exe

MD5 35b013eec1ab2e62cbf09679a705e486
SHA1 108530e9b54b127c1fba7be1e5a5b9512c8f6e9b
SHA256 a99570e656ed46a614a392b35477543e7f06e8e82edf10cc6dd17207d0fc9d10
SHA512 5fc96a05fef480a1bc79afee99c9866d5efa2138c62411efefd77b726250c00fcd0225264503950381b508276cd1b4eb12329f3695d3f3e96408027d5208b2d0

C:\Users\Admin\AppData\Local\Temp\yUEC.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\cgYq.exe

MD5 8fb53aadaa36d7139bddae6e3d9c0fa2
SHA1 b6dd782e778aa184f8de7597c4205a340ec40760
SHA256 bd1ace24b782ad8ea01487bbd4c6dbd2489f060a3b5997d589f5c18e64bb7d41
SHA512 fca9659c9b63972259a6a35aa1286831d5c7c59ddd7fe92a4dc1b1e9da124d4bdc10c96ce5b6ff0fd934dacdffb176ce8a39f9a395a126bfa4cde55988d3599d

C:\Users\Admin\AppData\Local\Temp\RioEUYsg.bat

MD5 5c3e4ee1894d32bf68351e49b446d342
SHA1 9b026c985b8850be1e0084657af9fcda44a8bd0e
SHA256 06785420829b0c1c7cfb337c54b3909d4835d4f84d4309ee1d19066cd2e064de
SHA512 f79106ac4320bf1cd8ea1345782ccc883ab1164a76c2334c32aa100b4fcab0ca1d203887b859d9bc57a51ddb719fd1b13cceb819f1285a6f373b7325a0807592

C:\Users\Admin\AppData\Local\Temp\CEsS.exe

MD5 7cb9ce90c16efe53778db03cfe118cb8
SHA1 05ca8ade3cd68f20bfb58d7659f57f0b63100406
SHA256 a1f26290deae97d007c843d648c2f1aab762c31c2b414f6f6eb97231885f8669
SHA512 aa6ffdc98088c8bd13f791e9fd30c8ea3c6bbbefa1a1b17f192739d27c4c0dcefe9ab046bef47ef53759d20c7c86479790f9a0ffc638eb9bd6450701eeadcfcd

C:\Users\Admin\AppData\Local\Temp\yggM.exe

MD5 30f227352c2588a519df44a20da343d6
SHA1 17a4ac4d6d0a9df8569f59b36253fd416f2cb7a8
SHA256 754dec1f2946a6fb1bb066e425a11ff24d552abfaf848747297e7d901bccd23b
SHA512 0d17c2b573ef0568bf5c77ac5e4d67653609acbcb55712de7c89eb39bbcf2e80e151eca81425d271595834583f8d230e0f70ea7adc8a1e8902d05741a2c49868

C:\Users\Admin\AppData\Local\Temp\YAwe.exe

MD5 571172bf24d52a8f15187b31a4c87675
SHA1 ad09ab7dafaf5d13d82d83c1d62b4cd8e4d722b7
SHA256 937d41d7f3959ab3f01a7676ef81835eb05ef93c3be00a48df2f0a5efe515439
SHA512 d76e1d8edfda1fc31cba795021f5937dcf49c1245905ef8a808c528f4aef228b9f841233d061bbad29f2f5bcdfcc70d46f44e3385ad1366210697fda7870575a

C:\Users\Admin\AppData\Local\Temp\gYkS.exe

MD5 f8d650df87baf87c81cc1913eb477001
SHA1 445008937fb6ed9067803dc254b8405fb51aee61
SHA256 ddca4eaa09b2cf22a1bcb563ced22774b4c05a4ec4eeac31bfc77f31edf1ef21
SHA512 cc42ffae93c909ff18731e2ddd1d72df3016907fe22e0da91a952cf050c98e46f60dc909dfde89e9960bfc24f4b4eb1817da75d2cca1532eae0ca52c30700316

C:\Users\Admin\AppData\Local\Temp\tsEUwwEo.bat

MD5 b8ab523f4f7c6a708ac4f34753ac7716
SHA1 5a7a2aee5a6b545dd7aced1551901973a3e6c98d
SHA256 891a092ebfb1e5d1981e53e33cea6cca13ec3f06f73fd1cb65f28794c27a4ed0
SHA512 8a19ba7d1b5a89c7a38724e1165d64a2ebf832e09d00386c0a97731993c8772f0643f90fb6c0128d0649a8d79821373d68e98384f987123c338aa4dbe551cda4

C:\Users\Admin\AppData\Local\Temp\EQQC.exe

MD5 350f5e83c0e3f83a98f21435890c652d
SHA1 3638b4aa08f39475ce87f94f6f97e71c71fca9a1
SHA256 93b3fe490e105314fb94a11fd919a0dd7c9983861b183c905ab1e6de14d2e743
SHA512 ac08bbb2c17e9fcbeb12d542b57367703b52d715fb3ac47f050e9b9004da778c998677ffaf43fa459662e960afa0545adfa9cc2907828758881561e1f3bfc4fe

C:\Users\Admin\AppData\Local\Temp\eYge.exe

MD5 eeaaf0adf62f7de46849f94d4f9bd0b6
SHA1 c67eacbbd1e45381df8afda65af6b839e238cd4b
SHA256 81fca042c13431a5c804a4995b51390dcfbebe3ecaa7531ae8c107fd2acc48e3
SHA512 438cc1fd4b3b8b1cfba29851a67414d169f896d41d49988d9e5043ea620479e57ceb234c423a8ac61c69edd2729bf695ad94cced5590ef800e0ab68c4bc1546e

C:\Users\Admin\AppData\Local\Temp\esce.exe

MD5 f5c7ccc4220e4bbead1944d8f4021f0e
SHA1 09a184e98bc0ca245fd09d73bd3b3dd2f06e5572
SHA256 781f386a1005e8d43a55f6dc3c8cf06e657c79b00251e36ff819a4041f102a55
SHA512 d22d39e0f7b2c70b7289e9cda42d57411f485db7314b952f5a154c0a6b4fa734829a81712229752ff335f14b6db56513ac8720e37b6a6aa5b87ca0234dd9463a

C:\Users\Admin\AppData\Local\Temp\REEsocMI.bat

MD5 361ad5f77715d178501994bed4216f0d
SHA1 cdc979d957f9cd8dcaef97ea75408f22615ae836
SHA256 9f398d10842976f85bde274df68f25dce19f4bd32f24b81a008739d43172ef3e
SHA512 6412ce4afce0105a221e3c23a381c20adb7d8ff243d9ab123d5d5df99279ac3d5520679b4a2df799c0cb4bd1fbee6e855eedb749c3cf2db18cbae326dc6a0295

C:\Users\Admin\AppData\Local\Temp\Ysgm.exe

MD5 0df9b4f818ba2ffae8553c73fad09dab
SHA1 f152ab07c8a9c3ac53721bf80bd1161a0d866e2b
SHA256 239be74aefe20e94019186416fdf1ded420ddc58d3a02fb3bcc77eca956c6b17
SHA512 588ef7ba35aa6548fd0ab5b9262e09eeb5c0274db439ba21d13cf5b3eade71c8fe85becab2c998435940a6463c75b77b1986d0b15ac298164c689d575639efa3

C:\Users\Admin\AppData\Local\Temp\wokW.exe

MD5 01a4d6d811d8451b9c2289a7539bb32c
SHA1 5154c81dc6f26a4b88d76b0ee6b7b6f127ae92f7
SHA256 d5e0e0db97841276e0ae184c628d0c5846ebfc44b930eec545e2ab6de962dde5
SHA512 42fc74436f3b37b58278f7557ea563ce8e65e06e116edaf27a7c57d515d49175489006ed73c0174872ecff827b4994f50892401e45f7bc1bc8055f3ae9cf6b7a

C:\Users\Admin\AppData\Local\Temp\yMYg.exe

MD5 1dcfe1f0008926818848ded7b325d900
SHA1 7c93c849aea644b101d422c33341389df86fce05
SHA256 4c26ce2edad4bce35c3977208980376b166a2f64bb6e2b4af9a677047fa255f7
SHA512 882816d46e6d4ac92b74e0bc0fcb4a9292dbe90604571a5068c55015a3cddaaac77f5c34ffc3d7118742fa61a983af953161c355c86e8fa042f0335e08e4b36d

C:\Users\Admin\AppData\Local\Temp\KiwAsMkk.bat

MD5 4fbf154c17dc5d74e4070749db5bffc0
SHA1 d66c2544f6b9868213b8dfeceb297e6fdb685764
SHA256 14d83bed974f72cc4ed8ba6cff2968c3aadbd4e0d70a0b0d5bd6ad581c39e940
SHA512 beab5dbd6d53a533e106fce4cb1838852caafe495718077e00d1f86088b158d61742cec5a89b9ee3ab7f0578f19d4aabdbe9aace70ce1260b66fc6deb9897373

C:\Users\Admin\AppData\Local\Temp\GAYy.exe

MD5 0a9dff07983601b5a171b5740150cd10
SHA1 3cb3c5d9976fe3869eb1aebe69389c1ae9cfbab6
SHA256 699c920008b039c4762c061c8198576687949b37bf7690193fc35edb7d8638e3
SHA512 aed18d81cc04e836d6678bfc3d01d93085d0a83510096fa531606f24d5695966d590519e0b625c7f1b23d3191fff665ed91c2cf64ac4117002c5abef0149bd5a

C:\Users\Admin\AppData\Local\Temp\KgMk.exe

MD5 bb4d6a767e8752f0daea662e28ea957a
SHA1 b6163d23f4ae453496d66fcf79dc84f48af3af33
SHA256 cda2357e89032bb9beb48b742e4ad5df068c8cfcb09f693906ca4d4de316aa40
SHA512 51430746a94e2e59c798b26163ced3578caf1a8704377cce1a597859507ca794f3dfcf3450f80b708a78658026b2f1614a12b573eed5949f58be20b45ffe9dab

C:\Users\Admin\AppData\Local\Temp\gwoa.exe

MD5 c9c76d2966cab3c9947e9035bbc1ba45
SHA1 8fba389b8d13be693a1c8b70acbdf7fd22eb3b8e
SHA256 68b87193bffc18e6ce5d0c25845c8071f6ff69d6fcf16a1f8359a4dfd9091d73
SHA512 8b6fd1707cb7a46eff5fc9fd0ab40f3621483a324b926e1cd6ce9427c23f48584b0c09aae3c0fdc604455c27df4cb69f2a2177659c2c11ef08c4f1163a618d0d

C:\Users\Admin\AppData\Local\Temp\KMMU.exe

MD5 cc8e4ed62ece986c5409e10d4f357e4b
SHA1 44d945a072af68d51c1f3e6d9c3e1b95537833f7
SHA256 e443152c3b022249811c998f737a99fd42aab6ee166533ec2331e212dcc4f12b
SHA512 90c013f8f64cc8028488c6b9abfbbdbff2097ff90b6602f0815bb4b4bc3253d5ead12c1b9e6dcfe7e59e69fab9c9c239291ab8f6cc8f1f73f7a7b6ffacca36bc

C:\Users\Admin\AppData\Local\Temp\uwkAgAgQ.bat

MD5 baaa14263d09f9d20b85bfe5fec35e85
SHA1 b73e750b396ed03f373f899edf3de7bb934c0ff2
SHA256 dd6cf22d0adc111a6324ec534eb828eb0ffde7c1c071600acd2c580329b66219
SHA512 1da71d93656d7b2d101e8b121542679cdbe151d38db69145d1832aa02f976b7f1c00fbd51549c031296225e5bf777c3b0651b338649f8910a55ac2b515084ede

C:\Users\Admin\AppData\Local\Temp\cUUu.exe

MD5 ac3e79360bdde1865ab0f31ec4679d23
SHA1 7f58b156a94224eb73cba686c1393300c87ea8e2
SHA256 9611f7c9da6770694788e185e54945fa4822b22ea8597dec273c37b6445f5e54
SHA512 87fc28fa96913a53a10d124cb60fe11fac9ac8758f3940dc1db2f7e1d09759fa3156860eea075caec15450720c7a58e27fc0a8094ce96bd6227e477d367b2266

C:\Users\Admin\AppData\Local\Temp\YEMo.exe

MD5 91f2fe987991627ab3a44507d3858861
SHA1 8489a031b5e825099aa4709d3dd0cef57d135f9a
SHA256 c57ecabe224aeef6d045716a84287fcd1494e096a262e15462773b802870b728
SHA512 70cb36409f3646ff5f398ea42cd4d651fa0de2fea2bb7797e96e17fe8223e692ccb545d74a305ad14b7a5cdcc8af77487f7c01d35f3dd289d3d52ac75d71977a

C:\Users\Admin\AppData\Local\Temp\KEEc.exe

MD5 accbe4944f2e0577754d317c80c69afc
SHA1 b16c9f4e239b807c74d6ca5862591ba28ae20991
SHA256 d30240a3c371a234e10bd151e8502cb20958036d51499963c0eca05f138fe44b
SHA512 4a7fa2e6f91de1d478a3a99ac417943400161e344725f87370d0e469e30582e2d32d4272fc9b96a521df83e8622b3ac41c45a1e14cd08e7a82c2e58aacc7f191

C:\Users\Admin\AppData\Local\Temp\cIMMMQQI.bat

MD5 b49bac56bbc7094a769b4a1fc9ce5246
SHA1 0921a94cf305e5730091ead1737a17bbfe8366b9
SHA256 6ad38de62440510af29e8da04346b7223ffd952f27633ba77c033fe6b6eae36f
SHA512 ccc2bcb6113070320e26212bbb61a550ef90b64aa8f72089920e78efeb82da36d306cecc0212445126ab98766402fb4931caeb638246d1a906f73ef49651f998

C:\Users\Admin\AppData\Local\Temp\MYYq.exe

MD5 2866a168bca8851581d6599447cb18f1
SHA1 2450c93338bc2d559b49202680c415a96aa481ff
SHA256 a2546f4d5fb3542f055c8275ebd3630cd31c1c369a64cc40d302600d42ed14db
SHA512 cd829c4936c8a87e8e40b2cfa878d00eb9ce34c50bf584bc977caaebce0701be776f5c09700313f143ea882205e951614e3addc3aebefa1717de8b5f2e75afa7

C:\Users\Admin\AppData\Local\Temp\aEAA.exe

MD5 be92351bc49dbb0ecaa193653a0def89
SHA1 f32f29dd6f9f031502f2d93570e09fecfa62f6d7
SHA256 2df925d564f055d4dcd6085e118ec49fa8cd9a38f1bccec2323c4d8985b22aff
SHA512 54161755041ffabf2f2050964746f64d49461a8d7dcde81609a793173a8085b44346726ffb7593034937146d7be0e12537f97ac03504146c762e65f09b0ab42a

C:\Users\Admin\AppData\Local\Temp\ScoI.exe

MD5 c7776f4605816c45e988530d1d4910c3
SHA1 7326803904c925659137409e4c599a73179a0404
SHA256 501ceba3c28e2eb728015963c3ef8b95d5d651b543dbda8000a792036178bbc5
SHA512 d9929137d6a8b2691be2b1ca41a97c273219146a7ed4cc2ed0ce44c19024820ec241e47905a3fed7b514f256d8d6e5a1c181687ce1f53ee87349675722d1a6d9

C:\Users\Admin\AppData\Local\Temp\QwgYkwEg.bat

MD5 91d475e7ea4d7b095f87aa0d59a61229
SHA1 40ab9430ea4e6d50f3e8f609f9114346e9b1b428
SHA256 44a24d8d07179b3adbd39947be5fe28a5918aac43d8fc1903d8f072c4da11f87
SHA512 bb0fefd4f83693929e9f933f671bdf087ee36363e42c8626e5947d38f8f397f596cb5a3d5d92aca4fe1662e9a21008b021d0159a81a7df962714691872cc46fb

C:\Users\Admin\AppData\Local\Temp\KUwu.exe

MD5 cc7ad2b9def8aa2bbae3dc55e2281382
SHA1 5a10d38a932e396c2693216dd3a5d46767363930
SHA256 e18f805a1a78c3f7a16aba7dd2ac65a987b8c8ddf4bc8a786ca1f12960df1cac
SHA512 b0a4051af49b80957134a7429b542d1401e5b5dddfcd463d03d70bb77d109b9d296665fc84303c56938cf8f441f96e1bc988da6d3cef115452aa11a2b7d74afa

C:\Users\Admin\AppData\Local\Temp\swEe.exe

MD5 8d47775d989451b9666238e2333387d8
SHA1 b0b08075737ecdaa716048fdec50a527ae6d5be5
SHA256 95a56b3f8e2df166fc7108b0e32ec01118f537b66338cd3612c8cfe13300bfd3
SHA512 d754df5c1c2e351c514e5cbd3c6bb84f276b9ecca5c37841dbf9c00339908775936177dbb70ebee18adb73fba570f9131a32aa46d022fd655fb09a505f8d4279

C:\Users\Admin\AppData\Local\Temp\yYcQ.exe

MD5 88584b147950a9e6ea91887f684628d5
SHA1 a1c36aef61a6005266d2ad407704478912738b96
SHA256 ccf8fcc2b61c73018701895dd7e678fbb02ada9a9eb749ee6b32020743b88ada
SHA512 a448c2d82de75b0a67065351d2436d679e3b148594bddc5e0b407d61870bb949544d6bde01ec467796b19e0e3f804c23bcd79e845c5939b1c4ac8444db768d2c

C:\Users\Admin\AppData\Local\Temp\IMIs.exe

MD5 bd3934cdf8717e2df1451427b0735cf8
SHA1 bc6c6a6b0d13fd10f8e330bc49354a7a07e9b047
SHA256 5d9a85cd1617cff080cbd782c2274bb5f3ac6d4bcf41f17ec9598df780a3425a
SHA512 6f57e9a58a225fce63305725bc5abaa1b682501d1ca00b10ae7caaff7722bd9431114f71d3c065445426f6cdca2636c611c1c450887e4cbf0241048728be7cbd

C:\Users\Admin\AppData\Local\Temp\tmUEwgko.bat

MD5 bcddf0daa19352b2ceb03bb5979f4e38
SHA1 42b3d07a3f2bb3ba0d34224acbf911cfaf5e9612
SHA256 14c6824f5db388f5deec6b9f30dcc39c0c66d003c7bb4061afd6cc5b81e0a4da
SHA512 55740ea05c9e82ef7c059c02867547d64302014187def87fb5241dbdffc5ff8a8e368e9faca7c087575ce057aee25b7418ce4851ccbceb08d9e9cb84b42a844c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 e7bf957c071649b48d66355685aeebda
SHA1 c531a19adc534dd57f228547e9a3d394cf320a18
SHA256 67f188199b4a693ebcd9da5938a6aa666f3300dd2358a4800cd5ace286e05abb
SHA512 4686fbb5b8780c9c68be08f82795e1ea85030e2259bef87b9b7e26ee86ce8b7204bde538f1fb3399d5a25ebb25ab4e8cd6d35c478708e3347ac66e00650792a9

C:\Users\Admin\AppData\Local\Temp\koAU.exe

MD5 5be40facea863954b74fd9cd24952b89
SHA1 4e219089145468cf8b891e7b73c4be23220359bc
SHA256 4c2c09d5b929555c3150fcf17c40912ac7aedee44dffe9cafdbff26e7f707b5c
SHA512 0067f6c860cf98f28b650e297e89b29ce15b4bfd86a8dcb4f6be3b0a022d61043bea297cbcb5a82241711a0cbb43350156002aa98f5bd11f1ab6efb6434deebd

C:\Users\Admin\AppData\Local\Temp\ssAa.exe

MD5 a938b57527c4fa8edd6619fe3f63fea2
SHA1 bc7ab9f16558f37e2c6fbc65377ce67345439915
SHA256 9d829e701a6537f73c428b6c5c13aaababd3908b0b97be57d2d4ee3cb6a5acd4
SHA512 5a9ad993371b548871d9bf576ec2002bafd8ed6939db2f6f1a7c584121e98ecac757917f8780d9e7055f02750ad8b4ef991c3feaed656f50363f861c00fc0221

C:\Users\Admin\AppData\Local\Temp\koky.exe

MD5 4a70953c04db5021b55998a659a174d9
SHA1 3b2066ea03cb25314824789611e545dd1adcf6b5
SHA256 32d37a3d3b400c161fde6883d68bd6b79e84691e14cf7105e63b584e41b5e6d1
SHA512 06f5cd697d7f82b25d7fbcd704e09fc67955ff0cbac0e1cb18fb5d4dc2bb3bd9dc8f3c2d1fc49d4bd1bcf3ac40ccd346e8873eb65731680cfc86bf6ee9f76855

C:\Users\Admin\AppData\Local\Temp\pEIIYsoQ.bat

MD5 8b7e758d6212eed132e3071bdd783409
SHA1 18db28ba79a952b68ca09e97f118ebbff8bbc6e5
SHA256 791cf5abd762c8db49acabcf27773f0dbf2aad5c2e4aeda54e7a683e4f61244d
SHA512 df43e75112a049a67c5f1d7a92e6f83ef7e39d0a406c44c0a6dc8e23d19cf61347acc5a2ca642737fd541fe344dd0ad8890d01cbaefa6c0fe4b23a3e6dbce217

C:\Users\Admin\AppData\Local\Temp\yMgI.exe

MD5 444ed4f5b8129f50aefd02ce5068eae5
SHA1 d04a7c8bc6fa21df583ef7e1ae04745f2f267b08
SHA256 718772e104c3fbc228a83d49668190234f16025c99e7aec1183a82c37c655605
SHA512 a162305bacbce42af58abe1f3d6d76ed261445b7933777f7d6ee4cdc473166bfe5b483c18b0fb39d776a4a0c3742a03a19dab222475c606e8455f85b213c351d

C:\Users\Admin\AppData\Local\Temp\EAUy.exe

MD5 345ba79ac3528107a691d3fba5b6d558
SHA1 33e8022cb169d8876d6bfc8e141618364412e50b
SHA256 34d1d342dd13293651c2b6868cf178879b603daaf8f7f96a93919a7b3b92f846
SHA512 f282cc19aadce4dd443bab30640371c36b28e031177b5670949d4c37908af124b58578f220475a3161fb230531831e907b6b5f40e37063570bc7c45c8c4587d0

C:\Users\Admin\AppData\Local\Temp\bkMkUIco.bat

MD5 6e1ce41146c924db80499ec0b8c7aaf0
SHA1 55d376e74fef05356253291854cec54e737dcc44
SHA256 bea396237b375e6b43cb2505644c9b86327f9ea91732f20309042bb89500cfcc
SHA512 e50a486a24f85b3baa86902036944751f85756e66bf44f923166785733c0b9901ecf613b9bd10bb9143809dbdf37d04d933263ea1e45bade0b1d723c7751bf2d

C:\Users\Admin\AppData\Local\Temp\eAcG.exe

MD5 809e63102d0ff672c6d9bbb80da65165
SHA1 c089f95e35445520dfdc910da875c71f4b936bb0
SHA256 bd7e98dcf991648d43fe7c56e6a03fb3237ff5cb82e11a2f2e3bb83b955ec1af
SHA512 a3233d0e167af6db6cdfba4cf7b4a58e6ce06ee5e294b9e1a1929955978eb7531724d92d1548f736138873ee7fc45bfa24b9673b09403e37d855db987c8d471c

C:\Users\Admin\AppData\Local\Temp\iUgm.exe

MD5 de7cc9bd984dd187098d211d016f3521
SHA1 c7df5eac3d64eccc9663fb8adfedd1139e94ad6a
SHA256 bff45c00cca23482a1c0f45fc82be6b5f7caaefbad1f2c4f275b7118198206f3
SHA512 cc75d6d0d744f030e7d611729c4a5e9c83a714bac09535e775e5948ad14f97b2967bc39989e33fe9569443f090ff779366e805beafd975c0eff4d80a668072ab

C:\Users\Admin\AppData\Local\Temp\CksQ.exe

MD5 34a5bce24ddf0aba2fdc9b7c7c2f7e19
SHA1 ecf6120b6010ed9f5eda6e5e34c48715fda6dd33
SHA256 cae3ab6c098293a3c869deb6e7a875f83975ca8dfcddcde81d3176b629200574
SHA512 cc968073cfc326cba0a2365815dc35935775e7fa3e59061022245ec0fc506f9ca064f77ed4e264392c27955e98ac3ffaf294d70040f88754eff1ddadf4a29599

C:\Users\Admin\AppData\Local\Temp\JagMksYM.bat

MD5 256fb4d2349145d37d1e1ca973ef2e74
SHA1 ac4a06d04c08af4f45ffdce5403fabfda309fe7f
SHA256 88a4c750ff5f46c75b84c31b0e7191023615ad4413895228ce6f01b23d269e87
SHA512 0b5bf0d2e74fab23b812257bf0faec7c3b5d653c19b752ec3b6b5d40302f2e12567fab4cd2ecf71654ae2a31ad78efcf8e07d3c26f35dced8c77047c776f2664

C:\Users\Admin\AppData\Local\Temp\oMYe.exe

MD5 18e51505a065fa5e55cb6d40c500dbf0
SHA1 3d1cacc0aa446b65f5a8ba6972d44adca2998c1d
SHA256 6c91d239adbf3109bc7a61cd9257c88748abf03706408ef964215b48ffba8883
SHA512 5f2d9f9ea5f0e1e165c26e53e04ed2956a30772add1da1e07252c7486256f02d598a03ba8938d69e5d3a2d8ffd6f69a045b746f5ff0a9335d5ef14082cd1d18d

C:\Users\Admin\AppData\Local\Temp\QQYi.exe

MD5 52d03cdebda70b95ff440e9fbc2a7e3a
SHA1 836acdd78cdb13c989bae60956c999b6b12b5f69
SHA256 c00704f920f5171633a26b67e77ed8fbf01740c2d507d31abbda852605861870
SHA512 9fdd848acd4f62c425bac3f2f8ae22a9a720006f630166c49299703908221b23dafd11c2914dfcffbcf7bc1b571cc187ddb346319caf65d6020cd60c067ea920

C:\Users\Admin\AppData\Local\Temp\CIsC.exe

MD5 cb68822f20f24c90964fe98189c36654
SHA1 596c397fc8603e03d22d181b4d650828a92f96d1
SHA256 fcb195527284e42b4920702d17a30daedade1996a0dba3727b21105339feffa3
SHA512 dac7eca9133f72ea20ad70af3bb461c633dd504f8092e1d10b7124f7ebfc0f7b60a7beb409ae8f72b419381fc7f57e8184a18caad5cdaa860e984745a8e1df7f

C:\Users\Admin\AppData\Local\Temp\UAsG.exe

MD5 ebdd45d19e331d1619650779ee6b386f
SHA1 1c23e9e05a4cb2f8039013002f6378ae7e7e8547
SHA256 9ed53bb6e28259ac5ee337990ee8c08e3c08bb5db49e4919a3c36b213caded5a
SHA512 567ca608477c7d97cf7723c106bf9129686b3428995a8e67c71bd5caa79884c71ea269d41cd7daf197be13fb6d22c100287cb1a7c1b83b1c642451f519b56d29

C:\Users\Admin\AppData\Local\Temp\IUwEEEko.bat

MD5 b4210e5640e9fc0cee6e77027860d954
SHA1 c189f7cced3267c28f9b2b644a2129a5fc053122
SHA256 f5c314fd0bd8a50828c2f84e95607dcd93c392dc0e12652d85367dcc0d0b2647
SHA512 5a22fc1bff722cf8d048d0c4632fd875de02d93448e7d477649b0430e41f089301db6ddfbf3be8e9bd3a45a79180745c847086e0ccb938099156584ab497d734

C:\Users\Admin\AppData\Local\Temp\ussE.exe

MD5 cd77374a14a33087ac04ee1f33c7ba85
SHA1 18d3813773f773c0861e4d9266df00605236ecaa
SHA256 15c87b291c09c8abb7068509ac34e26fb99720280ae2d5fd6b9817b3d6515fb0
SHA512 aa73518de2da162680b6e7b67be4f75abad30df9c2090291b6aed4e7f9a14cda114a500b138a9a67fd8e8bdfdb6d09f902cb211c303e601871faec90da18ecc3

C:\Users\Admin\AppData\Local\Temp\sIce.exe

MD5 8f3c598a0d169e35ceac00202e82639c
SHA1 98305bff435baeab4fb605285fc8099bfcd487df
SHA256 2fa04371681e957344faf5187a5347b2df2d9e6e7b66c0292a7d72c428eb4269
SHA512 ea7dc576be60b3c5af5ff459d7793d25c1244ba1bfc4067a70577d0b101bc52320a0c5721fa7b0fd81711a168ab194a8576ae0d2e84e0f1dedf9ccb3634fbbf6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 fdeb612230d793a64b044a40a2135bf8
SHA1 c528c7dccf9613b3a30fffcdbb88c30410f6e626
SHA256 3c9d1b154b576f67c2b6467a68d220bb43b340f5386cd2145aa386478516b8c8
SHA512 9e5d01693ed75cddb295aa07787e66d74358a8bb7c064b2b6247c595fdf2ec7c55e698f48c05775373c09cde1c157b66e28c3a6e7c9410d79465e859c73a2c20

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 425689c45cc0727d3595b9eaa9f81389
SHA1 cd79ff27751640d0b9fb2d92f011ccc4e9ec2bc8
SHA256 58b252f4e7756cf724acd4fdf23bc88a87cc5b6717fea2498f0c30d5576a8bd8
SHA512 f96a2475bfaae857d208248de75dc6be5952070b1fe459177d15c732b8829230b5c3deeeeec93ea03e3727192cc3960c952a38b9a1a62dc19323953f4c5e69e5

C:\Users\Admin\AppData\Local\Temp\GkAoYcEc.bat

MD5 306d71cdfb2ae037d52ba37e23b93ada
SHA1 b80d152f53eacbafe5ebae9bb5edbc09ce036f28
SHA256 47554b5481f6d3489f181dfcf05682939b2f6092a4533eda3f47ffd3fd694297
SHA512 15e5ecaf3dd3bbf5f4b47901e1f6649a90721da612d7087c065e41b10bb523b1e02a955d93bb98376d6d05d404948f0c87674ccdf21b8b5e3931ccf24e129d31

C:\Users\Admin\AppData\Local\Temp\mcsa.exe

MD5 aea5eeb20ca239b2753861909da2305f
SHA1 f95648104ad1102c2e386b0cba4426b3d0a02e04
SHA256 e74c0e50ec0494b5e1bb8d8f801cfb602f4d73d3a9093e233555c56e0f484bd9
SHA512 609cdfc399a14efc375c90a962ebe4ed0e3236204e7727cfe0dff3e93bbe3862a6eea528d70db0829b40c08c849f09fddc1f7d97f9bad5c8a6bb66b57e3f42ed

C:\Users\Admin\AppData\Local\Temp\iAMs.exe

MD5 a20d3ed5078379b4a9834bf6f0ed22be
SHA1 1bf3ce8f3fafa8143e9eb8f37761bd55d5e55cd8
SHA256 2e6c56bf3468f2a1721b05fca757208a702ccac1b1b9b9aa9066ad555f669e38
SHA512 b5222b2c675c33e67fba05ad1fe9ca67f12a73e5bc884442b91d744ef2915dbd94a9950febf27703fc62230762a0d4de6dbc7c330d1b79887fbd76c488d6454c

C:\Users\Admin\AppData\Local\Temp\cEYk.exe

MD5 673872d60d85d3945b68d8e7d58bcc53
SHA1 566572e381a48fb79fb1a9209b824ae5b1586458
SHA256 e308e1aa8d5ef7432f1e89de01b5dd540e90d2f2713d6db247deca53198078d5
SHA512 e2bc76be1af33035163c76666692ea0dd459baddeecf76a39393ef138554ede5cb118d2e41afa17a5807b0f033f83661fe0c7b1a21ffbabab6f4c691132e4095

C:\Users\Admin\AppData\Local\Temp\MsgskoME.bat

MD5 a0390e0947e428a5a990167d5cc01fde
SHA1 1d83ce4eb5667f79b45748d5994662763ac0ff2e
SHA256 f374dea5e1c92c60559f20d43a8f00e39d8cffe6eb8a87869e9928085bab47d7
SHA512 1671a8ffca85c92f829173aaa5dffaab6a4bfb3271feec79a554a72cb5d6bab455230b43848f73d62da401ca9ef3e34b3c2bb7d49d147cf2cb09d307eef7dd7d

C:\Users\Admin\AppData\Local\Temp\oYcI.exe

MD5 5493d47e757f9c964b42b43b452ef00d
SHA1 637c64beb801b053f4d99d5fd1f9ff12f8bf7b87
SHA256 ca8e455bd44740243991d5d0a70038c60d93a218a81ef836c39881832c66ae47
SHA512 5dc0d76da318e6638dfb53f5efe10c2a610669cf92278f1ed1efebe18c29c3962b1203723dd30a7d65f937d3cc6ca840045874f6f29ebad37d913145e7e26203

C:\Users\Admin\AppData\Local\Temp\yEkI.exe

MD5 a6d3923f9488229f999da0932899ea35
SHA1 b06f4ae4d4c363d03c94c5995bb24a079159382a
SHA256 78fb863e344d7125b6b7704350c55aff483c514b34d87ac073591d24ab97464a
SHA512 b50b05126bb6fd2eab13c75eafa717f98751129c3c7097fc0dcdf6ea43a9933bea9eabb55962e8be7a9e2859a57454e54c56f8ec67c71e06d672af1f7e1d9477

C:\Users\Admin\AppData\Local\Temp\vIIcEAcU.bat

MD5 f9e1ec36580cee34a4fdb4d9e63f4d74
SHA1 2a6d6372440ee92b69772954748e37d0cc2d8e6e
SHA256 3f9dc101c137230ff36f698f05a7d790d9b4a3f7083f3abe72c21ea0887bbb35
SHA512 909f07455c32cb33e2d31e7f1d2b39978bb31c348f0344617963064130f2b6032bf1aa2ec1d9b52ab3b2e14e30324a57576766c8a05a1e6a0792c924bebb2bc7

C:\Users\Admin\AppData\Local\Temp\AMoi.exe

MD5 a954c443ceae61be02fc2eddbd6db597
SHA1 9fad9604097780e6c1da6292869ab540f66aedaf
SHA256 f9539e970abfc8fe123b734da0c746304a9a2bc0714f4a15a24b765f08dc49ed
SHA512 83b2d095de6f6918c2254de1f85402f62c60d2a2ccb1018d76a3e9b6b1675d06fcd02bb340bfa16109b6f92c1d17264c82adc6b92d31b40e048fb175084a6fac

C:\Users\Admin\AppData\Local\Temp\hOIkkkcc.bat

MD5 5e271f68ff78b060d4b3027d3bf65e96
SHA1 3435a8ed28699a0188bf77c658096437fe2eb868
SHA256 5c14b0f394552c6b8cca8dba2f2518d763b559f71b9a0f336935f3f3413e35da
SHA512 d3a4b9f43510aee078287bca92061507c95f63e6680609191f35dce6d402dc074e5c14b8cc1c54f70dcecd821b57e9a22f21b84d623c3d2afe09f2af1c6fae90

C:\Users\Admin\AppData\Local\Temp\YMoU.exe

MD5 da727688e48f913285053d5f9870205e
SHA1 d1f136b6180fe779235e375ef6194d21bdc7991d
SHA256 f7bf5c2dd21e70c5126140d56d0f33c41555bf042f03dbc68d5b355cd7bab927
SHA512 8cdeb8e22c368ac76d4b48c031085d77038af40004c64bb14c65df9ab795ef28ada0b94854689aede9923b9b188ff0cc519ce3f40c0fb79eceaa42813202bd57

C:\Users\Admin\AppData\Local\Temp\kgoe.exe

MD5 517a640f2c62256c70fda8c6ceb74bb2
SHA1 859856324a0b70f0b3712f02fc46bc1e11ada228
SHA256 a9f6a1b56c231021f2923939b01ce52d79c830c3905ac01afc61a3b98f89b405
SHA512 3ffa71ef31d72e9e2f69bd5048ef274ad0bddf701082942d6bf9e4c9dbeb79b98c4a54720bbbf0bb429ca731446ad66cadbee538e7c6a82192242f044db689e0

C:\Users\Admin\AppData\Local\Temp\ewQS.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\coEe.exe

MD5 8f548f1a7505e400819b6701492b713c
SHA1 06b2dd62c35766bec8c21a99eccd1b6401aab696
SHA256 3282a5a7c8c073d071c56561238613a51b57d5110b5478394be03f89f2029838
SHA512 d75c697edad6c9ad6b6df71f384e5c7284aab7b173c97e19a3bd1f1a59e535d535c6d01ed7feab3fb877b3402da7800458fb5ef1b4a8d91e113a15c8465a5790

C:\Users\Admin\AppData\Local\Temp\igoy.exe

MD5 6663c3ed63df7b3ea1913e3801c3b9b5
SHA1 41e9edc52f9f02aa6b55107e6bae24a0dcdad992
SHA256 6d60556d5498e466aef405e05bcf9239b4662fa43f2e342413bc820b381ce8da
SHA512 b4a3e2d7f361d23574509d4bf974193a0858678dcf728f02efc899e72da42e2f6686fb70ee87338985631b59bc22162ca069bc595f97978d884d5781c938bd4c

C:\Users\Admin\AppData\Local\Temp\qcsq.exe

MD5 d0040f8d8fcaa9358be041fd02007f15
SHA1 c15760314959a6085c3bc4c6014acc6208c59f1a
SHA256 5819a201781d7b7ab4ba668a0d03862415ac86252736d955c3150a0932700121
SHA512 150c32b654b55a4e54a7f7e42d5ad468a133c8e01089c8a369e46b77dcf9a0202120958755d10caecc779f4164b94e6ab76889ad6462b95f5aa35465d67a7246

C:\Users\Admin\AppData\Local\Temp\mMsk.exe

MD5 7426ee90fd899349af624bc0cc21895d
SHA1 c7cf43281711841b3f581cc86c502abc4e36d0cd
SHA256 7577fd118d3db1405e57bb9932d712c398e652e404223e24768fa8c83d2fc298
SHA512 885038ac601c5818e5748c7a09274e25a1a468197fa1bf18e01870e8b4ba2ac1f36e59141165f19419209118ead554866ed6966841652f8f8b3b453a78070dbc

C:\Users\Admin\AppData\Local\Temp\kMse.exe

MD5 3c877093b726ab3010316d9f65f78ebc
SHA1 1506496eacfd7b160126591d858bb8507c398992
SHA256 6457fb001ac5cd18ba2dcec5e7398c1bedf5ab7232bcb955532a7a27e0aeae58
SHA512 ffd19a9dd9038925b030622b153ac1956ade4f7f439c2e09bf96424d78b233e036d79d97ecdab0a235d540ee32e1f3c52ab6b24505fc8d15b42c47b852afc6aa

C:\Users\Admin\AppData\Local\Temp\kAcY.exe

MD5 70275ec726976aba875a362b45518d4c
SHA1 2cee99313947f68bd163c22aaebf598488a25371
SHA256 a0ef6d6a486216b2785d38400f6bae23970c99c39551eae4ff45c8f095a2282c
SHA512 6b4de6a64dbddd42035fe3abf816f42b3efb0dd1bd7784c0134ecf9a6953aa121bbcd85ef24a0ea018f272f2c2438735269799d75077bac12cfd66b0b1da5863

C:\Users\Admin\AppData\Local\Temp\GcUW.exe

MD5 7236ebc9d4708c2d83f3a5b0dbc10a4b
SHA1 a43499604a1fba01a88717ef4177d6566edde525
SHA256 571858a79fba8cf5f6dd3c8ced0ca25d4a9664cf9524c58bae81a74b7b5c5de2
SHA512 fe875a3aa6d76823294327376c8583fe7c59931ba01a5bc4f2ee7d1d8bc32197fed37a953da98efd914938aa87e454a5f15f5b6a39ec19b3749ac64d6103027f

C:\Users\Admin\AppData\Local\Temp\cEwY.exe

MD5 4bc1b350fb545f59b7bc8007adc11a36
SHA1 8c9c21753e00665f515e5f43cde0cf71741265af
SHA256 5a153097f7c476fb6836670f42b746c4f982184ff5aec3b4dcac268d7188269b
SHA512 ef02b7b3c149c985f39c22a6cdce94f5b0033c1c8246da593cef0f2e5af936ef0b7256cc8189c9061efb87f398b4f8308f2a269873d1b0a23c21fcd4000c90bb

C:\Users\Admin\AppData\Local\Temp\jqMgIkcc.bat

MD5 69e84cdcd63b6232594aefb5621c40e7
SHA1 16a41e41cee3b46815af655178975c53d6eb8acd
SHA256 35c0d9e1c57dbfeba5f8f2130d2f02a45e87b8cbb38630c5b1b6f3016ebab9b7
SHA512 cba3fda7604f96cf4a26db617bae5958fadcbfeb9efc05d2eefaf4ff96f27edd6381f2d09f75a6aa737a75ba47fead5b4a682f1fe71efcdb794cca268ee63746

C:\Users\Admin\AppData\Local\Temp\iWsQccQs.bat

MD5 623af119d823b34064afd00654998a4e
SHA1 cbfa66ecccb0a4dd843f3c68dcac0670365fc9eb
SHA256 c9c8fad6b9e42fe5ccc9aed35a04a539ba1b4ab9ddb7e269418f17501cb11c25
SHA512 b0edb5ca3a916535b0e50c52764f1340b7358c5508a30a235ccea767d14d0eb150322dba10a73e400d956230fe0816486f6e4ebe53278512fb8499a74d8e115b

C:\Users\Admin\AppData\Local\Temp\ooMwYcwk.bat

MD5 47a5c5b0070457e4ca1d50501abad6e9
SHA1 0499f61cbaf59839ba3c331497a3de83ddb45845
SHA256 0f469efb5247d305e03c40945cf7af1f9ae356af4243f26c9b055af2f53a1f02
SHA512 e84dfb2599ba7395470fd81f5978cadd113b6e5d0ccc5fdabb014752a3d99c97a2af666d325e443272b79d556238c3a57c1ccc716c6480848c6819983b5e25e7

C:\Users\Admin\AppData\Local\Temp\wmcIIUMM.bat

MD5 a89f9d2086329ba8328f72c3d9846322
SHA1 f1291d8a06d74f3cdad424880228631147a8e524
SHA256 2c1ea8806352344a3953d07396ab30d3efad30441ae28c8e1b34dd08a480f678
SHA512 041bb3e8e4ff37a0aa46e6bb563debe8f5f24161a2ea3a1ac7d628a595cc76c7370523e964144cbfa3a3236886a63c6cb5aff163b0e3bb64682384d1fd661981

C:\Users\Admin\AppData\Local\Temp\ESEoMgcU.bat

MD5 530305fbfd138f1d7af5e59f6c7c132a
SHA1 629f2a0c3e45532c3cbe7ea006880d684d76e847
SHA256 c2a8ab485a691cf73019c5042fdde8554de3febdc4f5695c46152a8b842792a8
SHA512 0114cd5b5ea1f94b0f5b6d03e35054a6d00679e084df47698e7c890ec7f778acb1ee5ba82f814f20010be764c7e696030b1df27cc1718b3436900b1de3174a98

C:\Users\Admin\AppData\Local\Temp\ZWEIQcMA.bat

MD5 96acc609c428c64229beebcc25ac5388
SHA1 7af7830d709068773533eae57e10dacfd8b05ff9
SHA256 b64a80d72f922b0ee96526f7759493d467b6b101f4e25e0fe00d7878eaeadc1e
SHA512 6f795dd0422dc5c9b6bf2cc702e67777ac6de0e3cd305320ee5f3baf7c8cddaec42928e9cdb3662a19c9d0ab82692f3066aa94b7355fde98d198417fe25ad668

C:\Users\Admin\AppData\Local\Temp\NAwYsMoQ.bat

MD5 5a100fb74bde2801d7015a3749a9947e
SHA1 238cc96c2443d2869e0e6d51c77ff7c7e331506a
SHA256 9b0fc5d68a3a828466e9c1d49656a0d66ebeb701bd50127b663359b68b2783d1
SHA512 58ac9e98603ac4449fc22c0cf83a10142a55988c3a7f35c3d3028bb524957f677e60211ccf21ea4f73ff95dd684ed0d6235188b32f233919810f71e484662c87

C:\Users\Admin\AppData\Local\Temp\tUYEUMkQ.bat

MD5 5f04bf8232763e89f655820efbcc45dd
SHA1 b7c62fe3b42e0c1a732a565f2c99b78f271f13d4
SHA256 7e9a867c8ebd824b41d05b711b6be4481c2a53fa1e9fc8adf8e5b2056d99ad32
SHA512 4a821b8cd9b57d6bcc73ab4c4d2e3d0fa526a9dec6b0f64ef81d0803931cbe7c846990b1146ff27c2926656cdf0b4a60c0d9c0159ba06618deee77e314ed574e

C:\Users\Admin\AppData\Local\Temp\LuccAUAo.bat

MD5 879e53eb97935fdc19aaa669d4798291
SHA1 fee36e6a6e882565268603364f304e44f6c8185b
SHA256 1b6873502d191f9249187bb28bf0c914913ebb519f1a6acf85f5b003b7732289
SHA512 7eaa60aa86935d13843505d26a491ca4d90bceb5bf20964dcfdc690c9d07bb8675f81bd211da31a9cd92ecd734788bf337e9a089215f1a225483d0d0c371a6f3

C:\Users\Admin\AppData\Local\Temp\megMkAgU.bat

MD5 b984f81a658dfe5c51105d4d00b82481
SHA1 4e096fb9d9b3851295a1d457170fff832eef407a
SHA256 44e28bc055699b230fee2ead1b85b725bacdebf6bd58d032f37946b88ec4eabb
SHA512 2252791fd6c74059c77bcfd1e7bbe8949429df33fd610638d2a0d214d5ef1f9046168b3f75d0d62a4a605e4adc18623adc7ed8b5963355b14d8d59ddcd07c072

C:\Users\Admin\AppData\Local\Temp\aygoYsok.bat

MD5 1700460164b47deb61bcb89b4b1f6476
SHA1 319bbd9a879080f2ae5e2548041a2784cc68cba7
SHA256 fb251d7688720dc3463c9017f8b4685d093dbb6e1e2732d5f9966d36e998ccf8
SHA512 315c67d2684abf3340ae6d5f22b575080fad44b7816924b5ac4d78dca11cd9a0b7f2da483398073be0c6ac5f8415f1435c12313308ac97b0f54813279dd343b3

C:\Users\Admin\AppData\Local\Temp\WQosgQEw.bat

MD5 6fc21de9a70f03bd387e404d755cfcdb
SHA1 b003cbe9b6efbcdb11ad9ea80f8ce4a6e4010d57
SHA256 476797622ae8222f4eee90593429c268450e5e9b399bc6acf0cc200d528a6694
SHA512 8dc7f38eb21c28f986eef2defebdc809d634e8412d879e7d2d63e1770d4c9e47e268868738737978efe63f0ca3897bf18f8adf26d9a94db840a729163674038f

C:\Users\Admin\AppData\Local\Temp\qsEUgsgc.bat

MD5 721c6b9fe6c09f28ba8d7a43eee9c9a2
SHA1 1ce77988dac63cd8da27c23ac9328fe2fd83ee0d
SHA256 a405a4d20e2427a9a847a0e9ad5e14edebc36d6c6fbe81f1510cb66dd514a49a
SHA512 2a0c565491800b4da5188082ae57d33111afa7d5505cd576bbb960054e9990155fa79da1f05d65f0c0c17884de4ce3b5508160303cf14a81c84d23231fce9029

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 18:54

Reported

2024-04-03 18:57

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (85) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\zmQYEgwg\nKcMMUos.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nKcMMUos.exe = "C:\\Users\\Admin\\zmQYEgwg\\nKcMMUos.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XswooYMg.exe = "C:\\ProgramData\\TCMkYUEg\\XswooYMg.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XswooYMg.exe = "C:\\ProgramData\\TCMkYUEg\\XswooYMg.exe" C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nKcMMUos.exe = "C:\\Users\\Admin\\zmQYEgwg\\nKcMMUos.exe" C:\Users\Admin\zmQYEgwg\nKcMMUos.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A
N/A N/A C:\ProgramData\TCMkYUEg\XswooYMg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4924 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Users\Admin\zmQYEgwg\nKcMMUos.exe
PID 4924 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Users\Admin\zmQYEgwg\nKcMMUos.exe
PID 4924 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Users\Admin\zmQYEgwg\nKcMMUos.exe
PID 4924 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\ProgramData\TCMkYUEg\XswooYMg.exe
PID 4924 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\ProgramData\TCMkYUEg\XswooYMg.exe
PID 4924 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\ProgramData\TCMkYUEg\XswooYMg.exe
PID 4924 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4924 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4924 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4924 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4924 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4924 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4924 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4924 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4924 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4924 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe
PID 2944 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe
PID 2944 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe
PID 2384 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2384 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2384 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3020 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe
PID 4336 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe
PID 4336 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe
PID 3020 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3020 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3020 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3020 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3020 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3020 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3020 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3020 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3020 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3020 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5028 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5028 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5028 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2304 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2304 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2304 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2304 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2304 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2304 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2304 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2304 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2304 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2304 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4840 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe"

C:\Users\Admin\zmQYEgwg\nKcMMUos.exe

"C:\Users\Admin\zmQYEgwg\nKcMMUos.exe"

C:\ProgramData\TCMkYUEg\XswooYMg.exe

"C:\ProgramData\TCMkYUEg\XswooYMg.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mSosUgwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGoEIYMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUkIcwkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQoIAsAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nswEMEEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aoYwcoQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKccYcMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAkYMIcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmsYkEgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcsMkEko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEkkYQUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkYosIQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nSskQQok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwYccIEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QmYUIcsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMMMcwEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scEcosgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQMwkAMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQswckkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PuMcEIIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JccQUMQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AaoQsscs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcgwIoMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQgUkIYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACAAoYQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkQUMIYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\voMogoww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZuMEoIwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqcIYYcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEgkMgoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kywwcYQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqIAwAkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VYcocwsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKEgQEYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcwYgQQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyQsUwUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AggoEggs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEcgQkEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEMkgMMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYkgsEQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWgEAoUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwIgkUYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcEcwkEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAYkIsUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SIMkssEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gyIcEEsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAcUMYow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncQwgQcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAscYUUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeoAAYkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UcMAkUEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEwAkAcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YagkQEok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYAUMgsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYwoIkYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwAMAwYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pekkoogg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uScMssIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycIQAsQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COssYIAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uskkQYQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQkQEEck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TScAEsAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ziQYQwAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOskEcgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAcUgEco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMooMwEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\woIIMEYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUgsgMUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rskQkwME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSsQcwQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcscskEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEAocMgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEgooggs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKYcEsgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kawAsoUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOsIQwQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGggUUIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgsscgAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYgEwcwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqcEEIUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYkIQMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEwsIcUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMcYUQkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgYYMEws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuEMcock.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuUIocIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqQcogws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwkAoEIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIMQEIIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zUUYYQQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCIUkMww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGAsYYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQsQMYUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUYQoIYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkIIcoAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMQAgcgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkIYIAYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSggYUMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bisowAUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 142.250.200.46:80 google.com tcp
GB 142.250.200.46:80 google.com tcp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 218.122.19.2.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 241.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/4924-0-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\zmQYEgwg\nKcMMUos.exe

MD5 ef15d8f47024877808650d466647bca9
SHA1 2bc9d8cf9a6bb7c12498f365123848551ef87579
SHA256 8bb4fddda6ee81ef86b999f1e396696d75c0c26f98a8b34888ab3e14ac1c1e33
SHA512 4a50ec941d13337b3fd999f2718698863c9c2795268d0b512f6dc2cabe12090234abfb503421900782fec1402b6cda4e8764050f49b48be85205a4ad13fabdc0

C:\ProgramData\TCMkYUEg\XswooYMg.exe

MD5 fd97e433f6ad0407012a5206f38de25d
SHA1 b3ecced8d5b740bfd2f33ade6afa565d8a0ff840
SHA256 3f320ad3bbc1e1fcf376d48c69b9f0bb453b919f7a1cd27f7e3934d92c3bc590
SHA512 aca4cfde94172c28e0b3a93352dd1d1fc3e208cee526ef36a59cfe2274f9b26e44ae3d70b165934bc5e8d6a03ec8707fa92c42c8e82ec91be8e5773a2cac5957

memory/4144-15-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4252-13-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4924-19-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mSosUgwo.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock

MD5 f2271fe569c058dc724d9b9e53811e31
SHA1 ea276fc14127875413ac387f017bd2291a987f4b
SHA256 bf0074851e2435a255b512e502b831ed2c456774971f8fc57004d597769364a6
SHA512 c324428534f64879aa17b190206e538066308486d95e9fa1b8b7238bc79067042717c232034ef8926376b72d3123be169852b05bfe58c7f69887245d91e5b53d

memory/2304-27-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3020-31-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2304-42-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2280-43-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2280-54-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3028-55-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3028-66-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1304-67-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/888-75-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1304-79-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/5080-88-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/888-91-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3656-102-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/5080-103-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/432-112-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3656-115-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/432-125-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4376-137-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3464-138-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3464-149-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/620-150-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4724-161-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/620-162-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4724-174-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1448-173-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1448-186-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4124-183-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2904-195-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4124-198-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2904-209-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4048-218-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4092-221-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1672-233-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4048-232-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1672-245-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2648-244-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2648-257-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4848-256-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4848-265-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3972-266-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4380-272-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3972-275-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3836-280-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4380-284-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3836-292-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/552-293-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/552-301-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4356-302-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4356-310-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1588-316-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/536-319-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/1588-327-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4384-328-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4224-334-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4384-337-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/468-346-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4224-345-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/468-354-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4812-356-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4812-363-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kAIG.exe

MD5 d1fc8e76246d344c6606b1aead86ef72
SHA1 3b9893c5ad197af4637abd666a8a4b386d503bac
SHA256 6d62a747510056b5b92bc2d7dc82ecaa51c5b92a5fbfff9dedaaddf1d065a427
SHA512 c47be00bff22a9a9bb1fbfed741096de0d281315ac17b21e060cc6dadf540bcdc718f6f951dc35273fe93558cf05511e7cfc94aa58c8c6bda4177d1236ca29ba

C:\Users\Admin\AppData\Local\Temp\QocO.exe

MD5 39d4eb9b5a0dc0c4db727bd5db4375c2
SHA1 523e142b2de2409383c4a622fa15448469345d2a
SHA256 f70eb91fb1b25cc0d83c1365193e728c6512e57259f5b61049c5a564727ff5ed
SHA512 ea6f5908c1be548c093425a4749201d7fbb32b30194d99b906189f87bd8316e16aacead85a25256c820308bc507da57180172c9f207fa0b4c906fec93c028f14

C:\Users\Admin\AppData\Local\Temp\oYUG.exe

MD5 613c5dbb6fc39296ae231125e372704b
SHA1 3623118d4c8129bb8d13ff00e05cf6ea9a9bc65c
SHA256 4edd29c00fb7ceae21429f87db698998867f08ee070741cbfda00fd2bd45952a
SHA512 3a43b3a272d9c2b622a9daf659338a2fccc33ddb4a72aeb19c4ebe14729c3044c6f74e6bdc3c66a42fb3b9048a75312fb59ee9418481e2c521e92a015c0cb326

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 0a1fbf087734034ce5c877ec687cd972
SHA1 45e61133c9710c065ae197fa99bbd24863637e2c
SHA256 b6497571e2e350fff294220fded36e1e4a06bb306d1b8938cd03b7f5fb85a6a8
SHA512 73285ebf4440f6ace998b99ed4263555872b6aadeb1389e82e234b85d50ab54cc1cc5725c5054e30077e544f40e82f47b3ddf466c25a7d7d60c481ead2da7c11

C:\Users\Admin\AppData\Local\Temp\kcsI.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\ScIe.exe

MD5 65d5815ee60c527094273d10211b09a0
SHA1 a1cd5b5c9d38a2929cea223b6c7ce2cb05e137e7
SHA256 372e0ff4ee505b742e5182d522f913b10ff189d0e28138a6e4a0963e66b8b644
SHA512 de6155bd4c2027de930d0e0c7e98748f8b2cd9380ec94533e50fe3d44225344026b546abc53d7537379b920123cae8e5f9a2a306beb306211153376c36952d0d

C:\Users\Admin\AppData\Local\Temp\sEEw.exe

MD5 86b5b7dbdbe5a805d9850d477b3fda99
SHA1 62b9a5882549fde724a6c3ed59a36b0cc5e21078
SHA256 8aa3f565bdc5b82d24837093ca1650931c46ba64382eff7494c4d593e2952043
SHA512 c0c17478f6118439265cff597ba794a210d97d7c63434038e020583528115489d3ccc6e2918202a6fa747de03bc15037d36451c9bc2e02a5e6d743ee0c8786ed

C:\Users\Admin\AppData\Local\Temp\Uokc.exe

MD5 e332c4d8cc72200ee0bea190ef540e22
SHA1 013014361ea635f908e0156da269fe9e8ee01772
SHA256 703b82044965dd5dda48c4b1265fed27c6fc3d96a247cb352c6a2f47c09f0d1d
SHA512 b92c26b845d1d5ab12447b7734b9c00affeed7aa5a8d003c8ff761ee404c3e553b591c969c0dc0b2938ce266a3e87b5417c5954b6d43b423690c297722944efa

C:\Users\Admin\AppData\Local\Temp\eYoW.exe

MD5 6d320ad9aa716fdd0357e296da5dc810
SHA1 1815bdd1ef54d56d68f05df9963e4d27e266cbfd
SHA256 197860a5d3a73a99295a9df3908a487f19ff09320487006f800e2763b33ec1dd
SHA512 4f8ad15a4a10979f5f86f78ca30174049f4a9e4a91c014ccceb555e792a738be6a24bd34fd0d51344197631c164e31b22fce8970dafee587670bf1672236d16a

C:\Users\Admin\AppData\Local\Temp\yAIu.exe

MD5 390af74bf0e9b26547ae80046cffeb68
SHA1 cb0d3f2107879841d0fdfd6f7ad1cf3df8ee0b91
SHA256 504e2c48ae9829fc4d1588c5b0c2b72174d72c26e45befeace334521c626deba
SHA512 a2dfc4971e541271138e3a1e988e56cbfb902f60ea1672cf8d21bfdb81fd1af857f13201173052a9451fad5fbdb14c991adeba24cbc0d606f8e3e84098c13646

C:\Users\Admin\AppData\Local\Temp\wQwS.exe

MD5 9fe1f7ffd93adaee672fe24e08baa178
SHA1 7beabf057cc68067098a9a5b595b5bb11d187819
SHA256 6fbfa785ae658597a1c1c60623fc50f50f2369414a474141f11e6cbbdcc4aa17
SHA512 5f2b6c8fe2ec6c41b4ad9c633a17701a7a8a67fcd324ac78484e8c503050b178b9e74b9c4007c7f5977dc18db19b99ed84e95b0f3151a3ea00ec08ebf5ac93bd

C:\Users\Admin\AppData\Local\Temp\OIEg.exe

MD5 0b933674eb863e6dba6196ce9612f0ae
SHA1 3bf95d65f5627fe82bad8ffc671bb66578748c67
SHA256 c3bbadd170f0951d3c5c79f4be9a60ead71e9466243401410d3b3fdc33231b22
SHA512 5747f29ac0b57ea2d9847bca2f0d522151304c354ba04b6742ee94b9c88e48e76b2a717b15c07cce9c82de18daa7bc1129b78a4647b485d47428301ea9b111af

C:\Users\Admin\AppData\Local\Temp\qkMK.exe

MD5 1c846aa02fc094aa0dd5c182f8dcb91f
SHA1 8074ac56ba36a225ade372981058839b2e6456ca
SHA256 f735a4b372d36c1ab67e622b2979044acd4e47675441c9935100f6d92ab276af
SHA512 9fbb507849af6f5ae96d28d233c8c5e6e4c374c7b29aafc7ceda8ba87f4766f446ece783b5c095b693fc22c21bea3e02728cf407f100c64784fdd06f2fe02686

C:\Users\Admin\AppData\Local\Temp\GoUG.exe

MD5 9c84dce1b0a3e183f7c4a35296abc62a
SHA1 b824c5963d46e26b52f30d9b1ff1a68745fa2a90
SHA256 2ed14fb5fd9e1d5b9f87a318a59919fb6f32aa2a6112bf4b0a8bae702d0c9fcb
SHA512 f18ed513467d540a267e254c5b9e549103b687b0b3900c7f2ffc153df2d66090498d4aba702df53d9e50734e8ebf0a957496a7c7cc63a5bc38c27070b7b8c3bc

C:\Users\Admin\AppData\Local\Temp\kEgO.exe

MD5 bd683e5f8ca6035c0735a564f634b9a8
SHA1 8c19e2163a3be149ad1b6319d652efa353808c08
SHA256 73558bb89c77f7a69a287d27b969b99f3848c260f2034c7c0de84bac3662776b
SHA512 92badf19002786f2adfdd85af125897f7f0515e6fecf28a0ae11eb9ab679a2447fd2eb657bc438ea6c7e924b9a1d392dc867c2310d299545bebe5e62822234da

C:\Users\Admin\AppData\Local\Temp\IQoi.exe

MD5 5070a71850729ca4782c83ec3b412697
SHA1 ba97e88352838cecc6839ee91d86ad906efc8a93
SHA256 7a8eae2acd18ddbeb45f1bb948c061011136ef7b9e7abb1d41e1d6278440f2ee
SHA512 d57e432b0d2e3109960de85e2c88de5f071a73debc16113e622df7d654222afcfa52788f158de41533e22f85605256eea18b0333867b335f41802ef02aaa7d24

C:\Users\Admin\AppData\Local\Temp\cEYs.exe

MD5 4e918bc202340d75610979f4c5ecace3
SHA1 e5e72bee55b2c46762e0fb489226cc4554d6a2c1
SHA256 a557e9709262e673d81fee249021f8ba98d27000b74edf25d0ab0cb8b90a8f83
SHA512 41b4f812aaa180fd574ed05a82a81e3b314fbcdb8b0834b63cf90e2beb8d542988d38ba53604e55070fd50eb9189a4ab4d07a4aff87777bbf4e5d03fbda69a15

C:\Users\Admin\AppData\Local\Temp\sQsC.exe

MD5 df81c8c58a33fc8d5dc531e7a861ceec
SHA1 5a723f8213b59095ab27fec1e66c5018b133e706
SHA256 cf0b353f723b9cb15a4fd5cb0d518b002b7f1dd44e8ca0fabca0199becacf2cd
SHA512 41b0bd4dc95361c3bdbf9bf618b7691c327d1f8a6b836e345420ceab0cbc52ea47ad3a464b00ef3e522b2c4fe68ee6a66c0ce3916b68e98c66e030e9027a7e2a

C:\Users\Admin\AppData\Local\Temp\OEQC.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\eEMM.exe

MD5 de2c4de4f8fb41c9e80aeb0f515dbfdd
SHA1 bc4b296a29ced096319de5bdd5a4b9448e933976
SHA256 187a5b8d724a2c261d3c8d6ea4091ed46f3f969c3e7ab04dda119b21050b57f5
SHA512 da650951286e4b1e1cca622c34ae3ebcdcb1430b6b25982d5d23bdfb28ad74ca36cc5b56687d61d156625b67f2220f2af6315ea713cbf4d7ded8cf544a8df500

C:\Users\Admin\AppData\Local\Temp\WYsc.exe

MD5 1b110569c4fd6b3bbaf1e53ee0dc1160
SHA1 5bdd8972c9b2a6536ec26b0ae5189c5b8ec128a3
SHA256 51f3818a90ead18063477a87443b328499df488677cdc7f07fa9e95848b24789
SHA512 b548a40b7b36a98194f26265ccaba8b2fe12af48243bc8ef3f6c3ffcf705c59bd9eabb824a5cc6424740b907706176e312933f088bdd972cc82299927fadf5a1

C:\Users\Admin\AppData\Local\Temp\EIMm.exe

MD5 aa972bd4811bb2e36ba967fd22251865
SHA1 4f54bad1ce83b6a26203a027726686d075c82cb4
SHA256 773dfe6591b0ba578cd15b66b0e407e9d3ed08f3f246266878a8bc07f01945bc
SHA512 681d10b193b7cabeb14af7caba1e04602afca284b97db27d82166341ade3c28f1dc18d8316513e6fe19f9c66a2c854664b946dca66c5e5fe8da722cd7fc2f546

C:\Users\Admin\AppData\Local\Temp\sosk.exe

MD5 c3c527eeabd045c004b00de2235953be
SHA1 3544786720cc029752f1733c237bbb0522b657bb
SHA256 660181895db8fcdb3fa372d93b1b9a5fc56f3c3ddbc4f2054041073634ca6a0f
SHA512 7c74856fb74e2e22fc4362ea2aa61e00069bad511ec448aa64579c6799b60487e1758b98e3a1dd27221e25021935ff3e2681ededace687994b2d2798b532e8ad

C:\Users\Admin\AppData\Local\Temp\scgc.exe

MD5 2b9cdc31ccf77c15dcef22e9bd9beb1a
SHA1 30ac6ea422fdca6ef89d8064de5fd5534307b783
SHA256 2c66e23d71119ff002335484e5e380860b9a9fe218dc9df334d6252102f47306
SHA512 5aa06bd9ffa31604553c86a1c5e7e2252ba4462e9cd97a3f72666d650ded0cc22cdf435754e79c777f0b0bc31514ab5f0602de15da18cc2390ee95d791e1c699

C:\Users\Admin\AppData\Local\Temp\wkgG.exe

MD5 edc8ebc6c616f96309e5fe20ba6fccf8
SHA1 ed15db6c350a7ef2ff6f2b4d1213a3f2c892104c
SHA256 efed4d81ac03516a6e1d3843794ca8efbc18436bfdde43bc36f7cecfff22f1ee
SHA512 ebd7be18add15a654b416a8ee6172065748744347a879320094a6a0a88dfbecd855fb16461aec5c10e24b67d876415e9bd06ce030df6a5675e3ce44fd2a240e4

C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\windowsdesktop-runtime-6.0.25-win-x64.exe

MD5 5644708579f0b6c6eaddecfdbf57eeb3
SHA1 e87aeae1a161d98c9503460842637150ab76d196
SHA256 43b51db722377ddfb88cd3cb562e0909290499080d0662a12d9952b79a8a7515
SHA512 10f58e57a342a3e34526a6dba8cd8bd332ad00bf6e545f0daf5fcbb1708d9c72ca0e3f51353459e0e0e35f10a87873193a1230e6c87e569e2d0f5cbaefd439d1

C:\Users\Admin\AppData\Local\Temp\YQcS.exe

MD5 8f956ac444a1a35b109ea10bf6637f56
SHA1 913726c08973793e51a37eb3775b73e020f20908
SHA256 b5e32fd908e2641e1850b315b958e59222f2b615e8d58397734e204538e96fc2
SHA512 6fac78b558c8881785c792a169b26cd0df91586aa999f971e881dd42f88a86fccf5bdd2b75392d03dfeb5bae7c81b975874cf645d7624a9610b4309ab87227d6

C:\Users\Admin\AppData\Local\Temp\GgEi.exe

MD5 1af10a36a5db9657d2767a25807b462b
SHA1 8c510db4c4e5c68ed7175e4d473cecf1bcdf9f4a
SHA256 cfcab52cd59b58ae95ff22c95404047f39dcb280cc0e7a863e7e88dca5178de1
SHA512 026a80bacc0564befa93f51fd3ff117ee55c6096176c8650a0faf4b8aa21b0418b1f755e3b7485f787b3c4c3563071190324697652d0639e861f4bb9a58babf7

C:\Users\Admin\AppData\Local\Temp\SAUA.exe

MD5 f0e00b54bf244f6e1533aa3df688d2e0
SHA1 3e941f821f72c0b686e73fee2dbb9fe6b11d3831
SHA256 1859e79a9fb7262f13192ecc61ce9af641fec5998ebcfc0ed63e619b16025664
SHA512 14ea077eee3a639a9920f16d8e3461c4f19a26cf764abbcc4066b9b2f1a6147a9b6c1cf9ff5d4860a2bff267ddbc42e18721b8643773ac9e0453288228b4a33f

C:\Users\Admin\AppData\Local\Temp\MkQk.exe

MD5 07c3d008539a26fb886e019355694802
SHA1 bc0d6dd3659d1d86141d894ba66c76cc5a51d7c9
SHA256 4ab283e82bd512937973001da64c10267c918344048e65d5d42b7f686da599c0
SHA512 60c5086c485a0af01a2650003f215986962654f66da2ba3129f9aa47342cae31f13ba5ba2cee4aaf355e03e52e3e4b88e939c10b76a303ea843501b62257b27b

C:\Users\Admin\AppData\Local\Temp\GgAU.exe

MD5 eaac2f12131f377a044e2063d591e787
SHA1 8ab0d257fe5602728b8c7f464e8059a9af40211d
SHA256 12448b1a32768bbc76f75e421a108c8d005f813224f9fcae055aaf68ce1e5c6d
SHA512 bc90197dce3e9af86462e9ce8677e7a13152a4731acf4a1b022f19a1d38d1b35444b2b4939ef3bed88e32c82e051f2b7c36b2f66abba6017347f9290070208b3

C:\Users\Admin\AppData\Local\Temp\IAck.exe

MD5 7482593c8be9f3167aae0c00942bbc13
SHA1 dd1ea95376c66aa3eb1803da94d00e5f2815b878
SHA256 904653545a1ced1b927cc53123fb15c637bd3a7ea0568ad7741a489031db1cb5
SHA512 397ac932a7c550b70dd62e8836329212fa57af53586ed0c3ae6d143b758e5c9e47766d14e6e166f2349518322b55a858153182073b50aa59612d1bccd5737464

C:\Users\Admin\AppData\Local\Temp\YswE.exe

MD5 045ec5f6026d183dfea05b8be2ac21fb
SHA1 74dbf48e6d8e4082caff88e7ba8154c5d0ee1776
SHA256 d8a29af943e284954b37ff464eca796eb71700cbbc4cafac48177ec900755a2b
SHA512 655a19e87c40e588ab8896fd9009d80bbed0712e7504313a30c52e2206df633a30ab8c88ba436e1b979071e6b1ccee552a37dd26693c6a85c5ebab9243fd40e8

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

MD5 298ad1dae30d462a78ff51f0e37eb625
SHA1 f3642cba7e7f8fa4e109b5bcbfcaf5d859108d9a
SHA256 9496c8333870ace85e4e43670db2973a6e1da97a208222affa079d5d4cb88156
SHA512 cdbdf3a516fda89d509b17f365d15e5d7be4b95f1f06fc9f3d2a01d9e370ddacaa7efa61b9bae813813d3b2d4c7d6889416014b673e68212c0ab728023208b91

C:\Users\Admin\AppData\Local\Temp\cIgm.exe

MD5 fff07dd1aebc66f41f8f47e9a36f596e
SHA1 48156b184698fc11b72019657adb9d2555e48849
SHA256 093b6cce46eec80782732c42643e66b002f156d0cc7d014c32f58600275a6e5d
SHA512 68cc5a58ecd17cedc0d1c4536a395f98b79b5a96078d9220cdedce2a07684eee080d1743a7697c9d54e8bf2d42ee0b8bb3a3446e8cbeb0ebefc288d2e3f7ef82

C:\Users\Admin\AppData\Local\Temp\AEMo.exe

MD5 26a296287542136b08aa5c68a2251abd
SHA1 722d14f365bbf500b72689f05f1b3f3c3635239d
SHA256 c57997b5793ee8338ffd4dae42aa397912fe74d085c98602d336bcfdb4711dec
SHA512 c0355b27f7a41c5dac08ef0a5ab9c405804b9029016f7372b358d97d424b5be4f16ef87b16e7850f6ead364a239aa4629c1c262fec4c3c3be9ff36c74e053bec

C:\Users\Admin\AppData\Local\Temp\eMYS.exe

MD5 b009fa85ea73d522b855db4a4915a354
SHA1 43c3fce9f8fea2faf3f915002cd733a16e88e9b3
SHA256 a89ea025b74c2598ed923b7e148b0edc11bac3d6c853aa337207e5564266cdd4
SHA512 5106de81e2082bb79099f251497e926f31f71216d37f63c49ffa0a258b727a5cbbe9ee3b6882f47edb7604bff2ea6af35f289471f63e74555dc7da683511eda1

C:\Users\Admin\AppData\Local\Temp\QkoU.exe

MD5 b2d1a595cd270185fa9dd7758a03583b
SHA1 876f548e6d49a2172a0643e21291202b52b2d7c9
SHA256 3a22944554de7e5629878c1364d61987ee1f1ad9d546f007b38627aeed322a75
SHA512 b2923874314077dfae1624c3565697aab995cc44cb240f826bffe041cac7471e705ecadb0bc0cde802aa3256ae6e8a1eae5924accc3fe9c5b62e8cadbe05b7aa

C:\Users\Admin\AppData\Local\Temp\moQg.exe

MD5 acbeb84d28253ded8109bbcba85ba70d
SHA1 b7917c6434f66d27b3909cfad189017a6c9b8bea
SHA256 a27d4889e8852468998818a4a3f0f4278338a0eb9d96ebf7f340d901a5fb043a
SHA512 c76df357a8004c31d1d7ead631dd31cea2c5fa1e0ab040a550fab76f9a258486926ee5ae6e8e8a702a50934a5e082e7a302d6ec46baf9034e13603a8e473dd9c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

MD5 0dd21e16686e8a08e3625a2485e8ec1c
SHA1 d8f97d855d9615e5d00bb802d95a8dad42043854
SHA256 7a85be859542a8711f4f24d8c6d2ad0c2606918c5d9c262d795e37ed8ecbced1
SHA512 9274b56ba132784b467001c9e3928787bdcb02b0888115ecd12f57f755ec17e8790463a106c2fa786ea1c96c1ff735b5b9252509db033729f9bcded6b124f57a

C:\Users\Admin\AppData\Local\Temp\qkUs.exe

MD5 51855fb6f80bbc3cc49be7983a33e3e0
SHA1 b0933c78ee8515a9dda68b8a7440e3f9221d6c6d
SHA256 de0e94f9362162a6bcae1ae065e069f081a5a50c4c97cd1ffded7c4af3dde85c
SHA512 a22eb8c2a23a2190015f273b9592b61ff8ac7febd5399516ab8acf07d3415eca50fbc3e7c79edc85c25f24efa70de6181e29aa28b31309ebb571abc06fa5079f

C:\Users\Admin\AppData\Local\Temp\qEII.exe

MD5 7ecca293b8726ad7b1ff462ae626e2ae
SHA1 6b01085285df4f2a585c5040bf0e29e77b502f95
SHA256 bae5f9de8965f89841dab2939625d93acdb1fdf04e65a5074ddcc488956ca18a
SHA512 9e8eebe678a720d210b9493df62d27dcf270bdccc604d8dc8adbc9bebed016e177a7f2cceab6a7975469798fbf00a316767a9638cf616df83e9a4992deacc9b5

C:\Users\Admin\AppData\Local\Temp\msYs.exe

MD5 3c6e805b1de3d79dfab4e9949180749c
SHA1 c6fcef11adcd943ea83fa3958748095127f92e96
SHA256 1e347af34df84feb56c2741d89280979448124714f5ba53abbf0c83878d70c72
SHA512 293e111f5ded8fe890da98f92afcb7eeebe0878e2bdf25c8fc5fefafd7133fb373059eeedb3cf9f9f8e37eec2f3f066abbecbe1cb8125da85dc667742b3d1653

C:\Users\Admin\AppData\Local\Temp\mgwO.exe

MD5 da9846be95e2c1e8ed4fd5200d566b72
SHA1 60b4b0c5c881abe6bc5622a720f7a7fb0bd1ecb5
SHA256 1846fdc0d07e4bab22770145b3ff5e29fe29644cc1078bd9bc30015918d6c976
SHA512 0fc81aeacb14c57a9ce65ce098079eb65aa6066b9faaa9770c58fa63bc5cb50ad8269e511e1a70c77f65c51639ee71f92a34503de274ac47083f8570af082e37

C:\Users\Admin\AppData\Local\Temp\WAws.exe

MD5 45f898b43f1c4389d450c15488e6ce8a
SHA1 52eb832de873fa5b0da1fb1395122307a625da97
SHA256 ff5a12b40b1c7bea320fec65389b75d9dc1092f77a10a87f07e3e6812a1d0bc6
SHA512 d35c5a12b188c00041a83a15cef5116da5787959238adb589f0ff708ca4d51694636966ec7a75380c1d056bc4f175256b76369c3b5352c020bfe832add76fca0

C:\Users\Admin\AppData\Local\Temp\eEgW.exe

MD5 b2bbf7303a61132c98cd1047a76cc128
SHA1 a6939b081aa528cc12b131d6493f4b39e49d491c
SHA256 da255e71d5d82e3d9236599d9c3850ea2d64e47dd39f41ddfc48f452bf359661
SHA512 3c8f23076725584fbfbc805c187d70de675e2b51d859ce0b2c4624e6cd72a717bb4d7cd33c7ac43ec0d4ba837b882e68b48c9772c787604a7662dfff2f59538d

C:\Users\Admin\AppData\Local\Temp\GsYM.exe

MD5 200d540b8a494366037c7aa613d214f6
SHA1 0adc3e3d9afe997469dd2ecea07ce63d2ac2abf4
SHA256 10b4709b89d5acae256f579856035048eb14b6412863145a18fdb4be8e0ecfe2
SHA512 cddbbffaf89bf47450e2fb2c98daee69c4ce9881ce794b5c8a6b70b13d82dbdc8284078c38a7a7e0c0191db4e82fc2b9fe49f41b02578a92946e8f0cc12aac1c

C:\Users\Admin\AppData\Local\Temp\eEUa.exe

MD5 9eb9b94ce8088e9c0819045cda20110e
SHA1 665fdd464e980bdf4ed0de03544e6fe1d7779ba7
SHA256 be66b5e4df9bdae67377904d728955f1add68434ba0b2a67f0471520a0fbe7eb
SHA512 b461c78ac16cf07b06f1bebd7cfe9dedcf72b79b4201717876139f2534a89411a4d34065ef99380d8feb6da49f96f8d12d3745c8f256f86241face60ea144aec

C:\Users\Admin\AppData\Local\Temp\aQUk.exe

MD5 def45ab65da6d4cecafa26d41b50eef1
SHA1 c8159d481e4f941d678c6cf63c032325c01df535
SHA256 fa7f78d00bab7f6b2e0efe031ae1a8c96754e5e285ccb4d56964cf09b8a4e2ec
SHA512 0b37a8760dc49bf6c64933dc06d6281124de63e8144f4f9038c29d5a0c80f38c4c6da0ad87b6bd0df05a74547c6be7c58b59025c3528e3d5c5cbb8af900db5ac

C:\Users\Admin\AppData\Local\Temp\EQEs.exe

MD5 ef29f5e5b98cbbbf2017b9fd34b29710
SHA1 f3079da138028d95475c78b7fe1227208496f07b
SHA256 cc39bb336c93abe4da690da4f347ec601e3e27b6a5e36c564fc5c495cf0b2806
SHA512 14531fb65814a4472c2c9b5eae9c149fee2ff24f796fd23585b2ff92e1904840b10764105c61f5bd99beba79e966062aba992d0dae0b36a57df7475b41c17cf9

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png.exe

MD5 5bea15032cf2060d764d6d1ccdbc045e
SHA1 7e4ab06fefea3b18f8356da206b34d6aa80792f7
SHA256 0a775308d52cff345dc7819e4f7068e518fe729f0cb3c278b197a0a78e26130d
SHA512 35c0b654ee9b69e469b9d08ad687da3102e91c578665d8b9dc0da504e82f3b9ff7d1526f70eba5ed44b81b069e7c895a0d27feb2bcbed94744871393671e831f

C:\Users\Admin\AppData\Local\Temp\SgQA.exe

MD5 b360c922516ec4b277a6b2bca64afdcf
SHA1 4ea8a65f83396243f91dbf1c7ae8c39a9c19dcae
SHA256 63cfb9b9b6738f9eeb57d3887ecb900faf34305edcb76499025b67149ca88ebc
SHA512 8e460579649d36a97987e9febaf75a7e648636a5ac2bfb2be22521641772481397788a90e05fefe1644baa679ce3282db52022f565ae6de469e275824c3180ff

C:\Users\Admin\AppData\Local\Temp\yEEi.exe

MD5 61b1b46645a7aefa158f507560a438c3
SHA1 895541cd99559cd6b60b62dc61cd4d2368d1f475
SHA256 279dbe1a0d7a01e6b5801f89cc339267ff273b10f0fd78a98577bbcfd04427c4
SHA512 b745f7761deb3f8be4a552c455e021c7da7bb8daa0d084746f7b353db19a555fc44ae45ca66ca80fb4ec7601abf2d1d29f41e736fa384c59ba01441db881e36b

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png.exe

MD5 642c18a1ac12c1d58be309e5e766af48
SHA1 0e9dfbc27d5a3cd02523ae6c7552552eadcf8a93
SHA256 fffd257eb17a56ea7ca35e3610919666d8f86cae7a77a0976a13545f98a00593
SHA512 3eb749de653f2c394cb12b7230bd666564042c5df7b5170aafee242a2ac0e720fcc21e1ea8c83ae740102b978bf4530a969d928a4d2375b5c5794971841fa487

C:\Users\Admin\AppData\Local\Temp\OkEq.exe

MD5 cedfab39b5a14b3691215db29625280e
SHA1 e6e08bd12e35a44302c67d1ccbea4ec98b356d8f
SHA256 e128bd5d956de9e95314387854132f4d7734ac3f07fecac38a63f92da14a027a
SHA512 aaa0c99f8ba6a293e1d58613dd8d3d575b8f8e62793e7481a77b083255c9d0238e73b43366f526406366c07b757df0bf61ff07aae96f98456c808411717c1c0c

C:\Users\Admin\AppData\Local\Temp\EIgO.exe

MD5 7e7a3222d7e839b6db06ce1962b9b44a
SHA1 3598593df43c5da7034b37be59f69914da650bf0
SHA256 8d957feab10d77692c3b603bcddfaa3699e6d00f87e6cbeeb6175a168ae13036
SHA512 8a44dc8f9731d03ea3a2ed92631d247554800579987090a3ea174acd7b7933e24785a5985137040b3bc31bcf914d70ed50595247df0860ac5dccde4ec78d937a

C:\Users\Admin\AppData\Local\Temp\qIow.exe

MD5 66d29e279a34d9ae17deb86424f9ab64
SHA1 3d5a80b11bd60f579b7dbd933beba8791a314247
SHA256 cd2d128406aa4e49b52922b8355b59b007ff1720124e6eb597e0e6b2d04b2d53
SHA512 ecef39e12a115b7c6627d9fc49e3e3064b94746258febc5c4fdf646141dcb56c1a33e8250edd2f68a7411886dc0a88b0b5ae5edc865bb1e92fceb48e9aa3fbda

C:\Users\Admin\AppData\Local\Temp\yEkm.exe

MD5 d0697ae2fd72ed373b4c1335c1b5491d
SHA1 5e0e95bec4dbcaaa353805aa75bd039f2434338b
SHA256 36fe0df3cd149220769201c8f5be7ee8fdae5d06db2c79273acef6498da4244d
SHA512 fb7da78dfe441f2145e26fcc8f948507b83862cb548ef631dfcd1019aae061d3438fd5452777b2ae7b122d69191b3383ba29f5b83cc981764b4103a7cb6eb864

C:\Users\Admin\AppData\Local\Temp\Qgks.exe

MD5 1da61b46db66cf56087e0a5a6e9757d3
SHA1 a985cc3551c0df8f2bb63d739ba180e1bf2a9e47
SHA256 65d9cdfdd3e391ac1a5c26cf8445d140b32db52c7e8297c80a7c086454c414a1
SHA512 4a626d6fea732c97c71f2617697594fca3e0f5e46fd5995b5af777110fa89bd1c6d0b16929626ccae4cf41abb6624df25068a9de4ab9b116fc24a193026caccd

C:\Users\Admin\AppData\Local\Temp\MUIi.exe

MD5 cfeab2a0d661446edd6a583b29d4f382
SHA1 b5957027da4b62d7ba54c33ad3c1f0c014bda72d
SHA256 9221cd33aca765f12a6fe100322d3eadb3997da1286109737d16aa004a994d62
SHA512 abaace130f8ba8afca5f9313ca70ec78934dffe335eebb8d6f9f026244099514484deeb97878b16ab5222b4dbbf7d7a921b50bca0547ddad2f57adc5f0584d6e

C:\Users\Admin\AppData\Local\Temp\UEsk.exe

MD5 583757419b551bfc1769ce8df6d35c6a
SHA1 edee7910b40fe7f3f11422ae07f0945b91a859ea
SHA256 80cf0d7cfd0c4c4ab0edab48ecb3991367448c75042e223ead58f97f98900e47
SHA512 dedf04de734088c70f00e293379c47711b6873f133cabe9b0e62f0dbff58163316aeafadca18d1ce0d7cc3cc0e0ff7fd21a2eded5a784ffca2408a5982baf72b

C:\Users\Admin\AppData\Local\Temp\uwEA.exe

MD5 277061f6191577cde13ba2bc8cf75c5c
SHA1 c3b4bbf86c7eea35ef530eaf1b3f34c4244743a2
SHA256 ad1cba818e49ed50a6b1b81e76f2c7d8bb4a1661a2ffb8113b8f8073da27177e
SHA512 39370affb47757d7b0fea6d90f252cefd484267176cd9ca5c0c62ea02554b3cf46e0b4c47f964277e8fc5534d43b0453e01d5ded980898f6bbc54e014eb5e910

C:\Users\Admin\AppData\Local\Temp\QoMW.exe

MD5 bb324eef46ccb968b3926dd84a1caa13
SHA1 7b1f896bf82837977143b92774e404076f38f2c1
SHA256 0a7fd14b0161fbb63d89937926376f28250999c8f889ff12d8568d8d68acd644
SHA512 ef6e9c70f4f46dd9cb90b4f83e1b64199eb436e8fc18e85371831df604d13e94226b82d988594b49963f331146d8c9766b1e36edfdf8fcc1c737bdecb9290e1d

C:\Users\Admin\AppData\Local\Temp\gEQg.exe

MD5 7b7fcd58ed70fc9f57560794286f6779
SHA1 1ce2cd0b73c0ac7da0682bb4ca4a1b4e781a5e05
SHA256 1485f498ee6a6c954cd8106b1514e37996eea688753c0c419e0e6777e9f6e414
SHA512 5b809fd9c3323dd91d50e696a52d78393965a8c276062423df3650520c169f1068e7f90601e074d01cc76ae6490f6415cdb82ebb6b1a7b9ea7e05fef4b821598

C:\Users\Admin\AppData\Local\Temp\aEQQ.exe

MD5 e94113ea87adf53e7413f531e6509bfd
SHA1 841b3a0afed924ce6d27c3a8736b524629477c8f
SHA256 4875cf77169f4751d83a35807fe625eaf1a0df2e08197d89971690e8b12a9259
SHA512 863898111a61a8ab4623c6fe85425808ff0594cc37fbffa7252726e76772c6ff531515c3ee8df0f4f318d17f50efcc6a6512e9320e61469a3a67d34fa943cc4a

C:\Users\Admin\AppData\Local\Temp\Qooo.exe

MD5 8522c59ce9f3740f2f45f74223566b8d
SHA1 37de98bb9eb6ecc980fd1207ab0e244c88e481f3
SHA256 734f7ff89e588c22162a938a2e0f6af0e8f818ff07bfc8a57a10ddea4e1a8020
SHA512 39aa2cb9a0ea65d594ccec80b909e3986422d3cc5ab1d372b6680c313c6d74b5ad7f4e729682ce862ccf2f41a11bc03f15e39ba495df293df86cb5ec0f597509

C:\Users\Admin\AppData\Local\Temp\kMUQ.exe

MD5 43254291c630183393737a4a12c20384
SHA1 ef4717421e5f48c81fe6e6a0d55d84951ade463c
SHA256 4dce72cefa83f2c6be738b645d11903b5039375bab0d17a44a24c934aa159536
SHA512 b8541a3fb578c632d26e56fc95277636b5726a6fa46631b97f829f9cfa0390beeb0e629da0bc240cf5c6a37bcb207314c0c888b8eec27ff128fb4d62ccdcffc2

C:\Users\Admin\AppData\Local\Temp\iUYw.exe

MD5 b0ebde41aa07e108e2e448269393079e
SHA1 84da56a1de10bc668db4173ffad088cf7b041fd8
SHA256 900b611a024ebc9b65a14c18aee57bd5fa4ef0a9a09efc0846188ec44602a90c
SHA512 452fd77065fd6d8dc48467d4be4dd53ef5c38a61260516196d469346652e6354e76f3d2d600c63f3c2b74f8091115839101a6314ba331350f2462db32d5a5f96

C:\Users\Admin\AppData\Local\Temp\YAcE.exe

MD5 34fa640c98c592f897dea314337831b9
SHA1 ecbbdd3706b33058251afb0d6b593d0f57a7ef4d
SHA256 c37f5a9fb93158a5bfdad940bf5dac9dca0e3530da3e4a28b884b92f2b9e0fcb
SHA512 ccfc518fefce901cc2329d3a4321bce756acfd81cd238733420b09f28990355c0eca737d74485f022ed130dfd7acc439799aef3c2a55ff7c8ff48afc0476d728

C:\Users\Admin\AppData\Local\Temp\AAgE.exe

MD5 781ff1ddf087998cc0936d2b9d94206d
SHA1 551d883a38cc85eedf2e6ad2690ef7de9946c3d4
SHA256 0cacafd0363af4984c3c846ea46b7bca90fb60cff38619656d032578b77185ae
SHA512 953cf5fdfc36c34220be0a983c6bc4cc056f109e0f161fdccb79cdf35ed73d9f808200915ce98981205c3d13f3167ab07fbad17f22426e9f140b627f29f366f9

C:\Users\Admin\AppData\Local\Temp\yMow.exe

MD5 3ee07fd3935a7c51c792144e1f7096c2
SHA1 47867a11da8658fc4bc0fcdd3f1a9c59b5adc0ec
SHA256 78abac08d4a54819c490f1ed698934eccf3d2054cc7fc5a5ee898b6d722446ef
SHA512 900e3d342fb4c8a4a390a77bf25d462db9b575552a4700775341d07cbb716827bf115d365430027201210663895fb33768ba054741c70ea2f637874fd526cfa7

C:\Users\Admin\AppData\Local\Temp\EsAe.exe

MD5 2b86c3ba5d52960dfff8b0f5b130da45
SHA1 acb4f0765f138d63371a9fdf35d936e01f1e84b2
SHA256 c3583e17c236e0300e2d4450965fb170d22549be4c84ba2943e77386d83bd174
SHA512 048e76925e8141689ec64bc623e7ffde2f3311f8cbc905cfedd6d764b55d91dc151f4e708c794252d90fc00dae3108add0db647bbd72cf0c15ecdb9d25cf34d1

C:\Users\Admin\AppData\Local\Temp\AwMy.exe

MD5 06d1350e3743ece5c496ce6c5c0029f6
SHA1 7efe461dde8da6def5e9d8ada8e2cac0ec86d01e
SHA256 445c5235b755643b8f3ea9e4651a9ebf189aa1df577201807d5a7db8240562ff
SHA512 e635b7a4fdc57752bbd09430ae5029afb83bc6c71dc60151880927fd4e0b9ed6a5b29091a2d215482072017e0e8fa97b0ac7fdaca6fed5d63d155774f32f89c5

C:\Users\Admin\AppData\Local\Temp\SQoU.exe

MD5 b80ebc22ffeeed5b7e71ee9bbbebc3c8
SHA1 a1012bb5ec7fb7d358b6d67150a1bcb9c7722823
SHA256 1168101a9fc88c2ef77bce87a950ed3a97897c770f4409529b8934947bed4e6f
SHA512 6e75a51fc414ca445b2a827d3244cc3e560484ac47e22d04345ebbe2a2f37d0cc8e16f97dcf9dc6b527c216006893000a05d9ace6092f127f266bb1657e82f6d

C:\Users\Admin\AppData\Local\Temp\SAwI.exe

MD5 2a6223e2b38f1bd6e6bc456bd670792b
SHA1 b02c926dfb932961367393555d4e5038096e352e
SHA256 26e2f1d44100bf0e0229831dea7457bc988e5341668304dbe3cb24f0b98e874a
SHA512 2f7dd1d10fdbdd5a5b7cd42aff7b5033bffda321140f1ce59fcd30fef9a79e2aaf05c25d1213cc2d004411fc6c73944709d9045b55e8ac85e99fbffe63a71e51

C:\Users\Admin\AppData\Local\Temp\Ossk.exe

MD5 17d01fabeeeabfa9ec414c4c8f7fd52f
SHA1 86ac38e49c55916728b7237d8ec783cb88cfdc39
SHA256 b784cb8c4b552e62d0167b36c23bd9e408166bcd198082a65dbaccc6e1c12f85
SHA512 1ba5343ead4a872036fa0e81c8b628b202dbf2e99d125897cbb44876fe1265f23caa9f8251b619077615529279274fc3225a1abb285bedcf7fce1f7f62bf915c

C:\Users\Admin\AppData\Local\Temp\yQkI.exe

MD5 ba720939e48bae638a2879c1a4065c33
SHA1 c4dfce685dda4d72e25bf5ae355e828e5cbc712a
SHA256 f24319b6ed1720888f4615dcf8222a820c7a22b94b0b2764f1892b952687138d
SHA512 1eef819cdf2ba00304a7791fcbd282b315985c553ce38f7fc14ccc77b5db424cf5aec73eb41ee736e31725db94cb09e22f7a7205e241b89e304366ae6e895382

C:\Users\Admin\AppData\Local\Temp\YMUi.exe

MD5 1306359d8b7d2fdbe77ee15ec5aac2ad
SHA1 8b392e25bfd61992c292720169120c6866dc4ce2
SHA256 ce078d219f70593a68e4fee9a34723261a9d4f7e13111ab1607d348ad207d7b7
SHA512 36b32d56c551b572920dd7fb1a42a6e47f8513719f0ac428cedd6b746572a187083dbd1c91cf60a7c464a92bd481115f2dd8526a381fc1324f61457911e158ab

C:\Users\Admin\AppData\Local\Temp\iMQU.exe

MD5 f72261f600d785ab44f1cfd8a93b12c8
SHA1 be6ba21dc9edc86ab7991a33fe6c019d94b50c74
SHA256 20070de5e192f340a79d32223f96c59ae6dec934287516406b0d4a0bd553208a
SHA512 3f4b072f7b6e05fce69a2a8c62c73776d00e5c4f36334fe98088e0d2fd7f574d6d61eb9e94b38663c0be02f04dc314ac9b7bf78d598408329e138d9eaad87c12

C:\Users\Admin\AppData\Local\Temp\AQgo.exe

MD5 266c2fd61443ed71b057f570e3418d6e
SHA1 d1fd4b332a5b7e38de4674a31170bd0916619055
SHA256 3f627cb0fa99c702962be2fde851f24ba289e9ed8b9c8c43d58f187e3d34baf7
SHA512 8cafc667b19e7dfec3686b4187472961b81b98985439f4818b516f6abacb004605471e0675945a4433b1cdd68a237e40ec47af8e027210baefb43c7461c401d8

C:\Users\Admin\AppData\Local\Temp\WUYs.exe

MD5 0126f05c5d0d2f7a4eb8c64355145ca1
SHA1 bdcf1748ab9be825408e4ddb38ce0a942710b1b1
SHA256 f30d02e8692aa06efd386de67fc9107eb545f0a41cf9132c05c4eec793cf75d5
SHA512 20205d836368502d9fb0d9a4be3edba4dfe2cc0ff959fb51eb534492896aafc4193424ffc71b2cc5415cb3806869192295697021e193a35888a08be18a1ca533

C:\Users\Admin\AppData\Local\Temp\iEkA.exe

MD5 ed48cffd6ea0887d3d5bd27ff5e1b894
SHA1 2cbdd87bd707d2bb33d7b7e3c9f2518755a3d635
SHA256 c02b653758d3c03a9ddb28465450982d0fd5ff0c56d9b2b0cb25a2d8166bff1c
SHA512 44855ed25381d4b6842f5583c01cb581ba58a04bef5b5fd6129f8f50833bea03c8624efb566f4a691839b849c62395b9d1bb4ffa7219f4bdcb50baa0e0fb9da7

C:\Users\Admin\AppData\Local\Temp\WIgO.exe

MD5 c15a7415431f0ed18fff5c1cda87904c
SHA1 7c19241dff356440accabd2349c70e2155598db3
SHA256 5804f09cfebc7e47a5328b13e5844915ad58420cf4e82c451c7cfbbcd64f27af
SHA512 79fa3b8766c3bd1ffd2fba787cd4c9c72619b73fb35c90dc0a9057653fa653abfde5da03758700d54d193cd46beec42f0603753de58164d2e2c2e27a002837bb

C:\Users\Admin\AppData\Local\Temp\EwAk.exe

MD5 285470a302f8fd659ea34118622fb046
SHA1 c4a6e86c01fa2f6200007f1965bd1a7f4d11073b
SHA256 906e9faf473152792d34da40277ec9a17dbc6531a0f8a2d45cf8e689b16acfdb
SHA512 3ba8e912547e806b26ecca4392d7dab5615c4528924f615ac687d4a1b0df1ee9557abb87a1b8fa7f745c227679d1951984410f4f4fff669aa1142239a2415992

C:\Users\Admin\AppData\Local\Temp\sgAc.exe

MD5 fab4422f63002a0123177bb5fc51ec9a
SHA1 660e4382250b0630c83a22b1c674dd7f16547af8
SHA256 87923229d3d9cba28be2b345373f6b1c85c465dfc66ded04058be76f2b2a399a
SHA512 dbef1205989a549f4526a5d725f7584f9a7ea4e78799332b945243e467119058d6c298e4e799d4bfe9220b72cbc590e0d6e4ee3f783caa9be1514103b6cbc8ca

C:\Users\Admin\AppData\Local\Temp\wMca.exe

MD5 49e4ad977c9ea03f8bb202ce19478a78
SHA1 80b0eff0653aba6932cd532fc253b5b5686a628c
SHA256 a7332b1e333ee999b000f1ac0f379938e1cca6d37b8440d74009ebd00db777ce
SHA512 77bb86d4ab7bac41b58a7b824c200007cff0f28156b629f538b2b17af52da3f52e62610e40ac359224e4cb5da128c216233b97ab858e0a99b32218d017882f68

C:\Users\Admin\AppData\Local\Temp\issS.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\eEwQ.exe

MD5 a24e625400ed0623665452be7f72bddb
SHA1 636bf87926bc09fe2cfa0d8400942584fa6606e0
SHA256 785006b9938b3e016e1fb56240004e0a98ebf8436f8c204127b780416df2295a
SHA512 f5639fd9b7be61b2c10b4da239fa3894cc9b7f60635035a632ce2fe47388eea21917dd49dc4df293e9b48cd9224ace69827858b227f00d55abc9b8d676ed6eaa

C:\Users\Admin\AppData\Local\Temp\AokI.exe

MD5 d06d3b9c99f60ff920513d35da4454aa
SHA1 bbc35c1ea23c018e3be5e2a7e7dc7a4295aea837
SHA256 3e203d046050df218bf05a94619352b13dacc6bb63a7a4f11243323988031a50
SHA512 7970486e4ab3e1cdce59fd6eee3fa62310e461cc141e87c5f2f82098a75424f614052e457143bd28228eea2c2fbd8c8a0a97ef3c689d629700757cfceaaa612b

C:\Users\Admin\AppData\Local\Temp\usYa.exe

MD5 55d4c260b3ebac9282f4332cdaf15f44
SHA1 8bb8514d0cfda744d182e010f41155bc7f634543
SHA256 75ac47ffebd81cc0b8b392ab10071b7b23be678affdf44faba2a5ac3885d0737
SHA512 b219a1d7d3eefcc98003c4bd1d7960c284f966de3254f7cdd25fd3f44166f3fa0d8d583f4b4a8603272bd3fccdf7834c1bb4cd12d12306293d083559f82f1146

C:\Users\Admin\AppData\Local\Temp\aQEm.exe

MD5 7b68fd4f348e6fc2438a8b58f923cff9
SHA1 e01e784931a55e016244891f6818811a0649fe76
SHA256 f9355fab8f1b231962c78feb8c48bb96a8f4458343b9e2118dfbfa0dfcf03599
SHA512 f0566e209c3b141156d0b2410e005ab80f044def4a5eafb6e54cca137afc3795a19c3227aacbce73799a74822d1089377f7babe970b588e2109750f4ee23ed86

C:\Users\Admin\AppData\Local\Temp\gMkK.exe

MD5 842e57a2693b5505df997ecdadb61bea
SHA1 809a578f98dc3e6087bfe65973a0b1930e45509f
SHA256 860db490954ad14199362ced6a7bfdc8c6949ad9fe98344bb678fb3da79667e0
SHA512 ab617aa590e01c9e306a388df310cb0df0230ae07f9e3a9f08797fe7517606b4fee84e410ef878afae2e7bb4d6e74b847946b123142935519b099bc2adf8de17

C:\Users\Admin\AppData\Local\Temp\Skgm.exe

MD5 cec46eeb6fc63dda91c0d0800af1be84
SHA1 eb32743c74aae2a8f151c93f72dc30f17253ea47
SHA256 7267c75beb386209cd8c441f38ad821bb7c0e884d2e5d3751c5eaae5151a8ae8
SHA512 93bb23de3fc2516af91f73c49e897bac2c5473ac4a8b77b2620ae0e86b23b31ce372e714325d67b5a1d85ea9fa393eb3fd8ad2831329bc99c6386bfb6b55ef50

C:\Users\Admin\AppData\Local\Temp\MEwk.exe

MD5 783db7872e82879d24806acc72a3b3e0
SHA1 009a1c38616d30d5d35f486802de129d065b6aee
SHA256 662a7a4e1859002451d373dd0657b7aaa4f225c7fe99115d4a539cc88c48207d
SHA512 66f8427c86e5ed3c847c59c49d56fafd44350643d867ec37e57bf17786599a9714b358de93acc2d9ec01a9c32fd110a978a0fbfc3826f9a68a387d4f05a14403

C:\Users\Admin\AppData\Local\Temp\KIsU.exe

MD5 4e8a9865c298a65328113916851d1c1f
SHA1 025c6f295f54e5b0e724854bfeebdc2b1efab7d2
SHA256 3966e18ec0306883fa2c15bbef731a2f6727d27a801a262b6a03790f449acd65
SHA512 1ef0ec171627fa7d37ec5e7f5cfea188b969f21172e9f787d22648cf0b4288860b5e7247b903ae6ca771308cebe6edfd5c1e892ea18b0ade208fb716b4696ae3

C:\Users\Admin\AppData\Local\Temp\ykMc.exe

MD5 8f2b4fb5e9f8bb0ba1314caa6db7c5fe
SHA1 6e72cf474f47de08eb8d7a183625485a87a70769
SHA256 2e522cd7356d6087a81af6945e740482ad66c4729f35cc21b10e001e4a300e55
SHA512 1254457f46fe01aacd9fc3e058ee638985b3c9c50a043350ffc659759ce3ab2f66bc86f6a3fe2918e076fd4967fe32602ee3dd6c46cefda41791ad1919ed55e8

C:\Users\Admin\AppData\Local\Temp\skEY.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\uMAG.exe

MD5 22c2985403f72e24489a3a4a3dac422d
SHA1 9e0c4ef71ddeccf204899a516743040b2702827e
SHA256 8b57d058935843df3f2f1a48b2b2e27722369230cad549a256d0f2d3f81fb573
SHA512 59c1e0b796ec2b8b8cdedf4e64f5e3f4ebe1534058bc11fdf75d6667b259a374beedf49ad123b4fb969948ed5d24c8e3173d4a94f1c10d749da559d0b4991392

C:\Users\Admin\AppData\Local\Temp\yAkU.exe

MD5 aae8f35f3bedb04df018873093913254
SHA1 4074310500a149634e683d420c2dba5e1d485645
SHA256 02628353b9fff40caf8c593aa7a0c7a2f42d0e4b4ecbd1c477b6c103bca034c9
SHA512 94b72bcc446e65f801f9b16a93b413f857941e3cef382aba69250f90249b811e7c2cf3e3d5535a3e1694c9f9f56d703e5443f74f5617de2b6f51d421f685e1a2

C:\Users\Admin\AppData\Local\Temp\WUwY.exe

MD5 ed73e164f301a29205be922b62f4b335
SHA1 3af94f42530aeaef142d32f739030b080749d12d
SHA256 0a0c3bdc0e5220a7fb45b136927967be0483c7e7a9161cf432c7bf8e7d81ee71
SHA512 e96aacc79787e6b48dc67e184fe28912409a4443739dd5782189ff3f7ee0024fb6bc2efa7909be47e3f3804cc56f2b889de18fd086fbeea90aa0aa6dbbb0c65b

C:\Users\Admin\AppData\Local\Temp\SAcO.exe

MD5 153ba6badaa5304164f9ebbee9f11467
SHA1 bbcac95a76c30fb9dff91dc4c9c48b1bc678dd65
SHA256 1c02f6cecf42f136ccc5d62943728989ba3522f7c3a005bcc9276117288011cd
SHA512 57bead55650ff38c33ecd5c77e57660d7a86538e78802d888d207dba9891ca12c41a2e474cde607a0a6340ba99912dbbaacffd6c7350d5e6482f89cf5f45cce8

C:\Users\Admin\AppData\Local\Temp\UIos.exe

MD5 c1c6814de2da4ff71f6a8e5c7e106cd5
SHA1 c86d742b0754acb0a994c1febafb30fc7793fcf0
SHA256 c8e5b080dc4d21e703ce36f2b0ed622d72fd3461e6ff532bc5ad0c8461e34b27
SHA512 b5cb15c5233cf2dbb4840f0326646286abba3512cb3809013fcf12e43ad114d314577e0af5e63fc7e61da91578ed992e1fccdb9571b2ad5933c52842c3378819

C:\Users\Admin\AppData\Local\Temp\ogwy.exe

MD5 181eaea9cd9a3759436d576b743b6e9d
SHA1 dabf0034f3b540e6f2caddf8d88ae3a0acb07c2b
SHA256 a28baa0c718d4f1110b8aaaf3aa90de2bebd28bdf302478a944ed44965bb91cf
SHA512 362937332f6f62b875988ccf7a2b785de466df1f0d50680f06187599ae357f53bccfb3fea33b947e0170b298b014bd4acd12169e6cf98ff2a4acda23b252ca39

C:\Users\Admin\AppData\Local\Temp\mMAE.exe

MD5 845ac4713318c8f532f1947f610ca063
SHA1 f62eb3cef957c17525137b31488adf52295252fb
SHA256 810a7df6e806fc7b18fdcc2ae8a7a8d4e71258d8dff67cf4614c1c323c8a33c0
SHA512 ef1f6c75976f5a05fd4ed5b968e3960531b1f5c3bc9d491b9da2ff72b353b475a230dc6889d64eb33fda9d9de43e9f00d5acccdd7f5a27d3da05f62cf0206c00

C:\Users\Admin\AppData\Local\Temp\KAQs.exe

MD5 4d828df2389493d08b0c0a3739adfc56
SHA1 255705abe40dcef037122b20bc9779329513d97e
SHA256 93fa1e906fea6e46e065ce4fa7909fc365786251cd5d77269e5522dbd9910eec
SHA512 a580f0e49f705d5535b1a44ebc5e37658726c63e60c57dd6715431244159c41ee1f49d438b08d68883c2d7ecbcaa357fcde14c12521bc876f0dfa9a51d7cf091

C:\Users\Admin\AppData\Local\Temp\KUke.exe

MD5 b33328273e28e8e298af8c9bf0d2b4eb
SHA1 8c8ac0210294331ca5aa0f0574615b434b36b6c1
SHA256 574218a263cf20ef0ff912bcd15dca92eabdd6d92fc0f1df5d596a3fcc95f52a
SHA512 fede8fde67935759c1edc79789091d08648edcca84a7e76333355f0b9a779fe2219359667bd77c14d52bef91d9a0491815ae892978438f9b40ae8126f158ccb1

C:\Users\Admin\AppData\Local\Temp\OwcG.exe

MD5 9dbb2ebb2ab05e151ac1dd8986a46b68
SHA1 831707e79792eac282e0298d3313a258d57c9e5e
SHA256 dfad6cd6c30385007d53446c3c3b8c6455967bba03067ce3336648ac657623cc
SHA512 e255783d0394dd14584bf4a943ab7ed6e2aea3501f940411da433b9ff927a497a6c19e76a8a0460243e02cc8701467af88b0ca76be856b2bed753df65a41a314

C:\Users\Admin\AppData\Local\Temp\Mkwc.exe

MD5 454276992f63551ad9007330e65ac110
SHA1 e0d043025edb23dd00d13185efc5d907b92f4179
SHA256 3c64814eef6d2d8e9bccbbf2c55b1261cc97a49d4fcec941ab95b6c648b7003d
SHA512 4fb598c2f6fab60b7ad6562097e05efa2db31147d17fea75e94b22c99c8bf0b95b847a7d839eabc7ca3175c8071e814fe8e31ae292c2c75c4f588e70118285a9

C:\Users\Admin\AppData\Local\Temp\asoA.exe

MD5 be796e05995d3fe579453adf1c313b17
SHA1 37388235ee8797b043c3fcc69ad9e52cca9dd012
SHA256 226a245b3e8cf09397c9388636f4b7c2d47e7f13d2b7d01fe06d33bf7781bf6d
SHA512 9a3af55e29c138acfea8cc2e2572e915273d237663d2bd0a8598a30bffe6195ff578f6912b96a91333fe621d8178593348fb87fa3713c51d6679881907ea2ddf

C:\Users\Admin\AppData\Local\Temp\SAse.exe

MD5 ad551d249948e96a3a430c57abaf2983
SHA1 e207399ccf4a152fd1d9649cdd565b469f4ed623
SHA256 cd1725e819f23bf7f225d12b065c2031cf57bc0e0378d5a607fca22fd087f75f
SHA512 6f6c06cc272be0db8a1b18df26fcb4308350f45818a0b2d1635560f4cf77ef2f736a84a1f871760a1118580783a973b97be11dd235dd8803fd51196768d7dd14

C:\Users\Admin\AppData\Local\Temp\Wowe.exe

MD5 67e8cf09360a1cb751ed5af0e6bc23cd
SHA1 3496dd88334dacd0c767a6ab08f51f109ef72a50
SHA256 cbdb618a0fdd4f7cbb3117b1ee8e52f8f0de9ad6ad8a762ea2e8ee72f2dd60a6
SHA512 6784694a8f0174d703e998120952455aec22e8d6e85ceab91aa9fc00c4c93612e3953c9f3554bcda5bf8deba0b22845332ae2e7e0cdd112eb6f6810064a19c73

C:\Users\Admin\AppData\Local\Temp\EUYI.exe

MD5 0193e389b863b3949aa0a92703428328
SHA1 c9dc0c65145bf2f16369f65e6fbe3ef3989768a6
SHA256 7f70e8ed8984f3849dd03022e9ded8f6ee49a486e2452a3666bef0910faa9703
SHA512 8088c87d999e2a9eef7b4f9646e7b3f27a2028d8b2578c7b978095b1a46ea7e1a3cf0062ddf06e7e7bb7bc5f250b2c1dc6467a656fabf8e25801dfd2bc32353a

C:\Users\Admin\AppData\Local\Temp\Wkki.exe

MD5 30182cf0341057b34abdb047621fede4
SHA1 2993179f38cf14600ab8310e9d7b401f68afcd36
SHA256 2dc1fb8ae7542e50f1f12b6e136583e542b8786da15796f94fea0c700dab3d21
SHA512 747ec157066ad68a204eb36af65c8b581217d195cb47e204d27e3a117efd734fc56dd587e8f9c299c05bdcdadc835a7415b33fa7be1ee0823867fdf881ecdc95