Malware Analysis Report

2024-11-15 06:07

Sample ID 240407-x7azeacc6z
Target 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock
SHA256 fa3fa87588ae7afe00e7b465e7208973c217aaf395288bbce0ff2d4ecb0fd597
Tags
evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fa3fa87588ae7afe00e7b465e7208973c217aaf395288bbce0ff2d4ecb0fd597

Threat Level: Known bad

The file 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence ransomware spyware stealer trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (84) files with added filename extension

Renames multiple (57) files with added filename extension

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 19:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 19:29

Reported

2024-04-07 19:31

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (57) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\ProgramData\PaIYsAcY\VEYMgEEA.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\FYkUwsUY.exe = "C:\\Users\\Admin\\KwUwsQMQ\\FYkUwsUY.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VEYMgEEA.exe = "C:\\ProgramData\\PaIYsAcY\\VEYMgEEA.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\FYkUwsUY.exe = "C:\\Users\\Admin\\KwUwsQMQ\\FYkUwsUY.exe" C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VEYMgEEA.exe = "C:\\ProgramData\\PaIYsAcY\\VEYMgEEA.exe" C:\ProgramData\PaIYsAcY\VEYMgEEA.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A
N/A N/A C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe
PID 2316 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe
PID 2316 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe
PID 2316 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe
PID 2316 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\ProgramData\PaIYsAcY\VEYMgEEA.exe
PID 2316 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\ProgramData\PaIYsAcY\VEYMgEEA.exe
PID 2316 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\ProgramData\PaIYsAcY\VEYMgEEA.exe
PID 2316 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\ProgramData\PaIYsAcY\VEYMgEEA.exe
PID 2316 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe
PID 2540 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe
PID 2540 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe
PID 2540 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe
PID 2316 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2316 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2316 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2316 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2316 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2316 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2316 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2316 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2316 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2316 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2316 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2316 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2316 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2432 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2432 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2432 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2816 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe
PID 2200 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe
PID 2200 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe
PID 2200 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe
PID 2816 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2816 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2816 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2816 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2816 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2816 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2816 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2816 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2816 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2816 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2816 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2816 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2816 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1216 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1216 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1216 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe"

C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe

"C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe"

C:\ProgramData\PaIYsAcY\VEYMgEEA.exe

"C:\ProgramData\PaIYsAcY\VEYMgEEA.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ceAcIEEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\icooYcEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYwgMYIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\husgIsgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\joQMIQUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GEAQgoco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sqUMIMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eaEUAUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WAMQEsMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lWcsYUQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nIMMQAIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWEgkkEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XcQUYEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SMIcEMEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IugkYcIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IYscEkwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwoEoIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IAwcAMoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PyokggUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TaUIokIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\likcMUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bYsgUkAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gQAgEYwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yiIMMYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QeQAYwwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QaQsMYoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TWAQwIUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\laYwgkEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nuUIswAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VKQoQAcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-7164051641270162928-1514434054789099563-196592474318228153095586408-193441175"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-10039760911286415034787026352-20956048481510290343-1606978056-1511259737639108811"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SaUUYgoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "590486063-1532752741-112349721-1696345979-641270118878728035592004179-720790998"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "443500675-1715000863-1227746081223430437861497011954883969-997584961-1900496982"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iyMsUMUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SmkwwAkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AGoIwQgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NWYkkAYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DKQMcAwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jOwUgAkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "18486163228802459718805042711024712860-547607826944631097-15077133461132775571"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nAYccYUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1665919767-734743559497196698-133203771-470643692-461554848-1434904223-1597579633"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UwMIgsYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eAIEEAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mEAwQwoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iuEsAksQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PIQwMgkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vCYwQcsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LYwAkkAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tCIAkgEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VWgMEIAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CYoYIoUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uQwQgQsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "439605093-1994811762129428404-11619177181681774574-1706525586-52862801-738737399"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yagMowcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OUYYgIsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nKEUkIgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQooIMwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xgYIAccY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fYkgAoIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IyEgYssM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CIUcIwkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oYAogYYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cqIocIkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EMEUEUIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LAcQkIgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HIIUQsAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PYkIQsgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rkUIYMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aysIMUkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5587036531046243342-1229625262-2002546937912336540-57971207-17377203311147412168"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eKAowgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1549084226-21259641122146148250375605577572856309-1286671281666458130638413637"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1744538503-1412419365-1962432305-1526259302-12679478931387987510-907512913-717609214"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "749600121-148544694512727880167468862404632436961026145720-1178666851-1410322058"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RsAscQok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "560021621-19933461398177873162641633-2001614761-3819525311412003799-1687280081"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MSIMkwEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-153089448-2118644768-222159221624800130941718865882005314-123260418-955369681"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1029785989-1591461747-7783192631835588989-270320360524005018431465244-1508441537"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1025986453888115420-18699271371831895312212574769-8647012621414586238-1988092275"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "12828228761879416010699722581364388813-21557309611807844922063994283-1244729294"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ncwUgUoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1758637087151022262318706784851664503843-1603096730-10769326086296137362036172758"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CEUskYko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2082070959541116764-601469004-4618922141804065848-17712635001593924286-166551058"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1903042284-1747099491-1503802861-17610783259926226761872291088-125439519248639254"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZSEIokIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1549170212-1348996995-1999886781563788976-6323964691361928466-1320957831811901107"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1566661754-147253736-1099728554980992018-1194121536-14994090021319441351060418950"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AocIAcUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "91958376-62285912-1378358583-1449456776557822489-1582264545765609317-86635223"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "16517556521555161616-15027311101579803953277012822-2071496357-8549754051305386504"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-11568196461507489089570270438-10801341291585987033-1661929836-6116441911762460163"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1105185341871819896-11367392621253096008-2540606401000769611824184731282008139"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AGossYAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1267077764221153402073158008-1867282982-29723854479709521261446792303325757"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "8014883951099076532-9883629981327126720-1306149881658280125-8007205621855230420"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15113283931627343282-20682532625193439511684561818-981158107-14054673401425898429"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "71126036-6251755781503219846-296329125-160253581723190424300992007-2141479879"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "89173667-12669992342040690447-2011031759-1373289249-1775122727-3880955041236205984"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fYUEkggA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OKwIAkEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "17263824431033291235-18028175892018292779-15262479985677146431500461871-1515034901"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "10362018391098626200-1494829655254996554507371268-8475996071398554808-609640210"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-689069323502622163-225703744-432267124121458562310282471048279290621217641535"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kqoQMoUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1104544838608908975-606490406-647187857-388701083-838773898-1055025556-512161235"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-460819852804250449-1668190129-17800319661616079700-937486215195729111356326537"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nwQocIUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-3477985591117287513-5213576441059827241-2053676911173957598-330126986-923357579"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RWkQckoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-502231436562795425894137060-70608465-1768819399-189370979913407482382143894279"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "545193391-4154904711325856335-1972913548-969263036-1843236912-21290397981276622524"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1479226093-67405608918610361520715195401611513877-1940072836-369008489-1230160345"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1750428552-12582339838827925771014803270-7897998071577809062-14095368761223652924"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\esMgAAEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-18351704824939542041738370811-627999422-728422967354533-2136311684-461785036"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gGYkAUIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1841140898-1981073045165562994-210527213-17135535136439969421370127663755407984"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "715670250-1628249902405871439-420423595-1140097729-1897410885-3886769691801696709"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\daMYMQUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1532931919-1689989672177204619818175326811235462419-2022582685-12679983572134402432"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "18452550371337925823-1334318823-17805517301146463261-725930903213811428701938080"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "865118216423203971758087284710869656309558957501067376527937677-1517893661"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1906524099-1593630742-1612672802-1552299700-483842488-9129113651980700332514971113"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EqUcsYQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1602649385191025933121388740935730527324837674667976592-10301111141109222174"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1560778704209505087-1729654282773496732946844890-312360801353585391400337093"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-49593873861398011278804006368671104-17273805131008601018778138646874317060"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mIkcEMUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EGIUYIEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IuUcowEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zeAwYQYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EIcgsksY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-506699955-104481214-1196186333-1232423727-271759971-1835379875768427844-1002848986"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FWEMYAQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-486613916-18007725481045560488-10893316201171389665-1371423194-84418825-250083368"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NQQMEUgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "108546411468868758-105908081-1105016130478457908-2036192903-517569750-835165647"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-90282423811540535775993920073105962861949444119-2041324659-10495936502100221784"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zAwEwUUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "214800803652462923101959344544934613-440131092154906045016572336091594841977"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-3898981571681076984-47690930819497082881303209779-541750697851852240-474538192"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "237789927-1259662684-14521468461514012920722349604-90669095613307332622565822"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "49941050717688800018074719812033492318-1139699881424273663-600261917-1676447310"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RioEUwIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1041608861407407577-13634616741459277255-1588090222-2146067964-152528194-1111685846"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VskcoMMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\weIkAkMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1174566197-102478188-975973470537401141-17082344711508344268-813235444632389795"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1722611211689111381-6201889119996331401957572424-1205377993105480627-1484076219"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mmoYcMgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-9451366351702107691141181906-214129817629421086-1664113180271798628-2130997613"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cKQgQgIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UOYgIswg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1375394936193549645-17518160881242861360-12967233512540928152107992531819016472"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LgQQYYUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "785050327157020931-226292755-1915293585893834134701030086-548398967860109689"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PowEoAgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2095554783-3071173511810933418-569272751-777115579-651105360-24950007173936806"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pcwsQEsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VokoAQsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-133530965025864934013150954216522473821711360788-447734373-1789676583-107069292"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hecYUUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "19045350132007772061150940211-6676858281135036229-85639486494576540-28163782"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OAkEMcMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-469295411-2098659626-9606357541183060878114821221183248235-897986772-1745858241"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-7331238915935267501405302044-6034496541960889685-8298892944046733381000004288"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KwQQkksI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WQwsUgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OMYsMEIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-446276218-8694916192601011691322138125161534828116240766789187639021807545387"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EuUsEIsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-155877828-12061730401392448718-58206505734913434043732056915326400761194363452"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\biIQkkAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1038903318-766131008-1044169365-2113801078-644533673725724617-12154446001353193459"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VAsosMAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-833785572-869071016-931233492210954791018127208662026494300-2075983119-519437806"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "552025299-1467010087-1368585318-811764287-654944896118127856819369875161518863392"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dUMssYII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2094987697-2022484892-106997988-778149972-545469707194600989638482440-906227244"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BkwAUgoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-431604637-19190895171579964460-186463548380573161516664966321373070905871551462"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FQcQEEUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1224903810-6453226214961582921607877318-2012848249-160634748550050115-1921845151"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cqcAQYMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\scIIwAww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qssQckYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1257392112-14474798683559060931580413965583784172048592575-1031231751624922078"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MCsoEoos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BwUIYsss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XKMAAEUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RyYgIwog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-20879055902085237629-1339234731-1249760706-1886891796435396224689954860-2047435230"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ncEYoAMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SmIIwUkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "16487550511472722255483373841142445422-60367571613714939782738442-214386431"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MUMgEgcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1358719875-57832279384738406875806592-1947162848-556379482307925481-147259576"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1407105070812431316584622757-593007366570386958-15746174007117694981934582452"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gmIswcgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1111814980447880068-16805889641397182304-1196369523945603047-2103632242-367938168"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CGQQIAUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1544104883-4459424608460174261104935164-133709311421457175381546708686-1215631810"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GkwIMEsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZqEMMIkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jwEoQAsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "208958616617494361331910572965-665171933-986480050-325479376-420898840-1269962878"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tyYQoYwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DgkIUokI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yaocYgkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qaMwQUEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-113423913-1218490981-1390842755-1674761975-1385928684-812468273714743855-2009300311"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kmMUoAAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "373033617-7626358961855224952-64480895956276556713422393088338205221457720572"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
DE 142.250.186.46:80 google.com tcp
DE 142.250.186.46:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2316-0-0x0000000000400000-0x0000000000431000-memory.dmp

\Users\Admin\KwUwsQMQ\FYkUwsUY.exe

MD5 2030813a58e714b4dbb535554490a4f9
SHA1 fcbc45434b4982a564ea2fa05727815c219e15f9
SHA256 4a5a3b831995d1891ce7c71b6b7063e9267388a51d8b0b2b2f9554caf9d1b10e
SHA512 2945a3d4b6eb30798a9a355c07f15ffa7076626b6f59003399c89c0a484d8073142b9e2a5dac30e5e4efe966b612f9e6b837be37658534641129b1223f0cd5d7

memory/2316-12-0x0000000003DA0000-0x0000000003DCE000-memory.dmp

memory/2316-13-0x0000000003DA0000-0x0000000003DCE000-memory.dmp

memory/2864-14-0x0000000000400000-0x000000000042E000-memory.dmp

\ProgramData\PaIYsAcY\VEYMgEEA.exe

MD5 ab87beba26e7648d61f9fe702e82629c
SHA1 1c1e0ed0b27c21e294d7b175165df3f3deb0c28b
SHA256 87edae48738b5844e8460e1c4a3f9e1054c557b3f2e2f6d7e5084bc2139817de
SHA512 d0799a6fc90eb7b29a7c2ec01750524a922b7a9a31e6bd5acfc3d4dba4088e0b55bb278042f0d81378afa4d778f21d2160345004c9b27a6aca4a8ee06ccdd18f

memory/2316-31-0x0000000003DA0000-0x0000000003DCF000-memory.dmp

memory/2476-32-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YgkIAckM.bat

MD5 ccd5839fecb3e7d0bea57d5fb39fc63d
SHA1 2be19346e0a784bdd00068ca4d94f2f1a4f84ede
SHA256 ba8570e63b3f6df54d983d5ae5bc6c8cb3efcde9658b23a61c4e6934e556df62
SHA512 e6d4b510773de5d46f3c9d1227e6ed65612773e49855e0ee5f408fafc6f0b0882ce2343552196219b8c859daa0a38cb4886481b48ee9828b3cad1754d9f39c5e

memory/2316-21-0x0000000003DA0000-0x0000000003DCF000-memory.dmp

memory/2540-34-0x0000000000120000-0x0000000000151000-memory.dmp

memory/2540-35-0x0000000000120000-0x0000000000151000-memory.dmp

memory/2816-36-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2316-44-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ceAcIEEg.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

MD5 b7a1b79ee0aa71ff5c2704e112482771
SHA1 4695cedee75846b343188b9cdfff6b443766df32
SHA256 319296ecd18ddcfa1ac858cd0604c1a22ef1b39951806d93ae04906917481b1c
SHA512 ddba05c444613efc4c2b932e44b39275fc8596e571c95e3e5de8ff02881d45deb4df84a10104b768d45136c0aca4505278c1cae0e67088b08a97ee74c585a729

C:\Users\Admin\AppData\Local\Temp\IIYwccQc.bat

MD5 f90613b080e8cbbb71f86ca318104e14
SHA1 1887624327602b802a58fc0f4b977dfd46c3934d
SHA256 cba805cdd2ce8489bb9175a85002d017af256cef248f20df17bcbfb651c9db59
SHA512 820d76dd38efb97e403f97b6774f399db7978cb5b449141f94316358fe6ab7cb7b2b0bdf8fa432652c699ed903716bd83fb15a3d1a47ad6abaa2a4f4eba9ec00

memory/2200-59-0x0000000000560000-0x0000000000591000-memory.dmp

memory/2200-60-0x0000000000560000-0x0000000000591000-memory.dmp

memory/2288-61-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2816-70-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BmAcwUIw.bat

MD5 ef4423c2665df05f77f83e4cd6b5fb2c
SHA1 db5ad51bd1dfbeda4ccfa6b9afe304a9903ea21c
SHA256 5497acf739c98d4fd178081b7dc4e20a5db68687bffb53cab1165133e63c30c1
SHA512 82ac02098a282d6ed91b94f7260fd2ce2dee50a7ec63c6c284afbbe75bfb109e32c0355407dcc4568a1702b305aeaabf8a1b5f14ab83f4220de07e023c3f153c

memory/2384-84-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2288-93-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1664-83-0x00000000002E0000-0x0000000000311000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xcYoUEkU.bat

MD5 33adc7f55fa86dabe0862893dc434457
SHA1 bb2a454fbd1263f0a7cfa1327e86dd5a67b3f8dd
SHA256 67fb3d2010879a1d1973537050475a400b8abc69f5ee1a63a263b9c5d903906c
SHA512 ffc82ff2ad7ccc03cb3d7fa34cc48910ea6aa079f2f0a7957b31347758c892fefa2655f9e9e67dd8972213ed2fcc1b0ec84984e4280c16b45054fdc3470c9de5

memory/1652-106-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1652-107-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2384-117-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2820-108-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lgAccwcQ.bat

MD5 854773339b1a0e36113a4b5f0cae6bbd
SHA1 980377774017320ffc166e44353d30fb6c5481dd
SHA256 63fda7700090a71ac594a6f5947a56b4bff21b9126cb664137e8d0c30f2d6e37
SHA512 bff1741d4eb4f93a4919cf284fa2080aeccb0bb7e3260893134836c3815ba02f64e188b14df64c442e5cd654776e6b02e05a565ad7d343f59b791ca6cf2ef419

memory/1592-130-0x0000000000860000-0x0000000000891000-memory.dmp

memory/1592-131-0x0000000000860000-0x0000000000891000-memory.dmp

memory/1336-132-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2820-141-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NusUYoQA.bat

MD5 830a8fc547955efa0685ab717bd119e5
SHA1 e4d001282325ce9b6dcbe7fe0d7d442ee232b8c4
SHA256 b0fd5772f8ef5a625bd6f234e41152f654fb45094ff560a0270327204fb1be89
SHA512 3d35c23b92728f58a50518a9d3ce3a2801825af92ebcae56a6e2a3435a8e3e4757bc13473874456c127b9c2d288c2480832b6d8577975b20986be8a6f39fb7b6

memory/1692-156-0x0000000000260000-0x0000000000291000-memory.dmp

memory/1692-157-0x0000000000260000-0x0000000000291000-memory.dmp

memory/3064-158-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1336-167-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UOoEUgYs.bat

MD5 826c3f40f339cbbd3538a610f853254c
SHA1 f9872f06d9b03f8f4d8bec35bef7511264f0ec3f
SHA256 f16b719c361b46444e76590b58d616a42547c6a01b14992bc4f95c76b3d5cc50
SHA512 d424a911340b07134f273d13aa0f46705afa019f0492a292a7bb342688efec6346459c10114b705dcf82b2538834cb911313bbe6285c4b87a4a88b0ae62fed5c

memory/2704-183-0x0000000000120000-0x0000000000151000-memory.dmp

memory/2704-182-0x0000000000120000-0x0000000000151000-memory.dmp

memory/2548-184-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3064-193-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YGkssUQk.bat

MD5 2b7d88fbb652a1759e44b0508c6b6daa
SHA1 ab26638ce1c57b9bf086a0d8caf7e8bd453404c2
SHA256 67a5b16718632ec73cbbbd85c27f759e932b8c5b79b4e888d7079ae115406795
SHA512 b2db28f046eece1f92d98c911a53f1cc35c77e23d1f85a71c3a02314cc5741adeecaa4ddebf2ca3e3dee92fc6c057076c46790a988a66804b4f99570833ffae7

memory/2668-206-0x0000000000260000-0x0000000000291000-memory.dmp

memory/2548-216-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2928-207-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sWYMMEcQ.bat

MD5 581d0c9e41a13da743398a6a542b5bc4
SHA1 9d6724e7bd85aeb861fc5e2681dd3526c563da02
SHA256 a25e251b05e49b1c1ae99451de20a73866edcd8e93d07a2e32d69262c7238970
SHA512 6a14032440868b7aa89b28de2d3e69c89956706bd168f8abe8b702c95957246b9363c74537e7605c01d7ade40a4d5dfa2678dc407b0df0388b30f4cb9bd915f2

memory/2936-230-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1244-229-0x0000000000410000-0x0000000000441000-memory.dmp

memory/2928-240-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1244-232-0x0000000000410000-0x0000000000441000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gCIgowMA.bat

MD5 2ae858f1e6686a7a5847a89e5e529d8a
SHA1 4d8fea4ebbd0b3663ebddd4b04e0c7f372fade8f
SHA256 e60328d9d498d30e9366a30ec5e1c263de6383e1f052dff53cc76ddfbe116efa
SHA512 41d22b4bc1d2eaa263d4baa4ffb9ea3f78e1b66c93a0d3b30ef06d2c868eb2cafff8e859cada6215c5bbae15ef2bd3a5d7eacbf53926020d9e67bb08c83d54a7

memory/628-255-0x0000000000200000-0x0000000000231000-memory.dmp

memory/3036-256-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2936-265-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tqkgQkMU.bat

MD5 85f1afa30771e3e0c5c02bd5d1ab4416
SHA1 5b8de7f9f0953687175118d3d0395b0ca478bef3
SHA256 18630207c25ae0709dda123fb6a8a46f2cc94e4a3943b1a14b5d7cc435ccb477
SHA512 547e38d7e9d51b189b11cc3bd04ee29939e8b17113e408a415711399751b7773119aa968cb48804634f525a2f842073e9236236d649167ef217b289b10958f5e

memory/1652-279-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2068-278-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3036-288-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hQckUMoY.bat

MD5 b524f8b2fc81e0e3cd33a1adafaf8f2f
SHA1 c15e2bfdfb81c33a94ebbc6043b0878be5862f28
SHA256 b1b4fbde2f12eb9a0856ebca80e59fa3a410f4192d7aa77148e91b97c863397c
SHA512 a3adcf30e1986342ae8cd87d6a86e1e6611ef19d345cd190838c720c87d14cda54e18d4dd95bb458a2ac308da7b5ec4cd29e557774b3d8b0ece56a542ae5577e

memory/2868-301-0x00000000001F0000-0x0000000000221000-memory.dmp

memory/2868-302-0x00000000001F0000-0x0000000000221000-memory.dmp

memory/2988-303-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1652-312-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DmYIIIQs.bat

MD5 91eeeeec92db99501b3dca70dc92e92c
SHA1 799507898b91f1aa5779bccb9825f21f2f1b588c
SHA256 adb4a6682f6d469ce651d42a3bb5de9827f60a23409a11a58af4014055dded15
SHA512 228936deae8f2a206201b9a5a9e91883f8a553f3a32a4bba3214c84530805a1de5ef14150e9a980f96e1e4368ae20a3a6a15f70c42faf3c245d1491785ad6494

memory/2036-326-0x0000000000160000-0x0000000000191000-memory.dmp

memory/2364-327-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2988-337-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xEAQwswE.bat

MD5 2d76b73bddea2f01fc0410dfd4b55a57
SHA1 1b8d4c9dcf1089bc5d4b42dca003aae1d6b25d2f
SHA256 0c565452055b73ae1bcfbafe193727527f9af4207480ef9ee5c0fcfdf735f257
SHA512 a907ea0ed2a1960e4af65744f80c0266ecc892f49e658f2a705cdecfe37c7d98cec026ebeaea01b91c3ba10479bd0c8ba482f2cc59c4e286fda505680ccfd889

memory/2784-350-0x0000000000120000-0x0000000000151000-memory.dmp

memory/2800-351-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2364-360-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oQUQwAUg.bat

MD5 062e8534759c2dfa174b689e351932c4
SHA1 604cdc343b1638bece848ac4855b0fdf8eb5fb81
SHA256 b34abd5df611203c9d74c31617c9e80b27c2526ed9fe06ff67f4a73cc9cc87c5
SHA512 ee4c7d66875d2a2d297b0e0ca4568f6a69ab28e630112677eb817be4948d9590167556a870af2e82c9c88fb55f283449535d664449db2a4140d196773d77feaf

memory/2668-384-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2928-375-0x0000000000190000-0x00000000001C1000-memory.dmp

memory/2800-383-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2928-374-0x0000000000190000-0x00000000001C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wigIscAY.bat

MD5 bf2bf8953dda7e431d985e17b299f68a
SHA1 5e3fc6eb53a0425bb05b9ef890bb3aa41f390532
SHA256 97f4a99789e9dd3ac95c64a0284c1349ce17ae198d9257e0800274b9113b7275
SHA512 5b8bdc8d9fbbeb3d10f791de30be11d8efbdbcc508a9b394c923432aa59ea37659f2ddc533bd6601f60295c7f36235b699b7119f1cb3147b7b1633659e9a39e1

memory/1296-397-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2668-406-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yQwgsMkI.bat

MD5 ca1f3f1da1edddc89dea738232aa52cf
SHA1 bda5c75f5f2f6cde5b750878336d12c79bc9c937
SHA256 af3530595ba7383b0bc6d25dc5502dce1a9a2f5740ec42ee9aa20fb2e428f341
SHA512 a317c9c348fe0ea60ac82f5d35cd75eb5d1ea699d799b01e3cc3fbce481397dbf346329931f2698bda71973da252f60255e1226f546e2e851d314043ff4bf158

memory/1980-419-0x0000000000170000-0x00000000001A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wMogkAEw.bat

MD5 37f6fb5191d53f5e6e5c1fde616d71e3
SHA1 d2f245b8d3eb4f035d9b07c1bbeb3903624cb193
SHA256 977b12de14848ee7aac18d59ec1feb94ffec3d449790067f988bb620701049c1
SHA512 8ec38d1b2994ecedeecda327f8aa87bccd3adc204fbccac0742bd9acb233432379cccb5fc44f5673bfabee64fe0569517968b6e98d11a65937f1ad20c9d723e1

C:\Users\Admin\AppData\Local\Temp\pCYQQwUQ.bat

MD5 284fdf45aadac0dd11bddf3cf7e80dd1
SHA1 6fd0a4c12361e2fa354e18bc38a2b5d48c0dbc0e
SHA256 8375565c53c177dc75f0be8f7d6536dd231c54131f587a6a6d04181e07842a74
SHA512 854d4e6ada342dfdb711b695d642a18b72b0c085a064d09553dc6db2215274e6fc10de6c8511b2def1dc5e6c1689587da53f27da653bf8df5bb73f16db0e16bf

C:\Users\Admin\AppData\Local\Temp\nIIUgQQM.bat

MD5 8d60d3c57ee54267c6672a8c35edb513
SHA1 176606024e468d32c62b17eecd993844ba2df099
SHA256 0948ad366ef315403de9b2cdf9be96d39f3b67a6df3b038e0fb6a9d1970f1606
SHA512 99781f9b4e08ad93453ab197cf00f09faf10146a6fe4f030d6fc8cec7efae179b44e126fce51c94148e9908649919ead0f40c0e9a113ebdc7f3bb814819341ec

C:\Users\Admin\AppData\Local\Temp\TOwoAEkk.bat

MD5 d6260cc1ddf56a79a96a41966aa1c045
SHA1 2fc5dbaac59276f8c918c57a1b095969c43b6bc4
SHA256 f587d2337a8d2200b9278598f9f6a330ff8f2fbfc736244df8aa47b7b219cf5d
SHA512 e6ea00542e7ec48e30646d5814f7499e86479fa4a7588df5987cd23949c0a47f6d7580a59395e9ec3518302e1e98bce314afc026b2e1a6d34c8c6d6022cc6faa

C:\Users\Admin\AppData\Local\Temp\rAYYEcoE.bat

MD5 8de4128fe43be9f5241089675e2abd23
SHA1 b4e10388c7cb2cf16435087bb3e017f390a89ccd
SHA256 f8cac417b8e4aac879eabba51424c95ccffa9a8a0b8ccc52fd790f5d128e4bde
SHA512 131082095166b045a3b9debfd0ffbd0c70b14582432b16c0437abe0ed4503dba100dba939a0f438f6a28a05938e9bbd3506ca2fec40c16df210615134d862e76

C:\Users\Admin\AppData\Local\Temp\iIAkAwEU.bat

MD5 2c54564438ace8802344432b85d154bf
SHA1 f93b13ed724b2837286d0230dd5ee500af628fb1
SHA256 86939ffc6ae527741f723f191bc48ab44cb4e9417bf171127b9eccc2be06becf
SHA512 285fa7db557f12f838c87824c1b64cbe7c6429a3ba1d70d40a9d126f215b3092fb6fa6553f55fe773685a96cf47489892734fb0c4941c3ca77cce9fee2d893d2

C:\Users\Admin\AppData\Local\Temp\OOsIcwIY.bat

MD5 3b49143df7f5542cffe1a9a29d245466
SHA1 e885453bc67300e37eb34d9ef3b23e478a4fa3d2
SHA256 ae186a2ccfc5781efb454365b2b306c0917739740d5ee689aad45bcb9d0ac643
SHA512 70a7c773be0d23691b2cad24ce28b66c6dcdc36b9a1c66144b7dbf9fe592fd5ce00fb82dfdae7f1a66ea2de7b414e9d6444ade775e8184e50bc7307ae3320830

C:\Users\Admin\AppData\Local\Temp\GiQsoYUY.bat

MD5 7f722f83cef189e48fb3666cf82b6a18
SHA1 b0ecbdfde1965ccdc606eb46c24053454c141198
SHA256 024fe570f51277e77154fc52d6041930542ca13222cef0fc93a15adf06bcf0be
SHA512 bc5b98edd22f0c490b96fc8e1aaaac63ac5a6bbc6fb503a8b0832fc6d0085424b3137ad2a42f82486110f376998c71cdbf2cb00b519c64ac3ccda2edec849df8

C:\Users\Admin\AppData\Local\Temp\YCAQYwcA.bat

MD5 ee8bb3f1eb8586fd1eb87d2a31ecca02
SHA1 ed95c8115e0f2e9efeed71c479da5e252464d088
SHA256 ca378bc3f2a9c357c958d529d549152c296726ad0a00df29ecc48ac89dd746f7
SHA512 b47a4a009ee1d71c1b4f7d5cdbbf079a5b6ba31f7a77af458493d26e3263c45f8ae295011cda1b8c29ae8c845876758bdf51c0e7dea6a535963d2025a08d056d

C:\Users\Admin\AppData\Local\Temp\zsAkQcsw.bat

MD5 e96438f789b925edb9f130c7519df0a3
SHA1 39be1c0e421c1e10036aaa65046b50c8e772a231
SHA256 48e0fcad919c90b71f7d470b525d13dc4b0711beb9313fa67f8791d220563c04
SHA512 08a30594e83b3b6c192ddf711a746b140ad15310b4d250224fc05a242751ab944b55ba2da12cd2e3d79576ac4d0608d4dcd756a0fde8f35fef998497416dd3fa

C:\Users\Admin\AppData\Local\Temp\dWgMcAkc.bat

MD5 d6e415f77bf4b5fd111a48a290ff2ed7
SHA1 1451e175d49d27a286656a7d5a4793d9dcfd1f0b
SHA256 cab78fa08f0adb3143c2f2311a431bb991b9306fd6f7e0ef114ec01f0d174f31
SHA512 595ac9b6b3792bdb3970679018a5a4537a6195cf0f2303750bcd30df8487390d9f1290fffe9dc0343199546ef68e26da4fd4dbf8e47e22c9c02a4e3bf62265b6

C:\Users\Admin\AppData\Local\Temp\vscsUQAY.bat

MD5 3de70a0a55db72f1fb457a21b1fd1e64
SHA1 ef07823733d5f0631c3a81e9cde2597063ecb39b
SHA256 a232cb3ef1e2300708a68b6ba4e078541613d0e4faba012aadbeaed7aefd2ba2
SHA512 4af1a11ec1402ea143d791d48b8c81a5669adcf09309c54bce5e8a4a8d501087af2276cea3097f06ad7c0ce3ee6d67ad79b66d197dd48412fa9d2bf577d44868

C:\Users\Admin\AppData\Local\Temp\CMQQ.exe

MD5 dd80b08aeffec266076b3fe485b90ca8
SHA1 698b970496aaa3b149feee7ae81fa7b6a70a059c
SHA256 1461a0cff216d89f6478cfefda8552cba27e5c3d4d5ba4b0965e4b3c34c5101a
SHA512 c54e994d8ac7a5c1556fe6636e5298e0b1f1c5d3a6dc56cd9e541d2609445181f2e82063bc27ed17b5b6607249e8b71132fd4a9cf4daf84fc957e0a7b59d7246

C:\Users\Admin\AppData\Local\Temp\FYQYMMoI.bat

MD5 9f4213246bae1ac362fa48644bb6167d
SHA1 d12eb17bd33051c6563008828471aae6b88e5ff6
SHA256 5ff83ce87e87662d0e4f6242611f15a48f4a147a4ca45bd859b8174156787d4f
SHA512 2243bb2befa44556a6ffc5313dea66c6a68da36959c6f361cbc8bf0be0974d8066720f768d5d623bb22acde67a00c8899f9891d2d9c88212d5a45798c577ab57

C:\Users\Admin\AppData\Local\Temp\cSwMAcEM.bat

MD5 2c54588c9a844dc1b278583991ed0a1a
SHA1 adbe6996547ec83059ab0ebe92546a4c7ea2670d
SHA256 99d6943f69050d53a88b72882ae4f4ef89c982c74e4143300abfd32ad165b90c
SHA512 089908ecbe2671de3185c85dad150643c4ccbb419357af958e8bd5f4a483fb15e090947b0da13cec3f5b99a36e17586ea5d21adaf8994c9b85dec9f88dd2d7a9

C:\Users\Admin\AppData\Local\Temp\qOIsUcsU.bat

MD5 9ee77e006981742f0306fb40798df73d
SHA1 af93b594d35737f17f635fc1dbe89cc40810fb73
SHA256 03a2bf1313beeda083799d7d7903159024503b1a9045ba986fdcddc977979a77
SHA512 8ccf0c9344b8ea483f2b3a9eb6ee23f2e3bc0d1b0eee6492c38c00ae8a445d5407cb85f899f29876526dee74c6258362dec29f325d9cc2b058e0b82bcc56b9a1

C:\Users\Admin\AppData\Local\Temp\ywEkAMEc.bat

MD5 57b194138938eeafe297fbdab3bd297d
SHA1 c7c778ca922de2bea52a06a3683dd144691b16c7
SHA256 3f1bf750852c0171712792365dc63b5475f7d65c9c3b54206479667e8f8cfdf3
SHA512 fb9ffb007df04edf4189381f73b844cbcf72db52ec18571b6c8a3203b4bfac3e88e1e89157b47c7fd5b4dd34fee07976d4accf2851312a0077fb3b58df509062

C:\Users\Admin\AppData\Local\Temp\cCEsIggM.bat

MD5 95d762ae39b749f0305ed098fcaecfb6
SHA1 caa346017aa17cdffec5abb132ef7b8aad1a8357
SHA256 bb12f46c9520e1695763bca1c5bc0e800207f91eec8e605aca4bfa666209f871
SHA512 b553fa8c1810410274bddfe6b5d9bdab78e1f4a890ef997351c2f5d531ecdc59f7d12536b7d6d45ca189a2c4bca81be704cc84f147ff8cb03615dd4e4dcd779b

C:\Users\Admin\AppData\Local\Temp\xgsgMoYE.bat

MD5 1b0ba0929af394006a552dda780d038b
SHA1 8eac10c6ca683f31960b4914ae92052748739f89
SHA256 08c3a2e21647b1af00225d70e223bbf3b1a1864a7dfd133d16471169106b88fa
SHA512 880bcbfa090cc929ab768b7d2420b2d6d43e48b0db84cbfd5616467a4fffc4a5f1d9414f8ecab8513cdcb772894767acc238192ae4b94e3c53e3a4bd9817cfab

C:\Users\Admin\AppData\Local\Temp\jmIMoMcM.bat

MD5 39553e84b389f5d77afb1daa54909286
SHA1 1648c1c83b760d2021528aa3b6d41453be7867ba
SHA256 d731fef6e0869a52842f4724279fc42777f77121346d3cee0ec0c79f0fd21485
SHA512 6ca2dae9e02f3b47c9e322ca180bbd8ecafb0e23ab802e00976245299f4eda44b7be521ed032c3735e117afc148c410977270d234fe9b4238200cf3207b01337

C:\Users\Admin\AppData\Local\Temp\dsoAwMEw.bat

MD5 6645e3de07a91f2132f398380e5909bb
SHA1 ca4ead15392862d4f7fdeeb215e2fcfb21b37bac
SHA256 6f718383ded2c3a3066daee095e9cf07df3888f7506a11c7f4844ca01145ce3c
SHA512 4c075e134143aa2ef4519e0eddfe0f35e32b77222acbbf8f6eeb2f2e90668e09deb3be1c1c9b817b33d10447408c70da03e2249a8b8507a37edec2e4ad191921

C:\Users\Admin\AppData\Local\Temp\xYQowoAQ.bat

MD5 aa3682e1c56f918fd52ec82a02584c5b
SHA1 aa5421df59af604aa140c4f6a5ab1f223ea07b46
SHA256 38849f9c90e395f3163b3500c33c6c8a72e2e5e43d5db7a0d4323da65c31e8e5
SHA512 193c586649f94972330783851c4e629f1c708ef6998900848d1483b557148b96dfb773fc9c0749dfe802487d1f1e9037507d23d7d1822b499615d864ca82114e

C:\Users\Admin\AppData\Local\Temp\xiMsgEEA.bat

MD5 286ff0d64db5a9cd3d55b4292babf6a1
SHA1 543be165679a611a4aa3706db7fe44d49416054f
SHA256 15ce793a2cc1d59bd69a03a3ea218d367822e7a63e51c980b6d902e4327b3022
SHA512 a3b316d0eb5af31ab93f1f38e3484336575ea98c5e537a8c6bd70f41173a6a060dd84b2ea7ce6c9809cd110920dbed36c3791df01ec742b67e0fd986c7776797

C:\Users\Admin\AppData\Local\Temp\KwMQMYEM.bat

MD5 e55dd1a908d6ddf319bbd635e7ef4774
SHA1 8eee82b54b9561419df1e81adbbc52a7281b6575
SHA256 6bcd18694ac81f6b07c1f0b3f82b810a8a26504eae2a3fb1518464b9bff3b906
SHA512 0e99a7cbc99710fc0a06ab2f85a7b0f11f280a8025b90b56d65a3e0936c7944833db9cffb6e306732179ca3dfcf59ef6829c7320f7c96ac3c9d1423b6c3f26bd

C:\Users\Admin\AppData\Local\Temp\gyEAwowM.bat

MD5 a4c7abc40687d7861de04f0916b55f61
SHA1 3117050e83bd4f4d109e0961808276e9bbcdfbd7
SHA256 c6949d21015dd096eb47f01a6dc03bdc3dfea1130da84d53716d808e1e13c232
SHA512 189f471cf5207cf58f45fe6a54a90a4191e1892e531c5fffec44879553c5284f341cc8530b56df770480b6658e4c3e944e060b7e5e381067499d2300dd0d1e06

C:\Users\Admin\AppData\Local\Temp\OEEMMMEM.bat

MD5 5519876aa63bfa48aeb3a2e468741101
SHA1 7104c6ac28b3771788fbdbab6172e85f4160d187
SHA256 ea70b8ec0069ba7bba750ad45a0c1f4702c89019639f4bcf034e0cf78b0f05ef
SHA512 e7cc33341266bbc08780d48157e82ca6b28f8bdfd2427bcc005e94dbe41c7157eda0b804a1be4ab8cf3d140278f01521356f3ea3e783d57b526e1d268405404b

C:\Users\Admin\AppData\Local\Temp\PeAwsQIA.bat

MD5 8a47c381abeec854771b55efc34f92d0
SHA1 d09afebeb0a342acdc2a63008807ea1a30b882c1
SHA256 b3a8f8b6626521f5ac4b25d958df16cf962f414c93d14c4a6432940bb44da874
SHA512 9b47e53de03d8e7e8327871ab28b58b36f3daa6a0abd8acd24de1dc5600aa166cf3ea0472dfab0e1f6191097f5488f1fa2325853254d8c4d31dabff8a35b9414

C:\Users\Admin\AppData\Local\Temp\LEwYkAAY.bat

MD5 17ef549a4b82d9f4c1360ac67c61afc4
SHA1 6eb340ab1152566904ceb29fc904b782acb95bb0
SHA256 ed805abed22f11347d16eda511fd1d0ae1a10060583688fb4121bf461d4e1ac8
SHA512 f063704e1fb5f783d3d42960f2df4b2831664968647c8a45f4b76fd44f7a31e47322be2df4dd3b9bf14526720681597f2da15024fce6f0b812c0051efdb42ab5

C:\Users\Admin\AppData\Local\Temp\zskQowAA.bat

MD5 d2553867470d3b886e1047e192e22875
SHA1 1d99efc23200c14a535509767c36efa82690e07b
SHA256 ebc9899529d79a280dbaacd4b6e484bc6215fda739f111d27292816dc5759a8e
SHA512 830954f82f7bbd2675b8ba55a1698e0c9243009e0963db9be79b3e6a33f772510d0e7c47b37c99b0acf3e2b01f53ce6e3a57adda94c258592b8b3bc6bb22df35

C:\Users\Admin\AppData\Local\Temp\pAEAsEcg.bat

MD5 afeeb8fc0f4fa2b1ad58a183d7306865
SHA1 c657948e1cf41b4c9c27bf2918009f4cd8d43337
SHA256 a2209add46891a8394796f6e314e54161441930ed9343998ebabdc123bfab1e0
SHA512 cb3909e9923ef89904ae4a929ed36cc8737a876158759233e8d98866fa47b85a7e1015decf17050bab6403793a01c886b0283bd84bba543c3179b981d494aa34

C:\Users\Admin\AppData\Local\Temp\DGYQcMAY.bat

MD5 cc6c31cda4e8e3b231b1b6044c15eafe
SHA1 dc2d7d8245505834911938450a0152b0ac5d2e4a
SHA256 8fd552b51efe361eb57cf022de1ad58bbdb7aa5b60b5b2ed1564bf4aee6f161d
SHA512 bbd94ae1eb39868f605e93fdb3ba2f707681d9070427c38f75736f8287c46acb48ec3f1725fd2569296dfc9b3c952539ed7e6f6c6c5d6a19a736ce57da9c9a74

C:\Users\Admin\AppData\Local\Temp\UCQkkwUw.bat

MD5 4d94f4524da3c39053efd52fe1297232
SHA1 6da19753817666750112dd458d5dadf53b3b6e6a
SHA256 976c621a34d9d977b1db48e8bdfd994bd1292f70b858f04985bf2cd4bca13119
SHA512 1c420a53c7a73d65ce14f648447cb3375d5b0b2fa0972e6543459f04070fa65fb3cd21f8c1e8bbe5e547cdba0e6eef5d744b964f19f6767549496c6a94ed2db4

C:\Users\Admin\AppData\Local\Temp\CEwi.exe

MD5 933c4d2ed3f98ad07f62e4042cde6b16
SHA1 611354e64388ab0f094ac6d9e68375688e998e67
SHA256 af310de37d420bf6708fd7e089b7e75622f77315524ac3f288e6e5e857238dfd
SHA512 42348a32db90f205e30ceb4353ccf47e1f8d42afa54687de5ef18f41d32c532aa13ed8d955462b11e8466d1d2d5f6bda3e8151f76234a027fc302408aa1f98b3

C:\Users\Admin\AppData\Local\Temp\AIYw.exe

MD5 69948d322be2eedf2e73f842cc82bee3
SHA1 22a4546e0c537b122e0f48bad3468e56768bdce9
SHA256 096e268d9bc6ec749b696fe7d1e9834f47e015e3240ad8a9a0e4a50e4b27b475
SHA512 3405ef54648542c43c82189ea28dc0ee5b9dd4246714ca3f682eedfe69af35c5b70b18ebd4e06d8f96d6ecdb53c2049a928a2d9d00e0d7064d2903355f5939d8

C:\Users\Admin\AppData\Local\Temp\owMo.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\eoYk.exe

MD5 238b27bc19bb3d50358729a9f5814620
SHA1 edbddbb3bb1f6b4938192d1a8406581bbffb2ee9
SHA256 58286f7468996165ebf41162c69af9fdd21f5b65202cf57c00034b2508c3e9c0
SHA512 a3fd745720ca99ef2f9577ee8ba54edc45d6b4ca40e12de0fb592f906d6106bae476fb9f73ec3b25ceea43be803b9ca090267d7b5ceaae3cf5e46edf5b8170df

C:\Users\Admin\AppData\Local\Temp\cWgkswco.bat

MD5 764ea03153b22120fc5a0b8378f69fa4
SHA1 94e41e9a3a698af2d5add45d35faa57899f35a32
SHA256 2346e69c1b794dbbb0a58bd1b308938005e3754548982feeee26544107dde007
SHA512 26564b1efecbc42bc2efc6da2b9612aa30a340e2abed94dcb0340f93b42de2f08bf5fe42324bf92db502cd61ca0da1ef49f27966a9c3d7bb131a84fe60e32a53

C:\Users\Admin\AppData\Local\Temp\ykwo.exe

MD5 07142cbd852e409c529f76dbcbd22b5d
SHA1 8d4f34b90c6d04be72481da8921f43ac8ea92a5e
SHA256 a7a9f5c55d09c48d2b9178f08ad062d1805159c3f7552894aa37e25ec952893d
SHA512 3278c3e0e273bfe0ecef243c455f91428e16c3748668683e36c72f53b87a35eb9c818d0ec489b9d22b43495c356efad83be82ca17d4cb6ae2536ade813d72132

C:\Users\Admin\AppData\Local\Temp\mIMq.exe

MD5 7e1b3c958795a3f3a1d4d4bf796c6a02
SHA1 acf11ab5f59f07182226913c28ff226c58b33376
SHA256 b0b550385f6ce3e88beecbebf3c382f12deec7ae2ad0e63e571c5612fb351a99
SHA512 a61869be8eba058c4a503a9cd6e2d9caca01d103dc88db039d2313597af8bb4bbdb0cb474b762b33f94be8417536deb904b3883e5ddb8813c420aabb30d955b8

C:\Users\Admin\AppData\Local\Temp\EEku.exe

MD5 e8b402dc6fae5135d3a160e9d315e01b
SHA1 650a139e787ab658ae358767eab567f67a9d19f5
SHA256 c294cbf4152a4fbe7762eb8af47bb4beb307e7ebc5fa760c1c39f0962c14a403
SHA512 c8227b0d6fca620482057344def54c1f0faa2ee1c2e7eb8cce00fa77672a907c03c2600ac73a35358c73e4de76d1da23c1f67af9cd09b19dcc84b66e4acd7334

C:\Users\Admin\AppData\Local\Temp\mooM.exe

MD5 b2a219cdb266c50d94036498e60c312d
SHA1 333311d07013c5257b7a229b11e87086135290fe
SHA256 2bdd1740f99c7d8290ab4610d8efb34d9f58fc89d8771dbe6ce7c4e6b8ebc170
SHA512 0077361b29fe2cddb80f08d72d225283731e90f6fad4f4a7914dc48e01072f09f91856ac69cec0693785bbcb6e2fbf18be7741c0206cf01acb1d5106d4482a3f

C:\Users\Admin\AppData\Local\Temp\QiYoQMwQ.bat

MD5 d158fafa9c5109646c76b0b1974d3d4e
SHA1 98eb6546959d6546a4460c4cc0ca3587ffacf3ab
SHA256 4e68c926a81e256dda6d60007907acf6fc4de5f87be3ed6fcf0ba04be5ae3f65
SHA512 1b4fb0f530925611ce4acdfd8deda8d1a2384e63aec7bf57ff6710d913ad8c185b27dd6af1cee17818b7bad4966d40bc549d367cdc94073c651b68a94389ee16

C:\Users\Admin\AppData\Local\Temp\mEQY.exe

MD5 7e6d697c86b78281abe0ccf04211200b
SHA1 d1b513d974120ed0e7aee3b7b52258be07e5c1c8
SHA256 449a7c8e4772060d747320671afa4e2e24e3d95b83c2c8438d0ce06c5a390129
SHA512 31f5cd35a8ed7134a89a10d9c5b422ba4dc0c56d653868317447ab4fc27d09e7c67483a17d2ca5cba56821f093edba16b9ea675c6494467d1cb528ec38057d4f

C:\Users\Admin\AppData\Local\Temp\yEgi.exe

MD5 5680915d7045b6c6fdae48b4778b712c
SHA1 9802beedd1f2b180feca789ee012c0a9c77bf20d
SHA256 31fc5a9bf7c602cbddb3c1a86fe690d6a85f5c45e9a9393733b90ac1dca587ee
SHA512 69d336f46a4c9f54ec674a35053e6ce511a6baa304c94f74425d03b15586fb8f891b1f06ed3728d47fc23ce17c6d46b709ef27e431a6772940f01949ec94b569

C:\Users\Admin\AppData\Local\Temp\YYsA.exe

MD5 c192958af323139161dccbd47a2586f4
SHA1 660dd105e3d480c8e597c3e649b5cf35ee7f5332
SHA256 be82f19c39d7781ebc41598abaa4699ed7a0321b469593672ffec322bf39e381
SHA512 7da5ded6a7250c9c3846af07b9ce1a2febb6a4af656b1666cc0c9c472c80433930f74ee67b7836e7e7115167367d2a6b6a09ba130d5f44cf37881ad7a1afc531

C:\Users\Admin\AppData\Local\Temp\OcgG.exe

MD5 86847387642d94b671bc82874b87b6fe
SHA1 1faf66f81f5604787e0cc7d32f9ec3b6d9665457
SHA256 ec2c2c974a1693fd17f45bdd788b8b78a5f80293ad23669d40ffaa5f50719373
SHA512 3e37d52db3cbd7f23fd42dcc9535391a46be78063cd7725a066370d10320a7f26b63f4219a02423906a32dcbe309e0a0dd1f7e0aae398c0b98fb24154d24f2f4

C:\Users\Admin\AppData\Local\Temp\SkIa.exe

MD5 c0ba2a537aefdb8d3d6110f8cf3c76a5
SHA1 b852cfab9651a28619fba3726070ca4ae81f0afc
SHA256 a97b4700ffb64d6523675e1da58f79977e8502e2e26fee40bf5e010cb8820bf5
SHA512 ef09c0b82df01cb9299f3f7026f94dcb5ebbbd24bda1c808f74b542c1c39174cca4f872a9a959cad977c5438d51d81b66764cd4f917678277caf7d6af5fcb721

C:\Users\Admin\AppData\Local\Temp\eqYwsAYY.bat

MD5 a532af482da7d8c3e22e9810f49bd15b
SHA1 95e64b9988d7e57b5869106ff9984c356ba31c99
SHA256 abf4599d4b570dd6f8229a34dbdb0e6665e8a64cd0f6f66d86569102688a0407
SHA512 4a490935a7c179632336f64861af33e068072e37ddeebfd3f913f62497a1a723a67a2020cbc4408fb48862a5e083a5a91d546cdd71ac9609c2d98d0c8cb4a27d

C:\Users\Admin\AppData\Local\Temp\sAEW.exe

MD5 459360f75bb33e149719b1f222e71e7d
SHA1 6dc346b9619052f50ad5e82450cec59cc22c2e3e
SHA256 84bc286c6cbb4564c691dc3f6d5edb2d98a32b03144277d0b159f76001eca8a6
SHA512 558fe922997b093f9c54d399101fab7a81df120b292a12a0553dba0319eec7a956a0e4ccbb0367be0f0793f601005d01dc298cfcaff307d5042c0b43b1b0af40

C:\Users\Admin\AppData\Local\Temp\EIMe.exe

MD5 4837944c8f9385616c24bd540f4320b0
SHA1 acb18f9f2ae49d862447528d50690295d175df73
SHA256 4ddd2bb442e313bfb9ca070764b2afd4c16892f3e9650661400fa8f96f482ec5
SHA512 bbf6de90893b0b00e1fe3ad2c1c243ce4a8d47edd4143bdaaf224a7fc3e29854ce81b797ccc149d05d4ac3367b2d98d279c0802558cede378a719ee3906cb949

C:\Users\Admin\AppData\Local\Temp\ccAo.exe

MD5 9e42a535c9513f257e6ed67f317cd47c
SHA1 fe23092fb6a9d2c9f4e37c9c432d8632504480fa
SHA256 65c1ddb03b2106bdc50eccdafe17b82fbfd291a95964ee9dcef161de26ef4db0
SHA512 d4d71a0294c518fc3db989a38fec18c40337f54262392242be588051d4b481581ceb795bd86b218cfe25757328b0050dfa060c7423bbb505b59444ad94dea637

C:\Users\Admin\AppData\Local\Temp\aMQE.exe

MD5 7b94543fca082bc4ccbe9ce647a26240
SHA1 3a4622d504187416591e04e071f419fb14103bb7
SHA256 1d0701ebdea2edcb10e997c42d8e49893253966a25d19c0143eaa8d6cdf8412c
SHA512 e09c5bc72b9eb74fece1fb75fd0b2fbb7324f814a2f225e35b600b5dec184e23789cca60e327f242f02492b29489fadff663f8a657aec6cf33ed25c582127f07

C:\Users\Admin\AppData\Local\Temp\sqgEEwQY.bat

MD5 86cb53af1861808905599850969d67f0
SHA1 c57e0db20373cc41f1d9e04bd183f3b9d00571ce
SHA256 b6d0239f1f0ab1dedf2d96d1f9409969ff2531c0df41a4d4be74264a88eaac62
SHA512 b5c53772321b919fded9ad8d9fbb24f2e72376094d0c95d568d4ab0deb07dbc775e1cc219f03e455c906288e1435e3b950e23e076b6eab6bce4ffbb781ccfdeb

C:\Users\Admin\AppData\Local\Temp\qEQg.exe

MD5 fe61063a854158d6ab40a8bdcc05d5b0
SHA1 e8a6098b206b68256f1f57907a1e1ab9b7c37b89
SHA256 c7737dd58e1c344150a2a5c521567e6a7a7cc8b62393ba63360511582ab637b3
SHA512 24afc28e95a8d7471ae89d75f9034380af355f22703ee3b67368502428704a36ba0292a9d4d58f253c2417d5e38043d5a61b639a4bcbef7fadfed243176d7960

C:\Users\Admin\AppData\Local\Temp\SUcK.exe

MD5 ee07e2ea00ecb876a9c901ffd4c4fbaf
SHA1 eb1c3e87c5ea24686e127a43ec2149936e52a84d
SHA256 2fea6c4e27f44be713a1906bd3fb2682ab702e80d7809e4f782c5a49907cbba0
SHA512 37031ae3359ffad66b7cdc5590d998871ff1af6927b6a12e342341aa431eb434709d4dabdb3efaa30b6093c27e7c7fdc52e8ec54a041640a7fbd2d0e9212ae75

C:\Users\Admin\AppData\Local\Temp\wQQG.exe

MD5 c34167cc50e1452c89aa9b20b60ae379
SHA1 c47648423c0aa4c7a13bcca70f1b6b5e0a801888
SHA256 30495cd01e9b5baa92f5e91b4bb8f55d0cac70a217c822e94b7aa17619332883
SHA512 f8a9aaa41878eef93e473146a17bcb74fcddcc2f20a23037341b43a14dae1a0fefd6f135a0e17a3cc7a297b4a39da75c0014d58cd2005f2268cc874942307fbd

C:\Users\Admin\AppData\Local\Temp\gEUE.exe

MD5 0b25ae697786fc34295a6080ce8b8b7f
SHA1 99495723400d5a1b717783123e9833ccb88ddcf3
SHA256 9fab197e87762b18ae7c01052af8d26a46e9aae91e11c0af45790a2a4c9d0858
SHA512 273b6a89b13dd97d17e2e2d28fef6896d758a59cfcf98ff7dc28066e322c22e3e8700d200099b9b506f34597f95c6392292967fffeeb2dfa2989f8efbfc791f3

C:\Users\Admin\AppData\Local\Temp\aIgA.exe

MD5 dee29596774a19b77e36062235497cba
SHA1 425ab4910ae6e2b2a5b96c49092a0989d7f93a1f
SHA256 0a3ef852adc87d1b85028ba6d4ae27ca1dbdb690c77f76d56501e1e6e3bdbdb0
SHA512 bd196b8767c3303626d9f25fd4c12e38ec5b3195e93f5ec2b18931fb4990ed5510cd70e0460cdf2efbfa52d892af995db09a6392f731c18831738326faf62396

C:\Users\Admin\AppData\Local\Temp\BIsUUcMw.bat

MD5 1434dc81fed90d3229debea0522c4e87
SHA1 697d87ae36870f071d584b17e655260b0784cda0
SHA256 dbed67ff778cba06304aa756a479cfe78c10505f64adc8d1c44d8d147fb7b0fe
SHA512 e4d8bc5e4306de826526d02db6488b44bfc945ed043940ff138765bc1590d4ac3ab033f7c03eddf3c9c782a150c06f5feaeeb33d079e97f53279e8a05ac7587f

C:\Users\Admin\AppData\Local\Temp\KYkI.exe

MD5 474d89711bd78baef13f095be68bd946
SHA1 d0798c2f2dd86282772211e7741d8afaf3149c23
SHA256 7a15e8615a2e05ea28b4b383ccce6b7939bd24accea903ad6768cc4924abeb99
SHA512 a2e57765e33385712de1576aeeaf5d4a28d6cc7818c1b9489f41789f9d31e67a69387c1e0c46af6ec3645327b201df3ce110cc78d52b5e6b32ac6cb789820058

C:\Users\Admin\AppData\Local\Temp\ekIi.exe

MD5 d2b89ccdd1f50be7617144627539db60
SHA1 f3e2ef536e1f359311027d394a844d393f500afb
SHA256 b11fd3f6890685e3f8260e44d35f2bc5bc6990145d669b75a5d245cddb3c6156
SHA512 b327fbcb901a1379c2beb75ec0cd8f2418e115acd6f97c296cdbe64e9d097e771859df645444b1af6d867956e52d70c4378c4512343af71e5c7821d814caf45d

C:\Users\Admin\AppData\Local\Temp\cAIa.exe

MD5 2f483b35194e5c631c5d316c5062e4ed
SHA1 8c87885a45c06d54b55b1f2443204dc2e8cf1f49
SHA256 7944e8d5fb39b39c94ded8d599eb1a85cd6c936a92116f0b85022b61ba7031b8
SHA512 9e33b0f43800980cf8cfd2c3a03d136991dd20b11e166f4b1966c9e9ce0483cb2ffa92229fcd700d9d0e1b21e43cafa08168313be1d36b96286c83e89ae27f58

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 2db47a788e4926deeb8f3c1538a905f4
SHA1 9880e219d7d94c7d3b8d8f7f406160874ff94a85
SHA256 d20f6259b4fdcbb144438f2298d8aca716c744d780277d37efb8743394cc12f0
SHA512 2676cbd919e5f428434ce3d0e5adf208b84bb818ebbf43cd48c61c3eee1e07ee301ec3872b9d384d2815787edf14a7fc76d48612426bddeb41f2ab34ed41fc78

C:\Users\Admin\AppData\Local\Temp\mwwM.exe

MD5 1f88aa514b9280af1c4857a5b5c3144f
SHA1 3ce915d6a387e318bf250149763e238af3604175
SHA256 c25e4a9e38458d9f575d1ee5dc5ddac7444406b4fd94af34923ac2e01ec05a14
SHA512 f1b8c3efec26b68ea124faac7f9ba9732392537412a5059689b479219429abe584fcde6bf3ed013153640cc551042f7faba5dd1be8d725f92883a13f6a76b631

C:\Users\Admin\AppData\Local\Temp\agIc.exe

MD5 221b58aaf8bfb9d1e47c5cdd3e24ff53
SHA1 2a508e188de8cda92be09ed9cef1d1c143ef2537
SHA256 5f7b6ac103bebea720d483e4c0b3260e67b13d5ae9e8bd44a587a61b0baf64ba
SHA512 22edb275832d2594f42ba9c92cf72e755fecb68d545078c4e00aa23b0ce4bcbc74388faf5871a9938ecfaf76597d3e6fa6a1f7d0016a558039ad416e3aa245b2

C:\Users\Admin\AppData\Local\Temp\cgIq.exe

MD5 3fd092ddde8bea2effc8c5cefee7f950
SHA1 b0ff12bf283c7fa16b20643106905034b4b82d8a
SHA256 596791efeb7dbf752769e120355be605d26ff8773963707095eacbda03b051a4
SHA512 2ce32c9584f09ac92b20f78f68e8d4acb9b1476c2edaa86fb89d3fa70cd9e4202db25ae6bd7c1b6b89efe074a7936c22e052d5028d65a33af76b33516409e072

C:\Users\Admin\AppData\Local\Temp\aUIe.exe

MD5 7be88adb6cacaf11411df5247aaa6e6f
SHA1 7ca9924aad40771de41da706c99489dd35616f65
SHA256 b01266a09f8837e8fd97f6cf6b87cb7bfd9eaad771e0d04e6254eb294ee628c0
SHA512 8978f50164b5cd2278ce4f86e1e2737e58e1e45c31c1ab90998be06ea3989f28274121737ade641c928c987025af6afaddbfb6b5bb245bf94beadef79f71e480

C:\Users\Admin\AppData\Local\Temp\RosQgwgU.bat

MD5 b61bd150975db592409a6cd9ad1e1b23
SHA1 3fae4ad63fa8fdb889429318a2610ee1c2cf39e3
SHA256 285919baea5efac73a12abb066b3795b4c7d9a69ddab1823e6d192a146bd7c85
SHA512 41eb0e310f54049ff1d2eeaf096edfda7b8ce372076eb2c10e34ea4c9cec235d10fa68544f456ad925fc67d5111c798853cee78321a85cd7e8198a8f9e788641

C:\Users\Admin\AppData\Local\Temp\oIcE.exe

MD5 1211b6f852ea41858fa1967cada9f3be
SHA1 1aae4bc59b624fcd5b218be84dbbc4253afedb69
SHA256 f6a9b9ca9b23fb74ae40266e92afb456e2a3cdd5dab56c79c4ee2bef54453829
SHA512 48633d34e3d5de380aa02059055d865b82d901d29b691ca2d5522bd0a8dc24f32264902b743d96dda5d50367235f6ed523e39822b1bd6eda4b22d0527db5e8cb

C:\Users\Admin\AppData\Local\Temp\qAEQ.exe

MD5 352e941779d3002174b1357b1152bc0f
SHA1 aea2eb91c0081bb68c6c7eb6ea0a1326b2a84e21
SHA256 641a5dbf5a13f08b10c1bfc753f1bbbad4d501701b2556b2a09535742006531e
SHA512 0dabf29519b82e3e61c380ef218d9d745700178edb3e5a51c47059194b947585a9ef073bbfb5c42436ffa4a6c8e2609ca89b97850c9a5b519f91906b574c8c83

C:\Users\Admin\AppData\Local\Temp\Qwwk.exe

MD5 bc519cbd4df208f6e74c3892ae97775f
SHA1 84b21f631a6318e20d8f998ace3f2b2d128173a3
SHA256 b9104e271ddd5da24c2e30cd14d76e67fe4f63aea74664c3d28e6dfd2bbe65e6
SHA512 5693702264b6915a7a07b91273ad27a7f74edcf05d4c1490540594d539633865cd4e9ad0a0b18096fec2cbe7b6c6ae3a04a364d61dde7d4046c54a6681276bbe

C:\Users\Admin\AppData\Local\Temp\icAW.exe

MD5 d0385189244e0b5dc32069b91c88ac09
SHA1 6c6be249b7c9e3b11a6d942064b2fcd8423eb89d
SHA256 91d0de5e82b16e2f864bc8579967fe292f29bc59e44c5b82123ae2f76c4335f3
SHA512 63d2fc5005988a9bcb5554879cb4cef99a16cbc281c92dd5f1e4550dfcee3342fab87603be18d238e3ed61850ce885f3a4f005053d56f53d78a5ceea60171751

C:\Users\Admin\AppData\Local\Temp\Gkgy.exe

MD5 4737d9c42bbb96974a260632afd3da61
SHA1 5c54f7d952cf165875e6b55709a603bca10e2df5
SHA256 049230d4916f0ad21dde183efbbcfdb3b6ae1e392c8ec7089faa9fb6e624c317
SHA512 da714e3faa651340c447938f9b7b5e27f105d858e60be1103ac991502370230989b8a78f358ce22f15c8e5df4865dc3994e772b63255a2a1a0e7af9dbf859a22

C:\Users\Admin\AppData\Local\Temp\mYAs.exe

MD5 9fed94cc09b661c7b57e563b8c98813a
SHA1 06a350954ba58362546d6fb4f6d8b3cae551e821
SHA256 53f30391df3668cb8993dbb3b6ba7fc2b9ad6d9026d314f165810b833b7aa5bd
SHA512 794df0b066e7a375103e1b7e5096e84d23c2bc2496cac31c7be0b5d58f7a1f40e829bd0515ab520de8ceba31137cd42808832990cae95c1e6e2b7211bc539727

C:\Users\Admin\AppData\Local\Temp\HIcEYAsw.bat

MD5 e88edf1cef364433ba315c87eb9740c2
SHA1 d529da9b3f4a9c057d6c6d38a2e387844e51f395
SHA256 c5992aee43a0b92666b5167e17d65205cf5d32044a66642a1524dee8dc308865
SHA512 703ed01b50d7327f045c279a4c39591491bb9f653f24a0874d4f833f05b6c424d9d2f9b54143a45978f11d2b57375d01466b29bf0c70d3657b851ab7f851757f

C:\Users\Admin\AppData\Local\Temp\eEYk.exe

MD5 d4edbe5d442a4e408962ba40f3c81590
SHA1 07739707120c4049cad985252dd16ed20d638598
SHA256 57937e6cba9602e32726aacc4aefa2bd86bfb774f2eaab6a8639466ef8671035
SHA512 4fd12f20742d58fd622139c5d55823d053cf818a7c03c5c47b6c9572ad3b39e5bf6d87045f7abbbfb17ff49b808cfe4ee74c20f87fd15a85979f5eaf47531844

C:\Users\Admin\AppData\Local\Temp\GcgW.exe

MD5 20c217ca32e37a56ead9b2ee7766ed7a
SHA1 f464f8fa548fa34d70d59d878c4ad70f76dc5d54
SHA256 9e6de94e1730f1ba8d07f9c8b7674ce6f1d6cfd3f3061138a39c1080072e4731
SHA512 2f153b1f44f320567e363077ebda0cbf3484be452f83baeb4fc741527efb61e897ec93bb1b4e6606671166475419482d0632b2225098dac9f1219e5601eafef9

C:\Users\Admin\AppData\Local\Temp\mYYs.exe

MD5 f7d2dea669ab1f3f3ddf19b481e7d496
SHA1 86ab5b65c35139e79b800d1000c4f4f888e69de3
SHA256 1e28f820e703ba97a166eeba7ec6019560e5b5e5e9c7b992722af12ebb6f3c37
SHA512 3c6dab41e339ad8509fdc63d5645b5b320d5443ec193e78fc496672bd1ef017ebae62852f9132bc42bb54e28444c517168ed3286ee6bfe8cf7022250d187bd55

C:\Users\Admin\AppData\Local\Temp\woEo.exe

MD5 c54dd2b2a93b5802d5efa8c64d1cbd24
SHA1 1a7c6367019c13b90581af2cb48b6ab09091a44f
SHA256 d5d82dbb2a553b8eca628524d568808a8619e0efc3634dd22f4d186b19683205
SHA512 fe6a8e1cc7d9a52119c2f8f6737fac54743d9cc94f679b9667223719f435e0cd0a48d9ef11fe2939758615633976a008aef0b76d7e5824e94fb50448a2c46b7a

C:\Users\Admin\AppData\Local\Temp\TSMsIkgM.bat

MD5 16987691a3621056119be923b7562b66
SHA1 c4c35bcbc897925982d66c331c2b22a4ed805236
SHA256 a1447af7a780cdca3786c220d77c5d8b2b5cfe989f674f854bfd32594c3f22f3
SHA512 fc08c307347a24337648175b21bed5374d99a6cd588d372cb77fcb97ebdbf54af8714b951d9fb9e4af424d5eabe1d78b83c8fe381bf968f7683ff3c76fcec435

C:\Users\Admin\AppData\Local\Temp\mwoW.exe

MD5 8765895ae7c7f6744317db47812bf14a
SHA1 45f62b9598a7a7837c40d03a46613a6b9818be54
SHA256 ce5426e364b2a06eecd0fcdff65b1bb56b718610dd4bcd43e56b301e2d42a2b6
SHA512 b60d621deb714ef185ceb34309db04fc8d083032384351eea59cb1583434cc280e255d30ee8060baf8b8d2d11fdc2a9af2fa8fa63dc96fd6c7f8652db0b4d31c

C:\Users\Admin\AppData\Local\Temp\WsQi.exe

MD5 91cfdeb0be042d0b6be4422e8ebd64ea
SHA1 b9a11884e57d8395ba12653592dc00714f43c153
SHA256 d942aaedafc23e0cc307243e780034f4c0759e375e3941be81b8298eb65efba7
SHA512 4b64963681ddeacb55ccbb541e4c070ce1e0c346d386accefd57ff21a7f072228f84d96248c237d7923a1b57a3c1582cd060b9672f81681e7a0288788e91a9fc

C:\Users\Admin\AppData\Local\Temp\KMUu.exe

MD5 efcbbd10fc45b93841e2e31263fa3a8b
SHA1 dab8500790018decd14954a995be71889645eb4a
SHA256 2c040fdc55e2a818064aba7c2884e7c40a42df5f748647774a246e6e6179911c
SHA512 0227aae4d9f91c633f29d528b35c13aa289688957a6867b811ce3e697a89f4ff7218226ccc615b6860fed125785f66a339e9962ff5af212d90583069fb6eae09

C:\Users\Admin\AppData\Local\Temp\sAAo.exe

MD5 a90fc691b0aec42ebbb0895962d6aedc
SHA1 e739ea1be8c2909df78e465a2f3a22559bd24a67
SHA256 fa3970c82490604587307cb2c82afbf10a2fb015bc11c0375474a94e7a75ba7d
SHA512 65a61ee00d409851c123ceef40b32b2bf81150a6ad6728ac592a97e88a4ef94818151aeaa622cde13adca111afb2c3b488c21f00030fe842a07273f4a072cfad

C:\Users\Admin\AppData\Local\Temp\aqsAgcgA.bat

MD5 2a7302f1038c8b8f057a86b410ca2886
SHA1 ad12d28b9fb3b747cff12ccfed201652089c6961
SHA256 af867f54fe4c1b824787b61e7ac6cfbe4c63e373f012411529b78e0d19bfbb5d
SHA512 10b269e8e54cc32089d4bd25ec606c137d38ac45eae35a77073f9f95e869be9adae068e507d95f3a98cdaa338d01dee69d71c2fa84771e37cefca050076548a4

C:\Users\Admin\AppData\Local\Temp\qUIE.exe

MD5 525a2a2e2e2fc732d0c78f2a1ec31ac8
SHA1 8c23dd61ab13276fea6a78fdf17700a7cf4ce155
SHA256 0ae8b87360b9d95590a05070a38cbdb9e55c750411aee4cef221226eb2878036
SHA512 8b91c4a042882076094befca5986fc742d0db43eed8c89d9e68dc2c6a79efe29181e31381ff9bf7fe0caeeb7a1a32986f2796b570b0624a8261a16ec91c07868

C:\Users\Admin\AppData\Local\Temp\OEMa.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\SgII.exe

MD5 375d3e728fbfe15f253e2375c4474bd1
SHA1 8e1fe13cc88088b1a3c5a8972829857f4bdca154
SHA256 6c085c00750cc8ec525146217a48a0bb51cf8794784eb532bfd4804b20440106
SHA512 ef36a646555e796d51f043efd4fa1c9b9722c66afb5c8ee26a0ef1b594406fec2575e229107ebd5607bf004a1b4811e171119393c892ba862a230a3c7cff0795

C:\Users\Admin\AppData\Local\Temp\AQQK.exe

MD5 8c6b40b9b625b070c40ca9c24fee335f
SHA1 0ef2aa8d3d3fdbcae2b55d1906a6f3bc156a4b85
SHA256 29192b82f596c756067f8d1b47244658c5a4a66754b26b9b5ab331e0a24edca6
SHA512 246d88cc24ebab1323a8a8a18a349a4f0e3bc1cf0dad0bb76c985eff8240b74391d1d09370f4dcb9da3ec400ee3951ec249e50bf4b25e2724e9141739a93c154

C:\Users\Admin\AppData\Local\Temp\uEAM.exe

MD5 1b393f98c000cc56ba0edea3289e7b73
SHA1 ade9eba57119fb51ca155a51f6c9678ec1a9105b
SHA256 0967cbc58acb8fa8fa4cd92fbee44d6c081749c25cb976c89c73fd70cab3619c
SHA512 7a7a86eb073dc728e09a83ba9bf7a22e8abd6a14b2264dd958f4a3da0a718bd63c8be5e55731fb24e3e6bb2df1b298094733ab884d626cff01b65cc16e0f0cda

C:\Users\Admin\AppData\Local\Temp\MQgo.exe

MD5 b7eb5472510a7d3288480edc1347241f
SHA1 8101b8b0a478ca072f9500c481fa8636cfe09a7b
SHA256 1be5dfce73a03e0734c7d74a3d8bc1d602477ee6124f3b7ceea9ac03078388e2
SHA512 68eb528587fd0aa1cfa94b153c560f07751498c61863c3286f2de40d056a89aceff9e381a81a1c0e423735f0ad97f8b8eaf1491cc1f361d8cd191158fb0ea129

C:\Users\Admin\AppData\Local\Temp\WUwkooEk.bat

MD5 d0d4ad423c7602b5ddc24755b3a38df0
SHA1 67276c3fc47a48a644830f7b5400d2ec1ad6ed41
SHA256 7c644c41429bad234e8354653df66ef53ea87caa42d3935aaf4ba33774f30d22
SHA512 ff950daa7efddc2c59d0ab94a8609d8ddd42f022c127a6514d687441b23a4c3dd0a83fed85e8bda9dd301af75be30557ca437763a03f407f3bcb501c5c670cdb

C:\Users\Admin\AppData\Local\Temp\oYUYMUYA.bat

MD5 a14844712201348cd0e790751fcf204e
SHA1 1a16c3dba62fb0fe2d63017f8093e4dee29a453c
SHA256 68d6c05c2936e8df3711c5e21f6da3e7b5395d085811b478ae760a8880125ed7
SHA512 d89c7c4a55c70c90410f6777a92b80808454b4468f3ce85a3a6b373e166c6dfc49b5e852e254ab3f52e64679a7fe3563d73d8328a7eb8babe96ef0e6d0c37d7f

C:\Users\Admin\AppData\Local\Temp\euQUoQck.bat

MD5 afa6f0bab3e855952d667156fd0d9236
SHA1 2e44afc8cae4d6131d5af1069fd8074ad02be11a
SHA256 fba1e0b23bfc80ae8ce115e3edc0b3fe3c685adfd64514782e7b59062da13a61
SHA512 cf0c91a8d5f2351df9acd7f01008535ce1f338fc3a9551b486d792bfd2d959eb56701b1ba1250b89953a0871df2126c3f1dc45652f6b75c91221405bc3e72f96

C:\Users\Admin\AppData\Local\Temp\ZmgIEoYM.bat

MD5 e220a14e49c8128a51e4cdf6df013811
SHA1 86301a8b0d5516486f4db3c661bffd91ee8e4275
SHA256 61ec81013fb26fb1bebe6314385067610cc1fb5659de47f86947b99d6f76c555
SHA512 0221b707fff2a72b734c83abe1ef5e1b887a3e73af6dd657e235a1d2044fd6f96c7b5615a2ee1a3aad9d5210c6a275a9636b399ec2f5a9f2b3eaab701c70659a

C:\Users\Admin\AppData\Local\Temp\jcMYwkoY.bat

MD5 bddf4052460302d5783738cadbfeecd6
SHA1 4b28377c828aa498cae5217756a5b233aa28997d
SHA256 3c3c123c359b8e4893877a3f6a582d3f9589b841f9d880b60334c61066ba8ceb
SHA512 140a2adc5f933eaa677ef6c3eff0bf6848bb491aaccb1f368ad0e6e4ee266ce113862d41531f465b0bb01eca0fc876e830161dd686f3ea347ad97d360b0a0bdf

C:\Users\Admin\AppData\Local\Temp\RyMIgIYI.bat

MD5 0dd725a8807de4b0ced908ea822475cb
SHA1 9c23523569f62aede24d25d6acd234dd3772ca88
SHA256 772dfbbcfba90f33bc8208749a28677696514c707e55ad78ad4abfe077742242
SHA512 c6ce9bce2dccb06cf63026592d2fafab33d143f3fb1b3425572872aa04f7172c58c5056b95fd15c80e4785c630fbb7cf31481c0bff51b01fef07360b4b41b457

C:\Users\Admin\AppData\Local\Temp\nywQkkkE.bat

MD5 ce4738c7de628cb07439d19e596268a3
SHA1 0af0d67f02167d1d2fae714c166dae8a3de60731
SHA256 9e24a5ade82e0b9cf48681d0b3b5b908b07cb7bd73c5b4a4c8390a49294bfd2b
SHA512 0d83197b9b053a7675455972513845f0b86d3b40cb1a339d78a85fef6cdc52b1fd07715d5d89a640863596bdf530bfbf3354299e3b8a8bf89f9d7530293db4bc

C:\Users\Admin\AppData\Local\Temp\aEQwYUAw.bat

MD5 35b029a12fc2e1685670e38225ed1b7a
SHA1 7dfdef3f2d792f66ec788090dd16ffcb646125b5
SHA256 fc3efbe1eac6513ad30667d43480c3127ff34a8bc3b82b0ab1e23de1e0e46947
SHA512 0297b9675746a9759928aedbf87f9fae4e1f66f8ad9b4fd18984357617933b85c8822c6224adbc16b46ae90c55fc5e6bc1fc214b984a74ab83b095caed44312c

C:\Users\Admin\AppData\Local\Temp\zescYIUo.bat

MD5 f5eac8695f5d5b95ab495f66794f2efb
SHA1 6dbfe18bad2fe0ba366cc50ec329b718cfb374bd
SHA256 ed7dc54245206e7685fc20d359150dac5443da0644cf85cee0600ca3e149bb1c
SHA512 aea72a11969b101f0ce9f829dc20eadc85870bc1330a9d0ec41b7a23d48b76bb80ef19e37a54b99ba8cef88d7a89140b605089b6451c4d3d76631ec6d1b045d3

C:\Users\Admin\AppData\Local\Temp\iOgwQcos.bat

MD5 d932b0224931b71a997ef87ffa58828f
SHA1 b1f23affe532ad8b3f8f44121d1c7c00805090fe
SHA256 c1d651639f28ab7377637a2a66821c43cd9102244578dcf3ba14b8284c65a631
SHA512 336d61b768e9d173fd5a21238c3faec25f8a601e8730c170cadfb52c571bbb2d52f0b96b34f07ee408daf7301a6513a942f6d0d24ebe05a6a4347c9ad8558485

C:\Users\Admin\AppData\Local\Temp\UoQM.exe

MD5 ce2c8f6462f8ccd8591fba0c6364082a
SHA1 2284f36c9912a72741588070e51bc3238e275636
SHA256 214292f4e8ec0a5afcbe89d6a89bee671c6cb02e3a5e34b2776c33e79bd5d6a2
SHA512 82be3cbf3900eb5a03563dd5e2d0c746fbc64ff87987a6193fc6b0b78148eda7501b101780f451f0a17dc599909a63afb76355b745896df4e29c5f2d84e84a07

C:\Users\Admin\AppData\Local\Temp\kQQW.exe

MD5 4a706857769995d6f812f39037fec916
SHA1 6734a8e314f738297d49f15953bdc1a8364127a1
SHA256 dd1823aff07d82e90417bf296be6afc7560b7714d2e2c58b91171015fa980d7b
SHA512 08664ff0fcc1bde3fc5074113a5f0fba26a43e007468db82adfad2b70819b8a844f90e72b74e18428536e4ecfdc2292245756da39796efe351b197e3ff92f683

C:\Users\Admin\AppData\Local\Temp\zywQkooI.bat

MD5 e0161dc16ea80cb7ea6fd8eed50c0cdc
SHA1 55c9263f7f9ece3caa56a5ee3c5b554191745f05
SHA256 4912a4a122426b465fb615baf71aa388b82da6593a7b8686b074432e2aa36e6e
SHA512 64711bed8dd9ac5b32b1b66a682dcb1b74afb79f77589e255a45653b9f5c3cdc6ed89c9ebdb97a8d75c03c68c6055b3d37cf6868db6c7119fee53eaad7e38b6b

C:\Users\Admin\AppData\Local\Temp\qIow.exe

MD5 8bcec61a7125446cf50322e37caa380a
SHA1 89586d5842740782c4753dee1ff96ee779055b38
SHA256 1632c96fda041fa91afbff72653c2b6cb523faf2769c71edd30eb7a3bbf64d49
SHA512 d3e7bbe8979a3470bf15c508c3e57c787bfc9c0b3ac157d1713570e5d90e69db244e44a84d45cadb8cba1113834686f142c7419c840b28272fd186973d5c6ce8

C:\Users\Admin\AppData\Local\Temp\sYom.exe

MD5 868f53ec1b82d8316acbf884bdef8145
SHA1 d2c04c9b987ab8678e89087cd2236cff54182f5b
SHA256 b539a9f216010391ec591e01df931b41bf069a9788e4effdcc5be0e7d8851f0b
SHA512 93fe2bc3e0b16b50eaa6610ba995cc94645efcb408fb4af906bb37ad3a4088362c42bb1daa963859a19bfe6fab72c125a48c43856da12da5dac5cd3a32c177d5

C:\Users\Admin\AppData\Local\Temp\SUEa.exe

MD5 cd2889ceb594efc226f7f6fa0cabc65b
SHA1 c52cac379744eb302feaea97cd5205d5ee8f68b0
SHA256 9b8876502ffb6f6984d5c230a8e5c16e6d47582106ebb0a17814e2bab061d6e8
SHA512 f086fc9360cc0ede213dbf9240c499b1c103f2617004b45e399b4767470b943d21956550070931fdd4dfdf2d14b5fe189392219fe280ace7ecc90aa89d20cafb

C:\Users\Admin\AppData\Local\Temp\fQwUsYks.bat

MD5 08c906f1dd96501fbc2374150372bca6
SHA1 4763d9a44f687e25eaece640ce009b887f4b2d05
SHA256 0bfe62d0d3db61d325621ef351873df529a672e82ebf4c930bade0950c35a61f
SHA512 8108a71b80021a59d37b48e6727069fe9e18e5111f9abe7a6baa41d05aafc749a1a0d39ea3b8fd5b462c9e6aaa514876534e6310b142c0fc94dddc841f78f729

C:\Users\Admin\AppData\Local\Temp\SswQ.exe

MD5 ea3d85358f4d3027d0cf9c556c4097ae
SHA1 d2da9832632fe91af3bab070526021aef02b8b96
SHA256 cce1eb0e0cafe490c0c010da22936615f74c7609b6f059d665680f6f71d7d86c
SHA512 177dd11973d35973ea43a5db298a3e28620da330a7e1b0e27f017938aaad24be49fa772a55c28f769c3601a6b735b1cb3dedc12b4f8072fc730f1439fb82af19

C:\Users\Admin\AppData\Local\Temp\QkUu.exe

MD5 66debfbdfdb3a13a389caec1d53eae3c
SHA1 98f8adce41d85b039bc39701e42c93aade058fab
SHA256 65177719210e180dea5376efb2852d05dda6771fd567649b61732f8a3e13e4ed
SHA512 bb07a9aa912df4072e13d0573aa645e34e3a0e2b3e22c53c513d7fe0a107212eb210a32cb3d3b8f6d8e876486288e3f832cfa58a576aacf4c7202cf0057ac0d0

C:\Users\Admin\AppData\Local\Temp\IUQw.exe

MD5 22ec7af946499c696dfe4aa0d60cebf9
SHA1 0203d5cdae1e7b13d9c47ff4952821976ab2e01d
SHA256 78902d67b89f2a9e5eeaf4f4464311c686681a371392770aa9b7063baf175a06
SHA512 ec9bb46b8da4a5a384bd56159a1bda1b34dd7290aff846c6fb0567f3a6de20bfaab994cddfdf684d14dd135faa76f913e1b92c9427be6a7591c4134cb5eb1271

C:\Users\Admin\AppData\Local\Temp\vMMUwowc.bat

MD5 25fbb76271e87df08ad60bbbdbe5006a
SHA1 ed94e8843cfffc11a5ba3043cef75fb7dd94b45e
SHA256 1bcae6bd5f003437bdddd4e020e1bffcb4b13074aa556f055be723df79a5d461
SHA512 e707991bce36de78d0582e44f7d48c0546eec31ec4fa303360aeb7d4acf2dd6735cfdf056647d36363a2942381d57f3400139fd9faf6aeb9cc195dd55c3c0dfd

C:\Users\Admin\AppData\Local\Temp\csYy.exe

MD5 62e598d405662595e2fb44ec26763d42
SHA1 1b9ce5bb700dfa83b9a9f02370c047a28614d4b0
SHA256 77429c5cf51801833125bc1e75e4e943f8d1822052b9db2e17fb76c54a889659
SHA512 80d8f10fe894a303996c8f24340a5323529bfdc88f211f335773c8de80c2e2550aa4188834ba5daaecaf36f0370f2808c69953bae5c50846e86fc919b25429cc

C:\Users\Admin\AppData\Local\Temp\OEUU.exe

MD5 0e1a6955cce39d7a9234172e140c4942
SHA1 b9c820c2b98cf2016c9c8764c10d9bdb46ce4d41
SHA256 28dcbcf5c718dd663d4f7077790527026b84b8770f79fbadb176dce123e5f95f
SHA512 2eda4f18fa1c41f699d7fb4c1f4bb336da5bfbdd28c3b60ca836aa8a4ead050f60dfabffb139372cc489ea974c412a2db742cf325b9e15afe6eef403abe61c87

C:\Users\Admin\AppData\Local\Temp\iEEYIYwI.bat

MD5 2d1f91fc310f7f10a848d2b206114470
SHA1 251c31e47b96ee57e150b968ea707fa23d849e96
SHA256 85ce31b894d2882d978f8e142d6945f1dc7ab205d696cd1d42fe0c12c4c54e3a
SHA512 898c73943da0a523d54469f1f17273f3accbe28490e4a6a97a589d7cea2f713b683a9589f21bd7c1bd76001e0624f1ed3b24844e79a137f615d87e99398fb750

C:\Users\Admin\AppData\Local\Temp\sGwMcQAQ.bat

MD5 1ad102a5dc5fd396f17475fdcc8e7c54
SHA1 1bd32bcd44afad188eac8c0d5e7996d68283b86a
SHA256 3591a012570d4ced9d67cfb4732080498c60925fc4d985440ddd2205c8174f31
SHA512 54d9bb33e292b0799ecf783213c1a30c4886b6de6321e1ede8cedf454ba6bd6ce603db61551149ff22cbfc3f0e3b8a74a4d0011c4b9473ba1389507bbdcd7605

C:\Users\Admin\AppData\Local\Temp\XgMgwgMY.bat

MD5 6ebda6eb09bd09b4eee616c541b21011
SHA1 34b98452ba33e3307fdf952d8244913ac7f915d0
SHA256 357efb1ca10f0c7e411976db342052e37bb599f845e995ae2f8d807d250334bb
SHA512 03dbbd40c7a33baa48647f4cfa5d4b0834c73699de5f84e7469ada6eebb1fca28a820458b922cd889dcc39fab43304faaa8c556f3017ba18bad84c1e8e7e9ddb

C:\Users\Admin\AppData\Local\Temp\wWoMQgoI.bat

MD5 c082a1758e2fe14bc09b37e0cab632dc
SHA1 e442a54c53b30efeae05da3cb18cd4ec88afbcb8
SHA256 e193c1cc129b1fbbec4133a50a4258c2632f1a05fe213e13e7abc095e3021f0c
SHA512 6a55686a2030da1b4c719834f2b59df244237b9910f1ace707a13537eb56289bfb2aff36c072c3242ef7ca84f146df9ba8bfd914159d58811a9a96f604008dc5

C:\Users\Admin\AppData\Local\Temp\wkcg.exe

MD5 e3ec24ae8b59da0b7c04d055a7032818
SHA1 63eabf1357ae9dfe9847c67645e7d33c295d6f43
SHA256 f5d5e755175e390a8cc44a6a3edebe19b6ffe274b0902b8bc9316ca35cbda3da
SHA512 2b8dcfb738bd3ce299644d1468fd234de35104d34c6c0d1cb46ba690fc0d7f70ca877e2870fa07b305c50532509d767aec8a596b1c38e247ec4ff8672ed8b5a6

C:\Users\Admin\AppData\Local\Temp\icUO.exe

MD5 81ae30a076d44c80a0451826672b0a96
SHA1 79c9c0796e51aeb0b517fc72b719d128f5917636
SHA256 8824643fef11023a846e8636acdeb25ecd800754d247249ed6eb910d2a27cecc
SHA512 d7db2752420009dfb996de8370988a608dc100f980b9c37e03d85a8f99dfa1771d4a0cc269c2ac5b50157d51bd957632c76ea731955bf966b99f82035f45a372

C:\Users\Admin\AppData\Local\Temp\zGAgwkUo.bat

MD5 fb8217909022031467ef181ba5c5a39e
SHA1 c73086aba4e80dbe825084c7e557ac5620e73cef
SHA256 4e23a477884b82a6cbbfdfd81ff90ca3b07015ad9c55486668902e8c15b7c779
SHA512 5fa8e546e2415cc820dae811809d67df198141fc840ad2dbccad956e27e78ba9fc24e001ed99d7616389f37804bc19c72292484a2f06443b10de9e82aa8f86b6

C:\Users\Admin\AppData\Local\Temp\wIIK.exe

MD5 98997fba9121b376aa8d875750fbb143
SHA1 8e9181a6aecd05a6a6a79fc73d641b1bb0a22e39
SHA256 edce4a3394e56b83bbdd76f5745d6fc4f3e4e7d2e3fed5b237f23c0797c326ce
SHA512 31b5a09d0b15b331fc11e670a6b12b0066a05e38de1d541dab52f972660945fb425732afc9a2a2a926cd0f6468fda715f800678b1887365bd1adfba2781c5dc6

C:\Users\Admin\AppData\Local\Temp\EIwg.exe

MD5 07f0460493ffc3ae587377884afae7b8
SHA1 9081d3355cbfa86f5415928f2c9f197a52759104
SHA256 dd6b8f3da00f721069b7208d922258f166a763d5786806734e9cb440f8c8cbeb
SHA512 460b4f808a1e301628d9132265b87e2f81427f2d4a1e93f1479e5422235a1363e9ea0dbb2247db95cf4515a3398ee1ec7ae798e3de071945d8591585c012b8c2

C:\Users\Admin\AppData\Local\Temp\UokC.exe

MD5 511bddefa7f17c821de79e2e44695be8
SHA1 e168fcd36a8947479ca048017b0da9f3cafbd882
SHA256 eede5d38a5353962f69ffd688d86944009603b5cf2519f7afda75735631ab247
SHA512 95d252083c30c7744427ae79e42bfefebd41178565f639d49b572b09d58b622c9b81d7d74ae7bb92ee5656c4e3dfe0d8c2202b1476e64a2107359bfd9a6bf0d6

C:\Users\Admin\AppData\Local\Temp\ciYwcYII.bat

MD5 bdd8e67c2817b06366894602e660a5b6
SHA1 8a9240a2f87de39e5f03f43332596c8848a0803e
SHA256 274f74ff3f2c936030a4807fd3d7e59224c4a637b9bb586bc584c8e2e9328a20
SHA512 419971aab055380d014599b8d4730904ff16e55c657d726855ef9d9400c972df8b4609232b0ddc25600ea3d890d04b7b8686760410e1b6201e37880395d80630

C:\Users\Admin\AppData\Local\Temp\swEk.exe

MD5 459a9af42b5f0391f75d3b10733a6e23
SHA1 762e86c6ff9134a3fd3fd813ca0ebb178578bc8b
SHA256 3fdedd568837ab0383118572161093fb4a07fa27e7ea5efc6e29ce005b2a9029
SHA512 40f72f9b21f6e704d59d202860f70844b457ad3eef950af4e3fc788f53de2d62a2c35c934f018cd722578a2141c113dc4bea3affd1dbb617734fe855eb4da2ea

C:\Users\Admin\AppData\Local\Temp\awAG.exe

MD5 15126f606a090e593c48a98c4a7567e3
SHA1 917a4c565cd188ead0bb6baa12425b0ada0db225
SHA256 1fd9dee16067becca2567fb44c0584b5743bad5acd4ca345225610a202e8e305
SHA512 34cc68937c315da8941058e62f2f0d8ae7886fd54ee78f1419897d1545fae8082f84dbe6cd68f2121d9f2fdd34f2663a15ee3d034ed3dcf84d538cd7ad5194f3

C:\Users\Admin\AppData\Local\Temp\AIgm.exe

MD5 441f8634ad1f035ff45b0ec5849e3f37
SHA1 a99358fb6b73413b0055103a569d1c3c0b00169d
SHA256 4cc045b03cf1ec9f4a9837cda4a2f7394c617818c722aa28c8c745222fc86bf1
SHA512 0d1153171afed2de7105b51a6aa864844b5325fb6137aa88bad2f2a09dca384758288098614fc686cee65aeb50c37ca05667918090c469a23667665f586b3c3e

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 4020bfa1451aa50683dff52c4a3b9c67
SHA1 befcb31339786097c7d6b9adcdafa139ed08a831
SHA256 cdf9c127a7d5148cf542944520acf8c795b018fcf46763e54423b3a296cd0357
SHA512 cb22b3f22565ff722d18a1c8392c285a10e662e83bbcdee12af373469ab01140375f8bb4bb40b78dd5968ca6aa9faaca9060fa667a3bb52e1d96ae48a74ff0e0

C:\Users\Admin\AppData\Local\Temp\KEIw.exe

MD5 b1e0afa1eb0defb5e1f73d464601bd8f
SHA1 b3cc38fa9a36238d3c328dae4d048366784332f4
SHA256 2b6c8e4b595990a409fe7c04f689ea9890489d75101e42c09d31f9b52a655929
SHA512 f36c8533ae68a52ac429c7dc4a7df9a5854d631909c43ae13d0d0343c5cc1bc435c2842bf29f6496fc97411c001fd4a8d64b775990c814aabf2f8846d536686e

C:\Users\Admin\AppData\Local\Temp\uwkK.exe

MD5 bba2af59805f41cf52934ce09e82ffee
SHA1 c977496f42d78bce51d797b5795ea5356c8ed5b2
SHA256 5099cc77016473e966f1b600e13a5b6e6a19bee13a14154ae433524855608e63
SHA512 b2571687575360d29671e0c6e4d2064190bbcf9da25244a22edf651d413a41cb7002df026327defb58b33dbebb6345505ad9e2cce5c8cf756c46ef0fe2768819

C:\Users\Admin\AppData\Local\Temp\MsAM.exe

MD5 e2a9defb3e77421c6f3cc28fbef8b314
SHA1 36167ee663596583ab2a377ff4e1193318b75e08
SHA256 294719e05a8a1923c1579ab784dddce0cb3fd1372fc9ac910a7d685bd3221cd4
SHA512 97caf1c4dbadd582e05d6bd3b25b870063377af740d61679184f7da8ee3fb1cc83b6d479c8a91f35b3f7ae520fa4d7e0fd08f8fb219cb0d80f62e5f29e6a277a

C:\Users\Admin\AppData\Local\Temp\IUIS.exe

MD5 27dcd6758d6fd56fe75ede9429210d82
SHA1 bd71b78ff237f1cd40eebdda22c57e337785c616
SHA256 55feebab765ba102c43ceec591781e3222efa7a7d8e4ace3408196e3dfd06798
SHA512 fe54f0799f5c73d313c483cf797c4d6b877b4b1df6856e15b1ffa827b2a0fc6ecd05bba2307cef6fde5ead725cd3ffd5acdaa4d13f1e13e42bfbe15b87dee634

C:\Users\Admin\AppData\Local\Temp\IMwy.exe

MD5 19195c1e7d98c7669b9a13dc5da0d810
SHA1 d5b93cd7bb4c91a6795317c415d1f48b321d8362
SHA256 ff303a8f26b4375666cef62383cce99e27bd1ecfb143f27b78b713fe28330b8b
SHA512 f027799b99d7f33e6b25823d6c47fba0ca84829d977f5c9c9e04dd2d25d9db07c2dd1e5632606a125059e4b94d0650f32c3299eba080581fcb2c69fb02557961

C:\Users\Admin\AppData\Local\Temp\rogUggEk.bat

MD5 89187feee5c78d65893dfcb92250fe7a
SHA1 fee5e1b84d1261f64a157b1eac8fdc7f29ee1b8f
SHA256 c79419b86ace6417551ab4d1695f39255f1b06e622496a312e9f9bf152b82051
SHA512 2bb6815f22018c8c7f6f986d53a7e57f9a2050cecbd0f6fac22c0545163575fb63c0de8e21846f088bdd37aaa0bcc479f303410f67d5a92603c1f7fffb8a4949

C:\Users\Admin\AppData\Local\Temp\GAEw.exe

MD5 aad4782f96a7498fe3ba2d9044a291d9
SHA1 79ad2d7ee19854d84fa99a41dc424eb03d916aff
SHA256 9c3a0a40506da0c2e2ac302e84843b9e79025f13f00d9fb32193b3f5fb76d7f7
SHA512 39c2606805f51328b119cae62e900163979a3f78e5e692af2d340c3dfe02145ac3ff037bc93d43c82b59183a24b370d33ae85ed7b03d4c5e3b5a585bdf733475

C:\Users\Admin\AppData\Local\Temp\GokI.exe

MD5 4acf3be732f0817f92ac61c5b195b804
SHA1 d17f0ef97be05b4905e5db22d5fb02fcbea27dd0
SHA256 0e56e307e1d98ce91947464deaf556d12954ac050b8c83c9195caf0bb4c0462a
SHA512 2c5f90e763dcb73aff02e7d70797e45d58e03f8d055d029888467b9704c6bbe9dad57e79f0cfc1635614521d74c8dccd3f71902ffd91bac57ec13cd9e8c45c39

C:\Users\Admin\AppData\Local\Temp\CUQI.exe

MD5 50d6a40afcfb401da0d0120cadca6161
SHA1 8da10ce2b0bad2a822435f4e30a86e3eb36fe04f
SHA256 a1a0560a98b1faf5076625bd254b5529eb0e33b06a5a6c686f4316853e3f829b
SHA512 d74afa4ada187dfdf902793ecd3a2576838dbe968a77e61843a90b2b93d293f9340d0f761a1507fe61a0cedeac3e7cf4c7392507ad9590acd5e8201118414aab

C:\Users\Admin\AppData\Local\Temp\WUMC.exe

MD5 a46de4d59c83039263ca1f78c97a6590
SHA1 8afbea5249e7109d1f9925bddcc28b0f6109cfd1
SHA256 99c0bb21b1e9f59957d8c81254875535beb162a221947fe2c12d1ea18c49e204
SHA512 f854045738ac9dda56f64ceb20c662d84d568248262a2369005354bf698359b4e9113254b98b5ba3d5c2aa13fcedc321dbe167fbabb7cbe9d0852d225995773a

C:\Users\Admin\AppData\Local\Temp\QYwW.exe

MD5 52eca6b7493a390ecd8e6e1f5d19660d
SHA1 922ccc073ff95b7a619f04d8fd9b6da3a26c4a05
SHA256 1dda952a2e4cc521561e5291352e3f162661b1c3bb8f7884484f13eeb30d47c2
SHA512 1721b9966090f6da300a48d38ca4f2d87c4bec0b597c840b34aa8103009eb14d50d7240bab8d7a86ee59b670466a2b7130022b7adad9b557c129a78d2081d699

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 8209db2005264f9ef35bffe15df6244b
SHA1 84c4664d09e129e1729aa2d3870adb9cab471f89
SHA256 1ab0028300df833ffdcb75d93c72a5abdaaa857b8fb61797edf35955a020c803
SHA512 478f6fde9f033b7c5891dc6e241110b70fa77ba07db57bb4b9a44019244de81ca5ae02c98e8b673f049352d6233d00f2a18cb7b267100d2aa75e3524ec09657e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 03e906674e922ce95510de0067b3c8e3
SHA1 55d53699e73e57e1537862acdb1442ab766d1533
SHA256 973c0a78a5d62e96c10fae813958959520a2ab85882d01cdd91ce4cc8e5664d3
SHA512 ab6aa8d5b33d28203bdf991d921d33dcbd5a7f01ab3ed9520199e9c412fee5942369deedf2cde33b449951163b8ef9c10af1386ecd2dcf5d7aeb84cce4c36236

C:\Users\Admin\AppData\Local\Temp\GmUAcoIE.bat

MD5 d5c2bc76f790e4da6cab7f856548c703
SHA1 2fdc07b5848994bc91679cffca96cde9b26dce3e
SHA256 eef0606ce9393a616a894c619818d0fbf3ca343a0b9b143cecfc1814f26d53f9
SHA512 de4faecde51d9928bc279a39c3fd2bd06387bdd73de621c9671e7a2b8b15d1f3edf8bcae4faabcfde884478961de17ce9e676f3ff82760d93a3849e4433af4c3

C:\Users\Admin\AppData\Local\Temp\SEsa.exe

MD5 cb13a57eec8acc33d6da175aa0c94216
SHA1 7728d9ee650a5c7e51379eb8f839f67ad39c74d3
SHA256 cf705b9c5dabf9c535ab0b77fbb8d22e724baf6d3ade8afe8786680fc33922fd
SHA512 57154b841018848f7842c3cf8ea2eb5dc8dfdd6199f941c8ee0e0e58189bf0f70c59ab7f7710c96f6fc540d64a14c2879717b4a63075e774a55dcc4484bc5bdd

C:\Users\Admin\AppData\Local\Temp\goMY.exe

MD5 266b69cda149fd05126aa047ab841046
SHA1 16eaee8d71d9e300e1d0128ae916926ece97d0d2
SHA256 f3e842a552bee61d0e754398d565f2976f5289da5ae24550d5b08c5597d32014
SHA512 45fd5cb55dceb2938c4f9270139f1acdcb9fd42fec773c6a5e6baa3370dabb6559baa88f0ebd33ceb7aabf1a2b51a41623654cea8ba1da5dbb63f1525ee7c859

C:\Users\Admin\AppData\Local\Temp\eMYs.exe

MD5 2c1c122210da722db716dd5faca74755
SHA1 1688f48310a3d93a88d1efe57f0a88f3b3660f4a
SHA256 338655ce31976cc37c8a54ce28966f98cbb86c54690c63091fc9464d0ecdb150
SHA512 c01bf4d8143ca2d9a85506a21e58e27f03185db170f5845b1a368a99de1415f7260b3dd40e02f350f5f4a9d464049357926a3fc9a221928719c94044911fd794

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 92255ade2c8371aa5be2efa98a90fd7d
SHA1 0ad8e9c56b4191c8b7f5a5d0f348fd8ae9e81389
SHA256 2857239de088311435868e75eda9c49f5bdb6409e4a9d5a9f5dc43f180d585f9
SHA512 0a37610e276062068c7697caf80470270578a14c51f1d6a31f9500a64bcc1e35c20730245ad30f7e3a07e799a8eea663e033fa9b31124178fb83525eec50d949

C:\Users\Admin\AppData\Local\Temp\GcMQ.exe

MD5 e8d335dd3048551d7588256d6c90ca6f
SHA1 155feeb8e12276caaac6df1c90e42774ef6b2cbc
SHA256 1f847a1a6098ec52ed24d842687b4bdd9491938f3b1726d43a2ca45ba8db9af3
SHA512 34e2176b830976a32e3f1f70aa3ffa4b0feaa708e9814cf86663bc659ded08941a7ef58ccef8a1292bc8059261b4a5fcc30385b195c1bd7fb98deb65224bbc71

C:\Users\Admin\AppData\Local\Temp\YAQo.exe

MD5 83a84d0c110f1ac23c0bd2128f5419bd
SHA1 dcfa8888b6467630cfbd09a9bd103c44cbbe527e
SHA256 591a28233ea497890794cd919d3ffe96da8096b2854c337179383e1af2a22dd5
SHA512 7088c846bb7a9a1ebe3bdb4b2f4c0bc4bab47de9378130671575ca09eb28428bbc5eff9fadeb0f98b949225ea03b90624b64d6ab8a6e428974369f465c92a516

C:\Users\Admin\AppData\Local\Temp\mUQo.exe

MD5 f5892ca47caa62ffb45927eb4adfa4a2
SHA1 07a02a73bdb39279995ecf9b28b7ebd2944c6cf5
SHA256 de4b6f4bbb4535b72d8e51335e7af5a914e6dbe451b635b50bbb05169c8ff63c
SHA512 a14c537ecdd036fff7809c38d993279af18b352849bcb2e4a398e7318a2b9b460d664901a63b7fec108c7faf5e3a64446e6b4a64169185b6b84537daf72401f1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 b492e2cac7ca526fee532f2468f900ad
SHA1 0d80d14abe18fc76a20e8aa556971d2df284bf0d
SHA256 c723263a254d118089f478da0822aa201f651f12bb928fa4abd684004cbac984
SHA512 0f4636a9de14f7c2bda1a04ddc32f1a8852e6eaaf2ede753aa310f386ed4dc9c0c0edb2416deebd1c52c8eb97742701c00ae7c66736f6215139364f50a824539

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 89dc16fb80bda5f6266589ceec2ed60c
SHA1 f53e6d4a048ea82725e80d162e82e95a46785a33
SHA256 9363939014a55957d9d0edc00b05eca3a372fc2bc486327ba9c89cf027c599ef
SHA512 c78d7375ce59922b971953fa11caba0741cb687060dc28fa2b873e363510b49890591d3cdd2360d950ac726a4e11f4b9ec9d9384b53e1785cb5f1acfc58f48d2

C:\Users\Admin\AppData\Local\Temp\cQAi.exe

MD5 052fedb0e209e9dbb353566d2ecbc173
SHA1 ea0549cb7ab10df8329c63edf7de1287557ecac5
SHA256 bb3131203933f222f34f270457a73dd4c57b3b51f4f30b6cff6f55dace09e238
SHA512 d630aa75d3af7bc43ef3d35c48cf4c62cea71c91ebe3cae17cb17478477c315593ac962d106310f5c9ab3d1d64fdd49a77604d4a75a2ae3e3192e01ab0851363

C:\Users\Admin\AppData\Local\Temp\ioQA.exe

MD5 0076f6c226eada0dfd2d72563e0e0799
SHA1 e891edeb287a5064b9167d4a7f3695d83b243e0c
SHA256 f7309378254ce87c0041fc385721cdd32b7a44a19093d0ceb8b4fd397c9f79e1
SHA512 1408a4b0d4148cd8fb08af2ecc8f1d21ed38926fb53c796b3f2e5cffd416ae383d53ecd06076b45518a18301b300d1169c8c508f797a3cee71637e35caf3c193

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 d524cd68c28b431986a80228773258df
SHA1 c80c642050e36df29f5e7c8d8691f1bd3376279e
SHA256 d8a8ec5fe819efb85199f479429dad61ab3d1a1b4dcf4cc9ea1025969adb8a34
SHA512 9eaeb1025450d8f014a2a4d961b0561a4d4b949cd66a8b2e6d7caddcc5f4ac53b3a22e5513c563df34d205afba8c1e9365a521903fed075bf65626ddc4c5dfe0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 487f2d8f2649a4567cc9257a94e1da1d
SHA1 0bc6470ecb419d8291a6d41458c7c72cd6548ef4
SHA256 8cc25f3651669814be6dac13b07f75c898bf0c920c569e82d4b98e6134b6beef
SHA512 a315be54a2b7086dc1a2bf28b31bdc428e6709cc0461aacb71c45c637f00a671ee5e015f27f5032fe3f45a602d9ad39da25dfd5996e8d4c9c634513734972e63

C:\Users\Admin\AppData\Local\Temp\eIsi.exe

MD5 106ed7cdf2beff1fd68c4d0ce1e03271
SHA1 457ba2d021217de707ede0ba3258af727dd665dc
SHA256 ec0c304818ebfc6d487bf985b099f70493536e70feaf75e8fab94f055573dafe
SHA512 7931cdeff01e6b4fa803eee1c7a2328c2fb3c98a456ddf50d557cbb910790100ae855d69ff5815236ba50f374694111ef9613f3c99c5e49e5115b91689c0e099

C:\Users\Admin\AppData\Local\Temp\uUYm.exe

MD5 48dd81682d0b07f2386361df33a56556
SHA1 66f6fc10c73b12b0bbb57b9d1eb102cff997c725
SHA256 448b62632a55efb2322cbd4440003aa28062270bebcd8cae598be245be4cf018
SHA512 5e3180b48efa15b4d3b5046b8bf8a7311fa94ae093d6ede751f4f3f4fe1161aec7eeadc193d4491bf24562501d2b6cebbcf25865a71e36fdde91a00122d34df3

C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe

MD5 c57f4c9f5a2f39f6b5931b2cd6fcc6ec
SHA1 cb77c004219b99903eda9b43522706392bd643f0
SHA256 89bec74c4e2ac71ed0552daf36f760e22261ac2395cdb48ecac30533436a343d
SHA512 617a9c74c2f46ec3537cb9d464f3f9687e6a599e88b0bb6cb5dad9a48c4537665ae941d0d7cf7a7204cd2d44a43496f0ea21b39a804f930efcfdcd7469d6678d

C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.exe

MD5 f579b764e0d92c243e207058c0565a63
SHA1 76c5780ac772742f48e9d3ac5818a34943d3ae54
SHA256 dce06d121c2dafb6cabc6952b928755da744b445bbc7bbfaa745c4cc49d3ddfa
SHA512 d8699c0c479356a9299aaedcfa2a5165776ce82e59c068a39a298c9f3f77c7f5a99095f392086a0fbf4f00fb171364f66aa75efc112f64f5a13cc161c85c04ec

C:\Users\Admin\AppData\Local\Temp\sosa.exe

MD5 5987392c56d2c794782e1acf724786a1
SHA1 0edef26738179a78694342b594e15be06991b3d7
SHA256 0aa1c981f20e000c2f39cb936e52aa710a7ca40081ea9727eae7c3f7882a71d4
SHA512 e31e512d73e711293e1300c05e59f991a52e29be69c385512ad0e30da0372fd6f44eea9121101266fd18569069d378540ec355779592ea6c0f89831cbc398c96

C:\Users\Admin\AppData\Local\Temp\CgYu.exe

MD5 49879f369f31d065975e56b9980b4982
SHA1 c8381b41893ce625ad52b02938ba8595a0fad420
SHA256 4ee4439df610db41704f4dfd8a9cad4031f5df0f632cb753d57dda232e8eb218
SHA512 6fc298da26da0254df75d284a635959b0233c561947520f8c360486c04f5008ac7d9689d698841031d78bd305325d50857bcc847eebebb231ff2f95a4e693fe2

C:\Users\Admin\AppData\Local\Temp\cAookoUQ.bat

MD5 f46e12f7dc06c4214448678f4b65d089
SHA1 8042a73c63f2c5e7b3a354555c8b3fd619ee0fd1
SHA256 b41eeac1cb3a0302d1b9b5811c4ad240a4753c38796e07d76aded284a6b5c264
SHA512 ce760f2a8dc086cc4c136436a2ff55e8bbb6014762c2a7c251fce89507f70ea17de6cb48650db32b8f76bc6f8c0499f9e0cb235ce7b60a7e179dfd63c2bc595b

C:\Users\Admin\AppData\Local\Temp\YcIU.exe

MD5 a2adf80df123a7f0c7747fcbbda2396c
SHA1 43ec0632218fbf45ce9daac89094f35fb1aac92c
SHA256 793b9b684cfb9f4e26b3d795e169942be3e6539c6dc602c59eeb146ef83688a7
SHA512 d4f7758665529bcff111cce1508cf53894ddcf025f6bed727edacd654abd855e37f27fb5b1830d6ccc3cec6d7317d0d869d54749aba1699e45d17af709ff1d3b

C:\Users\Admin\AppData\Local\Temp\EQsA.exe

MD5 de46a1aab096bc00b6926b12887bca24
SHA1 48ac679d5fd042a5265354d28f380a9c92ea655c
SHA256 7565a5b2a80bae0e0a0c102f5e95c994403d743fc44a405b7b17a3d661254a49
SHA512 bff8950f18bb6a71ce083e08af19147c442d24f6bb26f0ada1f489638b814b8cf498f0308520df9e682d33fac8d58b58c9b19c259365a59cd1c954154ac500d2

C:\Users\Admin\AppData\Local\Temp\oIYo.exe

MD5 d0a63c1bf3614788b223eb01628d8bb1
SHA1 40bdf1afa0ec6d086d722e5997adf63c9ee29d80
SHA256 4eab549a59fb88090f166856f3e319623551fef1ff02d9c65657a8cd53b0fbbd
SHA512 a8f9eea13d5efcda8256c25b69fe5d9cda16c99bd0ac5ebed228b95951a3c9d3dc5e1ceb6d362e0644974232447ea277dede954ce9c26c4f84e05b380f075c87

C:\Users\Admin\AppData\Local\Temp\WwUM.exe

MD5 cca3efcb6d0cc559ad744a65e2b05922
SHA1 aade262d91048607e9be80427aed363ec3cea72f
SHA256 50550058a3e96fd75ea19fcd187e79c7db1c649e70109940a74b6ceee2a18330
SHA512 c190abaab17586491a08e639c69e191074fb83b76d9855eae7ccadb8d45b67c0099ba058531397b9069277479239325b2cf9eed3bfaef2a24f7da6118a3dcffe

C:\Users\Admin\AppData\Local\Temp\UoIG.exe

MD5 ba5e0eac0c2a8e97d6c2845886f45dbc
SHA1 8925369c01729aec36233eaec207222cfa8cabfe
SHA256 28784ba1c8b4abe2b4df6ac6c0d1f0dd869b64ac355b31ed89a9ca94a2d9f2c4
SHA512 6c15facde2a30c87b47041ec3c5c0ffa4b604eccdedd06d24615c74d6b891ee9e6909b096b6b553a39c6f9f79da5d57c638e97566464813b353d76c811d435ba

C:\Users\Admin\AppData\Local\Temp\XYMoMMsY.bat

MD5 06f2a62ed38405abb0b6226f4096a259
SHA1 cb149d1b3dfe5c2146c3d026d6a6e139ac40af65
SHA256 210e48e4eefa0d9f2c51e25582c290e81519b64d93bedf699f527bd4c0d07e4b
SHA512 8a6777570840d10c888fe42a5d404346e7a039505697ad0791300793fa2888aee0087ac1e69973012a5e7f12bf0af0cfd480876a2da3b2cb046d1c93812cd5f9

C:\Users\Admin\AppData\Local\Temp\TwYcggMM.bat

MD5 a2bd74b5e5181b7833394ab30f71947f
SHA1 4fb7f4f0f0a52a0c4e0454a38e0eaad19dc18056
SHA256 ec59c64042d2d968a8af0804c5b15aaf2f973d2f770ac2f7b89d210cba5c75e6
SHA512 de94b9a63682b7544572887192e0cd14b0ac7acf9179a0513f54014ccca907d977a6999e49c1b52a8e693fc8ac98b02e719c5f1d85fcdb826b106be0e37a5b6e

C:\Users\Admin\AppData\Local\Temp\HYUkEwUw.bat

MD5 1b4d58d25158998dacfd3175ac7a4f91
SHA1 198d4bd054b3faee01ccc407034ef66d94b30ff9
SHA256 f2afab0c4026babc400e109f1e843964ad6b62591a59f2e0119a5ffc5dd6015b
SHA512 4a0a79c55a3c4e918fc7ced6e3bad10d806cef384992f7595216246979cbbf8b66a5610cb32048bb4792e8da0f25eeb3a62b93aa76d498a8fca4094fd548054c

C:\Users\Admin\AppData\Local\Temp\ZEEoYUAM.bat

MD5 44c8ee71f654234a8591e878a218f0b6
SHA1 8e4191aad15c963fc8ff65fad405edf86cc74cd2
SHA256 e657f4d4b34981e65eb662e17792348f77dddde841cf05009ae595caf65e95d8
SHA512 cd96e85107de0974f2854e29dd3059e884bdd960ba65cc9c6f6be42221c947cfc4b3583b0da354c845124d1199ebe3f58f5037bdc4dce65393d522cbfb759ece

C:\Users\Admin\AppData\Local\Temp\caEYAUoA.bat

MD5 2961f87c5cb839ac08d51f6192b522fa
SHA1 0711b1946619356e52f36a45f25a721c27d186d3
SHA256 634f223fdbafa0535bd825c1e14505b7186ee629194a56ba4880f1a1d0d47bcc
SHA512 ade26b8a938cfff1e3bb2c62bd7c559cfd2ab3cfb122b61d2206667f5b2d6148e0763bbda25a83c1c0d8aaca1d1812da3f924fa660eb8a4b60862a3359bc2fad

C:\Users\Admin\AppData\Local\Temp\MkEAMsYw.bat

MD5 a187d90190caa7a440ae732488fcf061
SHA1 bd4fe22706585635a60b5353a6cdda7eec2e8d5b
SHA256 39c39f02dc8e7601de066d42cd2abb577b2820aba60dd61cadab760c4c8baca0
SHA512 ee445496792623715943fae1b98c6da78ed41db48f7c401273374805dea3cd6e5f6974f126fc3f093829d73d3d8b808fd43298728246d795dbed5431b4be55ba

C:\Users\Admin\AppData\Local\Temp\HOEYEwgs.bat

MD5 2cf9ed10b7f6a2c44dbae5bf217b1577
SHA1 38f5568b08d3bab17ffc04043475d9a668fe9935
SHA256 1837119cba31987e44a23f059edb34858254dc155f3464dde11d014b398ba81c
SHA512 b4864d1ca2be1178557d18a5529bdd62f0ebf09fe348a1f2e07b57d13cf04c8d8f61cbfb71d76d5491fb5f6c339fd760e154b4a935b0bc91f4d91ce123a547f0

C:\Users\Admin\AppData\Local\Temp\tasYQUMY.bat

MD5 aa84f0ed798be52562fc5e665cc51f5c
SHA1 ff7c6ff33ea003ebdcd48caf99abb899fbde1401
SHA256 72d67fe5eb474825eeefdc3279ed108793fa61693d5d3a739b86ba857ad00df4
SHA512 7dce4f89f40704a898bf9e4fa630c8768fd71b93bc17a662c646bb2ce5256b6c4f6a4be08762ba2beeb8fb209a6af2258b4d11a4e72003f294a388a2bd6118a4

C:\Users\Admin\AppData\Local\Temp\oiQAQQkw.bat

MD5 69e45874ee8f04636825dbb90c981408
SHA1 363283f4bee990852399dd1be715a87586925039
SHA256 81350a1c3793b8d61a075aaae31e86697800dd6a8c6f34e4ac8dafe64a5554fd
SHA512 136ba51582a497e7716133dedd2f7d886d8ab40ac2fc2a7a09f05eca6810646568e51f16439c5eb53c0eaaeb99e525b072221440bd4094aca6ac2dcac8d26299

C:\Users\Admin\AppData\Local\Temp\SQUUMoUA.bat

MD5 ceb37a3da9c5c039c71262b1811fe797
SHA1 0cc2d25cd793d08bd156892d3e61729e33f841f0
SHA256 15954fdf1ad6e4a331e7a1adf4456fa57a1096da25f43162457aa81d76c24af3
SHA512 a675b721067cc6de7753b8ae06f39f0436c181a67800fd203a256754a74b255e97ccbbe27e9675aefe03241b24dee2be6a3e261444ef566d2a3cfc29aa9fadab

C:\Users\Admin\AppData\Local\Temp\NQkkoYgY.bat

MD5 2250457fa2787d9b5fa11ffe8964ca31
SHA1 fdc37992d50b48dd94c52562777479673c71a6aa
SHA256 1e5a311bad65af57a128e649682200ee0e750be1ae3fec0021cf6668572e03fd
SHA512 7ff2a6225e9914150e28ec5096851b8ed72d1ced1b7e226d9e2ce74100f9e2cd874b741d557174d7c987e199e1de9a6aa13f4c2bed15c4a3a846234fd70e3bb2

C:\Users\Admin\AppData\Local\Temp\LosQocQc.bat

MD5 6ed40e377f4ee34f60ab1a6805a0e762
SHA1 d6e8dabb07873c0faf1f58f8b624cb1613601167
SHA256 c40fdeb575ae228d61e3a3bf29b768c8e8c23fd61d9d1e648defdd307a73146a
SHA512 235817453a2d9ef73fd973b554352c8446787b8fec37e48d5bd07563a15f194ae5761a96834397c3f8694b8711c013b147dd90bd6d77b5a4ee576bb06c9a8315

C:\Users\Admin\AppData\Local\Temp\loYAAYsw.bat

MD5 496777ebaed6eea6c81120ebbd30ed31
SHA1 59792beb5a901ce217b4403bb413f8f2fff6d015
SHA256 71b8f74308f939482fe7ddde8c8820f52c0fbe2e57709b1c2e75e58eaba7e32f
SHA512 d8236ad170c943bf14ae55cfdd0605fa098df018a528c5c027dff9651ef8d8b4703713e2e8a3d44bb00d93c7e16945dbdb9aacb520425be50d7fad553ed426ae

C:\Users\Admin\AppData\Local\Temp\mMMcgsEE.bat

MD5 b430c0ee2f6f56a15dcab7a3bb04acba
SHA1 4360fd84d589e44714ed79dec100437a79311f9e
SHA256 79904658aebe131d11718813c17840c78f0e167e8a1a28dee19ba92966a6a673
SHA512 d7d8ea9b16e5cd3cfb220f711e6a5ebfc17556d2d9abc6ed68fcef94cc6652598d9d4c6ea9c51fbe1d4cd9384bd72e9eef5ff545703bbf27134f446bc5f2bfcf

C:\Users\Admin\AppData\Local\Temp\MYYMogwY.bat

MD5 7fbc5d660bcdbcdd1da2ce87d8963100
SHA1 0c7a39c9099eeca86526c61928444f585d8f1b70
SHA256 1cae172a553e2a6d6415e01c0de8107b6845036a1c308fd2d7fa85518f55ee22
SHA512 9f1a069f3685c9f49f28c87183876a7ddef2483516f02410f1fc2148fb61864c6f77edf74b713e268bfbd34aafb39a049e676098be7b2bb0802a3d565b66e968

C:\Users\Admin\AppData\Local\Temp\nGoAIggQ.bat

MD5 5abb0aafef086696f66357407f0cf706
SHA1 dc14a2c653cf8b76ebe50a90b6fd361cde774f1c
SHA256 47e55365c14dd894467fa6d73bf7f551282e6d6c8d5c2210df1eb43e31def031
SHA512 ffe69a4f2151de8f8f3a93e1c7bc1c562c1e72100477b9ecdb0236be60f2dda60db5ca12bcab9d0cd629a7db4797c02e167d302013a4dfd271b0a36d3be70842

C:\Users\Admin\AppData\Local\Temp\vAEgMwoM.bat

MD5 2b344d93928c185f0d2e3546b81023b4
SHA1 0a3158161115bcea8f23170d9c77fda237123616
SHA256 0c1d4fdf2c203b094ad6c1f743ced6b7ba4e67b1370b6f59d3c064bd0fa283eb
SHA512 30430ea53b305113cd10a91e114edf84ea136082e6c0c20bc2c9d42f678d307c58ada6e6f920bf5f95256bdd8e49eb97513254c687bb5245723c4aaeb1cb476e

C:\Users\Admin\AppData\Local\Temp\vygAcwIY.bat

MD5 cb033a00d15b16ae5e64168e7ad4c8d0
SHA1 a91cd45d20ae92a15866b3b217512ad0dfc6021a
SHA256 683198b28fd7e6299de3d540d7821c08a765bdf14376eb2e394826e3c71846df
SHA512 b12ac35396dda20f103428f4356352b1c687246120fd47c112a9363635a2d34d1d13dd892110ff792b813a94a585a1eaa5b5ea452a3045b353b86d95dad22ecc

C:\Users\Admin\AppData\Local\Temp\iWAskMQw.bat

MD5 9cc7e7aca484277d8f9c1c326eb03c32
SHA1 23c24912b9c4250250ef14bf65a157eeebe5ed0c
SHA256 fda444a5c186bba4da17b2b23faa0221e77eb152e1ca92f24fc57e51666c0cb6
SHA512 9bb0673d0f7030ddd27cc016975ba7e2862cb006437bc7c026f03d2299a07bcd51377cc97c94ce23a983cd5ea9d7707470a51f8dac0f3d71fe9b4838bb3943e1

C:\Users\Admin\AppData\Local\Temp\OSQssQEA.bat

MD5 273e20742f63a5d29e0da7060d72a2c0
SHA1 6a2edd15c42af2bb3cf09e30b4b2ee54ca22dd92
SHA256 0f3e5007bdff9e962cf0513a118e61ebb187f637b1fe6bf2fb8494cd207a3a0f
SHA512 1feb28cf9a91dd1e37a4b3d4a0c7c027c68b912047ac3f15640a5de61909e159320e5895a712d98938c1253c86c459cd7674044a1c5378488202b3257f9546a8

C:\Users\Admin\AppData\Local\Temp\iAkssoYg.bat

MD5 9a1ad6a9892f40ef76bd91aa13ca831f
SHA1 26c4bb58eb69067ff0bc0d786cc94cc73f09b5be
SHA256 7c44e5e041e9089106511ed99b2c78a4ab1f8330b344cbbc865b3a8a0e2514d3
SHA512 764ffdbadf4f7f95825216c633562d92bd7a57700b92b7fcc62820806a026807de3d42c497d263069b5d3794b99f4fdeeca9594c4de454244c643e197fd8097d

C:\Users\Admin\AppData\Local\Temp\mWokIMsw.bat

MD5 cf93a6075b4305f066b338e5cf2a8f2e
SHA1 cf88bf7afe22460b17d6a1e50045ca85c50ad441
SHA256 f72e873f5ee7bdddc22ede647d29d568170a7ea51ceaa8b756c49a1bc9b236dd
SHA512 688e9133210a47e6803ba137ee0cfd0b88ca68e0d7abeb764ea07af8c008557afc8d1a6dcada5b808918c038ab59abe2b3f60de878d854c4601581d6614a9212

C:\Users\Admin\AppData\Local\Temp\hOgwQkAc.bat

MD5 5825c74e775e7b021d5f8af0efe7382b
SHA1 73334df0e2a438e3c00744440969bbea65a7d5c5
SHA256 e756a1920e79e5577f57940d8c127b1328e5e935d27787afdca1b56b1d47c595
SHA512 f9697d9900141c18a7b25588e0822a6edbe1ab6f27abaefa235ec9d702a5d6cb201268e0ec99762c49bb1e145edd2ac2316507fb3a6c5b67285db6b3b5473a92

C:\Users\Admin\AppData\Local\Temp\hggMQocY.bat

MD5 dc8abb54f042d284820eb6c12d436b59
SHA1 de641c15d625cd53574bf3f2b67f981465bd20e8
SHA256 bee9aaf05d4d386ffab7a95a8f3026fbd491a5f0f8a288b72934f56fba6be80b
SHA512 c82b4933d50ba6cd98ae0654979d1589411285529c082670b15c82446091a77cc817a27b4b0c2e607c8865fb248cf9cb38c8e029a38afcbac92d0335f814a07d

C:\Users\Admin\AppData\Local\Temp\vEQMUowk.bat

MD5 531279bc18d343e32d889b1a3b2cf1ff
SHA1 07da0ca9903050a16b02b024cfb77a99474e4e9c
SHA256 1fa558b83b12caf8d51d894c98938b7b1be89b73949453d2b95fc6c8d9801e02
SHA512 223c85ca5106ede260981e9df011676dc841c06efd3a1ad9f0fa6d7d24387beab2205cf224187dd3db2aa02b454dc01b6771aa14973f3d6cbde4b5049174ad3c

C:\Users\Admin\AppData\Local\Temp\OoIk.exe

MD5 57522bec76a7f94d967ed97f028d97e6
SHA1 7ce0324c36e6ee3ee9f0de001d898991fb2a7476
SHA256 9dbd2d826b4e324f6e7ec3486e672080cd97193ee5df02f4cb519e8089d480e9
SHA512 fe93f42fe165c939f60df4f7da9f80afbd1a936811b026daa0bf963a0483bcb27e3811a1a476b70328dda5f27c9c312f14f68013b48c2bd48ea49bbfa8346202

C:\Users\Admin\AppData\Local\Temp\iGgEMwMQ.bat

MD5 7442508577de1510f3630b91f20c2d81
SHA1 1358685a7b4c6c19c45b5bd06beab8c68f3f1258
SHA256 ad6021d831e75e6d07eba4d69146f2b47e171e3fa5b4f66918f1127559704bb2
SHA512 885b7d691c0d1146481a81c646b930ee1ca7a8d3038b614e5bdd0e6b63580ce3e1d8ce91441ee8092814189207373f94c675904a085b472c2e0ce2948c4be262

C:\Users\Admin\AppData\Local\Temp\QgYk.exe

MD5 c9d3341dab08a02b9e63ae768bb302a3
SHA1 b8e43d4ce01dd622e2d01947be893f0151a7e8db
SHA256 4d2c7a210b37819825608ccf296b00e4d621c9af7191e727205d93ca38c45731
SHA512 afdcb588d8d39178a9ff4c2594ee788d695641c5650121ed48ee33f8b9e145f4c23432938a87e2430e55e2d62415052888e1c4e907dcb666a4beed2784110096

C:\Users\Admin\AppData\Local\Temp\KyAYIAsE.bat

MD5 0e1a432116a05940cba3e44c70c7da0f
SHA1 fa1be21894bdd51334747b6c56c1666c3c580007
SHA256 5ae32e5e7220806416abc85642b63a99f80110f5f9b07385764b392d02db4062
SHA512 4bac36b67147c0d61a8543941ce35fe22ba2c0f5b0f6accb365d5146415d22a564f5a0488dffae3d420e505152804671c5bd87313b60fbdb7ed75a9c6e57be6f

C:\Users\Admin\AppData\Local\Temp\ogAsEwgE.bat

MD5 e25f1c6dea16ffb9ddd54fae8440348e
SHA1 5cdf682966892a8bbd2e82f2a21a883287aafe7b
SHA256 c12718fc4c94cf1665ec04587cfca382bac444ac9e99b56deb1a42956ca3db17
SHA512 91d798e4a21acded915f6cdbbae150d7b69f27f45883ade9821994f5a697be9130d7519459c10e15c2041b42775160d27d73d0ba64ebe572305da0a3babb7332

C:\Users\Admin\AppData\Local\Temp\SwsEcoAU.bat

MD5 60d57dd02ae606b1c4dc3bf7dcb4bb5c
SHA1 88e8f99d2ae7c9b59019d8238cd7127c65de928f
SHA256 9f429807283a2bb8733d451fda1923842d78e0b3e89d91b5aed3fb92c4f73f1a
SHA512 ea6ab68d8a985f51abb85565b3591ce3abccf7f22982302114f896821b05f8671f2640e0b6c106e183f4f7ffd439b4eb070f7669a1597de329487a02a9125bb4

C:\Users\Admin\AppData\Local\Temp\NkgIEooM.bat

MD5 f8b60680f2d5471db59d4976b8843162
SHA1 87b5dbcfcb98a6486bc774fb243dccae4dece11f
SHA256 8fe325d53d0bca7b57d7f325adc8a34027eb61e9d37ba8b526bb3150229d38be
SHA512 20bd0fe6fe4467c8bf5d247312c6024f956d194d09ec83fa62a3b3ba801f54df9bf94935e47a0bad35ddde65026b23826a5a88754c791a55521d9fd9ee41beb5

C:\Users\Admin\AppData\Local\Temp\JQoIMwks.bat

MD5 d86bc584e7e120affe51269407d93321
SHA1 c56ee767fd02b8b3161feb6bdb50f29dae9ad7a0
SHA256 740f57d5b979db0d70aa9d6db7026ea8d497d539ebabedc9b8333f2df1cccad5
SHA512 89dd812864baebd6629e23b941215ebfc153c714c0935eac2287baa70a8b92e3811038e82d1ff7ac1d0f69cef9589477f597cd9e7a2aa3a028e696fa9ea7b185

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 f96daab60251bbcb5912d4f0cc497f16
SHA1 725e7c4e1bf14183308480de2d6433bc28f7ea0b
SHA256 c5c9c1902343e366c9a59d1830fde13d9f4ce6eaeda812019695fedc5698756a
SHA512 de91909981d2e31c1ce892cde3d10a40abb083ced9a0dbef40da1efcfbd63694c9552d9d603920ddaac86a8abf552026183aacb9b82f0f171c7b98842e85e1dd

C:\Users\Admin\AppData\Local\Temp\tkMcwAsg.bat

MD5 782ec6e6bc75cdedef1e3c3120390571
SHA1 790d69101e492e6bf2c15cb738e28613dcc00574
SHA256 8b64cc1ce54974830df5b25c60f8fd4a30764b13096985898aefbcc22ab71092
SHA512 1d5ac108bc2356ef3ee73629c3f59bb1788897f719cac92b28728bcaa99544cce31ea259acdd56c2cfd97c1c300c25aaf29e63c90f092c7dc477d04a353491d0

C:\Users\Admin\AppData\Local\Temp\eAUO.exe

MD5 3a98bbf63dff5aa22ef23c0e381e347b
SHA1 a8462d4d4bc23aa73435c15b1f0d044451bb4acb
SHA256 628b645987769185d2e7d04d077afdfd1a7903086bf6e441b4129c75e7ad356b
SHA512 79f9b8b618554e5c21bdd793ff9bde6a25cc118c0ab935368f61e5620c873c4ad489a2b465f56e955afa173df3e2a3841a597e1115ea6605abc7a01d023f2835

C:\Users\Admin\AppData\Local\Temp\xuUQYMAc.bat

MD5 e358fc90f4f7b722fc0f39045e99dc3b
SHA1 011669f5b86138353c481875683b21b2efb9f73b
SHA256 4732d072083096edfb894df19b7f2cd352e931490f6918f577abb0fde32d5441
SHA512 258177e3f80d4d4123807e06b4a8b331faae7599287718208e53a3500bcc389fe45ea155c5befe9aa5b0507f8111a4b6644a72c1f0dc8eb5742cde6263e41a4d

C:\Users\Admin\AppData\Local\Temp\GYgoAYwM.bat

MD5 3f63fb8146dd978912511cf4032cc5ca
SHA1 7a1866ca10ba3b157cd5c57e0289ac4b677c4c15
SHA256 c7fe672515a07c088e88aac125594758fb00bafa97fb0ba1207a1b3cce66b682
SHA512 9201a9d17e701f8e17812132f668e2d3030f2e91ab68e3b2f4062f8f4562619b991f0e8ed07bb754395aaaffc59ad23edcd95e910a7534c8ba2bfecd35b6fbb5

C:\Users\Admin\AppData\Local\Temp\UwYk.exe

MD5 cc789b39d356a9cd9a3d674f77eb01a2
SHA1 76655c925e4f7c29a40009e2478b75e1154d039f
SHA256 6862003beba25509ce7defcaa441f2ee7b39b0649b97045ff89ea1894883362e
SHA512 ca01a0be942ba850775691c75a947828323b7f3ad265c0cb56c6c48f6d03a3b92a352e4b08b66bd3eabf7dc87002f8470e9e10f2102c3287c5594e9a823479e1

C:\Users\Admin\AppData\Local\Temp\CmkMEgko.bat

MD5 89564a4d0c19289026ab24f22f20e6d1
SHA1 a687de20e72b18b5f9ab41ba922d22dd96c3d0b5
SHA256 8593da5d0fdbc92865316c6c7e1ebe8236fc55fd2ffdbe5992c841288c1beebe
SHA512 b5ec22abe43b561b0f81b9d7da53ae83c2e9755ffcc98640498b76ee9210bfcbc17347c7d9b87ca9477d688bd7ad1ad7f77b32ed06951871479bd0000e09030a

C:\Users\Admin\AppData\Local\Temp\UQMS.exe

MD5 9a2f6d017f873f7706da819398445854
SHA1 83fd23e34904a79f07778c74b02661707c94741f
SHA256 c20e90769b2e5bea6aefd9983225752bce33dec9435ee413a4b317515cbfd9c8
SHA512 d5e627ea2c57f6223f70e4051d80463f434c6de0ed39ea711f79ed288b42b7d2b87b668549f441d37b15e3db74fcaca4097e859c2a7d3b4cfcb4ed05feb4c514

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 972aed2144c1754415029b24bbafe3f2
SHA1 a62b8f3f545212615204e9b75909a0ae54330ace
SHA256 af077c6e706d9380019e47b49a2110e7597106239d44cf6844bdcdd67733cbbc
SHA512 3e7ea915d70cb7caeceeda49c459898e51c0d279146903c3db72175cc5af8e898c1a89b99c25e86c952a355d7fcf94c598d9b7bde5fc1ec5f7823273a670a5aa

C:\Users\Admin\AppData\Local\Temp\SUgk.exe

MD5 936e040e6ac7a197a0e1ab4f3c8a99b6
SHA1 9f0eb91ac5fd1fb7580bb316954d0770535562cd
SHA256 93dc3f2ff9029c3f1b692522769c99f6ea7e2dc4e037595696735f0a7182b31f
SHA512 e220a8218d0ec19ff4f234d4bcbf0b04b2c20b116ee829c189958d00aabe65b6d39b7c275c54b0a579afd5c2d5dde671745e0c6a5144b46600a8f08bd945cac0

C:\Users\Admin\AppData\Local\Temp\ugsYMgEs.bat

MD5 d91641c2d6dddc09bcac747dd7d75d13
SHA1 4ab044b79c120347c0f127608a86c4ce970c4605
SHA256 1645a86b390e808b0e4f405c4f21ecf6f0e120ee53e1d4d29a366a5d8aa72939
SHA512 5a161c4ee2a6e0a159866b3b1b34bd5077dd7713993d1c2cf48e96479d26ec8a4a3a292541cd66079aa2d0ada417de633cf016e626db84ec640be8818c0fdf01

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 822c7fd6c7fa4beff2b6667c211ca0a9
SHA1 83fa86c3ddf1ca8fd9ffee3c9383812e540456e9
SHA256 1bd7fe41d3a407fa0c33c503c95cf6195167c48b48cb68c6f537d6015f27625e
SHA512 eabf8e52b1eb8b88ccc87ae4e65d2b4d08d319f34d534afc84255530e59520651ad0a38713c83ebe44dd53d31064bf2448a9c179bb93f1bd93d4067c78fb5be5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 5ebdeb8449c22800854dbc304b821f02
SHA1 5c44c30a976bacae2f0cbcd83e3e98fff27336ca
SHA256 19967adf59dce587c324f4c989f44f233b7d4e33da4b504cee903983800c6e77
SHA512 91c9a11e80f45af06ac7c95c53b271c0ad45907ba00b5362d8a78bcd21f7a1524eec513a5066e940805ae941bbdca79839a0dbb563f26303d5dde355e67de28c

C:\Users\Admin\AppData\Local\Temp\CkQMQcAc.bat

MD5 9de2f04a9683d9b722853efbecca2440
SHA1 04fc0202bfc11d0c050bd9726802346a1f9c77e4
SHA256 5703ce50b7851ebfa843925057b901707f5c5649dc2c2f370cd574f8d89b4607
SHA512 33cd8c41892942d8a7bd16a513b1c61957de3cda43f7f177dea2afa6b2317a55cce4a8267ba0ad79f8068b1a50ac13f91295f16e4029b833fab29f15daaa26fe

C:\Users\Admin\AppData\Local\Temp\FqoMsgMI.bat

MD5 63a8fb8fb5a7754b0cd47270ee7fb50b
SHA1 e0181e199309dc8fe0d64deb8a7ff5ede0689ffc
SHA256 77fe41f24520b2d293ed739bbdb0d99a356b097a4055b771b1c8cd78363eb6c8
SHA512 2c551ece774105b82b094b519ec774533c91dd818c2c3d5bb3507317f393177a6ad9f2e85e8d627bf3251ffb26cf62f1ebe0df4a06aa567662200ff07fa908e2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 af55fc979093749d8ec443303215438b
SHA1 d1223b5dc10e1f7db89fb9971f2e87e356892ca5
SHA256 99d2d496361277be7813344c8a51b3b13b2692436969360edd8a775cbf40f079
SHA512 ba5ccf26af45a269a11ebdf557c06dd67df95d8a4c978ed2c54090a577dd2b24a10ecabcef2bb971b059073af50af492499012b5bbcbb9d51f3d654f3dafb4f5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 92c7160609fc4f6923ef6cf88ce2d940
SHA1 e058d4a3952b11ff2a82aa274b0f6db5592019d6
SHA256 e7dcf85f7a14643d1871584236e03ffddada85e25642ad743d38ada7919d6c38
SHA512 9146eeae9f355d9fc47c560310069a3b8a039b40c05c858475da2d5120c654fb4f4b0bb95f4e4d1ad94eb6713e5ed7b76afa83b2e2ec3970376c05b4997a55df

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 494a08789cfa5eb7c534d8ab32b07694
SHA1 8620225bc1883aa729a2cf37837cffa9508c3acd
SHA256 aad322d7155843652fd1170a6da228d09270d256e5da26dce160ebffbf4c308e
SHA512 bc39e5616de1274db69573f177726d57443bf950ac325512a0f5b4408e92146a1f44fd0e0523c18f04b1b96ef857ce63420091fbe1fdc7681726e20098db2867

C:\Users\Admin\AppData\Local\Temp\nEIYgsEc.bat

MD5 5c9e6c336b3dbe5bdaa0eabd6b9221d1
SHA1 ead98f3324ca9e1539a71c6144b2863b40e9ba90
SHA256 6250a2b3d0c6abe107d9d0010a615a516405c3c3485dac868b1c2aa6815978f7
SHA512 dff03877366f9c722056be1b746297071998a1f26760a5b72ee50a55ae133cc69a36223ad521499fb629178576281a848059d775f5ea2697f321138ee4e7c822

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 dfb386f193614eecc6deecc690ab1232
SHA1 8668b527417d6f3d6e866724ac09bda0c588cc7f
SHA256 a86c0331a7aa60bc380ba13ba3e81dc8d107b00377e66244f0eccacbce24feac
SHA512 22613a1e5a9bbc45cccc52be18b78717b929fe238ed61d8fc9a04e20dce2f11354dff01ae251b43d82a5f486a0d02127d356d4f2ffa4596937b789521270acc3

C:\Users\Admin\AppData\Local\Temp\nKsoEgUE.bat

MD5 88d5e787fff717f5e29dab6c06af57d1
SHA1 2c245acbd3b4e09de5771f39de30fa23da4e3801
SHA256 52a38b0724b054253f44488537d8ec8d5b31656904c5c973c18fe3e1dab7a0b9
SHA512 3369cbef6555eb4ed8740f67250ebe80b5da0db622a614cf3dcb457f2333926198c3a18a08140b84cd5607fc7bfb55df8b2b056925ee163a411b320071717ac4

C:\Users\Admin\AppData\Local\Temp\DIYUkUgw.bat

MD5 2e919cc7ab18fefc7bd1b92cc5928082
SHA1 3322558454a02e7063449305970c58c5c6f6d048
SHA256 0c928b8014083f4ea71aeff86ea029f3d0aaa5d4a9e1531decc4116980decf91
SHA512 1911261d78e8f8aead4cd3b9bb5b835e7eef05a70cec0702deef81e7090fbca37c624a39489adf0dc6dfe43953cee09b4ee3218a30ecb47e140c56006b23066d

C:\Users\Admin\AppData\Local\Temp\qcIO.exe

MD5 4666c336394a81f651a3f7fa59561895
SHA1 7779aae1448132e03ec7b65040e1c1e930f7c251
SHA256 cd6538afd099855a4ecb38a3b5d83597c65f767b65f82e1d54c5d6fe0abca915
SHA512 b9449f8146b04bfb4a2975b25ae5f7f36e165d0be03a6f914a94ea98278fec50def12021f3f8d3b101b888119f438ce1a9df9cfb4e1cdf433cb3c51de22fdc58

C:\Users\Admin\AppData\Local\Temp\AQEg.exe

MD5 2c2d2414a847a079c5eace02a1301baf
SHA1 4879f875e41f8832985c00b6765bc6222502b664
SHA256 6877e4045d9c6d63c1b67292a9c1765b7fd15e918dcb08f723f53f9f94f97e4a
SHA512 b37e8373fe1a6b2faa5843252fdb84b769785be7229ff0dd3a62e5c49b8a5191cfe8a31180f1b1146de08715b99eb3eb936856b5cd98f533330925a842e0f627

C:\Users\Admin\AppData\Local\Temp\CYse.exe

MD5 0726b5aefc97fe9a2c1d30c7db3376d9
SHA1 351c6a997e8b71e9125c423d40039caaa54b5728
SHA256 903960cd5831771ba354c7b4de754522e0b3fa51a3618d1d35a6159537b181f9
SHA512 990710a170749dc7624318bb3bf963545ba1cc8cfe03390ad6142d3dc1946bf6dfd79f9bf66261455ff01926b67c366a926c0762a3a0071cf298ffe7bdd1fc2f

C:\Users\Admin\AppData\Local\Temp\koMc.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\UYAw.exe

MD5 e0d5967151faa39b65de61e968af4d6a
SHA1 f21367accd5110bacb40627c82fd5b8072995a7e
SHA256 df45ceadbe4c7fef41d462c6f642b0b5859eed6be9da099cc50edebe5615a66e
SHA512 30f0f9aaf294358d548c23fa2a5ce1fa8342db8fd4041a3f59dfd943945fe38facb6c1f887080bb806e84087513bedc9f560508fb8d4f10ccc9fb0688dcaf242

C:\Users\Admin\AppData\Local\Temp\Cswi.ico

MD5 97ff638c39767356fc81ae9ba75057e8
SHA1 92e201c9a4dc807643402f646cbb7e4433b7d713
SHA256 9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093
SHA512 167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

C:\Users\Admin\AppData\Local\Temp\YksK.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\QIwy.exe

MD5 01b50f2a06dfe3cc296ddf2e554ea58a
SHA1 cde5cfb30ea92e6231fd98d86b2fe709ad5f73d6
SHA256 cd7fcc4ebeb629023a127b012a40b1e76c7df2041006ae32a4567cc0c18fdbf6
SHA512 dfc1bd2c632188f23c2707c83f24f4d925b3d0a0adca7d89361db6c3795b485a3e86b5a02eb595c8b604012b152429d934cddece4f84df0b660a1262e7afe2a4

C:\Users\Admin\AppData\Local\Temp\eMEEQIkQ.bat

MD5 e73b81a110b1def1cb9f946c67f3c308
SHA1 c4f42e07e72f1c6c75e3b27a4150c2b0f5ff22ae
SHA256 fbcb13a7f2b39857eb19589d227493752e356fa9cb888a364ebc50e6f6b39e69
SHA512 0a911da15e88a2741431b40d4c4111f82d42892b0f5bd1d9aefc100c15b29c95be6a8c43de6f59cd28f5ecad69ab4d553bd7e65dc83224790c814bbca0db88e0

C:\Users\Admin\AppData\Local\Temp\SkcE.exe

MD5 6ff42735744a19d319e9df0b56b7c304
SHA1 0403b42b55228bb3ef27470da0ea9812c02bc006
SHA256 a943b013b062483b9c3fdded9b57ea55f0bc326f18b08d7e2a2a7c16ad0660ca
SHA512 478befee83d938365706697740affd307a49ef006ad20b16c74d125d8830abd0dbd1e6f71a8cba2ea546c13a374ba653beeb853da5c732185481b0fb4e989d4d

C:\Users\Admin\AppData\Local\Temp\CIow.exe

MD5 15b07da7bd785cfe4db057791fad9164
SHA1 63adafe596b165acb9ffae545a548c2a9bb4963b
SHA256 e0771ef92ddfc70473995e4b818cc45b03ac65fc3c47bf6c8f50d326cf411acd
SHA512 4f6f7ad4a1bc88098f9db5a7310ca997c6405b8ffc64bcf1577ea6334b60bb6d5b923b9944a2ad90eb9ba0097ccfbcd286f9acaf72cdd4721221c5afb4719504

C:\Users\Admin\AppData\Local\Temp\dSEwIYsk.bat

MD5 f8113b970513f39cc81d5ddac6ad9497
SHA1 580a80012a5c6a9dfa03ae207f85842c5e3d96f8
SHA256 b690dfd88f76daf55374020c94d0765fcc5b8883fafa8e6a26460c87b7172796
SHA512 bd27804b88448f3551781e08e7973aa6c6c1c6eda003d066f0b93d2af19780418953bc1fcefb506278220559051fddea5fcc9069de3c81313c04d938aeddc0e3

C:\Users\Admin\AppData\Local\Temp\ccow.exe

MD5 69fe1a941b0aeaae33769dc6da4c98a0
SHA1 97de1201040511b6701e73a21aab2f8aaa6a5047
SHA256 bfb64e870f70e8ce93691165ac642d29c286c4421e70a7e920e1f13cd90d3da7
SHA512 d9b6410d1cad2a2898318e3db95c33b1ae9502d1f29a655313b0a76c9c927654e476e3ef551c045cd145ecca02991e7fc5f009a95ae51e6deae50d84244f700c

C:\Users\Admin\AppData\Local\Temp\IMsa.exe

MD5 fc86a0b94b59fde995931870470e470d
SHA1 20d298e59e4604ee47c2974cf2a439d10a2afbf1
SHA256 b0ba9db3725381053a8170d01f5a1a413b789b589513e01c5392279b19900a5c
SHA512 c7c0da3909e4725c3f4cc466a69227cfaa19441c4fa30d38ea9c2150b91428e78d215ccb354044563380842aa6457f1fbe74e14974b049b5c6599307064bb1ca

C:\Users\Admin\AppData\Local\Temp\uAkK.exe

MD5 9eff75dc51d17ba154b530fa47a2b881
SHA1 7d4aae38731424df448d9a8334c00e59c1d17e8b
SHA256 065c33da59db9856b00f04694cf12489792b15ab14cb63edab8b091fbeb39363
SHA512 c3e5e57ddcd5142c4477f4559ccc10120410381219e9477cf155bd424d0f56c1741ca310f9fc708a0ed9d73610cea23da084d33889c8cb51574810239c83b44c

C:\Users\Admin\AppData\Local\Temp\AsQM.exe

MD5 d071449773b066e8aac1c3629745f3ee
SHA1 19feb38e43470eab1d6e834b057c3e49451d4f3e
SHA256 14ec8ada67283e50d8e231b07a9d2822832723eee4f38635fb22f53fecf94184
SHA512 836b0c2f70c50ca00cd79905c98dead6756af516b06aee5b7cbbd7a46673ce2e65e91a56b75d10d3ea24dbc23fc8d90c453edb0d20412b813b5b1b31996cdf90

C:\Users\Admin\AppData\Local\Temp\qKwMUEgI.bat

MD5 dd527e1a6c87707c0683bf51be0b4407
SHA1 8fd28d2aca47383649cd4afa1e40eca66670b01a
SHA256 d2992f60fe03eda5d5af01df85f22235df6c71abc73b1170c10514d99f398561
SHA512 8719f4ee6853242cea1054508e71304e571a48e26baf77529e85a7a68a7bae9c4faf94d287691374a17dca59d1f8d9afb23d1d42a5ce9e955caaf1ffe5331e46

C:\Users\Admin\AppData\Local\Temp\pmgYoogg.bat

MD5 0db1ae947dcd4b2f6892d29f61dd604d
SHA1 c02c1345a6b3de065dba02a984695d8101102f40
SHA256 818c913e6feaae0a11e8033b21ad96ee615db199c70006554cde94fe4a184e19
SHA512 c13eaf4201ad506854653b57aa75c948e27e27f0dab0f8af3f778ec769f0b524f1c43a96405d86526adbfe3a88ba280db69267f4008dca11d805371de9d93d33

C:\Users\Admin\AppData\Local\Temp\zegYccMY.bat

MD5 9943521c272d6d959431dae56b06daa5
SHA1 b428c8b2718b0bd65bfdfb557f0750b5ddaff46a
SHA256 ab932d108662f2fd39bcc20b04a8fd6860e5330bc051df3573337ebb4e622aa5
SHA512 11701d9058e84cbe353d34d28e9e1e820a235227b1e8e740691e76429637ac47136bdf9508d26614f8209254d747e389be255a2d3cfaa4f4f9f6f1cdc8c6edd6

C:\Users\Admin\AppData\Local\Temp\DMQgkcoM.bat

MD5 ce08a3c40ea48937154220367a699b1e
SHA1 fa12efbb8f62269ddd57cd9d2035faf4c154cb32
SHA256 72dc65ce9db72e0e858f81bd260862eff49bb562f1afc31cbed7dfadf798988b
SHA512 eb9bee3e5fa320dbeca52f0605c574a2e603f12330b11669409fbfd5b93b8b893ddcb3f3d5d2a872a276a8b911163170633eafd6bef76371b185a8fcb7f4376b

C:\Users\Admin\AppData\Local\Temp\yQoC.exe

MD5 d2d3bd973abab943ed2ccf3d557819ce
SHA1 3be1de814305c6c747fbbaeed69e95ec663bed1f
SHA256 767b7e6030cde98648fe183d6f05e13ed8834d7ac09ad789a36579756ca143a4
SHA512 3b66368b909914f3bda5e13f7347fa78a670c942597e92919a417ae8a0db8661998128557e51e697653c2a9e69ba568e067af6937dfa28ee6ab715a32067c9b8

C:\Users\Admin\AppData\Local\Temp\QoQIgEIM.bat

MD5 3f2176e19b7cfd310780fc59498dfecc
SHA1 ae183aadd46a02b268b229965144f3d9d4326b45
SHA256 c5c3720be5e903819c2fd6329f76168677f7e2e0d3c1ef82803d36598720b1c4
SHA512 15a121e637fa0deb99872a85b499f4318f0cba6b1752bef21ba08f45f807e37973deb055992de2020a6fc3f53f192ccf5cacd6d47af108c19657c4840d1cff78

C:\Users\Admin\AppData\Local\Temp\sosW.exe

MD5 9926941ca535684b40dfbb73ee68c77a
SHA1 6b625e2de262271d0ea1318e25c338bfd09aa5a7
SHA256 e414393a63b4d3da5d1a403e6c3f627373a0452e6ea86157b6c8747f07f0f255
SHA512 ec8c569d00b607fc9acd51d14ef2a07be352c1911996fc7697a314c5461aaad08257ba975f68c439a2d24cfc5a8051b96e4de3df3806c260566c5360abe53556

C:\Users\Admin\AppData\Local\Temp\Iowa.exe

MD5 1578e25a4778b45956d55b4418b96118
SHA1 9e50767d5784788e6436257642db699df785a356
SHA256 264d0801f58af42da28e29734a69a7532f19ab537440fb5e2d3636797f51837e
SHA512 2e8f7e9cd8cbb2b1d20570edb5eac66e040b6d1e872fc81cbc44d1becf81164805f2ea4152496544238b3ab7f7622eba9be8649e365f15895d7fe35bd79303f8

C:\Users\Admin\AppData\Local\Temp\wsQe.exe

MD5 c97f5f26b31c26538a04fcc1babab890
SHA1 b0cd314ceb1015518f594359fb0749c2cf65ae47
SHA256 dc7c48579f13f6cc6c0c0a70ae9a8e9ce9c86ffb57a9d212ddae366fd6733971
SHA512 b5e8be9e28127d759396db925494d1f8762396485b9e4139449cf67c5b058ec7020bb5ed526f2888752a51e08d40f8ea993a7b1e0f42d3f69487fbd0c23f00b2

C:\Users\Admin\AppData\Local\Temp\eEQM.exe

MD5 5868735e2893d3c1b598a9e2a0876da8
SHA1 2dd52a7f6d2bbd78033af312ab56434b081f860d
SHA256 a28483bb876a1440ddd4272974325f2538699694c591686d30334e1e2181f90a
SHA512 41690ac4ffaca0329b94542932b2cae8754f9e580afb5c2ea37f068ec2e1872c9312930d2cd1ea8afc54ad20c020e9f42240aa628bf9f89d7ea09008c485c6ab

C:\Users\Admin\AppData\Local\Temp\CaMIIsog.bat

MD5 9cdda6c302c89a42b4ff9a9bedec189f
SHA1 2e4d5d55db84f7513aa64b5d3cef39719dbc1820
SHA256 54ca05e8b6c4343cd165387d2f4d0291a57afa38dc3791df00a9901f0b8afc6b
SHA512 bf2d64d71da16a77eab6f036e9cda1e953cf2db21017b4b178bb6aa7a8dd79d41262b197a96aca2c1d72e8219c50ce8a316db1196c6a48ea0f399fd37a8a6f63

C:\Users\Admin\AppData\Local\Temp\wksO.exe

MD5 60749dba7cd7bf1d41165c125b41625d
SHA1 32873f30409c989471b0e666690ca930f27b8d47
SHA256 6d7c2b229062e2f72541d6e4d0a4978313f428c37b820903b1a98500eb64337b
SHA512 b779472ee27c1597054a604c944bc0d24798160eb5532312b20b8a5fe24ec034e1df9faa8939977a129bd4ecc54bad642dd0714e57cb20ac03945d1f0ad3e7f2

C:\Users\Admin\AppData\Local\Temp\roAcUAgw.bat

MD5 3004040c401308e81fa56767f86e1bec
SHA1 95dafd7032c8214cf3f50f1ef3c2c299b261b05a
SHA256 c0c955ec773f58b25140b236fac44ddc5888b4e61705616dc63b1f0250e68b69
SHA512 b0a8a3f6e9e38a805fd875cebf784e86abb72cf355aadbdf898c88a3dcf1a75112a77c9da147c58a0805962331707d78e31af685f3f7748507d6026acdc821c8

C:\Users\Admin\AppData\Local\Temp\kkAE.exe

MD5 0a5b876f248f93395957b6c40bbfff6e
SHA1 3de8f5eeb55915632573e0f05e955072fb932c2c
SHA256 74f7234f970973617fb8482f486fef0b97f026e1430c358f7026647c7766e266
SHA512 aa278b9582e77001c8a17616c7574e242bed897d85bde06e3783ff3ed841eaefd2652379056fccb892dd93b588fbe6aadd88630b63847463ec34df530a80fc05

C:\Users\Admin\AppData\Local\Temp\kAwW.exe

MD5 7abeb2d14ed89fa982115542adff96c1
SHA1 6c39db626f8134f8dcc213cf3b4079ccdc6e768b
SHA256 47315b55d61effd466058dfd7d67e38efc33439a683a1878f5be4bf9a820dec4
SHA512 36faef7cc0c919aea509b21dd2874ae6814eff60c7db4f867b6099124b9e6d236b4dacc5268d8c8d4198c929882c878b6124c39b999362f18515e0ebfab96391

C:\Users\Admin\AppData\Local\Temp\oaAcEkEE.bat

MD5 584cb49612aadda706113070b1a8baa2
SHA1 9d79ba4a70a6d9eb59776cde59df63b0994d8b0c
SHA256 cadc5e80a0beec70f3e6dfbb054172e05e0a240547b4f46a6b7ba06569472595
SHA512 78ab06e09af73f2d4e86f5be047d2cc6cdac23261c0c0ff9bddc17551eb232bf8b218a6dcee10bbe764b8d65de2d7122883c907a7c9165289d69f0ed537410c9

C:\Users\Admin\AppData\Local\Temp\MIQc.exe

MD5 ebd142cb5e78a332806549de10f4a166
SHA1 06b4444cd3bf26f1308b2b9518ee0d2ddb5d040b
SHA256 5c2c0294098f4979c4fdf0ca02dda0e86968d377f956d8161f97bfd78be710e7
SHA512 8b67bf29f303ef55bc2887421ce97a3dfd6df7f95c4c3c63c627c6659a270a02dc15cf4920d255e70f8ddd03f6e653812a061988edab8481e9cd9b98854664b6

C:\Users\Admin\AppData\Local\Temp\sQME.exe

MD5 d2000a34c2e966d2134cfc60cacec32c
SHA1 dbbcf35c9671a9e995179712a8f4033ea0e5e234
SHA256 1517a38aed170fcc61aaf23b7a827c02028d1e2fa68c58758e8fbe124c57fbae
SHA512 763111f7aee5fd0811644b43d969d450f1000c39478421e90ec927b749a8934a6f1d82a3ebdc9bcd29d8c1bc72b3896f0234567909bd60ec2faacf1365fec511

C:\Users\Admin\AppData\Local\Temp\GMYm.exe

MD5 4d14ee455f1eed6296866f1c5a3d66aa
SHA1 acbb37658a5eb1c657f4ec49e44e4716972e917c
SHA256 b8b1b255fcd1c94590812d8c968794ca3b1cb744752e01fa9c74757a0be95a62
SHA512 eb757b53e99907607d74657f53a8d4f1ac4c1c8e659d9dcd459fa47e9ce71a04ed384dddb4f7287176f68806c4d787d9b4212ca95635c840aca77ef8ab809948

C:\Users\Admin\AppData\Local\Temp\mEgQ.exe

MD5 5b0540aa2e1d93fd6ba84211b4e5251a
SHA1 5b8726f0f40b9572770b71241cf286eaccbfe6a1
SHA256 2866b5a6ba788813dde12eac3610e0b0640917e46339ce3fe61e6d3a3867344d
SHA512 37ad79a304377df3083e1a1e1e0f261e17ebbe55d37f7a3be95c45da99dc123ec461499b6b29c7eb032a15852154a5b429a969b38c457709c6d3911bf61ad6cf

C:\Users\Admin\AppData\Local\Temp\mYUu.exe

MD5 23fe9585296ddd76c440fd4d669a28be
SHA1 e49a5f3ff735df2ca5f452e799242ababc44e83b
SHA256 bb45ecb521923635ca128f12f3ac4690a16661423527ff8f518789e82cd9f272
SHA512 5bdba1d14cff0852c66db3771e3954974f109b1131f232ae7929720e92c2e44e7a780d7d735248822b03734ec824da0408df5350f3f33d9488ad1c8bd2c6b8a1

C:\Users\Admin\AppData\Local\Temp\Ewke.exe

MD5 311726e7d11a442e8eb4571053a3f71a
SHA1 6531bcba6ab96966161937ba8f9b02ce3af205cc
SHA256 bb94463715e09b4e80263b045bb29f7a5ef035d39e41e3ed6ef0ccd1f779c034
SHA512 e8d950a56521226da9ae2336f1a40b499405a499e22098b2cdcbdaaa10e135a8a8f713b317d7887c8364c018e1dec37201f026aa06bc10510c1fd56d94d20a45

C:\Users\Admin\AppData\Local\Temp\IsgW.exe

MD5 6a0f195acb6359b4de30a316ef7d780e
SHA1 a02820fce466a793a5a3e2ae9d948addb2abf96b
SHA256 e916df3251c4a50acf427141fb2272dda040c93fb61ab77aafd53e8f3539b6ec
SHA512 90e077f22542b9e4c586240a8b629a66695076a7636e23847340ad8573fb30830745b930c115aa5d91b64e2c70b7f495e3f770b03743aabe2983f63d9d29ca39

C:\Users\Admin\AppData\Local\Temp\mEcO.exe

MD5 4d57d15c788c070fa1216fa3b8786f83
SHA1 8e50d3f00cebd75ea9b5b4343eeaa0aa4ce55b66
SHA256 3f1adafdd2f14e88736cd988b94c7c8d2642bd61ccbd1c523fae6202aea65229
SHA512 30b9cbf21f19beb22595fc1207e84683a8cf8759c9d9dbd6fda927907f8013778ef2a4fd1fbe6849702f5f6112a479e9198c36c3b3baa7d8790bb9536c3ef4fb

C:\Users\Admin\AppData\Local\Temp\KEsY.exe

MD5 4b7eed1194c11b6c89bd0fa5f8d6464e
SHA1 925ae317e8dd1d3ef4b66f8bf0312e1eac80004c
SHA256 7961cf6d99cb70b98a7ef5aebf64125c02b303ff10ad5eda6f85f4351ff5461d
SHA512 ac4c312f23d2991dbaebc8f69ad23cd1a76a8b625de8ccb4ad79045a010b2da0f2f0de00efd120df9ac2f41edbc1eb5b10b83cc705f81b61aad908844f66b498

C:\Users\Admin\AppData\Local\Temp\gGAgMYAE.bat

MD5 90ca7031dad9818eb6cf4289b70476e2
SHA1 1bcbf3f93853793a3df6327ba4e861384edcb990
SHA256 3de6cc2edd16e0395a48fec0255882c44969d674b45454bcf7110e61094d69f9
SHA512 eb5ab28eba6cad02faeb5122fefd324b1dc42044db038070569124913503dca8984f4dee16a35b9f3cfb4ff6b185fde7f37877b91b65239327f74e55a02cb223

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 19:29

Reported

2024-04-07 19:31

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (84) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\ProgramData\aqQgIgcs\nugMEQok.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wOMQUkcA.exe = "C:\\Users\\Admin\\tqAAUMkU\\wOMQUkcA.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nugMEQok.exe = "C:\\ProgramData\\aqQgIgcs\\nugMEQok.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wOMQUkcA.exe = "C:\\Users\\Admin\\tqAAUMkU\\wOMQUkcA.exe" C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nugMEQok.exe = "C:\\ProgramData\\aqQgIgcs\\nugMEQok.exe" C:\ProgramData\aqQgIgcs\nugMEQok.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OCAsUwkM.exe = "C:\\Users\\Admin\\VYoQUkAQ\\OCAsUwkM.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rIIIUMgc.exe = "C:\\ProgramData\\iSQQoYMc\\rIIIUMgc.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A
N/A N/A C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2692 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe
PID 2692 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe
PID 2692 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe
PID 2692 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\ProgramData\aqQgIgcs\nugMEQok.exe
PID 2692 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\ProgramData\aqQgIgcs\nugMEQok.exe
PID 2692 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\ProgramData\aqQgIgcs\nugMEQok.exe
PID 2692 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2692 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2692 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2692 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2692 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2692 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2692 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2692 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2692 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2692 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4700 wrote to memory of 3908 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe
PID 4700 wrote to memory of 3908 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe
PID 4700 wrote to memory of 3908 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe
PID 1236 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1236 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1236 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3908 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3908 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3908 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3908 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3908 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3908 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3908 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3908 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3908 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3908 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3908 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3908 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3908 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3908 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3908 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe
PID 2800 wrote to memory of 736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe
PID 2800 wrote to memory of 736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe
PID 2684 wrote to memory of 712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2684 wrote to memory of 712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2684 wrote to memory of 712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 736 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 736 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 736 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 736 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 736 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 736 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 736 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 736 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 736 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 736 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 736 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 736 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 736 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 736 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 736 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 696 wrote to memory of 1588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe"

C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe

"C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe"

C:\ProgramData\aqQgIgcs\nugMEQok.exe

"C:\ProgramData\aqQgIgcs\nugMEQok.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWYQYMUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\besEoAIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCMIwIQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yaowQgUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYQQQMow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIckwEss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAwMoEYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgkosEwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwQUYEEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gagIQMkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QmkYAEUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icEAkkcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VYwIIEQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmAsIgIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zyYgEAco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QsEUYMUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAAcYgwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKgAsUEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aagMEUQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKYMUogY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMccgUUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WGsMQwsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUkkQMQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKoYgUwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqkMsYQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQAksYYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWMQsosU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KksUcQAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cUAwookY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keEkMMEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEgYEgkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oaoIssks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUgwkskM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OawkMAIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\poAgYcws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QewwAwgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMwAoggY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQoocIIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwwAIQwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muQAgkYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqskUooo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWUEEIMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekQUUEUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hewAkIYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUYQAEQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQcEMMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcwAosQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWAEkoQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMMkskIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEAAQooE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQUIIAUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOscUUgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DecUAcIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQoscUUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyEkUEow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hioQokkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqIAQgoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\riwsAYEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymgUwEEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySEsgkME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QekcwkEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dyYUUcEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWIwIMIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GawswAMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwUkoAYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeIMUkwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FowAAgcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiMkwwsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsQsQsog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeIogEwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAIEoQwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAQQcUwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cacIgcMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIowMMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqMUQUsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsoskUkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQgAcsYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv YPSmr23Hi0Cumo1Ks94P6Q.0.2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\coMscMgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKkQQIYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LeYAkwMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKwMwMss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUocIUAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOEMAcIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSUscokE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWUkEMQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sowkwEUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgggIwQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leckcwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCAUocQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAkwUYwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kIgsUcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIAQAkcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKkkgQYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kagkYAsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAoMAkAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OSUsMoAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkAwYEos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsososYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiUUAwss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGcMgwUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\VYoQUkAQ\OCAsUwkM.exe

"C:\Users\Admin\VYoQUkAQ\OCAsUwkM.exe"

C:\ProgramData\iSQQoYMc\rIIIUMgc.exe

"C:\ProgramData\iSQQoYMc\rIIIUMgc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dskIwUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEAwQcAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCcYMwMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgQosYcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TossYUYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgYUsMwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgwwQIsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQAookEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUoEosUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 932 -ip 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5000 -ip 5000

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkIYUwwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 228

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 224

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUoUscEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
DE 142.250.186.46:80 google.com tcp
DE 142.250.186.46:80 google.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 46.186.250.142.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2692-0-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe

MD5 aa00012833b27e6b07b6d2eed3b916ae
SHA1 fd083cabc62bff9381351f34eae3be178a35cfed
SHA256 ca1171393ffe73ae7c363b677069ae2f3fb141c11e07485b3c58fad6adc7d976
SHA512 ca6d280bed3753186f93d050ef7c5ab650477d5da8737d3646f7a1e2dff9d2790ba06baa2adbd8d4c64814a6c44850bd0fc317d9ee75d579381b156b1d8074bb

memory/4312-8-0x0000000000400000-0x0000000000430000-memory.dmp

C:\ProgramData\aqQgIgcs\nugMEQok.exe

MD5 c3baefe3d7f5349c6198769455d158c7
SHA1 4a37b3485b4e1b12a5c7f283177dd7f7ff6f4c90
SHA256 04d7e9cd4dedcf7e802c3b135fb08e3ab0c053c84435e059eb7d0bbd08caad21
SHA512 b2a8cdd5d4bcfa8268fb1f135550d403ea99e6ae821970256c577f0351b37529fed1bc5e4f0c92a19ce028ad9ef39e7781a66dfc74cf938a537230993eb3fdc0

memory/1488-15-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2692-21-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sWYQYMUY.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock

MD5 b7a1b79ee0aa71ff5c2704e112482771
SHA1 4695cedee75846b343188b9cdfff6b443766df32
SHA256 319296ecd18ddcfa1ac858cd0604c1a22ef1b39951806d93ae04906917481b1c
SHA512 ddba05c444613efc4c2b932e44b39275fc8596e571c95e3e5de8ff02881d45deb4df84a10104b768d45136c0aca4505278c1cae0e67088b08a97ee74c585a729

memory/3908-32-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/736-43-0x0000000000400000-0x0000000000431000-memory.dmp

memory/492-53-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1588-57-0x0000000000400000-0x0000000000431000-memory.dmp

memory/492-68-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3056-80-0x0000000000400000-0x0000000000431000-memory.dmp

memory/956-79-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3568-90-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3056-94-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1540-102-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3568-106-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1540-114-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3544-117-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3544-131-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4252-142-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2236-153-0x0000000000400000-0x0000000000431000-memory.dmp

memory/116-166-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2592-178-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2340-177-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2592-189-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3480-190-0x0000000000400000-0x0000000000431000-memory.dmp

C:\ProgramData\aqQgIgcs\nugMEQok.inf

MD5 c6ea4278c27e0f7ced246600a0acde46
SHA1 d805756d92b8e438e60ad5f00ea5f6e738cdb8ef
SHA256 961c408809939c3c5b6e059f9aab50b1ef559ac364a8c12811dc2be43353138e
SHA512 f4f6f6201c2f508304e87eb5ffb87d532f1fac5c1f2e916196451bea199fd37812dae5d5cef6d0fe8c82c8ef0f6ea79c1ed3d955db1d3f2c1443345de1063fdc

memory/2584-200-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3480-205-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2584-217-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3736-225-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3604-229-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4924-240-0x0000000000400000-0x0000000000431000-memory.dmp

C:\ProgramData\aqQgIgcs\nugMEQok.inf

MD5 ae5fb469ad56675b918d0825b41fb857
SHA1 d849ec78c35071835f8cdae69ebaeac651f39b78
SHA256 62e7a596747e8d2c990e358bbb5784f58c712ce6d9e7fc7a491fe463b99fc049
SHA512 9e7e86f43fde8aff227d61fd7c12c2a378cbe2ab986343fe34006849f4adbcd0c1c1ce1d83bc0841e2b0197a63490e6518b7edadf6c7b7ad7db92522463c3be6

memory/3736-241-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4924-255-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4428-260-0x0000000000400000-0x0000000000431000-memory.dmp

memory/340-264-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4428-273-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1468-269-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1468-283-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2500-291-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4288-300-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1800-299-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4288-310-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4236-318-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4228-319-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4228-327-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4944-335-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3396-336-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3396-346-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4468-347-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4468-355-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3020-357-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3020-366-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3936-367-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3936-375-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3352-384-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1124-380-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1124-393-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4680-389-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4680-403-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4504-411-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2436-412-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4328-418-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2436-421-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1476-429-0x0000000000400000-0x0000000000431000-memory.dmp

C:\odt\office2016setup.exe

MD5 afdea8b8da1f77f06878b1d420280b35
SHA1 fba62006e8151942fe4c7827f22349729d8ccc66
SHA256 6a8b7b37ef99b9df4bfb5c172811b19443be34be770d8b00053d7bd301c85249
SHA512 74633bae95b7ff1bc8951fc50402e4cbbd91ac72645bff9adb89d34bace866f2ca74dd6dc6f628579905e66649042b9a12274268d4be0b1882fc965e7b1b3789

C:\Users\Admin\AppData\Local\Temp\YccY.exe

MD5 be638632a05253b57c880b977cf12ae2
SHA1 2691f0591b1bef6cd0c08323404665563f6c0e03
SHA256 8fcad6e9f2c42e3ea0fc71056b25bb121ab80f4b2238b75d80f8bf58f9419314
SHA512 6ae7afc1d8a0b1e011d0d80154d427ccf8d48e554af3b98a5f7e05f685df51c9abd64fbf49c38c63926691c8f8907fd443273b8032dd77a9c36735abdd00a518

C:\Users\Admin\AppData\Local\Temp\SYIO.exe

MD5 0b85d26ab94c6653556f46d8432e4aab
SHA1 0bbcb4e63cf8d0dc9774ef5a4e912c1564f726ef
SHA256 04d8e58b4bb0283005d9cf5a11877a5655310938039572c06155159daee53daf
SHA512 5b0a1f190a314723ad730f6f46f094eea3f94788c7232a0cff6b13155d9780fba8fe89eed88a2414eb41dfca132bcef13d2866d0da0ff8a0d07d70875233d80f

C:\Users\Admin\AppData\Local\Temp\ewso.exe

MD5 7408322a26fb4f5302254c32745c6b98
SHA1 5e825031360d6ee1a1bb9ee7899d8e510e3167b2
SHA256 c13e3800c603405491d62aa918fa03c3a8b06a1593ae5bd56c175d52b71a9adf
SHA512 071a08104e47ca9d0e166e897ef2297603863a517006ff56e452990129eceb647a4738299734576cd67e15ae47b3c345fdea494b31e9ecaf35384d61164147bb

C:\Users\Admin\AppData\Local\Temp\CsoG.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 785a3fab5c7d710ebb5c5c47379f0a40
SHA1 20b0fe2b74a87b638d449d79c6e5a305e98f8b83
SHA256 dfecef086bda5199297700ff9f60bf5c672c5c49e65f764c7226525042948701
SHA512 7bb8a497bcb8070c051333ec42ed8ec9fd452ea7a5c621cfd566c6497181800710fa28917774fafeec1314dbb49fa8a9942d82bc3fd5b67f1666fd379aaff05b

C:\Users\Admin\AppData\Local\Temp\FMEO.exe

MD5 b9c21c6e8253b8e01e6fff57bb23e382
SHA1 6740bf4965c43c2b6ae90cd493c166b37d1e34ad
SHA256 da4889f5d7b9b5a671e2b97deea038091213ef48766b3b0467fb71d6cefd1052
SHA512 0c4be051c6eb72a4d9043369f62b79ad3c83fa5b5a9a4a7a825a1bdd81044b1f0b063b59405043030c750c98e40a56eeabd84316761566d08e6e64c180cc7785

C:\Users\Admin\AppData\Local\Temp\IAsg.exe

MD5 9c83431be3d5112e4cfe25bbbf727771
SHA1 d7b331e29379477182271dccc0f1cb48c227f305
SHA256 fa66aaae771b8bdb9581f6c5b037bf25baa4b41ba5314a0669c4a5dce9169302
SHA512 dc56909e4de37238edc3767f7bcfb61d08662ccb2903165b4772d3068b9147331e7a63542a681b7ea78c9ea8dacbdeb41f1c796c3ca1273f101aa8294965d877

C:\Users\Admin\AppData\Local\Temp\mEcQ.exe

MD5 d91cbae17f2e31987cef1841deb5ee04
SHA1 022c05d10e241d3b3ed37026897bbbc9036bb3de
SHA256 eef8ccf277f2ded6832c03338265960f940667fc65d47550858291ae1ba51fac
SHA512 b0774f3a3d8a7278b78a1647f910e83ccea62ca435213c2fac4d8b09abda5af4d92556396d82375cedf35737c3a91727ee069282da5152945ccf7d8cec8593ad

C:\Users\Admin\AppData\Local\Temp\BIQU.exe

MD5 00aa23b86e714a5ce5a1ffdf44482fc0
SHA1 75b704fcb7a8cc64761e41aa2285b5bd47f12497
SHA256 b576724563155189af9ada221cac439ba6eb9ba5810e05b070f5ae8b645a9ca2
SHA512 1e8d844e46504a8d08a907ebe171eef2631500bfbaafd93b70c27bca25f87431f0091823093696eeb080402b35687aa3b6c0aa4405b22afabe5beeea8ea68ece

C:\Users\Admin\AppData\Local\Temp\jMEa.exe

MD5 f1dac0cf30a8b040a3ae32a5ecf29431
SHA1 01f733912909dc4e02db5955d18fd24829f733df
SHA256 c6d55b124be0e4e6cf92780a6ce65ce8b6c23971873ef6f4169925062c29d2f5
SHA512 a4a527492e03b1df603689cee01f527cb76d033356063d61d2591332105bc626a23cef3ab073ef87987e2d11d746ebdfbb4283a04444b585c274a7df6ed53d85

C:\Users\Admin\AppData\Local\Temp\iYMq.exe

MD5 0f45a5ac66cc11183bf6cc957e2a9953
SHA1 00e6c86a26c8fe0d3a1d2578ef2891a6ead2fd3f
SHA256 a0230f224ab2ae3aa70418a51c5027fcdf44b4fd36bc473e9efbab54f81437a9
SHA512 d99a4e53600d63a2c254736220a2ea13373ca947ee552e6e7d64dac6757ae3fba64667caaf6d60508eb3a49e7c19097408d574de46ff8ab409454f26fe1b5250

C:\Users\Admin\AppData\Local\Temp\rsgS.exe

MD5 668e0e70d51424dcf8af610f2fe222f0
SHA1 8ea684f56028097e387c92d51c4fee6f2b7c1232
SHA256 859c96eb74d8d7ac43fb1c36c21f2ea766fae56598a6e71239129489bb50b134
SHA512 aa037847700eae7f5df57618f85e5f46bd2c0afbac9a1ed44b26894f6047bf3f34ec6782707473059d452d556e1825ba1da9ef6e6d3e134ca07885f75eb2105a

C:\Users\Admin\AppData\Local\Temp\LsQk.exe

MD5 d356a5cf14361d1324c27c453254c441
SHA1 82bd1da8bb37a876ac764b6c8561c0da2ec2015c
SHA256 3916db2f61b4e481c3f6b74aaaaabeea1b47d6f367ceb2e259ad67e324df9e00
SHA512 e5cdaad44b430c39d4c0793702d3e04f57c6ed10c24ee6a3b9a7f57e290336c1cb8c9b4fb8da29d58f9fa65f67f0bdfcb7579b3e06bfa08404a47ed7cc0fb974

C:\Users\Admin\AppData\Local\Temp\ZAwK.exe

MD5 97014d053cdff38b66b6bca37a66b37b
SHA1 e5bbc0cafec69869ea3565ae4a2f4ac6e75c7c9b
SHA256 ff92f6cfef22aa5d9d680c1c83bc9de9cddd6e770279119268e8d5b2048eb717
SHA512 c1604de7661da2d7988aae8709bf7dc30df5eb7482d96d0b131df81d752ffa772b44de305421e99d80bc5427e3ae5b302b7d65bb8b199e0bf327ff16a639d62c

C:\Users\Admin\AppData\Local\Temp\kIEW.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\XEAk.exe

MD5 d71439433923621a1b1bbdaea3461846
SHA1 46f665c537b276b8f366a0c9f8493f9906e2d9a5
SHA256 89c7bd6e99d35a99243b3aefb3180da5fbf950d58b36ee2e53d5ce83fd889372
SHA512 df64a5e0608a5c9fdf3fa24c78d8021aadfc6a773ab63d333230fa3c2ca91a4f37b3b38b4b094bb7522872f445fe4eddd1bc1719562eb0b2d40aa2417af53ac9

C:\Users\Admin\AppData\Local\Temp\vkYU.exe

MD5 68ed83a0e7aa3f1d8ffb8295eb917ef6
SHA1 e56e052f251d3b64387c0baa2a714c16f1f31ea6
SHA256 f2aae5e3c4ad0ce0f8c9b0af8ce87b7a2a5350633cf5e440f9ddd251410918ff
SHA512 ed18b955de2ad2a96605a7d5b0fad0d5d1e926377c1be20134379dbc02345f84cc718c930bad6e47cd4de33ef80a94d29daff57a1331ef11f3ee5e751bb0f673

C:\Users\Admin\AppData\Local\Temp\KkgW.exe

MD5 0f4f8907500ce6061a342446b004f4dd
SHA1 31b097e686f3ae8046bbadfa42e461e1653a4e73
SHA256 7bdec7ca030f9febb3b1a27e635436cadae98a28e48ce60efd89d397de099368
SHA512 5b398aa6bca2dc30918274bdf101fa0f1ee12adab6f8e8c652479ca5d0e1d6e6f10e463c9103a2f25c461aaac24aaaa4d3d613087d15f424b3ade101006b34a4

C:\Users\Admin\AppData\Local\Temp\hAAo.exe

MD5 7f0d1304568aec8389915cf891dcbd38
SHA1 929bdc7a7dc4b804ec2b03e844bad48b8cf172be
SHA256 b7c40e89aa50ae1b9c4d060026f6a4574159165668fea9dba0053d710336f236
SHA512 664e1afbcacc7bede9a14fbfc4e0ffd5a8f6693cb3680c22990e8206a7751b96f0576704c49fe76aae81fa317d46146007188db8fb77abb804e0dad3c19f426e

C:\Users\Admin\AppData\Local\Temp\yMAK.exe

MD5 b7481ddf055608ad2f42519e06027c5d
SHA1 545c4923ac3fa1e4d40ad0f29330273658f7397f
SHA256 e3f9c245dd501a5f32eaa39a72a42d69f2fe4c83957c79bcc59ae1a05e746804
SHA512 1ce67e0ae5867328d64d914bff5e9047b18619379ad03bc778a7008c7323532a29ec106bb25909cebce6e8a24d1c1e9766b0d017664583a803226e5827cae3ec

C:\Users\Admin\AppData\Local\Temp\eQYe.exe

MD5 9fee7d23a907b64af14ef0477926033e
SHA1 ac1b99eb48798332e5152cbe153b50ec04849091
SHA256 6d99ecf52d445e023441f2d72088514d0894567763dcc6c68e248df2f120ff98
SHA512 2a6bc9f15039403502141167d33e75ee57979d2097c0c177047b085a2b631116140f57e2b811912c054f4ac7b68019b711cafe76f40c32daed21bf5568396eaa

C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\windowsdesktop-runtime-6.0.25-win-x64.exe

MD5 0cd4925b6da6a94d18472adaae4cf715
SHA1 ab334e8ecaff1f61aaa0be5d7abccfbcae41ee87
SHA256 08cc003cb5b07f63582c370ee85a9474da8895455c68dc5af11b3683fc2d69c9
SHA512 809654c22b38ff313e159e6180fbf659cdff020ecdfff98556fd9533285e2fa8849a8c36e2fa186075cd200ef8a698d6b1fdb0dace7cc061ef3fd46dab08ef7f

C:\Users\Admin\AppData\Local\Temp\QgMY.exe

MD5 0fbcb35ef77cb93e012f90c41c9cd547
SHA1 7298afe46d069089256fd66484573d55a1c6d9ad
SHA256 27c7e9b698d4c172c62781812e1ebd1fbeeb7e8e40d59d7f8aa214d7bfd1a9b0
SHA512 dcfe7b0b0d0493a8bdbefe4a7eb17346b036a7db59728e92f719acd1395e0ca583ba29ba2dbbfbc01b034bd18091d9783af4a06ac6746c216a6c870f6860b5d7

C:\Users\Admin\AppData\Local\Temp\CkUW.exe

MD5 f8d6a86dfeff1b41427c728840d9e811
SHA1 855abf8484c61b17eacb1c8197740b462de51381
SHA256 b2c45f72f5b03bbc236d353b5c1bbf5206cac4a38ec0e9eed5840911697a30c1
SHA512 9460ac84a7015fba4e2a4f6008ae7edc4011b94a78f1865b24f637e3c4101bc7df1cc0d87952b8a0a70545f05b2d0222d785b698092bd1a74ec61a28ab56fa33

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.exe

MD5 0f9005076829dd8927277031579937e0
SHA1 238de94fb25abcff9fca8352926051de6544b4ee
SHA256 609a52dc1c7265efdd511e6c162c4f2c253057f124dd67feb2f52e0a2da9425a
SHA512 c8536e1dce70c659400a297aa48bed35ae7730d7335867d4d9a881691e92104ea20c03d16b4739941c5f68968741cf85cec1da53917eab63a533f0ddfe0462df

C:\Users\Admin\AppData\Local\Temp\dAIS.exe

MD5 f3511fdf5e8f9d763dc44f36e0144ea4
SHA1 1967abb6f5eeb7a1d3d17573248655dc66c8a0dd
SHA256 6a3683344353619ab921c0d983a4360d58c17bef502026b82ab362dc905072ca
SHA512 b4f0527aa26c1376241e8b8716c4b9a1d2c26431fa2a0876950142812424f4478147e5f8079a0182acb61c7ed873a30612c0121e84f8891b22515fe698df4494

C:\Users\Admin\AppData\Local\Temp\SkoI.exe

MD5 cf11e3a1c7b53bf9fa87316be2905fc4
SHA1 ded1b8a85c611cd0bb26ed0cb2db73188dff7de1
SHA256 95f8bf9b75a27e587951b85eda758ab5e87fbf9cfe1efe1e2700624d26768d0e
SHA512 96745e307408fb444097d2fe86738917de530f44e5d8334bfbf2d30a350e918794536a8122c93191eddc49859feff0b05ac260dacd992c036fb33c00b1e5e987

C:\Users\Admin\AppData\Local\Temp\jAkw.exe

MD5 60892ac6f1a893a6865aa12eaab65458
SHA1 150238c23484129b2b533bf91f412de6f3956db1
SHA256 2273cae04ecea6ec76db068e25ac7817978615592c9ec86fc2245d7068de4276
SHA512 837a1a7e5776901b07b5297b56e4d13598e37f91b72393380e1d086f5dc30949666c1ef28b4626b5d0dda867dc2cb14989409cbd68dd6df160f3e522666140a7

C:\Users\Admin\AppData\Local\Temp\cgwG.exe

MD5 263c508670ba7c6fc2332e3b42e5916e
SHA1 0bee0884d1d3e41f0b7c4eb5f24d8a1020f92e3d
SHA256 ec347d8d61b1a23696b95bf6c57b876a9aa2f6a7b418916c3e1b9789dd4356c0
SHA512 a2d786db75edb5e8836049e5d20591e9ed2efd1bb74c9c17bada7a1212818ecf7a427ed658bf4e7df737c3a118315d54524ae2bf854fb176d4bd616a54c41e97

C:\Users\Admin\AppData\Local\Temp\AowW.exe

MD5 858c09bb8efe1f39b2fbb79c55f3445e
SHA1 8fd848dda3db701124168e01a241afd367626296
SHA256 31997c6fae32fa99e47f8c720adcd95c94c54f4d263165a4bc66bfb98dbae1eb
SHA512 273d61161f9713ea48494ff3129c20ef8c0bae5cdce6d9708888f7adc537b9b143f81b6ddfc60da04aa29d387e38babc8657f058e946a52fb39ea506b104eae1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe

MD5 a4c142a50b51a54f075bbbd4104b4b49
SHA1 6a6caa9740de201a2c0538110085ff999147714d
SHA256 fcdd0f54231ece69d615f856b2fc92f8eaa2d98cda5c7100a22b1cf58f0ebbd3
SHA512 2b958e7dd18e7aac9defed4dca64fcd610980ddf442268ee9e4c43ba928a8b5e2dd15d60db758c6d23e32494174c32ef184c3fec71776357f0e4dc17f96c786c

C:\Users\Admin\AppData\Local\Temp\HAse.exe

MD5 90aa7a7e65697774860a923230267f9e
SHA1 9f060b7a8f8006a706feb8f928091565824d5cca
SHA256 ed435f45336bb8a45f615bd1ee834d59013747c6bb709977dd4ef791eca82c71
SHA512 0efc33b11561788507783f8846d106a1eb537b813ea4e117a7477aec923ef6876b41acb5a5219a7a68a9e42b71c4d63022f904891c9ad7c80dd9d83f0e8d5e54

C:\Users\Admin\AppData\Local\Temp\hAMC.exe

MD5 a1635862e65359d711a506ee02349681
SHA1 cb77ed674adbcfaf16088d3ae69f099534d80193
SHA256 699314f661c56ec5cb97dea8cae8128950d3d80bc349139e68044ed53bd20088
SHA512 601dbeae78f3ccf354285b83f5e86c2e4fcd49f1bf0826d6ce1cd4ce18a86921594b0d5a390ebe20bfe974157f1a0a22dc2e8e95805b670084a18cd440b9d3b3

C:\Users\Admin\AppData\Local\Temp\DAMK.exe

MD5 01a11ee8eedb0056ae61591f2ed0c619
SHA1 be69ccfc4dd3d3bd9de795d76c3b2921fc0e0932
SHA256 580a734c7c66be5a76bdb4ada0a2ef6727f557bec03d307505ef46b1cf283d3a
SHA512 853c20ee1274689a2332c1cef54c1bad5139b1e57d0af492508fe9726ba9cce25e45c31ca298ca23685da7cc6215816cbc96b87e8dafd4c84df0df3454672524

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

MD5 881966e9a28e89ffdcbceec77bf9482b
SHA1 ceddbebf200c71be6cad194bda2d95462457d200
SHA256 953e6579ea1e66a5bcbdf372059e18bdd65ed64ac0875d2065279563ddd78f21
SHA512 0896f8d135f6df683db14ebf5fcc5a6e053d670d4319099b989ecd9388b0a076310999e5cdf3b6936bf12d65704293363618b8b7d5a7e45378ab573060049a1b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe

MD5 060c859a46fc63b3469c6a163faf562e
SHA1 f6db0f3199c2ba03c17eb6d9e3ff4038f0f7d850
SHA256 2bd77cc5234f4c9a908245379cb617005bf62fb24524cca2b27c105d5d5e31a2
SHA512 c7f8a63177c784a5e19e0ec8d2fd09cc2c3347a9c7dfd8abb642efa3b4351ec9d83d0cf3b875f1735be8d5b7bfcf3ddfb111dc33bebb98c95989e54506809c55

C:\Users\Admin\AppData\Local\Temp\AcMm.exe

MD5 e2832b8951a9828d2d7a5a8483dea351
SHA1 ee268000b5541c48f7f6b1151dd86b78ca0c9071
SHA256 8515525b064ed4aa72aa6a1f1508f383db62077578053f5e8e7b2e212c57bd0a
SHA512 26b95478ba5697c0b733222070c399b393722eb1fd8fbc08efb07a03c41081ffc158fa0bd6248f1b12ab69eef386e3fcaee9c22e15f32ace95b27d64066a8ea9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

MD5 0efc7a7f204b9f10e581591e770acaee
SHA1 dc0dcc1a4302d2f1684ac0427fabd536f631ce97
SHA256 5e59bf54ca77182f53baaa1678f91ee106c724dc2287c61dc43bb9655cbbecdd
SHA512 ad7dbfbeb27ff4bc91d8e5d6b0e5783c2da23040b711313d95d8c5624cc8573b674e632ea40b93c09bcdb1d4fb6102328dcf1e4ab874ea60d78dc7c4f9ff17b8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe

MD5 fbb8d3948f532baf420d53c52dc44100
SHA1 78462fcf330f1545d7b68e48506f5783e0e8882f
SHA256 81e757ec949ddd26b69d0852e3969389ae700f3695778f3f3c3fa64edaae5096
SHA512 2e806dc92fb9eb0978732ada15f88df4916f0379bcc33cd1d3e2f36205f5a29414d1f58d95b05f5eab613a1225a9640b31bca76fe44a10ec085967463c4f3081

C:\Users\Admin\AppData\Local\Temp\csYk.exe

MD5 d208f4c12d8ee23e2ceeed4df1037c00
SHA1 dbe172808f286dc3a08a7f53a1988166e7e762d0
SHA256 20dcf47d3459bec4249781d07e662c8cbcafb719e1efebb7fc826343506f8112
SHA512 0b7db1388df3c55461da565cdfeccbe3b01a615302be6a53b85e94eb2b27dfb56ad246eebfee3c570815f7bf8f0519508f13db72b2a90992e1779f5cdb3c6585

C:\Users\Admin\AppData\Local\Temp\lMcg.exe

MD5 1310b88d0bee2e3a1492394f93bd26e4
SHA1 21996b68e17c68b8c1423c60e5b89f7f64be4214
SHA256 bca2a814f8e919a03ecaa9605b740dbfe9b1c31fc6f4d1ad3e2ebd92b18f6e19
SHA512 56f30f0de0ba1a78551ca2c1c2ebcd3a22568c3e36b3e798432e3b0e2797796814efb404b287a052d8e8811ece988ff7fd748ff121bd7394cd1fc3c037aabd65

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

MD5 d78132b9fc3b166a3b8293bab55cc5d5
SHA1 16c140d13fb27ca76d7b66af61c685f7038ce94a
SHA256 07cd6d966f3b3b479fcbc341b8abf9d375170c851d4b5d7dfde8861334cbca45
SHA512 b3fd729a81e5ec088dc876de165bb103bfc2f974d6bf7bec425750a242d84b5f588dd9111a7db5164ac0bb7712d2930d0057f9fed1bdf2dffd02a6bd3f2d3978

C:\Users\Admin\AppData\Local\Temp\Hwge.exe

MD5 8a01295b40abb5ec9d1d565d12ad9e68
SHA1 1927fd04674f9c603ef6d25a1ba3c78154cc4853
SHA256 897e36d649cdab94ad4167815d15c20f86d680a8b769fd2cdeba6c0af08a4740
SHA512 1b06a8bae872a73e2a6fcbb251e8b5c4bf71acb7dd3d5d5d5062e5364e799fd126b3efa3b3f9c5eaacb5e1751f49e9bc63386286c54e39110ed7898a16c8fcf1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe

MD5 728bc5aee0c7440a0d0a353080ac6861
SHA1 02eea1e87851bb0930003ae0b793beede1d03a19
SHA256 b77b881de55c4f9422cbbcafdade21a73ac17a8f48c002eceae54228966acb1f
SHA512 b23f66b01df55f5aec7eb6941ce092c1b131d832be78acd09e7185e0c1f0d8df961452daf60c84fc2b9975e9729f1e6772644546d562c6cd1af8c0053f27a0ec

C:\Users\Admin\AppData\Local\Temp\OcQS.exe

MD5 2617e96bfdbbaf12f7381c24b6c0f90f
SHA1 e9bc74b07ce3f099f9f933927fe598d4011fae7e
SHA256 5566d9533d5f8ae5b6d51b8cb85b9ab5420381ae3e68ee42ea68680bcaad3488
SHA512 02bedc2684ef6ba404c3cc3af0742e2b43beaab97ddcd9eca924747a32c60caf2515e58bacd09af2648f1d21b1b3ddb1eeb50e778b1c6d5562e14a3deac1bae7

C:\Users\Admin\AppData\Local\Temp\LYgO.exe

MD5 9c64be5cb04b2a7933ecc3a9db1dd09e
SHA1 c8ffce5e1336a0b769ea8770e513ce20838e25cf
SHA256 187b21be7f6cd8ef6b6be064861a2399c52fa709bd8f39fd7f211a91c854e983
SHA512 6cdafeb7b512c40432288db417777d137d3fe1fc87a72bbd05cd6343c44f01fea5c6960befd49c1f26d699f92c14fac77ac4ccb54eb4413f4b4d63e9b8a712e3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe

MD5 0373f459774e33a5336fbf851472f461
SHA1 697fe8ad2730bad0b7ba24b2c099ac65ab9a1a44
SHA256 80fd034941e4a4551a515f6e238c96784b8d2629b19078333b4168aff729aa75
SHA512 1ab69a557fa997ebb3062dc7425573b56014f0246f8c4e47341635639be1ec106c530eceaf7c7337ab09e73c41cca7dae1feea5fafe9adf7980a7ad66987172b

C:\Users\Admin\AppData\Local\Temp\hwkS.exe

MD5 c3f45e1d50e1009d5853ba8e2c2a52e3
SHA1 f1b490371ab342da8871d5a96fd82051a5bffaea
SHA256 b7f9e9a652efade528c8c85151ee41412d2802bd62f27cfc1f1b627833c96685
SHA512 10f886affa4fc170d5f7e19d9d578e8c3bd24568e8911e8725a51b4b1c6a0ffcf1e6d30242783387f14b554d669ab380cab0419632f3d408cec4e08d16523dfd

C:\Users\Admin\AppData\Local\Temp\HwQA.exe

MD5 8dc1106b19966d2f7272e2d3a27bb32e
SHA1 abf12c8eb357f60f4d1635b93ad7d8d4a550082c
SHA256 ca93ea9afce383144ac75fb4a1f18e6ece4149ee87cc2d0bfeb1d228a035cb27
SHA512 7812f27dbb7c57f62f4bcf193b8e3657fb898de6fb43f0b7c54d3b2fffcd9428b40d306b9c2bc3472335dd92f1b93a137dc5fe469f0a5daad95147b1f9b66ea6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.exe

MD5 2513d1f6428e5e9ebdb8d045ee1b057c
SHA1 9d7b2a4bd9d749cc7e061b13fe57d169c911edbf
SHA256 0f17382baf5d704cf5e7847ca0be2e9d4461b1a423ce03548b9da32244cdbbd6
SHA512 c26b1dd67c8744a5af3ecb9097579a05acbf35be3e3a4b92bddec56bc5687997c8e1e52fa045a1b9fe154162aadc5ee33224774afa7c9470b2a5690e5f378a37

C:\Users\Admin\AppData\Local\Temp\noQi.exe

MD5 55e21be01ce81db386e654f085be53cb
SHA1 9b9fa2a49a09a3712f8ff8c72030bf4c733a46f4
SHA256 0844d4086ffbf242518c72746dc027bac00f1db4ca7cf1779bacaa8828812564
SHA512 28372bc40df4fe989d8c0bab61b0898063232ee3f0b30a6b80f236075923794dd10fdab08e128f8679531742e30ea5b00b03fcfc9d9186daa06e9b5e26e52273

C:\Users\Admin\AppData\Local\Temp\eMsQ.exe

MD5 790b645c6409f6948518cdf4e69b471a
SHA1 a68a8c469e8708f4a296d2b211142b2ed4cbda98
SHA256 7d1af9a4de35ba3cf2094ab71639609e34c45369746d6cc0d0ddc097e8873801
SHA512 508707d6c4e2e24cc83fc60ba81c8ef2dbdae5dc88637413d296285c9ed7463c1e3063e2bb5d8b9f5bbaec56ea2328e796a2a9cc2294cee06634a603de9d9068

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

MD5 b897d310546792135a4e0ab7439b62ce
SHA1 43ee6903b3316e0dbde04e6af856b8fe1b4b324d
SHA256 2a57c888277539011fb819e50ee5e06e9e04c3f2a2a1d0380d37130fe2d079d8
SHA512 172b5b811518c31681db6685b48ba2ebea60d41979f26b67e076d4211574409a2b154496f6678086c592fc60d770eecb2f8b24b55e6e3a2261f271c7d03c4770

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

MD5 f2930bce2ef3e186c6ed02973c25a142
SHA1 1137bdd7a3b8646da6ccf0a1c5792780ecbdced3
SHA256 e252ccca9bd53ed452482406837646666551682d09d920ef4677e393caa920da
SHA512 01231852f76f799a932fb2623774e56491c3b4fed1bc40bb191151eeb5ba727242b8ebe16d575c8fb346b5af18f26302bb7ba5ea8c7d3a1fb75f945ff1487684

C:\Users\Admin\AppData\Local\Temp\WYcY.exe

MD5 80d9a96fabe71977ae7ce63b37ad1f13
SHA1 9c683bcba68560d26dec8d34d6fd24e939c0c2c4
SHA256 b4934b6082d3f8d6984bcfbabfeb0940b357fe6e59febfb6f10db4c756f56e7a
SHA512 0406ed058764cc9408dcc3e0da92f4b215f9e50191fddefc5c1dea1a0102ab95f1309bcca32157d767bd72a3eee7c6f52b893ead4e6259302f5ae45eb814538d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

MD5 ac6dcf3b565fb6e0c7d7f9ec903a889e
SHA1 6a79e425483c7838799eb150823bc239a4455453
SHA256 1f4f26101e565e32de82a6253f3b7524132d13afea400eecd06c4bfff575666f
SHA512 592bb29510710fccff1a39e5a7e0b2aec2cd2713e7175cc78fb3f4527a357c24c46a698125fdc5d20fe93b75310430c322a251445bf9b0d8352194a65e76f827

C:\Users\Admin\AppData\Local\Temp\bQsu.exe

MD5 3584f757fecc600abfe56f9b75d8329e
SHA1 bdbabaf9c840ecb639b3d7f21c66585e06e8e1a5
SHA256 51ed88f6807203024ab891df3e479bf89cc0def7768acd516f62372482bde29f
SHA512 101ca5bdd1a9d62f0d12f1f5812fd42b03c70275da75077a125beeb0dc56412e6650bc3d2671bd8bc31b162af96bd71f17445be611407697abf1257a430d6a5c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

MD5 77bb03e79df67efe5e2f97fc19dccc98
SHA1 c0afd8b46fef9cdda38517d4f5cf95657b79b56a
SHA256 3d16c48e66331989327a2c459eacafec1de614ccc48bacf724cf14b058b8d28c
SHA512 91cf83f031aa49198da23d957a61f2729036d989c9dfd0c9a2b169de53b46b8097e070a037aa704d00984d60ffdc8793d20c38d2598994bb9d080abcc04aab9f

C:\Users\Admin\AppData\Local\Temp\GAUg.exe

MD5 1c523adb1bda0b387d559f8adf249a07
SHA1 3f61c18adabb3e4173fd76e5aa111391325ebf5a
SHA256 38c521dfc947065cb3d191cc22431abc3bcaaa1386633346ac0652ff946a7f17
SHA512 c8478c12f3427e5fd411eadba1ffc1306cf8ffc88816d0e578c6d230b6a27583515f56af0c2082166f2ce7626a8fb2d462ac120aecf9dd1358f19518a05f91d6

C:\Users\Admin\AppData\Local\Temp\OcUE.exe

MD5 981256df1f0c43ce8029c5e3da608211
SHA1 e10e17bd01c2cb05c7d164300f789909517fc83c
SHA256 ccfeb3379ae4dfd011450dd244dd00f728cc714e20a271e2070acb6faa24e7f8
SHA512 bca88cbbb633a4c16d3e8f3599c24935704640e51a8921a0c8ae2d6f9db6ccc0223a8ec47a2c80481f28d96b801de8d71de6d61036636319ac2ec81aa7a0820e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

MD5 29b7b50a31a536a08721999d498695c7
SHA1 2e5f00eeb55a30fa6be4d164db7391a542a82a3e
SHA256 37b933d7505de2920f1f20d88e204ff3c8fe93f64d41e0744d2965c20fe82686
SHA512 a634f23ceb77ee599160de34b057e45a3b4f233a114baafe5c2c0878c7cd27d247cc7e73dc45701c1a4592f77f3aa85bcdde9a0dedd4437db7ccde3750449b47

C:\Users\Admin\AppData\Local\Temp\pUUC.exe

MD5 eb94c1ffeebabcc8c0593fdcac7c36f6
SHA1 3243cd6a30f760ffbdd2fa9239ba04f9dbee1474
SHA256 24f1f6f9a2dd13effc4af16402a89ed24edee795682bfdb801779bccfb0fbb01
SHA512 5d54b27e6fd20bfdb29e0e080bda19e829157497cb4f4111f86baab3b47fb32772698c00b47f3c446ed0dc31c6a62f1253e662ce9991ed9f370187bac51a486e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

MD5 8056765e5e2053efed826dfe7d18e63d
SHA1 0954c3ce4de63066c09ed6854ecb834fdd64efa3
SHA256 d9ce5dae20759c14191be38644a788683f992308d734658082657105ace3bee3
SHA512 55b3aace0274881179609b7885419763b114dd78b071bd18119f2c953dbec8ff30781b2cc5d941304bc53e8d41a93fb19228ee511a94f829183abb95e1a68559

C:\Users\Admin\AppData\Local\Temp\WUoC.exe

MD5 4e3db7b0ffdd4a6e1c61e305c7749da4
SHA1 8f88b184b4b9168af4937f1c416e0267a4762978
SHA256 bd003c6f80e0e44341c55dcdb49ddcecf2ad28f3c23c97212ca0aabbeb30e41a
SHA512 b7ab735c6dbea399ff06700ef83d502cab3f6b32bc3f25063163cbe80fb4b9cd04a80be6554970c39c94f2dcb93e761e3a54b6e8167d89a14cef50c4fce9e3b7

C:\Users\Admin\AppData\Local\Temp\vEEs.exe

MD5 95d5396eedb1aa8a20849b302697cb92
SHA1 c7a7e94b14850214237bcd4edad6732e6891fed9
SHA256 27a5e4111dc3ecb4207ed33d91c978f5735b96969fac4b030587f78dd812ab07
SHA512 3278347a2f71a94fcd1dd59eea586cee363bd5e08f69679074f1f8e718bc7c55440557a1b13314171f13761a745db9a0085ff689be14e0b1284e414b6e13ea81

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

MD5 a4ec9b527cd14be2dc6145c1ecaae3cd
SHA1 44fdfca6a321df1817c1c63adb61fa5f341b92f2
SHA256 609127afa18c17765c7d5203a81147b1571be6bbcc90d63256b1db8cec93af18
SHA512 c192e256848f68f16987f70403fb39c2cdcef1297d76c21a6122859a62768f046514903fa5a6d3a5c40202375cee43bfbc968e57600b062682aecae14748907e

C:\Users\Admin\AppData\Local\Temp\fEsc.exe

MD5 dab9a68ee710996c6bb42480315ec6b2
SHA1 b2678ba142a5c5745e79f6ab04280f4e015df2dc
SHA256 c886e1c63e6e9ae5bd16ac6a40a3975a4ba18ff1cadf0ac2fc73541c13def724
SHA512 f5211a52f22712f5d9a1adfccf4b374f2270d39d194c9c7e2b6199e51df5649b22080479be69ade7fbb62d97a668b30da53668ac0ebe6259523f82510c4ae460

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

MD5 70efc62d8aeb285f63c15eb6ec63f68f
SHA1 0de8c34103436ab3da4bcf9e54fd3aff34fc88f7
SHA256 194d33e258dae46841e0094bf9912be6cdf50c1bfe347459c5fd8cc759d645c7
SHA512 b7a707f4fef2f6e851b2c8447d1d1cd84d10954b9e2643ed12c5945eabc25bb00d826185ab570c7da5071f525e693d9f3e8ee4007c2100a5c3e63721e48e8bf3

C:\Users\Admin\AppData\Local\Temp\lsoO.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\xQoO.exe

MD5 78d5f8ccb32093ac1c2863eb850db411
SHA1 82a6a73729a7e9eb8fe5a932558ba14d19ce0da1
SHA256 8f8b847cca05901847eab81fcc097a61a381a2cdef33568c0d4d65f5748c8f58
SHA512 34709c96f15765937ed5d46d2ff45e2bae656f1f232672cdda1e97582429e4cb1ce589db3631656c10dd8a4ce0adeeb9d65aca974a2bc23ad5d2579a37f4c907

C:\Users\Admin\AppData\Local\Temp\Xgss.exe

MD5 209c21b7e148c71d9cc946d6c19f2578
SHA1 6078850fad66957aaf25a2f7d61a2d5ccceb4c24
SHA256 1b36305522da37849f34425ce3812dd267df8cef9d7e18f6e51ad25932912870
SHA512 ad73a1c5bac314525b814b0e732cf12e663300a4bfa79584663bc0f4dc6dab75b980462b3b5676765431b88a04cdb492c5c79698c71d0dd6ec19ea1a4b7bf846

C:\Users\Admin\AppData\Local\Temp\hwca.exe

MD5 bf13d8da7ab2b133062e9224f651b3db
SHA1 dca6c221cad81406d8a8fa7dfeb91a35bb00476a
SHA256 111c833f305e93b140952c29679a9723360a8d2f67c27117f447627f2ed7a0e4
SHA512 ed222ecfa2b1f456a1660ad81090a036cc52f87e357e381c9bc57674b3847464bb0efed2f2791bafce3192f0b1da271ed82e67df5bb0fd00a36c09d37583340b

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

MD5 6e490e6da4fb5344c495397fedaefcbe
SHA1 557817fb05dd9a00de42abd5bb748f7ca2b3f37a
SHA256 1137f09abacaec9d27ae78e7c31ea14335d8e64f79044020cc07a66c6e013db2
SHA512 afb2f173ba8879b1b1d8ed8948a0e88e3a67bae77ed88cff1650ce353ba45da9a8a1e25b7d0fbef2bce0693afd256bd7e1ade6c4c1b548a10570ad34286c1163

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 5e8724beb5b04b565747c98c2bd59567
SHA1 3a4b40f94844716945575bdd787db2033b497e6f
SHA256 a8b1e5eb27c15ba12100e90c7e0b7c9c2a8a6fbe057943e3306fe27ee5689b5e
SHA512 224f353b6c1fceb9339d014397f718dfaa67e0d14355897775de86d6d9da66946a44e2509d28082889eacb003d3bf6f00f015b6554b287f4676ef64f99241d2b

C:\Users\Admin\AppData\Local\Temp\JEUK.exe

MD5 fa46d907577bb91ab5c1a6a3025e9aed
SHA1 8dec7f07dc4cbb05188e8fc15e73ae355c38ae86
SHA256 9e1008c08ebc8f8c76ccec8c9b8497649f731c4b472fbf697d316ea39adbe971
SHA512 1ee1fa884ec0c369ef79e2906238dbb9312e7aed60f1aebc0728ef6682b06feba05a6046e0df3dd57ab5ec1300369aa8bd6d684fd412cc7c775204b5a6fa9bf4

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

MD5 347459d56b759ed5b28cf1d386646a2d
SHA1 f2e8f07b4e62adb1c914d8ed922f77b081996761
SHA256 96cc317d8bbf94493959222dc69a6802767bba1ec93be5b9c7c1bcfef9e7ad15
SHA512 a78f15bce99ad292d2f8521c83e5fc65dbe84c98d889b07ee18384047201d1abc32738fecd9a5495d8b7ccffeaa5898e5bc89099e6586bdb4666b431fb639725

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

MD5 68038fb1ac89536447f3f7eaa78a215d
SHA1 9d48088f0fd60bdd089661869bbceb9a1540abd8
SHA256 b7e4c60f1aa5b0291bb697f393c78e6db69993e5334e78af56952f7f554d447d
SHA512 d30d75efc9b0b23ce0e9c0ebd43231997cdf8024b224693cf70c3d2a495f78ce2769463fcc30d89b2f29e9d8f2034e2841f5f7b791d9ccd21cc4ef65bc6c109c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 db6a97da172924c88128dd82ab8f2adc
SHA1 ecea98969f7de33405746839bbca860d8863b6c9
SHA256 2e576bd79f150bb93260e745b0097e0e486b498666232cc125feeee14ad12cdb
SHA512 82e6f6c213e6ef59981d7cdf27dcef2e79de26a7ed8124806c21009027858389bea1796ed467c3a0823f36e122ecbc7a68b77bccfc11648ba2592f2d9b45f8ba

C:\Users\Admin\AppData\Local\Temp\koAa.exe

MD5 1bc40382ad3c92d98ec45adeb4274291
SHA1 272f5b4301b464d12cddd57a2c0b64dd265fcdf8
SHA256 46e4680ec112da7dbe9c11c6b067ac1b11d1ddd45c29068b9ec35c3af3171181
SHA512 0893f20490d5d2200d557e6c9aff0a014aca9b4ad9311fed675f0fdc20ae3e987a867e62d82b9232566bef6d17a5e40f964d176bc8e2128dcf872399c78bba70

C:\Users\Admin\AppData\Local\Temp\PUog.exe

MD5 77f777743482ca23f6a772ccb8148ed1
SHA1 6cf109c8b7f15f3152dc4a8289822d7294fda230
SHA256 59a423a267d905893e0d97192c59a137b0d5d2a0a7ca10e8230c58754177286e
SHA512 b55fc2b099ec999ce0498248cc4da87ae96aa65df9184ce941220e1ac128134bbe908ea0be1e496b246b2d10e6cdde39785e537395a6518d245e050f0a539bf2

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

MD5 bf90d204003c295005b54ffe48a200c5
SHA1 81e7ddec8645d910a3e0a04deaccf07914f87b22
SHA256 2c72a5f2cca1c53c46fb1ddf774379a5e8fd271568b8ab290ef6ec8b69f94d56
SHA512 f3117d65f8f833a63c820126bbcb14a7023b954e2d2c54898b9fae7116a2d7566693bff3842b1479a0a2c84a24b02f52f9921e14821ade06c91c1be3eaff2d27

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

MD5 e4e060bec59bcb7457a479b95f844547
SHA1 8c39b8f04867a792a19776d0ed2ff7eba2c5dcba
SHA256 09f2ac1ce4e016bfe8f394ed2e9bffd624d6c0e6f0b17b6cdaa80f6a10f5573f
SHA512 6b4b928908807ec699124c0fb2fc32dc0c89c36839618d2e647086bd5f9ba7fe83410c0f702e1378d8886c03ee66a29cb2cc7c30351a8569360a710903597258

C:\Users\Admin\AppData\Local\Temp\IkgU.exe

MD5 bf6c6b045a259a963717405ce625bda4
SHA1 fb1bba7fe919248df5e4d060c0ad02e4129ae4c6
SHA256 8d478c1553427298d45b370310a7891fb77979b0972f972b9a4dd70c895258e7
SHA512 1a11dfef6b6d9da7a811e696ea424a0c4a934cece644b69aa375b9658ebe88120d98165902e14edf08de978769d4cc9d926c72f73b967237b89d9465e1b5a93a

C:\Users\Admin\AppData\Roaming\AddMeasure.jpg.exe

MD5 9f242d43042c7c25c768cc281ea9998a
SHA1 0c20c0eac081648453fa4aa945c21f06dcee04e0
SHA256 cefcf480380af7617dcc360788b56c5c2e604b0dd4ac28bab5dc620c6ef34a89
SHA512 4b61e96fd432a925fc0b9b9d6c7058cb717d5452f027af12c693f26f8ae9abc98e7c04eb469d1dbc372a31969c51486d2a05dabae1b386235d637331c3c229a7

C:\Windows\SysWOW64\shell32.dll.exe

MD5 b23a4d916d2ca2b929adf4826d22bd7c
SHA1 3a659f58bc88aa04c868502f5671b1813a898feb
SHA256 b82095a1c44cf87a241b1ee3606fffa0d92175db8d4afe544815f7486def3d6e
SHA512 9a8ed6999559a8c1778d62c814204d6730bcacf745ac490fa2eddcfeade00b2a28dbc2045dc8ddd5aa1c829350df1262ea6263ef48e6e7f07357d5e8281b1d6a

C:\Users\Admin\AppData\Local\Temp\tIUy.exe

MD5 7cac55d0b630b1b09ebe65131062da41
SHA1 e1c191bc3af0464d315369d3fb6b543422c4fbf4
SHA256 88b8da855f1dc717e4567ebd3cafd59b1bdf4d5cafcf18c7425ff14d504dbc04
SHA512 47de8460582eca2a21be875e8a46d4a692517624c6494a7fcc83982bd9d170d839e8136437ba6ad5eee69d2d8a7f26ce3cfec453b3aca8c6a2979663d26adf58

C:\Users\Admin\AppData\Local\Temp\bAwk.ico

MD5 d07076334c046eb9c4fdf5ec067b2f99
SHA1 5d411403fed6aec47f892c4eaa1bafcde56c4ea9
SHA256 a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86
SHA512 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

C:\Users\Admin\AppData\Local\Temp\kUEC.exe

MD5 7ceedea1b103d054d6054ef34258aab4
SHA1 d0830ce9cbe3ea80d37ef6c437137483e38e3757
SHA256 cc48c18ecb71cedc4ee6789fe8b1508da4144de58cae5db175daf0e8de4011a1
SHA512 7d03823675adc93a4ca9abc9407421c94fca53f5a0a135674249be7a19c979857bf1b9068be934b03856477565ec5fbaa8a2ccd0a02671abdaa23183bfc0a0a0

C:\Users\Admin\AppData\Local\Temp\NAcg.exe

MD5 755c0ffe25c46cd6131b7b92fe4ccf08
SHA1 de8e2da2796a174ff0843ac67219e198ac9a870f
SHA256 38ad94a6314b82247b5e0c776ed7dd6e7902ed925c0d394cf635ea7bf067401b
SHA512 dd10259213549bc1457686d17be6a5812e04157ce59d80a1ef0395e428d947e0e17b1370e1f78287eb4ccdff34cdb5d888936f6e69da1705a8d23c5f02190282

C:\Users\Admin\AppData\Local\Temp\fEQA.exe

MD5 42b74ad4348c95e18f55460ba7d83920
SHA1 0e7d09944a28d198b2a2433010dae2b4b5ad8745
SHA256 979e1518f726ffbc6d4e5f89d415c5cea3fbf9b781f4dd87f033a1a6856ee893
SHA512 e51826a44853e2ccaec145335015bbf955770cfed5652a20a681f446d6e95feb4d184118712aaed13e02e456c089bb029a077a61d6c88f30641d0e30d7046dc6

C:\Users\Admin\AppData\Local\Temp\hEwY.exe

MD5 f806fbeb1f2d90f6ea5bf476b6efcf73
SHA1 378070a3f911b67a968e5066ca9f098c30350871
SHA256 4618b2e1773e3662f177fa52d1f9b907a99ca1582c69de320a8a663b2c92fea3
SHA512 67c7cf77d73aab0ee63382c919726300759956a82822130602589a78ba62c8f5c550e223bd3238b3fea845fb88e4e69af74833d0d8bcfa78b95983d056fdedec

C:\Users\Admin\AppData\Local\Temp\NwAC.exe

MD5 a31633dca8fd11eacb5054221b4dfb8a
SHA1 090cab48273e197958adac09171e6ee596da1eaa
SHA256 51bcba6c6ceae66f1c6e88e9752b95e246b37a309b6d659b6e461028ac612366
SHA512 e71f712c9f0ffa82967f354ff6a67ace15c1c8ea0b2c8f08c8d0fdc6d60c78504fcf971a331b4f8c3f2574c770a9e01d253eace3391ad159d5c1d4f728b18f4d

C:\Users\Admin\Documents\GetCheckpoint.pdf.exe

MD5 d67fb590435b6a19efb4e9fe8d7e3f3e
SHA1 45388c0f6057e42bcafdb5548afc2980fda3e89b
SHA256 87f800c972aba3765573064a6f40e7b2a644f571a83831844ecba48ab4cf3e6e
SHA512 0675b93831aad1f0bfdb6d5d6011358e3414c5e3d3e732d5c465a44f41fa8f8902633ffc20b96d442a517442f2e0e04b4eeb6da462b4f6dc6e5a53079f4f3300

C:\Users\Admin\Documents\SplitDismount.doc.exe

MD5 ba43ce1d827ca1e5c96e2814fdb9f866
SHA1 57cab643105f71547ba8a6f14f6ce78e912282e9
SHA256 c8fea85fdc7520895c0a6a897637275adb2e9782980471d3059bec330178b5d0
SHA512 582f08bdb8dbbb8e5282b15524ea55ff6f5bf32d047f16eac269f82dc27a5b9c784d6d8da206c3376a41d7366d22d98616d8aa54c7dd2531209df8378cc4b134

C:\Users\Admin\AppData\Local\Temp\ekAK.exe

MD5 67c902f298ee965969ec82fd61726667
SHA1 0db5c89f0bf8e89a0f8082e8ec96103f3ecfbb34
SHA256 b654a7b481cd95ac0ecbfc871d12ba807ca1709cede2ad0625a3176f107b18de
SHA512 fb7321174ef6f62c8371e873b52807cf4879c20ed92f2ca6868ac6d6ad6c6182e1c67260526ce1babfe841cf0b5565787994e9726e2c1aa415b74fa9f8720e89

C:\Users\Admin\AppData\Local\Temp\iYQy.exe

MD5 3db10087906b65e6184e75d63fba15f0
SHA1 3dcab988e0856ac7b5cc7c4d7e1382d3b3fc3e68
SHA256 07870bcece1e1d1fb23016882151ae712a217a3a9622e42f6ca3a350dc704700
SHA512 6a2e1392b80f64c4bd110182955b0db97a263e7b7833e2136dec1b51bfdf7e34680c64513ed33a6d5cf8fbd16320e1f461e48a37f8452f0ee8becab17a2bbdf0

C:\Users\Admin\AppData\Local\Temp\owYY.exe

MD5 9e70afc61489bf5adc2381b95049eb7c
SHA1 7b83105dec5cc80b9f19081993fae74046581bc5
SHA256 4b475a16ec06fd37bcdaef0cd9aea84bccfba857d67b576b32f78d1fa7c1d0c2
SHA512 20eda55dabc4340c57fc547c40f648699bb16125b1ca30f4d07d4c498dfd2c09adb3a3cc892fd6577fa04b24da1c8fe446df36b50942a86da81bfcd6bcf1dea9

C:\Users\Admin\Downloads\ConnectGet.mp3.exe

MD5 ac91b95c5b681523a8bf7967519e5d0d
SHA1 47aa26b5241d833bdc32b96c2f56f629f92d951c
SHA256 6c0b80174f75012ee6f49df9b68563e3eafaf72d3046e9307dacf51f61ca08a1
SHA512 e71d171c21cdce025c548e813503830332426ba67774dceb30e9310cd214763765aeea21a93bd1d7441cd4764dacc737f0eec68fa6095426bc119b3934bb91f2

C:\Users\Admin\Downloads\DismountExit.zip.exe

MD5 9a006d06089d502990b81af471f69fdb
SHA1 849e5bc395339d41a4bf5f28804820cb8c6a3726
SHA256 d33d32f69b493779cb0197b2ac9db87541f8fa850b2570e2220834a6bea851e7
SHA512 5c8b8cd3f695e0aa7e9a386b1d917f9dd9bbc9d5938c36b0703c9a625a28c529106fba22cd5267b23b461e67c1372cbcf181e9e1c0ea7162f54244e1a054fd89

C:\Users\Admin\Downloads\SwitchSuspend.jpg.exe

MD5 98bf693f38900552b8aadc0ef85a5ef6
SHA1 be1130eaf7fe7e787431dd60db95e145a7f015e3
SHA256 f23d23cd2cd950e0683ca2a9e5106e6c1eb1fcd567dca50e5c3f9b2fdcc8d80a
SHA512 f792f7642751ecf453bea3df18be497abac6c2eb7deb23abfca932afc636c1e5c56a9705afb82a136c7850ddb491e43b9968fe24585f7b92a3b370732b1fc6e7

C:\Users\Admin\Downloads\UnlockBackup.bmp.exe

MD5 aeceae5230bcc0819b3c8f5d8489971b
SHA1 6fa4a82c6553e5cdefe47f05a987d0587eed8d2f
SHA256 5c586f3dd79648099a9eceb546fd942ea096bbb0a8016d4ac109c3f33cf086ba
SHA512 9fd4a39e5ee510e4f22e13e87a093b01b7604e29e20969c3b486267a12787f20e74ac66a484dffc8b362bd83fa56eabd9918fd1da3140053d5abe65d3d161df7

C:\Users\Admin\AppData\Local\Temp\UYMY.exe

MD5 396c2633ab80bf7d4bd526ed853480c4
SHA1 cdcbc5650dfa94ea43ad39e5258600aa5f7648a3
SHA256 1f3a8d2eb7042762ca79fccc31f3ca5f810eb5a485d5f693d9e98e90b8543e91
SHA512 5abc5063174f2fb99809d743ccf68160bb3d68b9abb097634e3b08fe9401386ebe24277ac85fc75a00ea5e5bc96e82ce8ad1273dd2d87127c6784503f0cbc997

C:\Users\Admin\Music\RegisterBlock.rar.exe

MD5 963789dadae500453f565e7bb131d8fa
SHA1 8f85cf7c77e6f08e2294156086b7580a67f5b118
SHA256 5a344591d346eafde1fab3cb29dbc00f0464bd73fab1756acf83a91d779c3c93
SHA512 24c73e8193181c695ee119aea9b77ab2cfc871dbd1427a6243ae7759622af5e172f8016516b91a53a9ff8a049a758c4a3de47e5ce5f72fdf9858a7514ec2aedd

C:\Users\Admin\Music\TestApprove.gif.exe

MD5 337efa8d194d3f64a0466e8cad7e4a70
SHA1 aebae7e6fa8614c478aca8412a1916087510e0b6
SHA256 5da467fe52f571bea97761587b914b22b1b9c8a9ca4b19412327ba15a0400531
SHA512 1c2ddf1cff55fa454255e61035590103cd428e8d813e53e16cf16a3ad8863c7a0d6d88809f9df4ce2d8b7d2308c02ef9771d795de60661e84cbf4d14934a619a

C:\Users\Admin\AppData\Local\Temp\cQkA.exe

MD5 f9fb922aeef1ebb8149c3a66a45758e4
SHA1 413d6f7ab47af58db095972059cd019e61e8418f
SHA256 5782748ab2329a177693e5be26d7cecc21b2d56fa023fc8ba59b5a75c3139bbb
SHA512 7bd8b7e58cefb0507ef157e0674e014a65e4037fa308ef6b7fd21548eb99ae2979e487c62b2f6ed9e5f4159418a45f347f1d2f8a87b1f643097e9ec39fb28834

C:\Users\Admin\AppData\Local\Temp\GEUM.exe

MD5 3ff3626d8604369b4d499b9af2d46803
SHA1 c468646e301eb325f2b17c38fb370861250e449a
SHA256 48dc8e398dd37d85f8ffc065b90c7550c8af90f6bd98d1efb43fcec2be9a0c31
SHA512 dbf636c1e59a9ef77812cc9bda9c3b8c3ff22cf5aaff37e24dd35a534a5dabfef3619652cd20ecf1e7933713594ad6fc4922ef621d74c2b2f777e9d1d3025326

C:\Users\Admin\AppData\Local\Temp\VYcW.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\Pictures\ExpandShow.jpg.exe

MD5 db8fc61bfe916502dbb1fffb5ae880f8
SHA1 10133b60188a570e487339d02c67ac90899acb7b
SHA256 404f53c732c5991ee68449746ec4535e931589e589bc67d83b4b07a3dd3eee9d
SHA512 9846b57ea1b195826eede2c94d20924c3707e6e870e2bc2b8a1b6c6022e5033ad016a9c43a1cdc3e73f76cdb1d7128a791ab53f84658b068ab2c5fe5aa2697c3

C:\Users\Admin\AppData\Local\Temp\tkow.exe

MD5 16d32973d2c9e8f305d0c10276228f0e
SHA1 51cb85e034b01d073d8ffe165f8b9cdf7cefc77a
SHA256 c06b1dfc83bdc0b1b0317d316986923f2be68e159a1c2643f682e84927bc232d
SHA512 9dcbbbe55989f9340b5c2fe01e7d2bf49ac6a740da4f19affd6ac7e17140b57cf567f49bdce7fe5df8eab9d5ebf415ad29bd7e9fd1331bc7ef5d0461c92094a5

C:\Users\Admin\AppData\Local\Temp\LwkK.exe

MD5 e1a0f1b0e5eb33236b887e16a95e80b7
SHA1 d7e3aab73cafaf6ebf451820b5a437e2c88ab3e0
SHA256 2b85efd7f423f2da347a0ba53e17cda35d5170054e9aea441b810e38692573f7
SHA512 76a89f225f007c00327369e08123d2793839ea0be13649a1d003fe2823fc74adf4592fe48e2689203a5189ffe0c5a6fcdbfc8c25d55ef1c90021ea08602bab25

C:\Users\Admin\Pictures\RenameConnect.bmp.exe

MD5 23b0114a63109b8113539b16107d72da
SHA1 5f706c6a9cdccbcb9e22ce371d9fa43c41e6afd7
SHA256 fe20510d7d31233a6b7053fae4ddc8e35f1761787bd1a1e7d65048e7f899edf8
SHA512 71fc1043472765d0b111518f66280d2a76f568fb4b470d6dc8915c9cbd72f2fc60a36e1858072bec276846369e52a68d01e26291afb387c23eba0f62369ee76b

C:\Users\Admin\AppData\Local\Temp\Voom.exe

MD5 a95c8fcec89baeaab6eb98d72fc25cd1
SHA1 7fc57c3deeea371ddeafac31c17f39196ad8b311
SHA256 0783d270954f3adb4543da3b2fc6f3d3745268ac7f2c4a7a69a5ce54cd043fc5
SHA512 8cfbae01c639814ad31822cb50df482604af2883b17489e9b3bc42bfb3ea6cca8e9f7c322a53efd6b9d26d2ee432fe9f64e4ff874bad0174d852ae5651f22b0e

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 2b8739a7b423ebc585d32b8aebd9ad76
SHA1 47950bbb0c95a1b82868fea6678c596f49172b82
SHA256 64973059eb88f317dffe8c7aa9508d76ca33b1211d06ebca6c9d288f765c2b77
SHA512 b171f34ecf289105230af0b711b66fba9c1cd8fe519d3fc2d7f5c0b32cb30165f551a0e25ecae9172c3406cd0dd57777f01ca16e42e6af2bded205adb8a01d61

C:\Users\Admin\AppData\Local\Temp\fUso.exe

MD5 af8c1a87fc4a71555d16f80a8ea25f64
SHA1 7e1cfe5b2a7268f039e85c107d499957a3d3222c
SHA256 58c8b1e79e3e633747bdbcfbedc3ebf6f2d90f4e328e0d160e36659c68575871
SHA512 581a0632f81e179ec96d0bc177264529b31ebe1aee402d9040ef29d7d0ca55894136f9bb68f65438344f781af932d399d91f03fc3a952baba224f2084cf4215d

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 334d18575b3c2b1ada275ae9a5de6504
SHA1 6c3aa32dd36798f09c4bf4b25add037ae2c7d61b
SHA256 688d0b18ccbace343bd6780db00ee5f912a497c127fbf33fc12126f8ce55ed8a
SHA512 7911ae2909c723e939042c1692e949bc92fe9a1f20a6b4502b3904c4237879db006f3b33be0137bcf98da3de529a2d3254a9a0e7f7c9e3c0f24ad7eddbaf23d9

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 7414a08597ee8f30c34b6efd119623c8
SHA1 fcf9285a7338eeca6eca77fefa24b20bbdd92e83
SHA256 3bbd6ef77ef590db17edd78190eec388e65303a089c50b7d2db33032c4a41e96
SHA512 5879ef8bf6a14c0ec9e790a596d60df587e6bc1220ba41f8035fb0680370fb790d83f4bb990a7e7b2b2e6b0011b10ede6c7401005c7061a9888dff7c7adcd387

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 901087389152fad0a5a2f6977e688a83
SHA1 68ebc49e2a66d097813259125c66bd2c8ab35b09
SHA256 39c4f66847ef8ce161dc93107f4d9b635aa4efde4b7700b541d3b3f9653b919e
SHA512 8d9fdb676329107fa5227ef0d13958dcf736805af2409181218df0894806e68a94123f7313dd156ea4cd460e2fa552f2e164c9cdb50c8fd1c87d5f69d8e6a4e3

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 4689dc6b6ea49836b6279ed5224b946d
SHA1 08e2a8603221f4ccb081b7c6a4c991144b915044
SHA256 d7233711f59b97de7ef55827f907e7ddbfe7982e6229e82b414c0295370ac049
SHA512 a905766fb8c558169618190b3e2636ccec58c8ec58dc6cc8412944913ab99bccd400cad2c37cf25e7fee63e77ddcc80d58fa8e515f8ce43c9de8fdcd1c94deff