Malware Analysis Report

2025-06-15 20:06

Sample ID 240515-mq3b8adg37
Target 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock
SHA256 dc1c31aed64946afa7cedc15497ada98cb15b20b28db91bb5dfa3a08915b934d
Tags
evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc1c31aed64946afa7cedc15497ada98cb15b20b28db91bb5dfa3a08915b934d

Threat Level: Known bad

The file 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (78) files with added filename extension

Renames multiple (61) files with added filename extension

Deletes itself

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 10:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 10:41

Reported

2024-05-15 10:43

Platform

win7-20240221-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (61) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\ProgramData\VSgwMYMU\oysAgQwA.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\lgUcsYAc.exe = "C:\\Users\\Admin\\mmckAIYA\\lgUcsYAc.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oysAgQwA.exe = "C:\\ProgramData\\VSgwMYMU\\oysAgQwA.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\lgUcsYAc.exe = "C:\\Users\\Admin\\mmckAIYA\\lgUcsYAc.exe" C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oysAgQwA.exe = "C:\\ProgramData\\VSgwMYMU\\oysAgQwA.exe" C:\ProgramData\VSgwMYMU\oysAgQwA.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A
N/A N/A C:\Users\Admin\mmckAIYA\lgUcsYAc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2256 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Users\Admin\mmckAIYA\lgUcsYAc.exe
PID 2256 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Users\Admin\mmckAIYA\lgUcsYAc.exe
PID 2256 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Users\Admin\mmckAIYA\lgUcsYAc.exe
PID 2256 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Users\Admin\mmckAIYA\lgUcsYAc.exe
PID 2256 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\ProgramData\VSgwMYMU\oysAgQwA.exe
PID 2256 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\ProgramData\VSgwMYMU\oysAgQwA.exe
PID 2256 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\ProgramData\VSgwMYMU\oysAgQwA.exe
PID 2256 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\ProgramData\VSgwMYMU\oysAgQwA.exe
PID 2256 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2256 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2256 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2256 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2256 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2256 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2256 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2256 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2256 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2256 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2256 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2256 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2256 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe
PID 2640 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe
PID 2640 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe
PID 2640 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe
PID 2436 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2436 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2436 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2436 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2072 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe
PID 2696 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe
PID 2696 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe
PID 2696 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe
PID 2072 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2072 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2072 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2072 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2072 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2072 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2072 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2072 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2072 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2072 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2072 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2072 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2072 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1728 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1728 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1728 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe"

C:\Users\Admin\mmckAIYA\lgUcsYAc.exe

"C:\Users\Admin\mmckAIYA\lgUcsYAc.exe"

C:\ProgramData\VSgwMYMU\oysAgQwA.exe

"C:\ProgramData\VSgwMYMU\oysAgQwA.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wasoAoYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cekkgIoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mucQIIow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\guIIAwMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pKYgYEkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xUkAYAEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RSkYgcEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WucYokoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EmoIMAoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wgkkYEgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aaAIAkwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lgkQwMQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZGYoEkEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XMMYEsgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vOUoMcow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QSYkIQYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iQIkwQYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uWUsMUgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UCUMoMIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kkAQsgow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\liYIMEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DyswwYUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lEYUwIIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZyYkAIwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kWAMQsco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IUowgMwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IwgkgYwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Wkskgkow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\euMwwwwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pQcsgYkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RawUIIgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JOYAwoEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SIsMUAgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AWkIsYUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gswAsEkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QYAcwQAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LecAEooo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VuIMMgQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nSMEUEow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wgEAccwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GqAsYoEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GSQEYoUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\geswAkYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QuMMIwEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nGgsIYMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VmEYMEcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lsUgAMAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LsQYYIYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ockcAIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QsYosQYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ewMkAwwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KWEkwAIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tycAsMUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dmUAgAgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lywQswsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zooYkkcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GiQUUwAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UsowIsEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GkwMoIMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YEoEcggI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NmoUAMQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NwwEYQQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BiMkkUMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fysgsIgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uaAwkoIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eckkQogU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KcAYYAks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WggsAAoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OIowcgks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PmUYEQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lisowoMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LsYYsMQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FOkEAMEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\taIYcwII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aEskUIkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gsYQEsII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yWAIYAkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zYksYgoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NeoAAkEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HmUkwAAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgcYosQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SQsscQIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YKEcckEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MYMEwUMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yAUQkgsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QmAMUAgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rmkgoAEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nuUYMQws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lQooIIYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RAwEMMgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gAUkAMwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EeYEcEEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GgYMQgoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AkcsEgcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UsQMYEUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nmQEsosE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZoYMccwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VCkEQkoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TeAEAcYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cqcUkYgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
FR 172.217.18.206:80 google.com tcp
FR 172.217.18.206:80 google.com tcp
BO 200.87.164.69:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2256-0-0x0000000000400000-0x0000000000433000-memory.dmp

\Users\Admin\mmckAIYA\lgUcsYAc.exe

MD5 5fb392b01a6269628efa194c77cbf35b
SHA1 86c0e867d191e0079fc58f783fc9a412d7a40c0e
SHA256 c7f76bec9b445ba8c78c2a69473f1d27273ba4a2c4a9f32e705f9286b445c51d
SHA512 76edd648f56662536b5e1b09e2733acf0d01d1bab9d268c07bd40d2596439b8b88147315ffe27a06c2b66ec8abe0e51e4741273da47ae372278c58bc37dbe1e5

C:\ProgramData\VSgwMYMU\oysAgQwA.exe

MD5 a1f9d0b209b2ee3f6e68c737c4a9b266
SHA1 a082edb75bba20fd95833451f50deca0ec2dcac8
SHA256 eb2112332e166c05cc21ac87ff81d5993ebbb35f86d1bb2747f567e7f182b1ff
SHA512 d6f8ff2fdb1b824bea8aeb27a2aa411a1568c5ec66aaa421b3d8a7cfce611034d7f89f0767baefd451bd1d9948176c6264724d62482c30bf8c09ece2e3e4f41e

C:\Users\Admin\AppData\Local\Temp\YwsMYMIA.bat

MD5 e0ff941122ea2bc7eaa3b05c5eceae5f
SHA1 af23d5d274467c1d69d0282fb66e7f2790667071
SHA256 0997d0e2801ef5f1e0661650f60819791ea6fed32c967d219669babbeb66a61a
SHA512 e1f2eebe2780bbb56057e74313a7bbe2328f47e8e148f9fe6b2d786e577bd27400174ccd5a34bce505a806c1db1a3d2e39b18a144b03847905f75b1f2f5feab5

memory/2256-27-0x00000000005D0000-0x00000000005FF000-memory.dmp

memory/2256-28-0x00000000005D0000-0x00000000005FF000-memory.dmp

memory/2604-31-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2256-30-0x00000000005D0000-0x0000000000601000-memory.dmp

memory/2944-29-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2640-39-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wasoAoYg.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2256-41-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2072-43-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2640-42-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

MD5 ef625f28a5fa08948768d1836c3227b1
SHA1 96a6f727228c1ace18c93c9b6117b0cfe7f66a74
SHA256 9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889
SHA512 0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

C:\Users\Admin\AppData\Local\Temp\wCwwUggc.bat

MD5 8d4d2ee33df7c4c891e9ccd00d638ee6
SHA1 0ba914d534c6ce8ea51a9bc8923964e6d60ca041
SHA256 b84ffbe4209267f193f45487113b17de8660e9877703791834d1c1e4e1475f95
SHA512 26b376d88b3c699cb418b513149073f25337253279f9ac93fdb7a9e44feddea43a0513cf0d65998dc121d82981b70f1988051f62755c66434588eeeb43e37719

memory/1628-59-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2696-58-0x0000000000260000-0x0000000000293000-memory.dmp

memory/2072-68-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UKUEoEgY.bat

MD5 3912f8be5ce04a39d23ba2efc9a46208
SHA1 374e38c065c1678b5c1909a331474b1abcf31332
SHA256 8f2b12510343da8c7d6da1d7efd74c2483122947ed7bed7010a1bfad9c4af837
SHA512 137c82e319efd2e56e6aaaa0fde4f8bdab3316710c04be773c38502a6ecd06918c925a8a5dc3e33382e6642e51e57ff26e6eb2baf430fcb1c36b760af0b92825

memory/788-82-0x0000000000400000-0x0000000000433000-memory.dmp

memory/780-81-0x0000000000150000-0x0000000000183000-memory.dmp

memory/1628-91-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OEMMMQgk.bat

MD5 e47a0466016b5f7ddba99f07393cb7fa
SHA1 8701d0effe0cd9203d50969a3d0e5706119e1ba6
SHA256 46b783c3fe08d907a4d75b07fe33ce8b54d1bb7fd13c31699a4174605ecb98f6
SHA512 2866e7312cb4ee33645586018d7978b1a097826cc55fededdf5ff27260507feff1ae70a127c06c8fa50942e677a9a316c3c11e556314024a1a64e198bad28e3b

memory/2224-105-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2768-104-0x0000000000190000-0x00000000001C3000-memory.dmp

memory/788-114-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XKAEkkwg.bat

MD5 080c6c1f994a18abb221fc57b88f8bca
SHA1 10b9171beba874fe15d3118e4ab29858d3905043
SHA256 5c272bd53dd15fd77154840d0744c4919cbeaa0c3293bb8c1df650e3f90d3bc4
SHA512 b981a5c856af44ecbafe51f072d1ba25835bf1c4d7a7a007ef335063bcf6456d784578593c44926d4d2054c9fcefa1586c8b04a705522619cea40b924af4d645

memory/1476-128-0x0000000000400000-0x0000000000433000-memory.dmp

memory/876-127-0x0000000000190000-0x00000000001C3000-memory.dmp

memory/2224-137-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hagkgAcg.bat

MD5 ccf034bd2c59f2b2493f445cab175626
SHA1 fab8783c5d12c1ce4a717db3028352be74657ef0
SHA256 b8d3d2290c06043902b1275630b1a49648ecc05590bda70eddc3ba5e96c05420
SHA512 eeb101a257def4e68c5879b5c28d3badea169b0cd0e6d926c04a30113aee92808a9dc32e0e18d148169ed7d5c5c1bc6380efa505eee9696afbdc9ef3a48675a4

memory/2920-153-0x0000000000150000-0x0000000000183000-memory.dmp

memory/2920-152-0x0000000000150000-0x0000000000183000-memory.dmp

memory/1476-162-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCYcgYYg.bat

MD5 7db97ea16e4c26833491bf4463f07c09
SHA1 6208a325e0d260e1ec5903016d06d5dd7b6ac7ac
SHA256 a547b956b9c6bf60dc4999a1f5f0cacaa36430d5d264217a39f35ba3d9c8e836
SHA512 16efae322e7cbb325d68feb42dd38d8e929e582fdd0e1621ad797ce93aa13873b65b48e13e56bb9b8047ab6d61cd381defc62058a717db60f7f2c0b338239405

memory/2660-177-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2420-176-0x0000000000190000-0x00000000001C3000-memory.dmp

memory/2420-175-0x0000000000190000-0x00000000001C3000-memory.dmp

memory/2012-186-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RkQIgQkQ.bat

MD5 8d757c19c95fc8eb3f20f31ce3227cc5
SHA1 8b784a7e5c992b92fdacbf43f3dba85a16165797
SHA256 9577814ad54de7d7ab547dc6915bf8bd60f7c2001482a6bf12237505ce2235d2
SHA512 ae7f7bdd4fc9b2325944571963d0d57c7d1e4ef86653d4815b9e18f3582fb5870ed57c37794c0b6ee6f98740588d6831ff40b03439117f6870c35a1c89e794ce

memory/1536-200-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1716-199-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2660-209-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WOskQAIU.bat

MD5 b75a7443bb60b17de85c3713b91e249c
SHA1 2b0baed8348f1b2d30b84d948ce390bd87ed00e1
SHA256 af5652c66fa1d141ce66bc3bf3bb632f995d143b02a5360388160d7665e0ef7d
SHA512 facf784622e88524a04da7fe2ca560a54a7c6e23f3faa4ff1776d4b30068b3796db75fca8d9cea8f3842c4bbb77ddb97feb3eb96ecc3da5d85085cc9ed24ccee

memory/2796-222-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1536-231-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IQkMggYo.bat

MD5 400ec2f7dc3cc59f3a8cfdf51389f45d
SHA1 975676db4ea4534a770fe3c9b9f417db4b2fd803
SHA256 23aefa34061a29a2ba7ca0c9a356ffde1fa98f72a4d45e3ec9c68f36daa730be
SHA512 1f2378067389fcd0119a015616a766250e8f04fbd58ca7edb8b2cc52387a49337e193c2785696536da2b6802d80b22855d1541ec84d03986cf766e44566dc36f

memory/3068-247-0x0000000000400000-0x0000000000433000-memory.dmp

memory/636-246-0x0000000000310000-0x0000000000343000-memory.dmp

memory/2796-256-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qCoAwIYY.bat

MD5 c1c6e15de1061e5476634469eae7ca16
SHA1 6d192cdcdb87a3fd6376568ea1c0849e6076dae4
SHA256 310a280bc201adaf840b237bfd097382339ad2281482327bf4e65b8c02d8c0d1
SHA512 d3613312b91430b241968d00e966e8067aa3b9ddcb73e65ca7111c143171cc34e9759fc16769ed84a7c351c521c99a7594d13c18b497a385f2db4be0497310ba

memory/1052-271-0x0000000000400000-0x0000000000433000-memory.dmp

memory/472-270-0x0000000000190000-0x00000000001C3000-memory.dmp

memory/472-269-0x0000000000190000-0x00000000001C3000-memory.dmp

memory/3068-280-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qeckkoUY.bat

MD5 d68c60ef6c9b4e372afd569761822fc0
SHA1 96ac35c9012bd0b821c85288def00cb411cc528f
SHA256 b1419f0a757cd1e9b2f476e6a217d16e747e33a3bcc4a9789f7e0ca1fed324a1
SHA512 49f320bfca1a6088ba6a6ed6f14891cbbc2298328d57433d823bf7bcb21ed8849a7dcbd894805b94c4bd90913b7b596184ff7f40e50f92f6d6cf1e046edc42a7

memory/1284-295-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1788-294-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1788-293-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1052-304-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NyYEYYck.bat

MD5 cbce38bceef6517300fb5432eca40a16
SHA1 f72f35c0d2b3e795341009efa45d4b0acf67ef7f
SHA256 2c4d5b9bd728ec94c31a014a3b57a2345e921bfd8e9100229f788c4f9a68ee73
SHA512 e3956b44a9f18169719e2ebcc20d3205bb4cae86b2331e8a6a85e035fbbb5be2d1566c5e2f934ea06ce016459a0f3a1c00d84505f195d24214947e31d38d5ccb

memory/1188-319-0x0000000000650000-0x0000000000683000-memory.dmp

memory/1284-328-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BeQQosgY.bat

MD5 3dd65d04b424c1a5d9a835f9a987d2ab
SHA1 e02a9b36900585df14b628430f566513ef7df356
SHA256 6dcd0bab84f0d6f5027fee795feed9dffa33d7f5ce1ac0f986d1523f5df20643
SHA512 3b7d57a53d37d55f3153b4f3b6d8365fbfb4591126d644be0790835f37222e7ad5f2af49ae6b8b1360afd4ec93a27cb55dcd4acb37a949b08ed285ccf8b95bc1

memory/1868-343-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1748-342-0x0000000000460000-0x0000000000493000-memory.dmp

memory/1748-341-0x0000000000460000-0x0000000000493000-memory.dmp

memory/2836-352-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZkgAgscY.bat

MD5 297d32094643b5eca040e1a5b12f5d03
SHA1 4f7ede56eb364f4c0868ed59c543c002fed7127d
SHA256 6bbacffbeb8185606c11b501b956a94ed01899416c7a055f5e0d18de4e98f8f7
SHA512 5f1871dc1bfa101526f4d6abb507b4f51c51df5bcb6f8bf041b3b1f717c0e7e7492428b6bf6c4974f6c70e6b72c529cc43fdd293a0c9322473468aaaaf99e9e6

memory/2772-366-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1716-365-0x00000000005C0000-0x00000000005F3000-memory.dmp

memory/1868-375-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HuQosEwI.bat

MD5 8f410a0a47e0f59bfeec973d42d3637c
SHA1 9b5ce65bcf4596c596a44f42317da6a6d5cb8439
SHA256 504b4f17a9cafe752c005ba47cb7e44a47a3312339147ba0b0548b31aefc128f
SHA512 5d2628f87be9a08613345861e1e393266d7d8dae30f23d35ec9ec3511cb000743e25d00703522ff06c8e39e7a073c7c8201d6ab295de2fc3dde9a41fbca30c02

memory/3032-388-0x00000000001A0000-0x00000000001D3000-memory.dmp

memory/2756-390-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3032-389-0x00000000001A0000-0x00000000001D3000-memory.dmp

memory/2772-399-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AAUIwcMA.bat

MD5 78c9445244919e37d71bebf36e947334
SHA1 c78af49327ab9d4ca92eb3f159166a9c9cdb6b2e
SHA256 d6d413af84f31aa83ab576c728f5cf773cf5a4a10fad16bd4dcb464c379dcc53
SHA512 9212c4e757daa90b2cf24abf7468648561ce36f9c8a55210b7f8f111b9af4eecb1f7848759ce06e61621f939158b06b18b1ef7d767a26b9e7b421b706b9cf3ef

memory/2216-412-0x0000000000160000-0x0000000000193000-memory.dmp

memory/2840-414-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2756-423-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UyoUAMow.bat

MD5 d830a3c5413962dcde8707cf22aab36d
SHA1 9d0a240e95be8270f9be62c3d38cbbb14f7aa2a6
SHA256 a2bf9a5c4c9d9bc083233fab84debd42bb53e609bc9f2729bcccbc488b90baf7
SHA512 6aaa6cd8569c92eb5fcd4b2f2ea5d39b70fe8686d215b6973a237245742e885823390cc165215860f520227260b0ae612080b6f77b1e7057f27bc291ac8325cb

memory/2656-438-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2488-437-0x00000000001E0000-0x0000000000213000-memory.dmp

memory/2840-447-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YoUAUMsI.bat

MD5 eeb9ab1c2b925715e65e51f145683dee
SHA1 896fbf9c0ec455827fc5d3670879e56228f95da6
SHA256 6e16fcd9ef015673b68d05a282791b6d5231ca358a156692d7692ab9fcb0ee1f
SHA512 9a38b5d2a556b71384bb0a30e522a48092bb439624257895ccbc64e7efb863022c1a95b3f9496058fcdbc21793eb4bc44ae9214e0ca1baaa851816a786a90e19

memory/2460-462-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2448-461-0x0000000000120000-0x0000000000153000-memory.dmp

memory/2448-460-0x0000000000120000-0x0000000000153000-memory.dmp

memory/2656-471-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MiwAwsQM.bat

MD5 f962800a18cade0a7d0b2fc1c7ee54b5
SHA1 ca8e011d2f250a76a7f36974f38cee0c66eb7bbf
SHA256 c0978c6ea0fb9e0890205c76d01e22347b065ef0ab527c52ef8e887da72f3408
SHA512 5419447d46796f2de6f2bf3a3e6ba7d121a3de3444c53dddba5f3f8d3a8e60ab4395e1d12ad7188ad0133fed2392be67841d8b459e4a05ba54296d17fc96807d

memory/1188-486-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1576-485-0x0000000000210000-0x0000000000243000-memory.dmp

memory/1576-484-0x0000000000210000-0x0000000000243000-memory.dmp

memory/2460-495-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vyEYQQcc.bat

MD5 d98fe858f4c8df3ed41720beb3a4171c
SHA1 0b5579dc90e096465d6b3b531336f1f74fd5a3d4
SHA256 445afb7a2a9a9f29eb890d38016bc57d453819a313b5147e9681f1e94636476b
SHA512 6ad54b513c7ff7cec167e4a5ad3cee40fbc301d6be71f6ec7a4ff0841c765bfae0cf9fbc7a3a3481efc2d6650bce6f1f36b9990cfec028034dc5ccd4e9d55240

memory/1104-508-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2812-507-0x00000000004F0000-0x0000000000523000-memory.dmp

memory/2812-506-0x00000000004F0000-0x0000000000523000-memory.dmp

memory/1188-517-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zMowoIoE.bat

MD5 948cf16a2358c0e6f72e798f756bc8b0
SHA1 ec1458ab8b9a1faee8241bd57a61d46ccf6afbce
SHA256 256b3b36fa51fddb168966e59d49e2a812c3a433dd0b02b42e0eec8a716904ce
SHA512 2ea8c9fb0b7d16c81f61c3964189f043f890661b24d66a17660be2db9801f0464987aa88610fbdee9bbf81989b9025f536dfbfb585c74a7730ada87f6976a585

memory/952-531-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2376-530-0x0000000000190000-0x00000000001C3000-memory.dmp

memory/2376-529-0x0000000000190000-0x00000000001C3000-memory.dmp

memory/1104-540-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XIQIkYQo.bat

MD5 9022225e5268a7d67e5231fcf1d55661
SHA1 1bb03ff42ef43d055f9cbb20636cc64c1c730c74
SHA256 077bd9c75d36fd708880e7051cdee93ad20ea3a0399eee94d92715bccb846d56
SHA512 8aecf1a532671c505ee4bc3f448cabbd0f3eee92f74bc6a1e84fc7fb0aef955b2c51a952074ba87816530f26e145614a08e61a38d8e13b28762e8215263362be

memory/3044-550-0x0000000000370000-0x00000000003A3000-memory.dmp

memory/952-559-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RGQIcUck.bat

MD5 d55d9023758ff090adff660485178d16
SHA1 cd62e7ea72a7c4ca345d91dad9a4a398cbdfed5a
SHA256 8ea95e65829cefa364f8f5195e2efe4333ef4c179f57fd7cf40908519f99c6f0
SHA512 c6fdffd55e1aa684cd3257b3e0d9fd2260e093fae304ee91da3075a7f122985ea27de54e36009a1b7521c90a0130d5bdd79f70f9783453d4cc892e90a6b5f824

memory/2868-570-0x0000000000180000-0x00000000001B3000-memory.dmp

memory/2840-571-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2868-569-0x0000000000180000-0x00000000001B3000-memory.dmp

memory/1648-580-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QkgoggQs.bat

MD5 3606d2ab593568631d7fea00d72270de
SHA1 17390fc4a835334a8776a159954e326f886226d6
SHA256 1d90e4f5d91e08772e0abe6950886acceab17db1b0dd7243e6ae724716fa5f49
SHA512 86d4d16c535725522f41094335425ba124f5f0793fefd19872b318e9eae22436fe188819faa936fff10a9fb21a9f5f4fd2b223ae42a6e8fceb2e28c313bde7e9

memory/2176-591-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2524-590-0x00000000001E0000-0x0000000000213000-memory.dmp

memory/2840-600-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gAAsAkMU.bat

MD5 63266fdf07f96c2e432b57c6e1e0fbd3
SHA1 c903fed6ab7f54e84c1272f75d6f71394f2f0344
SHA256 f363c08456d3f2379e104c3d7b94beeae0c7d20a26881060d08634202eefca3f
SHA512 2aa44257fbd9d5d02e9135003c6ae32064f14074f44109240280e24cb965c96db4b521f495b7d74f20358d0e709b5dffba4e6dc5052aea4db79acb74f7650cec

memory/2460-612-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2704-611-0x0000000000280000-0x00000000002B3000-memory.dmp

memory/2176-622-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OGcYYsEk.bat

MD5 92405d58585c291fdded46233e822c77
SHA1 2148355a9c8bea25ea0ff89cdf575093515b6d23
SHA256 b1bf6744b64cefa9fb894973b008a86cc4d07a4abea14d97c7a66f4b6bfdc5ca
SHA512 ab9c46463fdb608d6617f8862a5d06326fdf10792c1a181065a3dbedbd04447445957f4e0b04de7e486f82769e32a68657bfa146f48cf613c842f91638bc5c08

memory/2252-633-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2460-642-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2492-632-0x0000000000120000-0x0000000000153000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IgIMccoQ.bat

MD5 7bba8f1eb9871e07ddea45ba58fc5ad1
SHA1 156d37f1221734ced227f645bba381a35f8c5ea5
SHA256 9f136ad6ecefc6cfc6c79c2bcf09851f6ba8db7de9e541529fd65672baade7c4
SHA512 8c29927de6e7cc009b78a901394c2be78d698bfcfbeb9adbafd4d0746ca7c2a9ee20e76940cc0bf7c9203b99bdf160b4b1655587a9a1ab31c0b6fd9778271884

memory/2252-660-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WaEQskEk.bat

MD5 2744f341236511b57dd08182c7153a62
SHA1 e9f5a38560aff7b362d0ba57bf1ca377e3222d93
SHA256 3502e1f8b9cbeddde46a1c057b225ae68cac0615ba306ea11f2cbca69b55b230
SHA512 27a41c4a1526b645dab262a3819df03825f2ad196449d67a1f801d311ea3b0b44857a473a51b821b324196ee87f6576b80b0a761e4900826e3d734a201a9239d

C:\Users\Admin\AppData\Local\Temp\TyUAUUsE.bat

MD5 e405a527ebf1d9174cc69e149249c47d
SHA1 05f489136094a4595cbd40d2385224fa10793e65
SHA256 8357e8686cabf580b8796aa5eb9fb57440d6da358e79f535392ad2e706b338b1
SHA512 67fd8adbeb6126b0ef36ac474811934a29668d35bc12276d4b63259bb624c2e4d9782aa4dc6a04f28da24df1dc70c6a3bcf991362dc8e5c5f51fc21f392af835

C:\Users\Admin\AppData\Local\Temp\GYou.exe

MD5 cddfdaf9548e09f750562c639ee75953
SHA1 89e8a2a0f5a20533465f09cb6d25a3f80d76f42f
SHA256 42e3b54c8064126e091a86439daa140f85ce015d65d24d38b3390c422628f6c3
SHA512 05296d21c849fb8000a267d8bbb02105d45de264753dccc8e420317db9cbf85c8c6e396c9390016f5d3ba19dfc51d0ac89897a11d8069fa2cd91a973d749be13

C:\Users\Admin\AppData\Local\Temp\BmIIkAUU.bat

MD5 7df5064b73ea2425ac3b9a53080e58c3
SHA1 beec8dad9969f260c1206d66af1e91c4f6ee2f52
SHA256 a3074611ef72cfbe62f1d534db460128d11a03620141fad088878c396cc6a419
SHA512 ea2c3549819620ffbe1153061d30fda0b6e26da99fdae9575974af98e291a4876993b0d33bde8143e94884cd7c8ade20d1b3232f6057017d1cb4fde62a05569f

C:\Users\Admin\AppData\Local\Temp\TmkIosYc.bat

MD5 73850864a857e4fc8a5977a47fc6b9e2
SHA1 319775335a04188df42721228cb2d8dd390bc05a
SHA256 b2a075e9a2cfe23aa300ea9d69e3b4f0e04dcd42a543a59cc64bdf9626a03374
SHA512 67cbc9b913052c91590d9632f82dd34235bc08e1d382adde08a0a8bb355fcf160adc7b37241d54afca6c91be08ccad478b0055d36948948ba13fb8883c003979

C:\Users\Admin\AppData\Local\Temp\QmQIUAQY.bat

MD5 7f33ab286e457b362a7701ca6d6c80df
SHA1 805607a5d3de4b3e7e57b0a525333e8fbbb4ac1f
SHA256 061ff137717687966b7d7b30b0135cf444db76c74a5ad13fe44630b05cd0ae75
SHA512 8cfefc904179d2dcd291150657ae51431b47c5e9b8116f2d6a2d799530c50f06b3e6feec2c47e171544133b88c3d52460fcba3a56f93e5fcf74d7efa61909afb

C:\Users\Admin\AppData\Local\Temp\aaoMgYUA.bat

MD5 3416663f9815970939b99afd7c1239fa
SHA1 193a1ac137b0009c989feaa02f1e0d00407cab5a
SHA256 c0a4637cf217d6efc3048414720fbfa51cf5f05a651b6b91eb1850ed55d32e5a
SHA512 2e5f91b328684f043fd26d8163e2823e4feb8590a5338b920dc09b12e76a1e90360b58b4a9c67357738ebe9a752b248e8a47817c3fe160eae1ccc586310df80f

C:\Users\Admin\AppData\Local\Temp\uIMwUcko.bat

MD5 563476148ae023561c181f4eb05c365b
SHA1 b104ffa54b590604c577e214215b4367e77a2a7a
SHA256 04a1a4ec61aa309aaab314f1817d708a475ec8bc35fdcc0104cf28e5f9eb6d66
SHA512 9d796654cb7941cc243c5b271813a07b9fc399a1a94a2fa3acf53c090e56185a8d29c663255eeef04f3fd01bf8910f3d67651f1a903783251ab27c6fde4ad003

C:\Users\Admin\AppData\Local\Temp\YUoggoks.bat

MD5 5b8878ba5e682a91852df86b1546729e
SHA1 f481b5229aa72fc51a0eb474dff2e631ab68b348
SHA256 deb46c1fcecca47747b5f3935150ac66fbdc03b85655c70da546978076050047
SHA512 40b7dc564a9088c0c1d2505ece9a1fb899c771f7fb27a4f1b5bc1f15dad8b4ecbcf4a3616182945e1621e967ceaf7c258a4f3619f74d79865a00a997580876b9

C:\Users\Admin\AppData\Local\Temp\hIAQwgUI.bat

MD5 dbf7953f7f3c456054ccfd16b1c4b6d4
SHA1 bbbb986d93414a8da1c8aa370697f0b2b5e000e7
SHA256 ebfcf321eeeb71640586d7356bcda0198dcfff5985b3cdb5ea3359e9c3960498
SHA512 fcfe7fbadaf392f49701dbae8ba7ca853b7333da872da6adffa31551de739d8695fbb0f3cc91caa75524eca3b77d10315e1cdaab2a2932a3bd1112194cae1083

C:\Users\Admin\AppData\Local\Temp\zeQMMcQk.bat

MD5 e9e697ee40b1cc4820d40e09206c5822
SHA1 2782729b4775915c7e8dfa79e7bcb82580c7c936
SHA256 9cf865e41b335fff8ab352023cf5ad0b22ecf40dc3af8302d96d88f6a373ebce
SHA512 e2a051e81137c60fd499edfe1360067fd62ae05f760464a140d4c819c3e3db5c75482e35382dda3ba655c13d83206dab14f689b51c3c227cd4de13405892ea0d

C:\Users\Admin\AppData\Local\Temp\TisYUosQ.bat

MD5 4a1b726fe82426d310709f0df7a8bd00
SHA1 d78f20579078e84b6b7db46cd060b29b539fe51e
SHA256 5dd7aa1aef34a21c2eb8cea61d68c22525385d552f4281b669879036cc476f51
SHA512 cfbf0ec84fc0e44e3e2084bb07179350027e2be9ce17f34420c5a54659db024bf4f6c0393f989709cc197da988979b087a1043088a69bea0aba43c4198f5c6ce

C:\Users\Admin\AppData\Local\Temp\OGcUcJEh.bat

MD5 23e102916a540089cd97b1fbc0080d3b
SHA1 c3f845b221d3ce2910d18d70db2357d47d89b091
SHA256 6f6b8c893a49da45052a0ca24f45e7e2ca778cde66d3c6e1b4aefd794444937d
SHA512 c42f9878e98dbe228ad563a537ac936236af76e4f83d59d69e596b4134b9c3eadc5724f281f52523757a4436009473c1a0b49460e0d65bda236d4cae937e5fa4

C:\Users\Admin\AppData\Local\Temp\mMIIAkoc.bat

MD5 274664483e16421f7a616cdbac247351
SHA1 00270ae02cbf3a25455d50ac88d8b8c09da0c2fd
SHA256 11e672b9a20dc90bf6d921a013292bbd6908fc0baa1daff847cebb6100f55e9e
SHA512 b3b76605a00fa867cc5306c1d4a0bc8a9b7831789ad8e402bc59bc17ff148b0787fc57eb00e210c0f184396b0c3e864c763db01f070f96b6799e85a76dd09023

C:\Users\Admin\AppData\Local\Temp\OOwAIgck.bat

MD5 ae85339e5237eea385ed84c354beada8
SHA1 66f4ef37d8081ed0a8a7450116a91a8e0b5a6ee3
SHA256 61e834b6dfd400c0150ccef699d95e72c794965f73192e98085746cbe3c63041
SHA512 25488c2c280aae3bb18d7d07149c67f28b80d471cdeeea25d44a84d9dca4d4ea939ab05c431bcba0984e34e910b70b6c29b066698ff10a10deb84f8f7c2a0e93

C:\Users\Admin\AppData\Local\Temp\gEIswgYk.bat

MD5 37d1b0280825b7b00c5a4a9de4ac205b
SHA1 4384df42fccdf9a909e2df0e52c48198743c6dc7
SHA256 87bb46d18949810537f17a5f4552c73d1879a95410ccdc6d3443604cf4cf19c2
SHA512 7040f62aafa484ec22b7d623ac11cbcfa7a9ac6d46a1f8acc614802f55284c05b94f848d3fea7248f7b42590f34ccdfd196a23fad8ff97ff18042ff1ad8ce2fd

C:\Users\Admin\AppData\Local\Temp\EGAAgQkk.bat

MD5 4c790883a417ccda3d0ec8fa66aab2dc
SHA1 71bf463a818a25cf758af82755c39d345abd0c80
SHA256 98643dadf0122786bfea4c998b2b646779bc107fa1e536c5cce598ec305db62c
SHA512 910481559bca87214a6e7fad17b2dceec4b769538e334d001a2266d3d14afbf9b0f4fcb362b3ad1366cb239babcdffec2a5e727dfb2cd753c2ce1d9ed9a9b395

C:\Users\Admin\AppData\Local\Temp\huIEMQcg.bat

MD5 b24b37c0ed7af9407d0252e50578b64c
SHA1 f133009ce5f963cc32a267a24d8962cf7d50a975
SHA256 fdcd23a1adde57f96039b68e28b71746e21f072d7bfd23dd62b08d3bbc60ae9e
SHA512 eee1d3139ab8b73bea933d49b04b4329bb1bb6e051c362a4269dceae710f5118d0192fbc4b612c9475b207ccef5f9ce7de0524b603d6cf7d2e971f9d6fd542c8

C:\Users\Admin\AppData\Local\Temp\DYEkUAMg.bat

MD5 14b441957e084344c99988dd792e4f66
SHA1 2ff007f801bbc575704a718a12da1c545f76876f
SHA256 38e9684d45218536db4f39953c4571c2a6c3e6d374b78f3887f685231294df12
SHA512 3a8dfaa4d3397233d93d35766010d39611d3805d4d9fb28c093f3042c3904ec731c74181bd335ab9e509cca85cb7ff7eec0f07603778389cc56397a9249247fa

C:\Users\Admin\AppData\Local\Temp\IogM.exe

MD5 17fc3c1f2a819fcfe86ca78dac2b69e3
SHA1 fb48fcd2e3987a766f3016dbb8b92029e94f9db4
SHA256 0d2ff1ef3b8d829daf80bc22873066a0cb034c98950d69cb2b574dd8aee565d6
SHA512 22d863fce05dc033c5b574bbaa9f773058762457d91a0d64a8ba6f60ac7d54045f382b7122fc988a5a56a21ee6d330162b30457df0e160be3f298ffd51e8cfb6

C:\Users\Admin\AppData\Local\Temp\MIgy.exe

MD5 f0625f1cecc2c2220e60a7faaed1bd06
SHA1 ad3f8a806dd3efb406a61c282688338fe97bae0c
SHA256 cccb37f2718b43e04781e5033475b6b2895fc04c9e35bb4f3374a402aff6ce0c
SHA512 569a669ff60a28523fee065f1c9f7d909946bbd43383d25cb7e0360a8b5f2f29904ea105384ed0ef9d57e01dbb1225a00bbd390c78dbc7eda2506cfbe68a34f1

C:\Users\Admin\AppData\Local\Temp\iUoO.exe

MD5 bb86af392c9d6aa70943bce7fc89958c
SHA1 0d3189a7ff1885d99c84b597d14a289b36119027
SHA256 1006970635f2b169c832c1100c75a3bcdcf02d4ca3c4f56743bc73368820662e
SHA512 57054eb944d34e02d80d3e4b426be8b8c1d18e32977a4b92351e81694d44ff9a0dd5cd358c2a9153ff34781edecb8b3dcdb6dd4c0de6b76e8180f517b7288bc5

C:\Users\Admin\AppData\Local\Temp\OAQG.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\xCkkkMUE.bat

MD5 2578848fbffdcf83bc7e5b637d344aa7
SHA1 2e0ed6ec57df9e2c30581abef13aa873c207d8c9
SHA256 c3e4146ed0f85cda3a4fd4c49f7c0e9af21324f34f13e5331296a338a8645641
SHA512 298890938d60b1c9befd5c2876c3cc794fad0757c108a3c3ebcd3c6eb3107902751537e96d4a91637eaa59c8b972431d53c393618631bcf1f75a46997e8cce37

C:\Users\Admin\AppData\Local\Temp\aIsw.exe

MD5 b028c295812790f0e25ee04393a940b9
SHA1 30465e8f27e538834189bc3116ff4f820640f594
SHA256 f75031a049239e446e6e1f43b9d21f1bc1091ce05d8b1f6c1f543f4c60e58fe9
SHA512 cb5d48ac8a8c3e2ac73eba3f9f0374cec015dd06a2725e30591e2ff6baa9f374a2d60786a091f4757348fef985e36cfd443c9d4db715400d56f572f00f689a02

C:\Users\Admin\AppData\Local\Temp\SQEi.exe

MD5 bb16c0c6b8154c24d8b74e71503b4d29
SHA1 7daf3b0588d7796fdd2f9990fd3923104baff29c
SHA256 6d5f8bdfa2c2e873b1ba86c50ef63bbc55cbc01a7f94485af1791ff92057357b
SHA512 20cb83d7fc187804a6543e72920889e1d1d8fabcf1d714cd89628ec3443c4914075ad8aa7e10b52904e1824e1cb7c90e980ed6efefcae71f963af49dee5fae45

C:\Users\Admin\AppData\Local\Temp\IAwC.exe

MD5 776415b9572165f3c592120a162bbc24
SHA1 87e7c2d747a070ea9f9572b8c82ce54436622724
SHA256 b46db832b93bfccb5709f4f6b98b096688daea9ca20db7b204a7b261be53a251
SHA512 703a20c1eafb7f18e83c3b3034bc0eb177313594ca74297dd39acb2ef812ba52cbc663e8849f743115957ca0ee2989ce329f9ec049183d1262ec6a95d73781fd

C:\Users\Admin\AppData\Local\Temp\EUkE.exe

MD5 48d71850d59ab3368e51f9ffa0445e64
SHA1 63aaebadbcb29bf4eb469d173c8da87c025c68dc
SHA256 2f8e89229cdde34fdd3ecf6dc5e09617def21acca8e52017d1cb2e2607a20522
SHA512 99cc07ba49e49d0459c820e084e02d19c2dd13ea723c6d922e2f87183e25b94a4672b26aba9d3c29f07a3930b5b8b8a633dd61bf708f197118162d06b3f2c8ec

C:\Users\Admin\AppData\Local\Temp\YcgK.exe

MD5 8222250751d2ec24788f11437c36705f
SHA1 23a57f8facfa92b84b8184fa35c5a1754dada4d8
SHA256 cc6e99bdc8b8da6f082b11b7480e5c86a834bb340e0366a3c1170794a5f8b8c7
SHA512 5023f6fa7bbe2d593903f4abb9638011fac3fd5c13e4937fe175045917b301c81cc22c38fce79629f72b18a1af76d127fff929d1e3ceb6bc93e783952d0b7e75

C:\Users\Admin\AppData\Local\Temp\eokw.exe

MD5 393b5c9e986911a06a6fb9f203e036a6
SHA1 389a0f5b2a4bad74a887223a732067dfb4fa6a83
SHA256 1b4f38a24d9249837d0b79284ec45091260acc37ade162ed7d3a3db58767dddc
SHA512 87a0a1a14445dd22499089278db15d0f6164c4e2cf05f68fe7f612854f9f0dac625e88ed1676a2a7d0d7637ee15b96a397b122863abe3546b7a13ca0afce1866

C:\Users\Admin\AppData\Local\Temp\pcAUcIsI.bat

MD5 fda27849c90e9c24ecc642f77be8e5e2
SHA1 06c555001dc6825f92a3c7ee40a723fda4032d35
SHA256 ac197b29e2f981d170bc13bff4ee37a882b7454ea44ba832abe29fc0030b3869
SHA512 054114989e4e27f398263e1a7fdecc85e72936cc4338f5b68e066241810ef072648bb76dd5157fd92443f74d122f56163e82e2adb34e13adf9bcc7d9f787c523

C:\Users\Admin\AppData\Local\Temp\WUsU.exe

MD5 40c4b016c2499b0dadffbf0b5afd0ae0
SHA1 9548d0a0d334bb1dd931a4b7c9ac0e97f781f52c
SHA256 93563b672e883e9f3a23abcde738241e9043fee374942c3a17f47c61a7abe253
SHA512 73db92dbf1b6bf142918b75688454f847e82a0acd224179dd15b2365708296721aef86c886edfc480588157e72581860d0c91e8f1ebc91e6b8cc2f651f4d1350

C:\Users\Admin\AppData\Local\Temp\MUIs.exe

MD5 a52da22a543779fc0589a663d6913a64
SHA1 940e3c7355c13a9eed909acf9bf7945509aafa76
SHA256 bdb60d8144498646e96c6fb81887ce893236b2529ddf20f18541ef8fe4aefb7b
SHA512 610148c19a810fe1cf0eadd2e9edcfb0275c2ffded02f8bc47489504bf95e1a0452928a26459c6cfa3f8b304d6f848f68394bd2eda2486d0f226fc20735b0201

C:\Users\Admin\AppData\Local\Temp\aEQO.exe

MD5 cd48c7c1f2504a0b6404f6e09dd4f1a8
SHA1 423fc377ad6fc6a6e6fc82bb5473dadc3889689c
SHA256 6bee0e9d25aebd5b462d231c97218bf59824041f13bb40eba1f5cef8a0b64331
SHA512 e9e805b3bc9f88b81677fa778cf63035f35440e34449dbe0ddef59b7db3145bd195ae80e700c17d1d67ae62d7f8a77628717e2b04a4e2432a3f4032c816a18cf

C:\Users\Admin\AppData\Local\Temp\SUMo.exe

MD5 2d8c9130463f8d676f7af97f68ce1906
SHA1 337f74978dbe7335f419f10eb57da1dff741c69e
SHA256 38e7cfe746e6926bd96a430f719e009b93383207483c1c67963c58a34888f78b
SHA512 75f25905181dbc85aa36780f28e86bdf352e8733595e2366f708abb4824f1709a54050aff2e48998c74b1beecfa7d2d563bafde55bf19c4e5695b291b1847b00

C:\Users\Admin\AppData\Local\Temp\cIUwoMUc.bat

MD5 10097a95bdc1933efb9e5825462fcdbe
SHA1 43d0772b552f0aa351c15082733faec155e0bb68
SHA256 606e77c7be461aaa9d07322b1431f89bacd80418558836b946647da376ec86e5
SHA512 3b5dbeebe36a44cb0cbf8297aa52674fb4484e1442f7b4c9aaa7cc0316bdd517bbbe230f07a77099521435abd7f6fc695c6834804bef33f2d43e893ae8e30265

C:\Users\Admin\AppData\Local\Temp\EQYY.exe

MD5 baef9e7449e4d521626987a8cefc7cf3
SHA1 20be46618df08b5460dbafb8a4cd804b7de7555c
SHA256 712269063293bb9ee23531573809913e51cb2882dd4f56485b3f47c6ff5a1ba4
SHA512 b29db1704108475c02657d803d89b90a9d85bddf2655db8937a5f0f154b7e3c8b6cec4095abfcb569919280f49538ee40569bd07ddcee9aaf86314bdc3be84bf

C:\Users\Admin\AppData\Local\Temp\CoUu.exe

MD5 3e3f74964623850b2abe0dd826ed1cbb
SHA1 d462551b4cfe5bdec22ed25e39709c4a7c0e8a35
SHA256 df5ade339b6ce4e24861cf5ef5bc6a8acba5f0c4abb4d236566af15d88c0337b
SHA512 f05406ef8d67770609a17f478039e3e6fe4c89453fe7affc38c4290890d59fa444cac90d299442280e751d35a3f4941391e715b70e14533851fe170e8e36898a

C:\Users\Admin\AppData\Local\Temp\EcQK.exe

MD5 54bb75e6c6287948a3139d1b5b1660b0
SHA1 76c066415949c9498753701649979a5ce203aa67
SHA256 d73736a96039fed294493d92c587c495ec05f7ed0be43120f1415d8d9e7f5086
SHA512 e473a5616664023a07b81388f7d3c7fb4c80cb5d12be90680e441856a4823484c8e4e48c42d6cdffaa6676800cc156eca86a553279e8e107febfacd1db207d33

C:\Users\Admin\AppData\Local\Temp\oUsG.exe

MD5 75c8ffb450e67dc9915de35990b9256d
SHA1 819bb6c0f3378338b5f1aa4d918eafa976b4497e
SHA256 4bca497565d2e0eef599bbce54ab64695b114778a78754048c33d802dc275343
SHA512 b8a14ef9fdd3b24719c94b90d349b3e2c648b435e260e61564bb0ba4d44879b00140647cdddf6796d90de995e8135dd6565369f3c10cb69b4af4bb1781675649

C:\Users\Admin\AppData\Local\Temp\OsIwkYwo.bat

MD5 45905336a6d18f29aea1f86c2abebf4d
SHA1 0bb6d841e401dddf37cabb8832fc00f30870a390
SHA256 749843970c84361cd97fc1c70ec8e1d77bcbce0e6c5a4d84f9932ed6b733100d
SHA512 dc403c61df4b35b078c130dd8ae3b47d07ab301f3f4d7f459358907d23e7339f9110641293c9a506c9ca2a558737475d480782e5437ac25ee91579af330c474f

C:\Users\Admin\AppData\Local\Temp\uEAa.exe

MD5 e10382464f7633ebffcbe4c8b51dd2fd
SHA1 8f061eaacf98d5556bb26f57f0c2c3869ab25ae9
SHA256 f77e08e985740978b373db1a7e8b64e1725aacfc47a7005643c8944d7806eb57
SHA512 7e9602b02ad0306aaa1fc1074b373c8741f8901af034d7633bf9f286b845c3075b1ee2014ca23d0f0fc7ea116e85a202a8e2c3227d27df86962c4880cc689252

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 a410c871ec89519ad4d97b519d1b8b60
SHA1 23daa0fe6d70845500529f2c285877830881ff17
SHA256 f584859e2dc4310ec4b242d2c3e530b7e80db4c6decbddfd29c77ba380c408f4
SHA512 2902c446ba656646ef56898d51c3975b05af2d4e14dd46892129cdc78a6877b2c6657c400ac465f29cc964db449b982be9f6c9186e2a5dc04bb009d085f58f82

C:\Users\Admin\AppData\Local\Temp\QYwI.exe

MD5 7aaa5871030fc9283d44ea9e6b488077
SHA1 f3544df0ca5f4bcd321ac6be1b07a77a1bd4f737
SHA256 5ada4f98522344d5f10402f9032b336248627782dbb64a51c6b3642ca3af59f3
SHA512 b56d6d16afd6a2ad81f38ea05d17fc73597ac3269c0d15c018f7fd0ccc9c8a254a4896cbe6de8303ff3514cde675850cbd3490a666488bd7a802120b5c37d55e

C:\Users\Admin\AppData\Local\Temp\mMco.exe

MD5 048e2c6dd86a46b09618612f9e7ec763
SHA1 9b0186653473342ecd1f90204d6b577e1b7aa55f
SHA256 9584cbfd4663f9730c6c6162b9118a3d991b6d18d669bbbcf457df6754200000
SHA512 774fd6340f67ce2fb0f9f51764b4e3402fe5d75b6a7f61f0b6f0958e677003afbc3aca5d586a73f98cc6645665d25afa0195af871238b6840d488b1094de1982

C:\Users\Admin\AppData\Local\Temp\KiMsoYAo.bat

MD5 e7ab09bbbc3c9ddb92cd0596bd52e4b3
SHA1 608ce189f3e1fea76e30552abe4d3b484da31196
SHA256 b37d900be57d590d277ccb204899cc97e06f9aa3bb2b383f1e373d56412df1c6
SHA512 a5a04a2482c078c12d7f48d73f34cb000d89300205c857a9c633eff24dc23c8137bacf4032e831e705fa953dcf85452602985b810841beec59b5fde1fdd655a0

C:\Users\Admin\AppData\Local\Temp\wcIg.exe

MD5 c7db4cc451ca6f3cc56d2a2b3826d401
SHA1 2edbe7fd773f5d7003052539b8254bcc02e68f32
SHA256 5f195dece7a003a6bc12406c3bfff1d334bcb9e6862dac23f6cff88d2ac11d29
SHA512 16bdc3231d5fae1d08b746a1e91a36f9236045816bb12f8d5dfd32fe419a52d396362b144f01402fd31399a571a41c10fafedecbf992d8da8847069dca2ac0b6

C:\Users\Admin\AppData\Local\Temp\mgUo.exe

MD5 89290b9727123d436ad7426fd954fd08
SHA1 8d732aa7d1fc322db8f1e3acb0788a91f4e6d295
SHA256 fc3ca9ecc07366eee673332d2597b2084f02cde2a7942e1b25e8c4b930bd389e
SHA512 8eab1c85393ec4104cfa49cbff85399c6356d23616467b0357ac66b050f65d0020b5f17a3b7ca7545e8d15dceca7d933521087466f8114ec28248010b92cfad1

C:\Users\Admin\AppData\Local\Temp\eAAe.exe

MD5 70e8500f0c73bbdb7317b2dfe1fdb7d5
SHA1 df6b801a5e51aa4985723389d99a88f81ce2f5a3
SHA256 b9872b200e457ad35567a2d8aff691ac8fedbb59d0a833064ebb84c8f0f3292b
SHA512 e20356d946dd0e654b407a860f4ee3b2c5bf04e068540af279e1268978610ac7e0da0db8d36f71894595866dcda696ad839e2395c7e21d29b235a72dd3eb9526

C:\Users\Admin\AppData\Local\Temp\oQcK.exe

MD5 aa8132a668701a87da5f63c1b831ca9e
SHA1 a8633c3bcde5e0fac21d87c58860bdac7ade043b
SHA256 fb79e7331acf9d6ebb02aecd5e3768e2e2606f4dc583948161540dfaebfbbf00
SHA512 f3f0a9ff3546a606cddbf47775956e1bb937052bd19b10740885990ca41c46cda6834be21e2cb44720967e510fbbbe294b8f299fccb5e9fb6f6529e782cb71f1

C:\Users\Admin\AppData\Local\Temp\miAMwokM.bat

MD5 ebea7b555523da0e9a4a72946bd65c0e
SHA1 e8ea014a9329554fdb0ab76104448d1592a95ece
SHA256 0e0f4cb98c541ffe8a55fe65e2ee420a655a3903df00fbafdb5297ded0dd4a88
SHA512 0084902313ce89577959e8cd9025999875b4081e05dbae0ef74bf3553fb00a55b0ed6bf844e0a856cd191dcefb65ade8e4fb3609f3094a5ee457159172d3ddf9

C:\Users\Admin\AppData\Local\Temp\AksO.exe

MD5 fc3c9c7c563f0ef28a9f68a5355a8481
SHA1 f440516c60df8c6bdd70919a89d15b15e9ca6cc0
SHA256 79787d59461045e24cd2a38960f202a570707f95828ae4d2eefdf457e2c534ee
SHA512 e2d61865e77c9294e9dfea9f76a321fe551e0157865f7146d5f4d77b20e5b5422180e83125793accec87006eb6fd53c4a6da84def07c59340960d2b244109838

C:\Users\Admin\AppData\Local\Temp\GwwA.exe

MD5 6c8c6d46fee7a3a31466437a7e6a3336
SHA1 a6118cff8bcc91f378776d28330f065bf96dfb7c
SHA256 4e164355cf83955fc036368815af86e1cf3e1e4fda81bfd86f60b1cca0a5c550
SHA512 32e1551e19ef9f6a0dbc10e46605bf6b2aa0e09e18b7be4925a2d3a53d49e30cb058b67d49fcde7a3fffbb479801d81b2396615d523ff49a65d04615ea02c675

C:\Users\Admin\AppData\Local\Temp\iYMm.exe

MD5 8e00b5c1e2d7774e55eac90d937f3515
SHA1 81b3c8b6863b68213f592bd984095c3b2b569199
SHA256 8892213fe47fccf867cc3c33824fdf5bec10c63aa1df8742b21ee0d738f3ecf4
SHA512 83ddf4488265091e7705603d02321a9566ccf5bfef9c6e3226c1210f1d9be875d18be035bfc8498574380d93470772154a23f430fb07ccff9b6c9664cbe06742

C:\Users\Admin\AppData\Local\Temp\aggk.exe

MD5 31211b7480dee9bfbd0eb6881343f780
SHA1 e8ceb2cb98eb37938d902e19d02f992d524c824a
SHA256 bcfa3612ccfaa179b80a98d6616addc393bfa9fc206b34ace212fd9bdb7bdd49
SHA512 70e5c2716dfdeb3ed130b77aaa355958e5bb5324bd22e4a71aeefe457a4dec730bc4d2b7cd6b4d602f378e10e9df3be2191c1d44f05722f9ac0a30b44ef42383

C:\Users\Admin\AppData\Local\Temp\Goow.exe

MD5 87802c78ac66fa004962f99ca9f797fb
SHA1 0cf7ff628ff37079054e0112f8a9fab537c992cf
SHA256 4fb62b88233999c02f1de5e7fd0cc1a8d5ea0ab3db33d5b328a992134b519f24
SHA512 658c7ef32ea8c68c54c63b5833c06951e511dfdc6e52e8a88bb2c3138000933f638f5e215bb8cbf118bd647555b5f07c782ff3868e740f3d06638f95fb754edc

C:\Users\Admin\AppData\Local\Temp\CEcw.exe

MD5 9c0a202e1110b0c7d7853bfeef6230d9
SHA1 8519a29c571e43826766d1cfed385e03af5a2943
SHA256 fb682fe6d04c7e75d421308a76c934814c428ad7742f1ad359d40ff84eb7282a
SHA512 3222ac6989e9fe893086718ad245e27147d7c4e1f4d8a851d4af1889a476fdc3b472e7e85d1ddc6b6c0006b88c6a1647c201e4f6f954832067012c266f9a21ac

C:\Users\Admin\AppData\Local\Temp\mMQu.exe

MD5 d2f67c774073dfc32693e8e372003847
SHA1 24242a5861c6736656772fe240b9a72d26f5d54e
SHA256 274256cf88286fa5c7209dac0e6b28fcf86a94173c5ae3ca171434479790bad6
SHA512 ce72faede904871498206fe412eaa54f7e09b193bea85e81ac145576b7dbab809ffe55393505e9227eb25022010b2a604420d0cde1bd52e319e821a0c7976877

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 e34b65ec586ef683c756e6e23b6a1d57
SHA1 10a27abcd546a13b17ecb7206ab394c27132a94a
SHA256 43f1a0b44e81e40f83c65a0b4fb076c38265e03fdcdc7c4139002b0ee62805ad
SHA512 13d46574f2a4dfcce7b093cc39a19db9ada52ed7ef63e56d2487a86d9be004df637d065670a511f565a0ffe70d07a2153d34e23170da74769fb6b83d0be8ea39

C:\Users\Admin\AppData\Local\Temp\beEEkkUI.bat

MD5 b6b827a442c81ebb864098f90c454fb3
SHA1 5a538e892b88e0929a3cae22255e0c660254e1c2
SHA256 e489955880159bdede8cf2425df8c3d3a3f54fa03bff66dadfd2e7fe97be7928
SHA512 ba0a5a1c3148a3a57051f02978bf1efaeadd1b6a5bb23da7d3086e50ff27f6802ef2a67eed2e3780f8c6db354612df0356f5e83cfb93e99798dff97a3c7f10a9

C:\Users\Admin\AppData\Local\Temp\aYwg.exe

MD5 3da4b47f1c6485270c4bd11b8338e6fb
SHA1 92de3aa4ceb4a57cba021cedc16734795bb859a4
SHA256 0b05086641a1cfc7fb2c560158f7bd3e40db36a42ed24fb47ae49e5bb8e556c3
SHA512 209191fe64cd15324b45b38f15529fa18ece0b3e37c636b9611c0a3ba2b9b9090b4f9ad595a7b08b4116396f852fc0a3ffd788cf769933ced93e3c44cc32215b

C:\Users\Admin\AppData\Local\Temp\ickS.exe

MD5 8d1c7b52d142d2dd18d2bde2419c24e8
SHA1 1fdc08f071a38f7983a08f723c66a9ad45d26a8b
SHA256 9693eabb4610a466d7d3421c8bf51ad25f5ba04cfbe11aa3d78ad17d8dd7ed9d
SHA512 d0ec508f17457899b2e05e28385333638e3d86c41d0e53e60a8d7714bca713a8bc6b4d84b16c20f6f36391eb346234cc23f14a9420cd4e81454bb5b6eb3dbd3e

C:\Users\Admin\AppData\Local\Temp\iMwI.exe

MD5 4185eee451043ca6077f19cca49e1766
SHA1 a26f757bc6109e5f404d91e6249ff895e29fb680
SHA256 970003c4d01de9b7a883fcc4c7ecd50778ee97ba823486fd17b04a08c1b8d997
SHA512 8043af885d5adf6eaa3b1eb40fc42066ca136f39ab0ecf5b9346adb6e59c5ac32a280cd25adc3312695513f6a45b58f3eef43a20b59e1959da173583e8a03afb

C:\Users\Admin\AppData\Local\Temp\UAwY.exe

MD5 9391c7dcb9a500d39684d7467436d5c2
SHA1 925821cbbfb1ed119fee3922e2f6f7dbb953572f
SHA256 ad53f554fdd791aa71cb949655e39af4ea8080d995fb844ed066835d5c4c0fc1
SHA512 aca0e6b76ff3ae2a0d37b343b8fb40b2079d93ba90fdfc00572847f281a8441b0622f6a1c1b494c7531553e8fbcf4eba2f621398a9133a36e37c20403cecbd32

C:\Users\Admin\AppData\Local\Temp\PsgEMwMs.bat

MD5 fa65975f29f7eff3ea8623c18794b8a5
SHA1 6d45bd2db7a67821fd46450653735371bf1ad7fe
SHA256 925e98eeff9a1b58c16ba91ed7a41a485c9aaa7b2e0d4dabd288495642c0fc38
SHA512 c46ddd5afdc0476619cb65a45a00e0e43a439880259a8f71beaed25046182f7e0900a80b11ef280f237086a87036f79aeb4dc57d076cd0f239c9a3efa57b9be2

C:\Users\Admin\AppData\Local\Temp\oQQk.exe

MD5 096df95bdf3bbf2a541ffb899157a51a
SHA1 afae74f08288fa78c09d84a176b4a2b323ed9882
SHA256 88fe7bbb8abdb29ff273119f797ce2619488fd2ca80c47a6b80884459ee7e1ec
SHA512 1de06acdfbda2974a4d9e3aef6c8aa4bd0d5c7496e86149cdec678d44f2c5d4d42756b7751e5394f9b0f94aeb36c423cfb0822be49c63d126341aa8a2b15ea0d

C:\Users\Admin\AppData\Local\Temp\akMS.exe

MD5 39f48f45f6a53f3ba3e6dee96ca65c14
SHA1 9abfafbf8d54c4e3626b5aea7f54d058bd2bd078
SHA256 10b332efedccb776040fd98553493ee74131d3a9bb5b798a770a139650c696bb
SHA512 daf4e67fe90293c85a10fea420b3e4eaf574451ae97b3aa41bbc4f5de9048b94e44b1b235f8018d553df2f0641171a31f0f48708dcf61fc60cb3f3fd1ce9ac0f

C:\Users\Admin\AppData\Local\Temp\cosG.exe

MD5 80969a51de924fa1acdf74ffe87ac1ff
SHA1 1f696ccad72a2f82a35c928bb65bce97485e27e9
SHA256 5cd2f8eaaf8e4f3e11e0fba5706ea93acc32fbeab09d8a854ddd2b36cce8b68f
SHA512 ee5eb85da91fc4e8a508d6efbd75d601ffc633cb80f8bb94050ccaf0b3db6a1d058aa8eb498d4230a3955049eb74c79c56eedc03bd0946ab5f0e20ef478bce94

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 8a5bf6d3e08287e293b83cc84e5508b7
SHA1 d217951d63be3718b6dea7ab955aaff1110ddb6c
SHA256 97e081669610c39c4c441779cdbf7b596191a765100d278bb2f528fe5e3f50db
SHA512 3055be85b3f862c583288858438fc13b1520d936b4770acb6464ea5f29c7e1049435c6545b3e86082ce108bd1c8ed8697866e4d805130ad59b000dbaaa4e4087

C:\Users\Admin\AppData\Local\Temp\mQUA.exe

MD5 66050d5f904c66a21078e05f209d081d
SHA1 0d42c572e115df4cb7963ce87eb34293d0b1b6d6
SHA256 ee089f57d54ff62defc71927ed2d2a6e6e1ec94199f7d227326e0c3c02b8af80
SHA512 e7f7093ec39e387a374c7cb0004da94049fd0a230b1f8fffdf10cb3130f2a49d14fc5227b3bdf75e4139a6bf2b9b02b639034ae19e60b81b2f560e9760dfe0e1

C:\Users\Admin\AppData\Local\Temp\yUwE.exe

MD5 0dd977d24fbe77f8f9f056e15c0fc607
SHA1 b21fa4a38f22047ffeb20b4efaab655c8e083430
SHA256 f3653901d9f83c3b8ed2434768767ebf1942a50e7abab84959aef0bfffa61933
SHA512 17852053bc05c1db6e953b93e514da7f39a209d45840f03762e3b8519dae3816a0e511934e4e55aefc2dcb935577916d4f52308d1162b00f2b46887ca0c4920a

C:\Users\Admin\AppData\Local\Temp\qwQq.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 3fe366b227b0a88d7e9fac32f7cb0513
SHA1 ce25949d415a90ecc7801e5b84c92afe53886537
SHA256 f46adc5a897077d8d670d889fb2b1aa781139ab924a1349e15a873c4191b41e2
SHA512 9938dfcd11b905463ced7a6dae81fddabf77b3b918f5bc567bf29c3634bacbf65fb5735040aadb6ef90222ab9fd395b5184cf2a03d646aba1302d72410aec25c

C:\Users\Admin\AppData\Local\Temp\lSEcIAwU.bat

MD5 a42e9cf5ab31261265984a5ce87d12dc
SHA1 e5a18d788427fcb53fae5d9a35b5998e496dd480
SHA256 6694787b46bc0552647d17ced19ba3bd96bba40f44910710379a7e56ec17ac91
SHA512 006511236736da51cf15c3573a3797151cfe2a4247ee604883abecb3b36d6cd6dad3e533f14bd695b05b6567c9c3720770acb92ba2c66e3aa0e8689806ac1d3c

C:\Users\Admin\AppData\Local\Temp\osYk.exe

MD5 d19a840f6f8cdfddf75e188eb297b44d
SHA1 e798cbdee582e982b22d67a49da5c3fc21895156
SHA256 1796380e6a243f348271967c1767f782c9c1f35fdf0964b7db156cc90273aca9
SHA512 970bd0f525d7f83688e744987fe05d771153160d0d66b60eff10e6466994d72301b6e2a055e544b811193f5ebbef759cd8c3dedfe03c66ada5a4a91ecba3a8c9

C:\Users\Admin\AppData\Local\Temp\oQQm.exe

MD5 b91d4ba696d6d88c3587c5ad3fa5ad3b
SHA1 253b1097a869be54f21a114ffb474bf762ff5d99
SHA256 404adaee5bb719344e9fe8002e9aaa9aaa1f13f7ff2d2138b018f34050c113ab
SHA512 87aeec59a3368c409d0fb7a912c49e5a434361877a70680290c39f952359d2d3458bc373dec8ba9786c937d1ba121f3e0f90f22a2ad627895d2ba43cff978b16

C:\Users\Admin\AppData\Local\Temp\goAG.exe

MD5 f88e59e51401b95cf5860ec1dc80fa66
SHA1 9931cb4fb10eda63f2f21bdca0d67aaf88d8f0fa
SHA256 cac629d3b8b76fc3531e1506f32796bb0cbcf43089d86dbfd8a008902433e3e7
SHA512 f28017dbc86515ebb4b46d031dc24d59224b910df9b59b90efb1ca71d05afb3f688b80c41154321fd67e5b5defb2132d6dda55802343022288d691530e3bedf5

C:\Users\Admin\AppData\Local\Temp\FicAUAUc.bat

MD5 bd102f97baa2e2190f52c0c76e01d3c2
SHA1 d581bb586c265a36d3fc04dd150131490060a625
SHA256 3b0cdd08956f02bc07d71ca6890e0640c8627a0b717392f53023985b5bb02fbc
SHA512 5dc1b666a5a586f47d9d2a6632eb51f75bfd1e4c6d39480ef7ebbfe7586bfbe599d2341256c39046eb950de0f43f87fccc5cc8ed3e10e0adb19618a98e101d3e

C:\Users\Admin\AppData\Local\Temp\kgcEMAgM.bat

MD5 709196e80b23e4f6838e0e50ebc43a93
SHA1 ac4a1e9ced7f3f82f459464c15ce85286e0699d2
SHA256 2bd3f0b8ec80af5451bae8067e33b4109608683023312b24ee750983646c1de5
SHA512 ab2be29a1f234ef3ffad68b40f64bdb22b14f26be2ea0c51378f6e267904d63be2ba7269b5c3c28895d082c52049214e5641da2eaa9b4f077e84addceda5838c

C:\Users\Admin\AppData\Local\Temp\MCcIEkEo.bat

MD5 3f1ab3bd980dbdec70fde91568731f87
SHA1 f001f34fd1c5267698308cf88e4f7f4bde99e54e
SHA256 3e9323cf6a143cb895a6c010f16884b3cbaf3fee6158b39b5b34b3b5588c4a33
SHA512 2a0c23df33dc65ea8629cc42c8047ea127519d018df88d6ad7067a883ce1707431f4bfc20407c461f64302a772beee399c9381fac37f029e179698dad3bbe79b

C:\Users\Admin\AppData\Local\Temp\iMEQUscI.bat

MD5 06f201bb51d37151d1759052d9339409
SHA1 48e304610c1a7a1e559fb241c7bc63d6bfa53bc1
SHA256 879256f14d73e2b00fd9c9d57c2c778e5787629918a6594615eff6469b3a9b1f
SHA512 a61e365179d5ff3321fa09acbfc381afa8a023dd0883d8849bc3eea821fe8552e1633126582cd5e19106de94e555e700a68e017e3dee1133d67bfc1aea21708b

C:\Users\Admin\AppData\Local\Temp\UGQYUwIE.bat

MD5 328252c18718004361cb5ee8962ae206
SHA1 2c23640fef4bbb26975aa1169e9af05506332629
SHA256 ea6a6efd6e7e44bcb69e954b5ba48f4f40e1b198845b5b4d18621a2c10b970c9
SHA512 bb3438413792c10c1e6508d869a56c9c4a69fbcece5c7f0ad3317a1e86ef27afa603c53c5c218409cf9270a80724aede96b763191dbe6d704cc31fadf84867d6

C:\Users\Admin\AppData\Local\Temp\MWsMYsoE.bat

MD5 1666a7ef1f176f69d2dc9e936c9fdfeb
SHA1 6a2ae1b5d8234fa49a53e9df9d25657b16deb9f5
SHA256 0c869144fba5575e778797009f3b4b21867b0efd42dded2736ed4008dafe7a85
SHA512 aaef91a235e49b7bfad66ab60af4982027dcdcdb7e9bb836830ba8323387d78c9eaba9566a609280369ede1493621809ec96e695a129e07ce135fe0dc3da7578

C:\Users\Admin\AppData\Local\Temp\xscIMYAs.bat

MD5 ba64a312209168a616d9ead96e9957ba
SHA1 d7d25e1551049334146e5d158bd0d135503038f6
SHA256 e1cc5c2451e3ee3abdfce82b0165df51447bab880315b2f1454078c1076f802c
SHA512 3369e15d785c0b6ccfcd68e024355608bd21818665007fae5fec338ed82251174a0bf245cc20b8876a19928daa2a78551a6cee60c2c0124f2ebd920bb2fd9a1c

C:\Users\Admin\AppData\Local\Temp\PyEwwUwE.bat

MD5 1132bffc5559dce257ec5807ee7decb1
SHA1 06f8697b0c89e0393e0c9ee2fb5f6d2fc1201fe2
SHA256 a35ce0e94430d30303cadb1b17b0e5721ab3ff40970d32b84006b5de479fe0a6
SHA512 8a24a895d0e869fbae9d3630f8609e7a2b879cc2652aedf9254760eb74d83b92a567fc6c83b4bfcc3c47438ff5d22fa1804218cc68fdf94b1ecece5e62d9df66

C:\Users\Admin\AppData\Local\Temp\XoAIccEU.bat

MD5 fe69ab5cba191b50dd24909394117280
SHA1 87b7c1f0f30a220f0a48cde782bd564146a0562b
SHA256 6ab3e3e4b0de09af1ae2aed44895ad9952eb360f8d19e94a03b6ef2bd78bfeca
SHA512 167c0db480278b84917048e3a7f0a013322dbe58878bc37f8158c79a1c42552b2c2954132aaafc5d53f458bf5715b085026616fab66bf1be4238d9f4c55e40cf

C:\Users\Admin\AppData\Local\Temp\FiAEcMoo.bat

MD5 579b516013c61972361636d62a9d65cd
SHA1 c952075241d40352302b73d2e3d3b4822ce967e5
SHA256 1f6e14cee89b306dc68e4561428a18f3a7dee351def5e555a6fc0900f79e18ff
SHA512 f3f6aeb0b2e5f6dcad924f712c49a1b7ad15f5806c92e7e2ffae823408b720f7085665c1b3559c98a00032fda4c8b6658e63f6f81e3fb920d4769be26d885366

C:\Users\Admin\AppData\Local\Temp\EowEsoQM.bat

MD5 0ef2e0541c466ec4120621f3babc8ec5
SHA1 a84b12d17ab215ccb56d74813962f3c124ec41ec
SHA256 0c416556d9740eb7d51e4f181ce4a244dcf955172771646241d5214b282bab10
SHA512 d1fa22e6d6e58be6a90217b59becf16d3860389e8f02a679a5ff51379f87cf8fa28a34b3427da5a3c31a98fe29a57f1b39c32b6d066ad4b63b4d909c62beac54

C:\Users\Admin\AppData\Local\Temp\cMku.exe

MD5 de84032a048929a0293389afc3cc7e0b
SHA1 7e9bd472ce3f602ae5156bfd348980d2db9d652a
SHA256 98e2788cce045bbd19e840a8b5d701daa6a3699b698e8e032ed73c55e9fc6180
SHA512 972b007ea5de17167de2a754d1adb03eabe322927145aa1da9db15c357e3ecfafe4790367eff025b5d08599bfc21befc49c5896c4ed5122549933c010f955799

C:\Users\Admin\AppData\Local\Temp\QaMUkccU.bat

MD5 2e8ccb2f08387b171cb7cbaf5faf37a8
SHA1 6a165386fc975c63d2d6bfb27e46d3d20a1de8ee
SHA256 245fb80f2ab9a6fd05d4b544578a7bef29cab57c31238a4d9d9af70998d056a2
SHA512 205df7a842253deabbb7ab14797e8c502f102c9b504359e8456027e15158ed98e08f318debe9f22833c88df0c3fc731bac78122d82ecf1dec05c21e796b41dd9

C:\Users\Admin\AppData\Local\Temp\cQIS.exe

MD5 4c2124ed648e67ddb89b192ec9f5086e
SHA1 439c48bf043e875b5be18c1761d6365e0605b425
SHA256 dc77c09b5e34ab538d3c7efb79a98ecddc325e45afffa6a080ec32f2a63d0851
SHA512 4b06c58b222429c32bbb07cf815afc9004ddf037b4e74a55ec0098bd474227997453b37656c8f1e8f556a1c193fd519e40462b5a41d45a16a637f4eaad49a762

C:\Users\Admin\AppData\Local\Temp\MAos.exe

MD5 5fc13ae177f5368a716ae961ca862d97
SHA1 798185f8d65e3ccb17b1b23f83100947b14ac1ca
SHA256 5d42272cf604667c9407aee749e649dbbb674befb56d8bdad319efd75a23b0bf
SHA512 7986e6bf23d4048e20728f3ef8d6f61ab860f5fbf7c71955eb30c6dc949b8090b0b1e029db02a55e82a603fbc9cf1e36cbbfeaa800cfed0de0cd8b03ddbf6479

C:\Users\Admin\AppData\Local\Temp\ukQe.exe

MD5 de2605cc3b3fb01afbf9258f28a50942
SHA1 27388779b29a20b55c0040017321bc045169dbe5
SHA256 6a2e375022f24d8559a9a3da42848c2c111623ea984147913a8d704b899dbd88
SHA512 5570e8f60f448cea1525eae1f7847a9db67cf0eb04590301575e35cba53010f5c9d7ff020a44a910be66dc9e53b1149f27e0970e4ec6f4698b6835ae7180c498

C:\Users\Admin\AppData\Local\Temp\Gcci.exe

MD5 86359e1c10deaa91d63fd46d0806320a
SHA1 abfc5bed37ab258955c3acb1120fddc49e55a358
SHA256 1844fdde7eb69b22c34d0a98684ce680deb12f2f781c65b90807a116eb982399
SHA512 5e377f6188722a8a44d1c8757c5412c78e393097b14f9c12cece8befbf4665be3c093cdbc5444a0f96d5008bf510e241a016639b958e73ca17230ea583af5b82

C:\Users\Admin\AppData\Local\Temp\KqoUEIkg.bat

MD5 a1f5c537b7a52a57169e483d375b9602
SHA1 07f466a7f8ed055b2e61d62031cd568c56d30f7f
SHA256 ec48d7595213770cb37e4fcc3dc9d49f918fefb922a5f668b4062e2fccfec513
SHA512 20c6d3870d9ecb755d45c8c01eeb897b1bba86dfc94325c44bc491c1f070c3e713039a54ad436b6bc31fc30fab790e8c0ecb7549ce80d7f66ed30c10a8fb9dbc

C:\Users\Admin\AppData\Local\Temp\AIEO.exe

MD5 49d7b0e40bfd78bc2d362ef6b467b72d
SHA1 d46cb3460884e04f75198557510a1848e9d2d8a1
SHA256 de526c36c51977d4fe9fbaef4f93f10f5b31d1c1deee03dfa56ec8bbebf2f779
SHA512 5c29440a1e8dfd08651f592814b5394eacf6ff41953e6cbddf6ea4795afa3c9cc7f270deb2a302f9c31ceb30b37c99b6813a7ec4165ffa56da8dfdcca448de15

C:\Users\Admin\AppData\Local\Temp\SYkE.exe

MD5 61846d775edd817897dfda7a7e26502e
SHA1 f365908ed951a98f6c4abf8eaa90f89e6db56431
SHA256 f93717c159fbb071abd9f22d3321b13e01716b2b639ea6812c8b092de3c86b27
SHA512 50ae8048341dbc3caa860974f6ab921e291cf159910f7c98732fbdb0ecf53870be1e5cb0dea9e6dd574d1b72a2f64d057092783851016ff64abb676264aed4cf

C:\Users\Admin\AppData\Local\Temp\sMoW.exe

MD5 253e8b96714f28f5eed2e6f83a8feea2
SHA1 b62010869b1bfb80758a41a6f504fee92269a2e7
SHA256 a8d0f90b4bf93ea6663ac8ee0399701adb7261ef6258d1cb54588d58117bfe83
SHA512 f1b00de1dbd9a98a9d0a2a777c20597953d25ec18573ad608de1ae098bc7676f88316e5fd7a4582c2d8781a3f2635514d1676ba9a46efb542c8537771f2ecdac

C:\Users\Admin\AppData\Local\Temp\KIsAQoow.bat

MD5 dc5764aecc6cdd90b8fbf887de628bf6
SHA1 3c09fac4c434bb21e766ee7e6b50249aa90783c4
SHA256 a793011fac5d0eb4795c4db8a0243968262c442ac4e1929b07467b1b7e70bdd0
SHA512 1dbb6433cdb78c68a9b6a98c7e930d33328042f93dfd090161519998dce319343c7fb1ae0cc5f3782728ec210f1e19de37262ab88be0be7312d4fd852bce45cb

C:\Users\Admin\AppData\Local\Temp\YUYg.exe

MD5 50bb42b32546d38bb6c46f0d30e673b9
SHA1 b9f53b0e268d0535c7ac5e77a845b1d45a139918
SHA256 d99005a43f2ca1c954143a60d11e969214f56ff06b1f6edd007522a2f813d649
SHA512 a19beb1ab84492792b659e0cdc7a9fb7ec92df5873ee2c42139d4fc360c672bc02df968393670179da262ed52b7264fd51193e1eb2b2f4502376dc180eec8a26

C:\Users\Admin\AppData\Local\Temp\OkYi.exe

MD5 7baaa9d67d46f56af760acec9557f2de
SHA1 4666bb534b0c7b6f21464ce2e04e32c24e5a2435
SHA256 d6853e2b5476f906eb302ccdbe5faf8b12f466709f41e894995d588eff5bce17
SHA512 51e91d876d0bd1459b0711b2dd1c552ccea94a1f204465bb7e2ade5e9291b01628eb4bf3d3bf8d30e66be62a66bcd4748775b5ad7db74f5b40c28b8aae82aab9

C:\Users\Admin\AppData\Local\Temp\cgIE.exe

MD5 ad31a865a81d493148ed7c610acf33b6
SHA1 2d7d2ca575aca571273e4957004808a7e422fc34
SHA256 829655502bcd73e908a8b3a724d8d003bed45af346d5e7cb803b3a1b43685166
SHA512 5c726fc5caeedf55105d43ed437ecfc56208baebc37f554f4db165b40f90298bd847dd5aa5d1775d8a569031eccb56b436be734d8adc87a4cdf57e3400678714

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

MD5 27c9e2c3aeeb81787122ad7e04664809
SHA1 0e32dc2caebb22e972acd1e0585c6773631da217
SHA256 fdc4ebf12e5f72ab4e52a11ff8dc4cd8558a7d3c9e2ebefb3ac3aa2795b3646a
SHA512 7bd73e1f2839d32e1cf7cb21f5c6b87739f6fc7a5ad6c8d08dd90ec4de23687585bb17220c97036d374b3d39c1ef696c37591223bf5b311375d8701c78f6ff0a

C:\Users\Admin\AppData\Local\Temp\HSQcUAwA.bat

MD5 87223074b727a3fb05d091bd7f5538ba
SHA1 8f2b545aff93b306d5794242888f52cc5d47192e
SHA256 28264c6a7bc4a98b3f7484225b9a8e9864831644e08189eae1ca13d629a05a3e
SHA512 6aaeb858392f5cdc21f78468f64a2379f97c1c0dbe1f1b25256fb35a7b70bb856b5656a5e11045c80a97ea0fdd4bc5839723e39b3ec912afd64fc1305f28dd55

C:\Users\Admin\AppData\Local\Temp\OcIG.exe

MD5 070c342bad88bc78766742b6a0da42c5
SHA1 88b308a6452903ae90a453d2991cada47c06b1b3
SHA256 144dc7397533aef9afaa4b499ec973f920304b3a987589664fdaa3e76d250edf
SHA512 f02fc9a0f650f1969af0b202cd05ecbd9cfda11ed6bfa7c2bdb9f31ff0ed62d6efbe3ac36ff23bd1ea7636d9dd71bba1226adc143b2bfaaba9c72baffa10773b

C:\Users\Admin\AppData\Local\Temp\KsQO.exe

MD5 e8eb43cde68ba3062c12376728f71820
SHA1 682133239d9a6c628edb6ed19414029c94ccdf2f
SHA256 23f0eb7a8455d81f7e49057d0fe960c32bae175a217e76233bdd1fbf7defe3d1
SHA512 51264fef4fa3b40f9f9be37f2b15c66a469f380c9c1f74db9294cac0467046eaaf54da89ec6885fb8b08ed6ab99fd2656e08bbb32f75f382912363108fd67c02

C:\Users\Admin\AppData\Local\Temp\accs.exe

MD5 5885d996de99529073aa09da9898b708
SHA1 e3c39b437a3686442595142aa8c2e7bf6cdcccdf
SHA256 31b7ecd6fd34cd4ed4c803b0979ab00f1de01b724802d8f1f8241efbc3261577
SHA512 64bcccfe2ac8dfd9ceab95ab2f97eb1ec74cf446a09b5780964d50c403b404909f9763e9b908b7c43a129b3923f9670fb785fb5161bbe669a646f70af2ffe8e0

C:\Users\Admin\AppData\Local\Temp\BuokscAI.bat

MD5 d49510d667d8e24faa2f626718869fc5
SHA1 5e4c2854640d4692a3636a16ae8cb613438dcfb3
SHA256 839a5cb544223b8ab837c9612c41bc3b5439dd5e2ede5c36f07bfcbcd11bf7be
SHA512 a9ab05866a80a3247f7acfed70aebc36ec6c0503277cd29c7cc028b0a598ff1a57df579168f87ef3764961336b089065fbc5f41ee36acb98c6e0b122ff39b4b3

C:\Users\Admin\AppData\Local\Temp\LgsogEAY.bat

MD5 5bbddc4af37451201b33644d6c13844e
SHA1 4b256fd1eb1f8d865e6a307683eec7304a6f0961
SHA256 d0d6b7a34656dc6f4dd0875ebdafcf8f1ae977de0a245673725ae1bc9643d1ef
SHA512 2fd3f144a28eb575e19085b62a286f04767a18af12e73e90aa0cc07b476490edb042ad0bc1f61d56f898fb93660f81608812090e13dadebf2a3ab001db4d2adf

C:\Users\Admin\AppData\Local\Temp\sQgw.exe

MD5 760159017f03ddb1d8ac78cf11714e5e
SHA1 42cc8c77f46e8702db568d58fa7c7fe998d74cdd
SHA256 9d1e2a047ad83a718ccf0e2a950111b336125976debf6038077ff29db5b305c2
SHA512 4abeea458fcf5e2a765c971a90148dfa8ae1381feeb23f6a09978dda0513d086af3b8dfc9ce72d00c8f105ecd16e1572eadc5cb83ccf967eb16a13febaf2b618

C:\Users\Admin\AppData\Local\Temp\IAQe.exe

MD5 023fc5c3381973838c08c88c6667140e
SHA1 72ea235f3fa8a2ab645d7158c7e1b6203b1b36be
SHA256 19eb5de6501c75b412c3bc8674ac4972b317e174ac4f22dfabbe349fd8a57477
SHA512 2c614e751163f70392e89d31fe09341ea1b934372516e186ce1af3ec94a174bf2990d66fa6cbb464d1d28f13a2cd97bbefe6fd26dd119799a9c886692a0d7aea

C:\Users\Admin\AppData\Local\Temp\sooQ.exe

MD5 16aad260843e7ae44efaf3c009ec1208
SHA1 09347398f49b876712999e0a98251ddf16719ec8
SHA256 97d8d6a13dc5945d5fd77c6b74012465bb4f6e200b06d4d09f950d635521dcca
SHA512 7e873031a5fd2159aba821ab8d0c20c54d6d4dc68fea85b219b95443efc552afc69f6df0e8cf67dbca96a3fd7ec75c79fb26bd09913238e124548e98ef2908c9

C:\Users\Admin\AppData\Local\Temp\RMQoUEUQ.bat

MD5 b87416f41edf3dc3d803f5c76c33d3b5
SHA1 62a2d7be0be249d7a2d38838300aaf965b744290
SHA256 da1fcc3ab97e68df000dae41efe40245c8afb35855291b04cbf90847f916a042
SHA512 d847d3312c9088f8f87cd9439efef5c0222be26b8148b928a1e3bea3662cd8a503455c107c8c729d3b393fdceb4056cba3f60a1e46a2e2f73365950bde6e0d85

C:\Users\Admin\AppData\Local\Temp\KwEu.exe

MD5 b8df7eef1a40e801baf692da6795bd60
SHA1 77fe45220c5eb36aa198e0293488843f8573cdc0
SHA256 2b9abd23d5d58af883e33b0333e7ea0e8acd023a8b7ff9a25ec34030c712bb6e
SHA512 47a3d7bbc503634996c46aa660f1f2589fa6820a423a550de0e1938d2a82ce9cfb401be094f30c89327fca0877801524d1787412b04aa64d3324eb736871cd42

C:\Users\Admin\AppData\Local\Temp\oAIW.exe

MD5 b797fa11e6477ce197b0ce23adf5e300
SHA1 6bcc2e5359e27e88f8258efec79808f62e7688aa
SHA256 8ce6cc6129fa72a31939dc6bf9b9f1357aa89f15fd7ebc7751110f9f3c973e13
SHA512 8dcfd0e6934db21c59ece3603817f51683db827b78dc65333309bfcc3c6fd77c6c919789f68f3951e29dea6b6e672bf67a88f2dded13a744fe250863b8165bc5

C:\Users\Admin\AppData\Local\Temp\kgQU.exe

MD5 22792798e916b3a9b9af663cdabb20bf
SHA1 4451fcc4dfff4622841663a97c08b16ed4c1eba9
SHA256 6e0fe6d9da8b590b4ecee238b54626c06a4221043da8ef337efea4988dcf38a6
SHA512 9c0b2babd58584fdbdd1ac6d0f0d984537294c38777cce24b15a4aea824c5373ab22fae52c7b584fb4f637ec90ff54417531efde9a5a0dd99a1ba8ab2da52044

C:\Users\Admin\AppData\Local\Temp\LcwQYogg.bat

MD5 7a62bd1e6cb810d9bf4624793521d91b
SHA1 f23cda03a712bbe0402df6b19d62d98f1285568d
SHA256 a088ab60ae1b70eb791e11b4a42e7b52b2b92653922c3b73f1cd9615837c3705
SHA512 9765f7fa7bf9e8aa7f0d34fe6829eb4722c56d9ebbddb32dada2cb3b2a67b955582b71c1e628bbc009533207726781692cfb11069f24aead4af2732b576d73d7

C:\Users\Admin\AppData\Local\Temp\QgAG.exe

MD5 8e739809e0e04753c26c730b6fc6e211
SHA1 ee44aa1e9fa59c28874513c25fddc410e6f0a97c
SHA256 9e3315999e26d8cbaf97f7884a430397a83b338fa5721fc2ae0fc4747a22db1f
SHA512 12ecd03cc7af906af09a190eee16fc8c2b48d615947f9d2ed272100ca10baee7ab05cfd40e6c0ba2b26672752814fed530547dae3c46410a87a23329c893723f

C:\Users\Admin\AppData\Local\Temp\EscI.exe

MD5 635014a3fc05b5efaec1941e3e844afb
SHA1 4c1f6529ef1028fa0d163e456d2c9d2c01c2d06a
SHA256 204fc5459a6458cfe8e1951e5c5a98f805d997aded57c7cda1f71bc971b18fb1
SHA512 51a629e728487a5911cdf6fd7a74c25b426eae377d6106d613c57e393b534bdf42ad3d551bdb7a0da7a2f1c92477229b578ed51579b090d71bc801199e8dec33

C:\Users\Admin\AppData\Local\Temp\SAUO.exe

MD5 e6f73d39add4eb7af43d22da22c11be3
SHA1 d9b98c931dcf68f72c9db703bb067793854b4785
SHA256 08a755512d00bf05651d528bbad665e5f0138cee5123aa04dd92f23b460c5196
SHA512 e08514bba2f2baf793cf6b92c21d9c39ba8724a03298eb850dcf7600b138cc503e7b52f3020ed25d281d758c0178702173f054d6416571df39712ac024cd51d1

C:\Users\Admin\AppData\Local\Temp\MAce.exe

MD5 e5d40591f4620396614699193b513d19
SHA1 006a89b7e79cc71610c003d902b93e90f87a61ae
SHA256 f4efede6f416cb0baceabfed02d268bfd02005077bc878d2ad8d48b9b27535e9
SHA512 f0dfe3ab487031ee20f3df2446311c05aa2148b130b62a9cd0c5f6fe5a31334a6d5a98d8fa6f0a9fd198a5563ea111dcd6d09f8f33223f6eb1bc434dc1c96805

C:\Users\Admin\AppData\Local\Temp\isUAscsg.bat

MD5 f26e5f0ea9dfa8ac789943cb6210f3a9
SHA1 a55f75a60c63c57ab2f93edaeb5796f8ae580f35
SHA256 5ab8a57538a1cb8a0caeffd084e0c884f7fc44e72528d690c3ea5534c63fa49d
SHA512 d38d5d12c0b78b1f640b6bf3f51e2b044a56908aae5f5761cec7bac42aef035d808d92ccab6ba9a8eecf97cfc65d6dce4715b277999f95558bd00d33bf8b85e8

C:\Users\Admin\AppData\Local\Temp\OMIk.exe

MD5 aab725a91a56e0feb789e56da0f4f1a8
SHA1 530724248b687cdb8f5d0eb7d485aff2b51dbed4
SHA256 4aafdedfba33a7dfa47a659b24f1c4c1cfd66264018c5da05d755638f257ca9f
SHA512 c915eb751ec14cfeee341f4b8f7393eb1b6bf2110460d5a766a310d0962aa86aabf5b313e037a26f56ab6c5cb73a5c4f6604c8c7ecdbf024d5c1651340cd4899

C:\Users\Admin\AppData\Local\Temp\Ecoo.exe

MD5 0bb2a01dc8235c64b057131e00f2b21d
SHA1 37c86ec46ee6c66174e3c3ed63ee168b49deab68
SHA256 7757f300e66d21d4f5d55cf336acae76403ac3bc3f70f8df74254732d3e9cc13
SHA512 5cf21547ed874652cb90888cc2b7b27ece0ccca267e95c8a8415298adb7c3a980a9debaddc87403809dbac91927ccdb7bc9da57b4049208dc23c5bd1d6a0b151

C:\Users\Admin\AppData\Local\Temp\OeoEwYgs.bat

MD5 8055202ec72f60d9e83ca586c38f7c7a
SHA1 370af1b7494a0d1d3de26fbfe10369b38d525b61
SHA256 fd90bcd865afb4c01d034602981bc26c934df1053a912f0bc9f4cd5f1f334f97
SHA512 5efb743ce3036224f2eecac197e6b90b71d2ef8a9a9dbd8c832a941d7af149329ac3e81747cd1dbb147150a51e527bb264defe773a97d1d74278df3a1111e2df

C:\Users\Admin\AppData\Local\Temp\gUwe.exe

MD5 d12a370fcfc6b336cd2362ac056a779b
SHA1 dab00494111f3ec59349098a1f38f740f832654b
SHA256 17b9ecff56cb65394a6a5d62cd90849b634dcbd840cfca7c1d1a3438a40ff847
SHA512 4eac099ce14fe18eaa3615ba417c17de897b4c527122adeda568c883a538f174c3577e37092890c7e06248bced3e524fea0ce58668edacf64259b65161f0fc67

C:\Users\Admin\AppData\Local\Temp\YIoq.exe

MD5 c3ce0398c6e6b9a6b875ac7f7c9f137a
SHA1 4378ec82c191881feeded9277a85486d20558149
SHA256 c391c61234522f985ae5cebf1bf1810a0328ee47eafae20a3492e9a3cace8e43
SHA512 8f1c3bae9231474192b1b8fc740fedd456274f44c6436029487ffbe4a2434a1b6059daa8b2b6a429c7811b9c92b5f3c4dbe26b5d6da5195703305fd97a58c996

C:\Users\Admin\AppData\Local\Temp\sUwo.exe

MD5 960f128556f9c3c5f85a6632f46f7999
SHA1 bcda23e39dfe0f5322406d45470069103e4afa94
SHA256 8d8173e82ab630ddb602ee88c7e1ce09e3f8f13ab2574b7c3072adb3c1585b44
SHA512 e406f68eeb3d7c0f848a89ae8d62d3db5be6064078a6bab03bb5da8818ae40793537b7024ffc0d1c637f9e8a55ee2bd6a35fe72a80d0b484e42a4427267d159a

C:\Users\Admin\AppData\Local\Temp\ywQS.exe

MD5 f1bfdc61046245d4ba1a897ef26ff099
SHA1 eb0f4c9d90adc12462a1aad516a78e3837b590a0
SHA256 a6229d6e7da4276cd10eccf5340a0dfbe97b5c6150d83782cc1a6742a2e794e2
SHA512 15a654bfbc3668d944d56397dbfbc317d1dc96e661b51ee38a44f773f7f6ab56038a4ce2284cfada34abb696b70e53c195716734247542ce23d3ac4ffa2870d9

C:\Users\Admin\AppData\Local\Temp\YwcQ.exe

MD5 268e50caf68ee516a73dfe2a969c4aac
SHA1 ac5d8924ca5eac191666a34ef68ff5219847b026
SHA256 56c62b2ec0291e07398742de0b49c4efa18a3599394870f6d326a87b0cef44a6
SHA512 0ae711019d9f2312d1d7e704aaacbd5de82231c379aeed89bad5f888050c5db163d21926d675cdc410ee6b025f26f98c39b3ce7611293dfae7a7e4ce850ad903

C:\Users\Admin\AppData\Local\Temp\OoAY.exe

MD5 d86346f5e7c1a8bb495d5b95380eb940
SHA1 c442c22913060658fc23099094e129dd6bdc2809
SHA256 7f99cd08633a1ac3a56b928c483354e7378885459de9ecbc26a1f09358f9f59d
SHA512 37f954cb37a6f5c17c23b9d429bbe1a595c4dcba05adb5b21bfea387d0bf712b349209ad451f2f173715f5bda9ff717014bff4d894b98ac472952aac1d06003c

C:\Users\Admin\AppData\Local\Temp\uMMYsQkI.bat

MD5 5e1f5aa12b88e47393d59988bf2ee0d7
SHA1 1f92bd4fc760c1532f2497e68ab61405f0b46d68
SHA256 3a4ab79fccfb8d909833c0a312cb2bc4abcee8bc83294de0f58d1d0f6c8771e4
SHA512 72a7810178f63e53cad724e58b6a10c7bedeb98716a4516db82fea9631ebc5dd5f15da43626964c9fa081a88cb7de2d2db0d2856978ba5fc0e7a890ade856f7c

C:\Users\Admin\AppData\Local\Temp\MoEa.exe

MD5 a92919dc92ca5423d6ec3bc80526a388
SHA1 9643e189aa7d622f879cbe046c6d50c25636c057
SHA256 9c9697cd23f88f9f317a9199719111bed80b046743e33f0d38cac01a780e067f
SHA512 d34606344e5f85568dc54510c4cf2f91806989f0ce45f37d67b7d3bd4067390b98572ebd91caa7b07f1d66e3a55a997795f6169bb4b2a3a7f80a970da764987d

C:\Users\Admin\AppData\Local\Temp\OMse.exe

MD5 c466247c62640f49f1d865f436ab70e8
SHA1 47e45b6ffc302f3858cdc2fa482689fe32db5d41
SHA256 513522a6fe2b6fb6876fdccb789f62fcffdbd52421bff3f861189c9471aef23d
SHA512 2f9b487aed6c96c7c2176fb7be98302c5b1050fe56fabdfb2a19338072718e7de5adcbb503919e3135568194b275aa43e839f91823dcc3aeaebf5e443b6b3f78

C:\Users\Admin\AppData\Local\Temp\KoIc.exe

MD5 3b8a836c5c5be4ca2c87cd48201c45d7
SHA1 43761b8aed1ab6ee49565dc1995710e34807470f
SHA256 ac0ac564b303f510f8038a3c56b1c7fbe2ac1be9817fe1ea528a771d3a409d61
SHA512 ae57837a3f1ba83bc938903863f50812c3b46d6b90a873827fcec4531113af38da31913396832674137f1e1225d89d227c34b85ca42bb5c2032f9a1f062588d8

C:\Users\Admin\AppData\Local\Temp\UosO.exe

MD5 6d0661ee78421bb86bb3d04289e78180
SHA1 38662413a80c2ec0eba2318ea00ca328cf994450
SHA256 383dbcc29916d19ca4175961bf960fb5a5a707162fd360b79b1cda8a4c978ab2
SHA512 8f69d2d3cb1d226c969d25f4583438c6e715956237daed0c1adf8a24a774fdb988a99c7a35c4448fb61df44b6ff79a3e9a3c3def738fd010eb37432a1a6695d7

C:\Users\Admin\AppData\Local\Temp\AAkW.exe

MD5 91a71c8dca6406faf6940165c3a01402
SHA1 c149f855763a88a53a091f3b64038ff8ed1310f1
SHA256 670bf3c474c4a42db5eb92102b7fd48f985e0fcd93b1ce6c2b58c1ce8b8fcd2d
SHA512 719afff3a8e295042c33fed914494006920dd3fb0a22e924029b9336f57117a15737260d8781bda57f898408c30375fc9cab29db35c5b84a47451d95c6cd89d6

C:\Users\Admin\AppData\Local\Temp\ucwU.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\yIsY.exe

MD5 0dde2d9d36509ff983eef82dae795692
SHA1 6e6478249877f9773252dee622578e55eb0be77a
SHA256 db650572a5247bf856c90217e9c732476284ecdd3120be3b63199a8d9700c748
SHA512 efe27fc4ab497a352baf4f8ed18bbff77bc6cb469f969aa8068b17b5ae8e44ddaf98d8910575306467171b6bc073e1e9f932051fbd432e8791a4bdab1a33ebcd

C:\Users\Admin\AppData\Local\Temp\gQca.exe

MD5 b82e574b03897c5619a69ed5da55fa9b
SHA1 8ba7921bb9b159dd42d0b813c0a77894e878c7b2
SHA256 ef16fe8c9c94ca70741b4c5375336d31f5424b5192d88238891c7e6f3ef2cd25
SHA512 34d2f9cc59c453c74fb086a922f143841846770cf687735bf58dbc3da28e5030519a315c6ce8fb1900c7a19227c60c3ec124304c407e48a015488ae04a12ec2e

C:\Users\Admin\AppData\Local\Temp\bKMsQYgU.bat

MD5 3ebf22bb2218fceede8ad75e6f157885
SHA1 2594aeef1633fed510787283e63a9d1bb7e6f288
SHA256 dd292c3c310fd034dd62758646cc576ad48a1cb02aaeffeb63c15aeec04e13d9
SHA512 2de542fa10d813c8bbc222043893224604b7aa30c66e09a3d440e77fc52e5083ff63f07dca3408f94e8194b8c7e81a7ce89dc726fbfb8bc9a7dd26262cfb6e86

C:\Users\Admin\AppData\Local\Temp\OsUE.exe

MD5 9caaae22892233d4bd930c1d966f0304
SHA1 d5616dcb526f9dbe5f9202c09570a69abd981d03
SHA256 e7505baca9d79f48fc4401ce28aa2f34a978927f139713f83a306d12cf263624
SHA512 de8682b90fe8c55fc7fb3e97c9f7005112e1903ac8e4d2e95646fce0512fd06d68738265d86458d1fe88d8aa57cbdd349d47fbebad2373a1d02c90fb0e4a2129

C:\Users\Admin\AppData\Local\Temp\MsAs.exe

MD5 ab26a25c318a23caa8820763bea830e5
SHA1 46eadb40661bb6035ba9170d49446ab7d72f9730
SHA256 9d60d3a585b7a65ba4eb0dff2938c5d0dc82bc310787ceb64d0c765a91aced21
SHA512 1e4441134d2927d41e99aff5c82ee423245e068221d0b5c00f171770e515c05963c2b0b2357dfcb9b90b46b5595c0c5920c442a97b36d6dcca509069aa02fd61

C:\Users\Admin\AppData\Local\Temp\sIQI.exe

MD5 9de7a624a08239e3d30771ce777ab755
SHA1 2d56a3d44ed27b31a688b8e3268d50d43f81e7f9
SHA256 3d15741cd9d180cb02816d4c4540175315289484f35b80a22040687a22aa9f3b
SHA512 a57d06b2790ef5e1bc43db879d02cbf961354ba68811e18c413cddf8d2307fef837e1b2d507f63b39131923fefc50b61c992f1820faca31d137b0ee79507c5b3

C:\Users\Admin\AppData\Local\Temp\VaQsEkYI.bat

MD5 a2c1b2d030a930156b402f4add777769
SHA1 1c814d33a85fcb3d6a446d9bd83557cde67dd95f
SHA256 d7cd7b63848c0f2afd54aa0ef13f9e8911a0c3414327accf9b81d0971685060b
SHA512 49f00827e3c5e86f49dc59843056bbe3255ec691afc4ea4785435deacbca22ee09a14b6b90a61f6d3fc940c01d2e7ea305a8f1344f45ad5023a150e6a96f52ff

C:\Users\Admin\AppData\Local\Temp\QMUc.exe

MD5 6094ccc612f5574b06d04a43d071d6e2
SHA1 d4f579bd188dd8d700ca02c71ec6d1a4163bc2d3
SHA256 3a3777c0de33c111dab458cbc1bdfeeacca253278453e1dd7d6013f3a86d5dbe
SHA512 fb9ac13bfd2614c157a1b6ce3c8f8b68d02245f73fc6d4a11f6ab2ff1f7c96d229f8f2abe34846bacfc420a829665d25be21227bfbc286ff678a0eb54e5e88f7

C:\Users\Admin\AppData\Local\Temp\sEgu.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\kIwS.exe

MD5 be8c5108c1a56e94b1bd92c614e19811
SHA1 e0e5f5f7e00f2e6e771d994626a920a2bc662c87
SHA256 a65b14a648a21daac960acec941b0656b24d73d6248faa32b25cc17adae74490
SHA512 249eb63abdd18330e575098cd9273848f6a32d45d9a37830d388bf1663e9c78a96eb95917fd8f7450c9321481785839f6a7a96ed138aadd3bfbe03bd56caa50c

C:\Users\Admin\AppData\Local\Temp\ggMQ.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\EQAo.exe

MD5 378c8a3640057566e696f9e9b825a008
SHA1 29969c2f28d715bdb5ea8eadd7236a5f479bb1d6
SHA256 407f9f6d279e2d9da40f89e16f4737f103542dd8c51812acccc669252cb4b7bf
SHA512 ab6a084fcbf1a699acd73f36af62cef0902a69c6be4b78b8f8312d0341db1e4dbd7b99b7ca56ded1e196aba16ade5e910ab7959ca7a92f18a5157851acebae10

C:\Users\Admin\AppData\Local\Temp\ckkA.exe

MD5 587563484a868707204a0ab80e898fa0
SHA1 9612d1f6f8a452967f5e11103c964def7a13c43c
SHA256 dcd376d8b280627ea99291dbabd55315d52b5044ebac47f0d0cf9b3bde1cd9ee
SHA512 74363ab725851534602a60460907a89f4f919e92893a00a647db6700d6caeaed30f9afc8ea4f96be1dc5fcd0a4a0ea58d0ca4d2a558919d0b788555829a24aa4

C:\Users\Admin\AppData\Local\Temp\PEwIYEEU.bat

MD5 be8cd87faee098ba9fb98c0361d14a52
SHA1 c6a8f0d8becd7a126128d89d9aca457e5e5f968a
SHA256 ba342329989cb88db9a52709f2ac46ceb1ef74c2aa49f1a7067c07dfc990730d
SHA512 52e3540ba91d13d9e3c5089d6e8a04acf3071e2baa45f58007fa98ff1b9a7c5d154faddd24ecc9ec77befd1889258d3d567c99bcabf7bd00f7fdf49ef8905bdc

C:\Users\Admin\AppData\Local\Temp\AUQi.exe

MD5 23d5aea5a0e4e76080bd8a98161a340d
SHA1 1264e8c7a2a7e42ae1890fd180af899c029afe8f
SHA256 eef169c3bf60a38e3971119b238eb8586524ee26d817a86fcb9d6a36b2835340
SHA512 5d498816c2cd01d0898e85b8f5b284cc01da5cf8499def72f3169b4a3432bc4e0711cbd38098913fd811eda01d0da8e442e55cd7aa84672304e9a290e29fdf3c

C:\Users\Admin\AppData\Local\Temp\AoMe.exe

MD5 b6f49f08e05e57e58d5012ee5a3d195c
SHA1 e0c518d793f88df0801a68f3ae02e54a2bdd4e20
SHA256 1a982764f565b27e5efa6bee6246404fec8a1feb8643fb36c70ff1d1dc5d3cf2
SHA512 71df5bdcb521465f52c8c792e2d06807f9288395993efa87aba7f0aca19e10fcd44182072b277865ce418cfe07b34ec765609791bf7041c39ca928eb62b5d1af

C:\Users\Admin\AppData\Local\Temp\ykYE.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\KIUo.exe

MD5 371945c7f0b2d600c35d04beca97b767
SHA1 959f241bddb850835c52346301cb11f9cf78ca86
SHA256 6e20dca2d2714cd0580db3e2fb6bf51ff60a0ee9c9384625fdfcab49ca100455
SHA512 82dc40e2d486ad83fc9f207357b6b1ca1d49d8ea935a474d53279016db49edf8ec14dbd7693e559e3fc38e5fd350eabc7218ed12237a6b35f4289868e072d22f

C:\Users\Admin\AppData\Local\Temp\sIwe.exe

MD5 4e992f048fc7679f8be929f6ff284feb
SHA1 aaf3b99e3eadfe0e5119abafb25dbdf765e2b749
SHA256 b88e6c9e3194cb1f11fa43e5f9122dd13d691d4de24f069c5a7a9a18e50fe708
SHA512 38a95c5c1a18df2b6ed297ba18cf16233fcec90e819bb614e4f48647136d4d4449c58ffbbf77b2090f79ac573aea91ab0880c1428df2fde2497b10e1b0c89205

C:\Users\Admin\AppData\Local\Temp\LgEgAEEY.bat

MD5 972079f11061399405af4d14b49729f0
SHA1 13ace32d2baeafa42a565fedf1f138684774f75b
SHA256 e0400b4550654514597edc8975f1aff5dd8a78dc3524a0da99e3aeef02229c79
SHA512 e7e9caa3641bcf4d66053063d1b90c3984d35f18d3ec23a5d87d0f0225b6218acbbe70cd0747eb56c912c9a615ab4d51526f671cf5ff3b62303072f434d52b4b

C:\Users\Admin\AppData\Local\Temp\ycEI.exe

MD5 ab586e5272ca75aac0b63f05fbe54054
SHA1 5809d7263387f8f583f3a5a35cc9d777ec0ce5d8
SHA256 174506e8de9f6d03eaa9885f50ed1baf0a3f9d045eaefc773638a46baf4d3237
SHA512 442b91e0af0afce34b4fea1be63a99ef18510e73ea1b066a827a8c0fc92e01148b910c622dbf5d58de7212faf8b607201401d242f0985b90b97ef21836551d53

C:\Users\Admin\AppData\Local\Temp\EoMM.exe

MD5 da9b703af29e619423394325c7e961c9
SHA1 3f9eb379c4ec39aef3e8542b10b5dc28e0450786
SHA256 c59bb8b31a3ec4df2f4e0225f010c85cdf479b9f075379ad1317b00ab41860d3
SHA512 0d58b48895ee8f0ace14d77df7cd2160efdc5d426716efea6561482dc68850d36261e8dffa9b14c1b3340d99e8687b1b214cdcfca6a2e6a84b5cb1d1d4ecafbc

C:\Users\Admin\AppData\Local\Temp\gccS.exe

MD5 4c011b2f2feb468887147b280e7fac66
SHA1 083535b57aae4863af820f469bac277481255123
SHA256 3545ed0bf1794b02b418cb9c20ebdb619eb68e19b4a3e649d121fd5b6d5913c6
SHA512 6d9af8c170ffe3b23fd2e1f8bb38fb27f163c106d184d115e4d9d41652691f327dae14ac2a521882e9357bd1e98a291fb443a5641136bca956ccee91e191e0e3

C:\Users\Admin\AppData\Local\Temp\HeccYwAY.bat

MD5 3abe569004e18de5f41e3c887a30982f
SHA1 379939c69e5f5a23b8e250570d4cac7a5c9f8bf7
SHA256 64e8c336ef88ae6db551e6054731e9aac347112f8be28a5b13495ab5c33a3dbe
SHA512 a507f56bbcb0e0e5eae6973cbc1a3454714afb3883db33d0c113927def61f16e66efe3940ded569fb1c28e58d2b24fed27e696e10ce73d8533a1694daf1406ed

C:\Users\Admin\AppData\Local\Temp\ugMC.exe

MD5 289efbea8f81db76771886b8b40a640b
SHA1 4cfd898094d096cb6a0cf14a6755198de1d91303
SHA256 d1ffbeda27e0ba090ca1dada7036214ccdeb64aa2accd7a4fc3e62b8c8bd67e1
SHA512 b8be5cbecdf9214a3abe426c9989ea2a40431c7b5be84603dccc278dfe3ab5ddaed05112acb73b8ba008b1505cb60377a99da0d1b4e91be53f02ae52d506eb54

C:\Users\Admin\AppData\Local\Temp\kkEC.exe

MD5 b2592ccb5cb3f930e4e332a4b9e6a24d
SHA1 09e8883ef036c702699b3684f8e84ccca7610a01
SHA256 adeea8cb249f6024dbb381e51b26819e74219753a5ae05c54100b8b5cf82bd63
SHA512 86b2d566658614fe20b9cebd36e10ac0ca1e57e9e32d40d32bd6b17eb9edfb57bb6cf882c13c890af09467c8617317bc26854287bf1afdbd7e844d4571a36766

C:\Users\Admin\AppData\Local\Temp\KAwm.exe

MD5 feafc5d62c387e54613b97767ca3214a
SHA1 52704ffbb712d4295733d8b08a169b1468b3b6af
SHA256 cf50ea7f6d779543c2f36d69ce4b077c9b32a0c1f586b5f26a0f1240af9e9204
SHA512 e738670cb2400699975904f74092cd7f71f5fdbdde7c919833b6635eb2b2dcf9783b07dda92d4853114b287dceaee58904949bdbae85551e7c64f60ebd48db25

C:\Users\Admin\AppData\Local\Temp\oQMwccgo.bat

MD5 f6970fa523f3da9adee6f4d81d7109e1
SHA1 3133a42c55a353c02926698d2e5ef6373fdd019e
SHA256 4c7d35e0e1fc0c688d8ed5f4b2557fe70cf228e0d6cbec955f3377d1ebc7e21e
SHA512 68c44199f5ceaeebf9e4659f05cd6876fbf400726392de53087b30436d7e35eefd0abf3b00b4285cb312749de8816008b4790fafce6af061d2f7a834fcbc9c1e

C:\Users\Admin\AppData\Local\Temp\eAMk.exe

MD5 e85264f7e847b5ec2280a5b3b4530638
SHA1 58a8eeab15a930fd45cd8a2b518e56cec2a04059
SHA256 95656ca5912a4ff8093a748f7cdfede72097679ef8286c1205dec92a111edeb2
SHA512 7f90f395f775aa83fc662089b940e3d0277e99d01f38bb7d51327e591c5da23c1359e8e2a9e78a2af143ffdae2d08476d85776458f3d6ccd8e1a976fa45a3e33

C:\Users\Admin\AppData\Local\Temp\gscQ.exe

MD5 8cd8012c02aae5b9b03e167cdfed53f4
SHA1 f2afec1d895c114a717d27a0936048ca6b3c4c24
SHA256 3a6fdfe168e5b229d32dc4de7a0715ebd1c7376c981459625e76df5115a8bc3b
SHA512 8e712ea7c543e9790ff4b55345a4a6ca15c62446482cede017ca52342904df7113b1e6417e875f8b0282163a9f016a0a3ea70e341057f2145c1dc69ae78049ea

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 278f169c42e9c6ca4861641e21b56260
SHA1 d4700880904b2f67e04f3dd69a4b03fe7874883a
SHA256 c9c7926e31fc8f110f925f1b51a43017cef950806b4b1d5f6f1f8350380b4315
SHA512 3c0ab9e5fbb85a76a7dc059ce98d8553e52f06b62198d181ef3f830e9cbc2c8c77702f1fec2713c92e7a55f01e686d6f3d986350c3349f01cc06ae77e41ee5ff

C:\Users\Admin\AppData\Local\Temp\MEsscAcU.bat

MD5 c023cf847a8946385d075d2f6d466734
SHA1 8e8c2cf659878e5677ae7ef4d3ad3e0e241d9766
SHA256 af01464436616187ec2f761f663808a032c31a2f66c859de9a5d7fae9c362380
SHA512 42ebd34b80ad343284fc9ebe4480b52c4acc5a9379412924982f43428f7b431237795ae60b5e5d3f3907f7b902be38442a92957bc06914388ff8acf6c2a3ffd6

C:\Users\Admin\AppData\Local\Temp\qEww.exe

MD5 ebac3a734089cbbeafca4d1edf2fa8a9
SHA1 cb0e1d718a2aebab3ec67ef5f6812e90ef9ed5ba
SHA256 3c70da00eb78a9d2480a041ee3c2e58c51686ee2e66977f23445e98aabad2169
SHA512 ab1d7aba452839ddd1e2f425c660fc07210faedf352ff9b15e8dcb5be3614ce174915b97ced5299165ef10775b34c4d8deea348ec511d55d18d3a80d2ecaba9a

C:\Users\Admin\AppData\Local\Temp\GEUe.exe

MD5 6f515b022154bdcbfbbdafee15dd43af
SHA1 a38d22958abfe592cd4b8e537211721a2a04ad47
SHA256 4417eaa74a208469fe1a3b40d6a85af6251fcd6127a0d0120035e73cf16e9dc8
SHA512 268122ada9503e88f3e2feb4e2947c41e00e723628ffc2caeb45424c0dc672ae4a09dda9d76a346e05eb8510fdbd0f4dfb6c4c9d0581e60cca43a419a4ee005e

C:\Users\Admin\AppData\Local\Temp\WSAQcYwI.bat

MD5 26b276b3ba4af5262e8a809c3a38b38f
SHA1 cade735f454fca507bbc355202520d2dacc9a630
SHA256 9482b6847b38246fc64c073f6ae1377048739cf72a40b7b4ae37f68a1809a8b1
SHA512 d7a68ec6ee2bb7a450960d234988805cd7f1bd09801812362188deb6c476654645f8a3affd681926edc48af000a68962c0cdd3a0b3410b3b3597f21847f1fbb3

C:\Users\Admin\AppData\Local\Temp\KMkU.exe

MD5 d92d3105bb019ec48dd8a8a0c286e803
SHA1 4a08f9d8dbdc1decc60447f76b9121b4126df9ff
SHA256 34f8ad08be99e89b8a8f30b7cb06d6405dde5bc0ee95a0d6b9b73db47a00f0b7
SHA512 8bd690d406b97a9b0b5a496275b1b754d7188b85341c4e0325b2a64c073a81a1a3008b6d5b9b01b15c958578f8f05152027112e96cc4747e87955c8da9ab5a96

C:\Users\Admin\AppData\Local\Temp\YYkg.exe

MD5 d991bf9d607d29e016bfdb6a31b34bf8
SHA1 38857bab75faaa146d97aa41984921eec4dc7b92
SHA256 abb238909062607b98780027bc60ee1e88b0f5f7215968110973c84c3406ce5e
SHA512 9be854503353f8616164c2b135fda88bb750bae8ea144b9aacc5b31bb3761b5431a18ee632cbbebabb6524b1079826b5af270d837c9be3ce84759e096e27e206

C:\Users\Admin\AppData\Local\Temp\igYscIYs.bat

MD5 f6144a3be57d1b667483817d149f5ffe
SHA1 87640ccb2e9247d617c13245028a03204b0a4275
SHA256 e223b31d0854776df1e9476063da9ed9d313e4aab6fc52e670596f853cf81dc9
SHA512 eb34bb29a98c7caf5085793c9977cd68a2e5552c7248e57efa6928bbe9fea0b30ccce0ebb8e91104ae6240983e61ee039be04ac33b9a222165b8fb115cca3a0c

C:\Users\Admin\AppData\Local\Temp\AkcW.exe

MD5 8c0a5977694a210870f56caf7084893b
SHA1 f8e8e63b7f9f5c40b58f7126e2ae7268cbfb93bc
SHA256 dc41fb636e056d7f9923dcfcb2235845e7af39a8df7951ed166d9023b4078c3b
SHA512 c5e7ecfaff61f74fb81f75e45fbc98a5d9a963f7bf2b7870808f560628355ae3fa5eb80356e1f8eb98bae87ce091c5f342bd6e8f982cde2d30cd45c72162cf2f

C:\Users\Admin\AppData\Local\Temp\UwMk.exe

MD5 34788fee673922003feafd525bccd84f
SHA1 5208e8ff6b03e9addfb15727f69014a9aa6a6a06
SHA256 c2e1ddb542462cf3600b0861b2ffbede263754ee613e483c3b8fcde1f568e84a
SHA512 934e78f66c180da737c26ad615a2c992c806f155a1a86184076d1cdaef8bda872b68631044ef1fcdf4381f21ca5c306cf3a7663cf217b8cb6ee98ed47f642a04

C:\Users\Admin\AppData\Local\Temp\SAEO.exe

MD5 bf9ce9aa9214c2478426888de6eb3f0c
SHA1 3d19ecf5e0fbdac42ddf7d279b564658166c2130
SHA256 972b1f4727ed097994e5356397035f741a88c2cb473dc0c37dc3e7e935f60a52
SHA512 5147c9c3f766fca74f0b78e9238e9298155393a01edbf65d161324e127a38801851c5e1ba0b89bcbade47f7c8a41ebf7e59214534933702c86b94112feff88b9

C:\Users\Admin\AppData\Local\Temp\figoMcAg.bat

MD5 43f8351edd38358e4bdb2b4616158bf8
SHA1 fc79f68b4dcd61de17007870913386d333038861
SHA256 b03f8d81cc0b067c0c2cbf95ae0197c165ae3b719c34bfafb5d84263538f7648
SHA512 4041b3bc334caf52b2b37c80b1323748a38edaca4c7d855b4bbd7e11140f9dcfcfd71bc0b14007b7a56d7ba21411107d9e24a3a721212f8f41a5dc79cdb54658

C:\Users\Admin\AppData\Local\Temp\UUMm.exe

MD5 f7612ad3b68bd5791d052815c9527ee2
SHA1 c4192fe092328224fbf214f4c613d6cc1518d5bc
SHA256 e3a7f9dca645229aa569dfbdeb3d377b2ba72d265c925dd01253fe5e676f503f
SHA512 1a05c1dc847379c2a5e1b314ce469f7c9395007a7a3de1b8a1f4b344053635fdb540db70d363adce8f2ac7dcaadef6a29360cd7f2cf609861e8ed00facfbe502

C:\Users\Admin\AppData\Local\Temp\UQMa.exe

MD5 c7377716cf839d8f92289b3265e812b4
SHA1 b7749dfbdbcf339a88335bf43e040e9d6bee1250
SHA256 26984fe26fffb5ee35b1a11e647388082851f74ed604f2d23e38686f6a051314
SHA512 5e6a8bbbac89b80deb70a18752864788c76703e43e8f20b19e2299ee5397e0449fde164a2db1011c0d49d87c964bf30150a6a25466c5e744c7d38d593de45112

C:\Users\Admin\AppData\Local\Temp\KogG.exe

MD5 1c3379a47495d89394ea45ebcc164c8f
SHA1 24d721a85153246b028eec2c65924e36d0346ae6
SHA256 42fe6e188e25ac677db17fa6f0d874d210c0ad6c6d3c6963968257cd2db3cc39
SHA512 da479f78143d2575e788d6599e38e68a68dca39f6fecf9d47ac7a4ab932679f9ec7f317b0dbf9f5a4536c43c6c8576c0258c21a1d6a0a2997efbd6586aac3a1b

C:\Users\Admin\AppData\Local\Temp\xaooQgEs.bat

MD5 5b5eac0405e822baf34969a8f1d14459
SHA1 e7307da0ce93a19ca826f9594d6de25798326991
SHA256 90563164559fce630aa733da27c710ff9fa0f89d5c650ab33aa74eab3f800094
SHA512 3d583211dfef84ae9343d0e3b0be2485b47ffc094cbcb4f3cfc79343f1281bb4f465c9752fc9419c463f42b0e3dac4312f2a8e1f5f206968f99feda1e54e04a6

C:\Users\Admin\AppData\Local\Temp\CUIa.exe

MD5 da16add1013313dc311e4199c00f6ca9
SHA1 9c63016a0dbd6af32fd1ebefa8d93030171a5666
SHA256 f7aedf3b4e570c3f30afa82f7442ef0ab56496de4bd251ec4fa5d9a4ff91cd3b
SHA512 9dae79108c652f6dcfd8948b24a1bd3356ba8609fc3604e7cfe1cfe8476903a826f6c55098c0b38e8638e184b367ef1de12fb6739f04f9b27198a30eba16438a

C:\Users\Admin\AppData\Local\Temp\tuYAscYI.bat

MD5 1567c7cf06e7d5239f52653f2c39c6fc
SHA1 dc6ed82cc450a7ca25f3ae8bda105bb80ea26b2b
SHA256 9e7b8ed1f5f379cefdf22305e6d018c7664c9d24552c1e08327e2ec556e5308a
SHA512 2c8b2fd0fb51228941ab611f7c9c8dd0e41f64cb77291e55cd5b7e1ffee440cb24bda12fd33303563ce7daa1476bd65d65fcf96ae31d7f2d84d4bf887914d654

C:\Users\Admin\AppData\Local\Temp\gAIU.exe

MD5 0c8e82c4d4f372f541aa7db791fb1537
SHA1 1f4e040ea7ddfb150cd757a2130051afa2853e2d
SHA256 ee4a30dd4d59893844cdcc6b931b99571ad62e517de186072b16e7d43f326b83
SHA512 13054343eb5eb6314f3a49bcb165dfe06aeda38c52603a25f2dbb0079ed447ce4a78753eaa37aa17f9f9db42e67187c1a60fe904b7407959d517a4b2d8d86a1f

C:\Users\Admin\AppData\Local\Temp\ekEO.exe

MD5 a84a15e8681013aa800e39e9f655780f
SHA1 5b35dbe1f103288c90d41828fb966d4c801aaaa4
SHA256 190b0ec45d2c61efedaba52c90a99bed89089bf10e02303350271bc3106bb039
SHA512 39d553d632a2613e0aae33a065fc89c482bfbd4ee0ee05463fa46c0d1b3f7690c2000d0cb6231b6c82d8e25e3fbf7082b530d40efcb59d7cf5b53778bca2b99e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 6f0710f986c4642d035af37eae9c2f2e
SHA1 74aacfb8ad7ff0be136646465798c4d9f2b2b3b9
SHA256 03df54ae7dd06ed8e269f364c522a7250a3ae90789d241607981ccd1cb1ddf9b
SHA512 f38815e180808572068490bae3717b37983d43bf245fe3026fc93aae42d180e2311797bf46528544c57fc380d6cd1631eac275cbacb30eaf3e8cfa7de146b767

C:\Users\Admin\AppData\Local\Temp\FeAgMIYM.bat

MD5 586fc608d740a9fc34068cff774fbacf
SHA1 ea8821d7ba5a68fc4594771efd8b48a51af79374
SHA256 9e3389258eb970d6bd8715cee801da46601dc64c4cf87a1067a39bb146848274
SHA512 19da2e151197891ac1a3093589be94423c21fa6a297505acac7a88fcd855be6d6f4b25326d6e0a73c119c9f541ee35f3512d07adb570bb216e4eaf71ca8165bd

C:\Users\Admin\AppData\Local\Temp\eUQK.exe

MD5 87d12d13a10287864009a9cc20dfa007
SHA1 421056b1567760033dc5872875bb2db90801bbfd
SHA256 6217a8e0ba5fc33972d99e113dd2d60b99ed27c838075cbf0a9365df4b08f7e1
SHA512 6f0f080d0af2b021e5cd02fd05d91bdcbdf5e0f0539f879bbe5298caf2e33762c57e22a803f26428083c95e49df6ba909aabe56e60f14261852a9477c4a16e1a

C:\Users\Admin\AppData\Local\Temp\aoIM.exe

MD5 0845e802be3049e2eb220bde1dcd8b15
SHA1 c999c62152621098eeb60ba1113d22cf77ab5ecd
SHA256 e3cb64bf718d50dca428ffb0eaa69aac7da2fa69952764acd930d87543824015
SHA512 5faa3dcbf0282dda36daec562c1598c11920eba0530c9eda9218655932daa37c415989b253af26c5efe32e2550d133b0b2c5e223705dc35eb7df45fa1b7cd997

C:\Users\Admin\AppData\Local\Temp\fgkcgAsA.bat

MD5 5e5c0eb6d20dcf23b4999069ba9893dd
SHA1 b142a287afba76938641b34dc6d504c3055b2448
SHA256 a09c0bd0ce382c5dd572665f37195f36a8d45fcb1615f6300d8a396662da3afa
SHA512 10cc79797e12fe35c2532926b6c1bb6cc5096aa734720dda739e73b9307937cdbaf195a64a62f5fc4895980eb743025ce4ed1ec2505d7d70e3f4f4914b009c70

C:\Users\Admin\AppData\Local\Temp\gEEo.exe

MD5 1214851b9565a59f932fd210748bc903
SHA1 79eb54588b452bff9cb9c398e7610812ccc20f79
SHA256 799b22c2ea8406115c50e326b9bbd872e226b6b323171509b3b0ee3e3de18cda
SHA512 047930c3a6105cb35baf5e2276f5146ccc1eca9901c08c9839818cc6ffd91936726938e71b9ece65a8afbdf7819bf3d6d256bab913f604c16bcd8e8c26dfd06a

C:\Users\Admin\AppData\Local\Temp\sgEo.exe

MD5 a3c64c44c18f88e4c2d55894f990e8a6
SHA1 b6a65a5a8db6a4c2380f328ce7d674cea4d38af4
SHA256 ae778f2b8f98c66f35066154e5f6148decc60f4fdd4ef5dc502bc42d9b7ba4da
SHA512 dc97aba373f96fb356a8ae3d403a267a465e6ebab9606e3d8732f5fa7a7cc5c354af84b1045a837951a2ce55ac5701ad2a90fe98e2e27a54e6e6c40a0cf90d03

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 73d315b1bf5cc7266e6eb4e5ea66fd63
SHA1 332010e43afbae0cbb0bb369c5f88daf5e4e8c01
SHA256 0187bc4dce874a71a8d1e85bf45080143ee1610849a153064004cb8603c8fca3
SHA512 c383eb0c0aa6d35329daf3b6785aad528dde6a174971ed273af45ab40cd864168230053fb4b642cb8f8579d09e9588ffef1704c76e48586b586f9aba778b033f

C:\Users\Admin\AppData\Local\Temp\wUsIAgUs.bat

MD5 5a0034f54874ec10850d4b6a816b43c6
SHA1 66906a646db5a61d6cc4975a4b3ea4a52b0512e4
SHA256 4ff8b754448a88abd7e72155e07d26d0bcfcd0279e22e6714a4b2fb746359d6a
SHA512 2dd0096d08abf985782753f3506cbe8472c807a89a5f44dff6925a0f31eb579bb62cccebf0534d65265605a93712e2836d34ee0f43cac2925b13fc30b4821333

C:\Users\Admin\AppData\Local\Temp\SQUC.exe

MD5 a004f6a481cd41663255308c5a8e9cac
SHA1 838da091693aa4cb56d07e043256c7e423a32499
SHA256 fc485574e7c1d2f5a6583db3b3f71b00987b28e0454d9845e1daf838cb6b481a
SHA512 c6e41e713477982d2e437a867feb0f49871895260714a621bf13f10fee7b1d2eea406c2f2e3d91db435960cd4c94c2ea01577cb0cc6563adf1c72b92ed4474b6

C:\Users\Admin\AppData\Local\Temp\yEgQ.exe

MD5 0b7ef11cbad5565904ed2e7d1d76b7e9
SHA1 987d0c3a029f166fee29afa0c29abf8290279a75
SHA256 cdce06dc8016e28607894115a5770281826b8fef90cc19c1e0bde352152405c3
SHA512 d4d30701a4d3fd13a7828c9aab445381be5be46e3efae7a492dbc789bb87a65045de09a2c3295c2019f399b7ec178844e3b2bf902fbc86bafcc8c3f2d9098eac

C:\Users\Admin\AppData\Local\Temp\YokQYwYo.bat

MD5 5a823c70a3a1a4bef152d82e03b904d4
SHA1 649c273d572c9a80c05b611a6dc163023f8cd282
SHA256 65d2dbeb93e8e786ece070f41203f85c7f14d102c0653cd721ad5158af5a0d57
SHA512 0d82c3a3a5f8e3c28cce0b209b2fc06fb7cc73031b5e74bb40c466ae97eaefd1567f590af3d0b4a19f6624d75def4fcfdcbed72f25aa9bd62c45a370e6ee94ef

C:\Users\Admin\AppData\Local\Temp\KwEC.exe

MD5 94bc6a970701e2a1a71b2ee91b0a4090
SHA1 368e508ae1b7e4c5496dae3631bd930a2d03b580
SHA256 ddb8808948ff35681b981f948998160846a922843507ee2cdceefbbfcce2bbd8
SHA512 5d294d2ee7bd936a1369f74587a4c030615ecac229958d70b18a604c84031e216a52d097f04dab6c03ecfa793948ef838cb6ef6614a83959b4d0186888d40cbc

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 c4a03279925ece1812c610966b675774
SHA1 aabe020569797ae16a3d5d402dc2f5c82dbb3df3
SHA256 2cfd764ea6ea03e997937c2951df7719c160dde68eb1618725cc3224891de1a3
SHA512 c2c0e8f08c7d19c9aa9df323eacd6ee8cbd4365fa10597cf558a32f798c155bd50496933e00a7d3d8cbae2f0931d558d9a3b3f1f7e5b2722176da88ab7c1df74

C:\Users\Admin\AppData\Local\Temp\gocwQwss.bat

MD5 c04e08345f00fdbf1002980864d5638b
SHA1 3e77c612e316ed5a648ff06dc7d7351fb9ebbd48
SHA256 24d82a9d458009b8188be4fe5012f851afd1bc9ced25c132976613f7d087af4e
SHA512 943c7d2515bb750a163d274b6daa930d7d5a3fb73c8c5c774225f1a76347977090931c1ed1f777ff10ee49da20568282203a6a5caba51e4f9901063e2774cc90

C:\Users\Admin\AppData\Local\Temp\yAoA.exe

MD5 2b13d9f6341f1bd5aa5d70eb09dc26e8
SHA1 0696820d7e48ecaadf88702dc3dc056009c8a576
SHA256 5732f1700be5b8cea4c9a56db86ba352113ab0f2001ec1afaff7e678e971a831
SHA512 d10a1645e3737c7892e993a195345a6450cad37c028b131d6edd30850742afc8d28e7eb1f4b7e9132f658d5b68b990803126e82bcc52faa84b98872ac61c0ae6

C:\Users\Admin\AppData\Local\Temp\mgsA.exe

MD5 9714a7f94fa3fc88365555eeb8ff6da7
SHA1 d62aa36405c7d62272d1c595b55e6d09e8e5c1d1
SHA256 fa532291212febb96b64f83f30a561058d8fb82fb3fd24ec3f39f37826437efb
SHA512 cae05ef2c380a482af489f688f22f271c42881e3178242aa6afa8ca5888911388e5a55afd9f54273f9339dc36923dd0dacd936544c6ae9fcc070a5e2b2850092

C:\Users\Admin\AppData\Local\Temp\eOwAkIwE.bat

MD5 4326fcda474ba1c9883196200d4a5aff
SHA1 67205efa2460e2e0fb18d3af391af0d1421f9de8
SHA256 cc1a59908ffac049471bf47004bc1ff9a2567d701fed8c9b2545fb7c618e75f1
SHA512 4918cc191225a99edb0629437cb623cbae86fe9d2bfb38487aaf642f0b15102874b788f96c23320a0307d2682ba2325820bd229b08ab11da69196525dd71bb54

C:\Users\Admin\AppData\Local\Temp\gAMu.exe

MD5 c61b6c3ea811412394cb55186af03574
SHA1 d507aaa6b040aa96815373a439baab1735b97e21
SHA256 49b838d8f2e808ff948863fb30955b1401f0f9aaee95c6e5439be841495b8d90
SHA512 b38ffb836507a6d9e47998d57144993fb0b2d4a01b43855de6d8309ed8c92198e38ebf36d74a92fcc93a87802a799d6dd3331d64e400fbc27ab83aa5de36fea3

C:\Users\Admin\AppData\Local\Temp\msAm.exe

MD5 7ae08bc327c92b140ff8888c5ba70c39
SHA1 695528aedc017167682d8d20f7265b73e68c4ff0
SHA256 c10d701ddb0feed43eb35e411b9e9ce30696d2e0b7a7a8e0bea6cbf1bad06603
SHA512 60c47fd58604f40530ba9d276dee2cc2942dfa43de98742e4657f8482f9873efe049f13b9b7ed5d51f45abf29de63d3932528320b79e372a51dc3f9246ae2835

C:\Users\Admin\AppData\Local\Temp\HKcEkAUM.bat

MD5 e9b537ea5082e51981ae58561428f9d4
SHA1 4a847a6dfb0d2d85cb87f2b2223e3b1f497ebb7c
SHA256 c61454b3518e8458927d429af095b127f8cbb3819d6599ac3f37632e8af90496
SHA512 d5443dc2a81c614ca048dcedd335b43cb02e21bcb938f30f3b8539a29f0b99add230435a54dd617b4d87a8368b9ef5cd84f48589870e31454f75f71c124cc465

C:\Users\Admin\AppData\Local\Temp\qsEi.exe

MD5 06a132919b085bb0a7a73c6a2f33eb74
SHA1 c5f358f60cfdcf68af4f467406797886c20e1fa1
SHA256 5fb36a31156457fcbbe1c1fdb15a0c836e5121e6eb087fac70be5110bbb92f45
SHA512 e408fdc0ea2a75670e5d71735cb8984e7cd2aea53f932b6cec60b0d1b187dfecd422d1038162749aa29c8d844bbe581a73b415e783bf2d54c053552da65506b1

C:\Users\Admin\AppData\Local\Temp\mowY.exe

MD5 ce68d4683097867787c74e9ce35808fd
SHA1 e97ba81a80eff3320ea4004e022d283185b95666
SHA256 3ddb68693977fccc10407b8d7fcdb506af175efe0fa08f048a0994846b564c9a
SHA512 400660429b8af9566f5ce7f1e19df94c1862986ffb336a150333728979a900eb29507e969514226b47b9305da2baab1dc9a652602fba87a932fb4bbd0be1969f

C:\Users\Admin\AppData\Local\Temp\cMwW.exe

MD5 099b721a6558bb94fc6b4ca24948ea85
SHA1 f871c42111764ab1ca87cb8689bd00599eeb3cc8
SHA256 96ce301c7cd7c0be4245121f6caee26c7f51ebfd8dec5deebecc319345daf25f
SHA512 0e5b5502ef3e3ded3a172ae83cdae0c0bab3d9fcba134587c05140af05587d97c52901a27a1ee7bd8ea16bb4ec3ac6ee429ebc4d38f2bd778ba2e1feffe33838

C:\Users\Admin\AppData\Local\Temp\NqsQsAsk.bat

MD5 0b571af7692ba982501a9a4eed88e185
SHA1 3f8381c2c49b0a01ecdd04420e055d70f1c8cc73
SHA256 83b416f76f719c890e9d8f5bf92b97425beeeef12267aa4c49b58f764f5eb88d
SHA512 eaf372a7b0070c0653a324ad66f9c2587be3d6244eb27dda6d91de4a873e60e323f5012a2b832d409fabc421ae4f3df8f9248a9db6b15cd25c9677a9416f7773

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 b114334b25f682df49f8c45e6e165bd4
SHA1 1f3996a82292476588350cd661a534dcc5280ca0
SHA256 a79244f7b954d3b1a76be746620d55d95e48a24702cfd908b25b3d7091b0ce65
SHA512 8436ae5fef45f9fd59d0b1ad2a47b31e1a49c28d274cb85616f4adf0e8c2cd8a26bd56392c68702f9efbc2e45cf5df184ba66446c1265b4aa79a4501efab87e3

C:\Users\Admin\AppData\Local\Temp\poUUkgQs.bat

MD5 cd8a61cb31019ecc8f2e6b1ad0de3daf
SHA1 92e2ccaae36d296b1163cd8cff44027f3db5d076
SHA256 43081bfefa625ce4f4f90a56aad39029ad69f42739d0ba345a8048458f0bf4b1
SHA512 68edc6f58be7d9c4989f53deb7705ae3d8ae996552e9a4867ff383bdff5a7355ec5823d823d577dd8fada960e65ceccd33918dc498bf5bf78789d0662017494b

C:\Users\Admin\AppData\Local\Temp\fsoYQMIc.bat

MD5 b2c303ea30b5ac75248c8829f96d2747
SHA1 1caa6b954c0ca02a90173c5763c635e398534955
SHA256 8b731640275b809affb8f429059b540bbb904a8ed4a6c728035c22dfa1b21a6b
SHA512 e9510d22d6f44abe81431bf8af7ab0a42a9c6d66e0bdf5a1dd8d41255da9202c694e9acf753de0cfc10a9d5ae4de744fcbbc12148b2661da39d035a5f7ed8928

C:\Users\Admin\AppData\Local\Temp\YsEs.exe

MD5 0ee22b26ea8d96aa68446a6f183d5a65
SHA1 97e1d32d24560ae2551fbb83e7566c2ede7b6389
SHA256 da19bd2690e734b8358674cb67eecabce9f885df55cc234b4a3e339ecc69f966
SHA512 c977b9ce0a2aec99c9ca6d49789fae793df22f17c6216749ee0b51ef393096bceb160dce5f34666f20f9025aebe4288185bcb43b8d28adae97f4e98ca1d2f05b

C:\Users\Admin\AppData\Local\Temp\OgUQ.exe

MD5 a6bf4a43bfb2bff9b538c968a96af3da
SHA1 3be5808c884f8c2fdc093144e36b1c5d23e4c58c
SHA256 029f77c403f2ba95ef23b09c5e5d9931bb13f3f9a94dafd9c3deca4d955b7799
SHA512 837f3f3525efaff33c484d6d17457a9a007b61a7b9a756576889d556a18281c56622b49c3b2df9a22a2bacacfe5a96506e48719ce81e9d784172348661a9d3fc

C:\Users\Admin\AppData\Local\Temp\iAsi.exe

MD5 9a8188eee2a2633ceff6b51b279ee760
SHA1 57bb06713e3ad1eba36cebbcfb14af72925cbda5
SHA256 c65fbc5f19386ec6993c0122beb6a5783b3d3b3f564c6326a2659d311e49bcbb
SHA512 a0ea424b65f1df346735607c14ddc24a189c2a60dbd7b151f35910159ccab8a7502a08e9cacc9a9f7a0da0af68f2f55774cbcefb7d6ecb0ec41700538e4281b6

C:\Users\Admin\AppData\Local\Temp\IAcokMAA.bat

MD5 7121efe14f1d2e8a3c2a0cada9e6f050
SHA1 f2c9ddd9f776dd116faa9ff2ea765349c5881a10
SHA256 a09a5a9c58493d144e3dad329b398287300164b68c4a5e131d3927dc58ff1341
SHA512 cca55f798f3f232eaaf1499ebb5e7dd300b25f581fbb601546de5203999229e9e065652daf7413f185f3557080e8f42d9e667b58727cc5f6a839f85e69bee497

C:\Users\Admin\AppData\Local\Temp\esIi.exe

MD5 7eabdfdd060ca3d45fbd676fa48f038f
SHA1 94e41a404b63ca68afca369d36f17ecc9b82a8a7
SHA256 b34485bef184bbe4f3845439c67cc7e2c1195febeb16818a710e762a878d0d16
SHA512 199178e4c6973e55c7bd31cfbcd5cb95e7f48300bc64bac6e4a20885cd5288d935458ab00a1f86c84a40d4b925f34bc5510dbf397c8543d9c2ae66c218f69356

C:\Users\Admin\AppData\Local\Temp\agwo.exe

MD5 94a036be92b632d2e7760ee4af3e63fe
SHA1 e3497a0d314ed9499ab9c5d9304541ffd885a7e2
SHA256 ba4174e3af367c7a48ae1b4606ce33a6faa6e6bac8a1d7d2e86454bb37183c31
SHA512 6c24b51ffb52bacec352b2be372672da5632abe9c6ebdc99a5feeabfabce62392ee82ff6c5f7b76b66b0d43b5a22f11b7e131b139ecc2abcefc2caa5728906f8

C:\Users\Admin\AppData\Local\Temp\uAwi.exe

MD5 33497d6f70d92521491bfe9475ab0d62
SHA1 2b5cd21acbbf6f25dd3f900d778e3e1f9373b41d
SHA256 bc1d09fdabcd89222fd1e1304a9157f38de2fd64de5f5d3dc6997460db572ffb
SHA512 4a433722a99fd311be2fdf3ee3f798cf64f1dd8297d93dfb6580f1fc9cdae3a817f856234d570b7ca0441dfbe994c5fd03b627b76d7e9203a50ab654d7c5a828

C:\Users\Admin\AppData\Local\Temp\iQMs.exe

MD5 cbff10d94e091a06ffc3486e391d1162
SHA1 b09679740168d8ba11fc52d29fbf0c1a3c4ece12
SHA256 7a3a58947fadbd97e732d93dedd21d884bb885b715a02c3c055c10673aad8f43
SHA512 b8f63424304665d9bdd82a4f74b55249b90563d1b985734eb618ff57c6c4d7eed039a7042b926b7d6726f9e76602cc4f6a4a538d90efc7508f544f322324c39a

C:\Users\Admin\AppData\Local\Temp\sMoC.exe

MD5 3f0952b875b26e4398e3b516a185813e
SHA1 80319da1a7011897816408531f7df665df03af5b
SHA256 4c77b7b7bc062facf72402d9daf888d17aca39c90032584f18f5eb161f61a429
SHA512 068a52fbd3f8cf4f40d2c5b91f3617b8713402841520a078a7f7630a8d1b4dac9593a60ec1910d554736aba4c2c14e7bd07ecf92be662c746fcb2db1f9a852c1

C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.exe

MD5 27daffcc1abbb17d68d866305c6a2225
SHA1 93f884626a402cd96409eca1abc3b5b926ff1875
SHA256 4619f06eb269fefcfc845e4ad2463b15e3a4646bcca0d1934380ff00151c5b14
SHA512 9193b03657236b60a01d1399716cd9bab066f1d19de4b967a513a8fb02dec1a67048476924b5bcb13098aa09ccfa96c1e3da2065662dcb33047e4ac5ce3694c0

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 10:41

Reported

2024-05-15 10:43

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (78) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\ProgramData\LiEYcEYw\fKoYYgwc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WewIQwEk.exe = "C:\\Users\\Admin\\tUYswEoQ\\WewIQwEk.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fKoYYgwc.exe = "C:\\ProgramData\\LiEYcEYw\\fKoYYgwc.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WewIQwEk.exe = "C:\\Users\\Admin\\tUYswEoQ\\WewIQwEk.exe" C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fKoYYgwc.exe = "C:\\ProgramData\\LiEYcEYw\\fKoYYgwc.exe" C:\ProgramData\LiEYcEYw\fKoYYgwc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A
N/A N/A C:\Users\Admin\tUYswEoQ\WewIQwEk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3764 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Users\Admin\tUYswEoQ\WewIQwEk.exe
PID 3764 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Users\Admin\tUYswEoQ\WewIQwEk.exe
PID 3764 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Users\Admin\tUYswEoQ\WewIQwEk.exe
PID 3764 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\ProgramData\LiEYcEYw\fKoYYgwc.exe
PID 3764 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\ProgramData\LiEYcEYw\fKoYYgwc.exe
PID 3764 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\ProgramData\LiEYcEYw\fKoYYgwc.exe
PID 3764 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3764 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3764 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3764 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3764 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3764 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4184 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe
PID 4184 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe
PID 4184 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe
PID 1984 wrote to memory of 4472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1984 wrote to memory of 4472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1984 wrote to memory of 4472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4560 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3348 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe
PID 3348 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe
PID 3348 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe
PID 4560 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2476 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2476 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1360 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1360 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1360 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe
PID 3824 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe
PID 3824 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe
PID 1360 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1360 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1360 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1360 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1360 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1360 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1360 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1360 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1360 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1360 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe"

C:\Users\Admin\tUYswEoQ\WewIQwEk.exe

"C:\Users\Admin\tUYswEoQ\WewIQwEk.exe"

C:\ProgramData\LiEYcEYw\fKoYYgwc.exe

"C:\ProgramData\LiEYcEYw\fKoYYgwc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCMswYwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CewIQAMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWEgEYMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XeggsQAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIUoAIwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQsIkIME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMYssUAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyQMoIUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCMkUoQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMEcIUQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgEgEwkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BiQAAsgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fGkcMIEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIMcYEoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkssMwMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aakkkwcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkEYQsYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IygscksE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKIYgIwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSoAkYYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\desIYYUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkkEYooY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kaIwEgYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQAMEwEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIQoQggo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYIEwcQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAUgsgYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUAwcsAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKcMsMIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMocoowY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmYgQYcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQQgsYEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWYEsIAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQkQMgEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEgUUAcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GeEQoAEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEsgEwgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOEswYQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MiYQMcYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQQooUQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FIYogsYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSwYgccw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcQYcIcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOAoMwwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEQMMogw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQQckkws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noMQIYIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkQEwUMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqkAIYIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeAMUwoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQsIIcQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESkAoQcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fMUAosUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaoMAkcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQQUkMsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWEIEgYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMAAUMAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcogIoEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwUAgMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jiskscwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkMskgMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIwUksMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CscAQAUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gwckkwgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSQggIkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAUkAcUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsIYMEMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCUMwYAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIIgIYwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\maIAQsEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWsYgIcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lqAkYkgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwscIQkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JyEgYcUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYYAIooU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOswsQUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swYYsgwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rYAsYEsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsAYsAQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKAkwskA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUIcYEww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QsAsEwMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kaIIYokI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCscAwwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkgscUkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lkEwAYsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQcgsQoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uisYoQkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmMQcgoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYoQAIEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOIYAcME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKkscEUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEgYUEEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQQAIQUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YckgskEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cuYYAYsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwUUIUYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYsIkYEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkYwIMYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
FR 172.217.18.206:80 google.com tcp
FR 172.217.18.206:80 google.com tcp
US 8.8.8.8:53 206.18.217.172.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
BE 2.17.107.99:443 www.bing.com tcp
US 8.8.8.8:53 99.107.17.2.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/3764-0-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\tUYswEoQ\WewIQwEk.exe

MD5 ea35558d5cf85909262fcb76d956d9f2
SHA1 aed45dd654a6f670dc4a41489d9036a08c36beab
SHA256 35f89dbbdd391769f99dff78b84af022b1e76e3af72a1ce74dc29ab26f482af0
SHA512 6f7e5198581a537a4289693db24be5686f25d74f4a7286721c52a85b4c0dc89dc07b157f09904cd76311ca79ccc22e8acc54757ad35c00d6ffa5adf69b3b5432

C:\ProgramData\LiEYcEYw\fKoYYgwc.exe

MD5 8fbc132591e7c1e445032b0d446ddd59
SHA1 8ef77c85f9e90340d5d366b1a49f9c755ccd52f9
SHA256 163e636659b5821fc4356f59054326ddfa353d790e5d524c53e1e938b46faaf9
SHA512 9b80ced84c551cc69626994c050032f180a06a044ecf2b5bc13a062c4d5ecab8eb5864db1d9dd0232d17394b068595e14be8a1284de1c57d8b6f597c9e1417ed

memory/4948-15-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3780-12-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3764-19-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4560-20-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sCMswYwo.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock

MD5 ef625f28a5fa08948768d1836c3227b1
SHA1 96a6f727228c1ace18c93c9b6117b0cfe7f66a74
SHA256 9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889
SHA512 0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

memory/1360-33-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4560-34-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2548-42-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1360-46-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2548-57-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3592-71-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3648-70-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1804-79-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3648-83-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3940-94-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1804-95-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3940-106-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3076-117-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2624-120-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3076-131-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4444-139-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4064-143-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4708-151-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4444-155-0x0000000000400000-0x0000000000433000-memory.dmp

memory/216-163-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4708-167-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4588-177-0x0000000000400000-0x0000000000433000-memory.dmp

memory/216-181-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4588-192-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2572-200-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4612-204-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1988-212-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2572-216-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3320-227-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1988-230-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3320-241-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4428-249-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1876-253-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3612-261-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4428-265-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3612-275-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3800-283-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3248-291-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4380-293-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4380-302-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1840-303-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1840-311-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4456-312-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4064-320-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4456-321-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4064-331-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4532-332-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4532-340-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5000-342-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5000-349-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4880-350-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4880-360-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1848-361-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1848-369-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4972-370-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4972-378-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1804-388-0x0000000000400000-0x0000000000433000-memory.dmp

memory/840-389-0x0000000000400000-0x0000000000433000-memory.dmp

memory/840-397-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2044-398-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2044-406-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2452-414-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3828-415-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2452-425-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4340-426-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4340-434-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4732-435-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4732-443-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3096-444-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3096-454-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4472-462-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2536-463-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2536-471-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1872-473-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1872-482-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2804-483-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2804-491-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4732-492-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4732-500-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4780-501-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4780-511-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3920-512-0x0000000000400000-0x0000000000433000-memory.dmp

memory/332-520-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3920-521-0x0000000000400000-0x0000000000433000-memory.dmp

memory/332-529-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2404-537-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1484-547-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5116-548-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5116-556-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3472-564-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1240-574-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KcsE.exe

MD5 84a297d0a17e16e09ed67022303b57fa
SHA1 0e99320340d477eec7fd146776bda55ef97aab1a
SHA256 c5fe5185ca1bae27faa2596c540d7c4c93f18f38b749e18da7d219081cf1dd6a
SHA512 8db66f499581e94180f66dae1264c5d64999475b6e38f152d0d60355b731563406ff42c8836e91c4d6dc816d965387f773d4d8c7777cda58a68269baf5b85403

C:\Users\Admin\AppData\Local\Temp\uMka.exe

MD5 cdd83f43dfcdf4252883260f7d5fcd49
SHA1 31efe33875bf9d59f0630fb8fb3b1b8ea17d00ae
SHA256 85351a48c0a1ed71f6299c0441df6bc956728a26ea7ba93a013295a9eac89a2c
SHA512 c921559a3b6a42f240bc11d3ae7d3a464cd7e615b0e7527a4f4ac0f50b8ecafe8cbf2726282dc3fbb2b602b33aa22d35109e9e7b561659c985852ed538dd99a4

C:\Users\Admin\AppData\Local\Temp\SAsW.exe

MD5 a1219a9c0a94a51ea4b0494af597040b
SHA1 8673c02e0452918d62b3c858ee1c4f941058ee5b
SHA256 bf1e72c841b13fe9e7025a9d264a83ad74a888c999ac7e22b932d9d79d4f0443
SHA512 513a497caa6b06888dd085b001e94542c62d41bc9f416125133f0bd58fa627332d5b2f32622f974b2a2e11a441b2160032d314e91885b14c250e61b94f3e77c6

C:\Users\Admin\AppData\Local\Temp\qUoQ.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\MAUg.exe

MD5 f45b5344e5290c547a0279438c3c2cc9
SHA1 800aaed5f319ad1a5faeb69b885b623472057a7b
SHA256 00319af261ce621a54e24946ba20480eaf49ea6e514c27f6f448656a0fc10c80
SHA512 2e2e14f68b5fa800943ada282e15415dcaecfa124f4e61c48a3dbfbb211ef05aca5c4e0cdf4238147769dadcb79a6560783c049dbfe2c94df5ce26497cd4efca

C:\Users\Admin\AppData\Local\Temp\CkMg.exe

MD5 af869e289ef866efbef463c575c87dbf
SHA1 647c08badcba15c3be987cb0b9398b0dd6363e3c
SHA256 6cf4ca30e405f28002d934319cce30a8aa1d393586bc78bc63d77f7663090d1e
SHA512 edde1901908c1ef16570bc006a712c3ea6a024a502838afc885f273b9853c948dbee19d869783af406e6b22025264ea81f2ff6941cdfefe580dc2f1639f3310a

C:\Users\Admin\AppData\Local\Temp\mgoM.exe

MD5 d12b402e196fc2f0f4a847565850be47
SHA1 3a6bc1729c121c83b23cef3f4c522621481b3dfa
SHA256 22a832f309da287916f8eb11e7a557ebd9d13df3e9efe452ef9d03b931244250
SHA512 086553728cb4f30a5879c8be4c4f58119d3f2016269ecc6296bd1222017c8c5ca4c64bf8155fa8d473db0c1d5f906e7cefd40ec0cc2b8c5de3ef3a7ad05e4762

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 d399d547e0e4836d2dae32a6af8bde31
SHA1 b8f311f24b6f2db3e8fac20c758ef0132ad79834
SHA256 51163f7035711315d1fca39179975bc98fcd3b51acceac61dba7c68fd58df639
SHA512 ab13be63effe2840eee710f58268b1ca98b3b6a6b68771f607ee7e834b5e5ee7b7389ea8f614875e80fa7039752ec3546bc06586697502a5fc32c4a3acd02fd0

C:\Users\Admin\AppData\Local\Temp\ugUm.exe

MD5 1c1207ce374857c3084fcfcf710f7894
SHA1 49c90a5c256f7ebe2ea04849c487c8ce0b6b144a
SHA256 8042af37e4ed7335ed6d32090b8bc0dc1ae4ed7aee092233706a67a57b42be46
SHA512 157e08c878068d8c5a30bcec9114fa453e00f11768aeb0d2222eb80d3d386095d7c33f5f8337b35199695f45e6987a98a05374bfcba98ff736d10f45742405d6

C:\Users\Admin\AppData\Local\Temp\MMEC.exe

MD5 116522ae6b3823c051dcfe4f717ea107
SHA1 0e7529f64ca247993c37595ea8223dbed0744fac
SHA256 8bd809de5c1aba1786de61e828f64765e4d6cc5cbaf5f94ea12775ab5111da09
SHA512 e04831960faae02f5fb93a31477093c3305a861b4c9490ddc59b913d2beea44678f55e04df5037d65662de78e6bad814885d83fcb0b7aa8f14dddf74f79f9d54

C:\Users\Admin\AppData\Local\Temp\CUgC.exe

MD5 83457d55c4bab0fa86824f2e660444ce
SHA1 8a796a4d13ada542e12a14ad9802b9bf1ed950d3
SHA256 89e5a623483ba21636602f353f51e329bea47fc0786d828f0e34bd938968e28d
SHA512 b55fb189f286933d2da5cd86e0d6781a387f662814c96bb95af2499d8416d84cc45f8e50f55ea10465eb8ddd693f7725d6a13d5e3d5a11f7ec6193f5f35215fe

C:\Users\Admin\AppData\Local\Temp\yYss.exe

MD5 4cd42091c188e308cb258bf9f1c27b35
SHA1 b0ce52c6a20f0b329e10352b58de4ba1605fe880
SHA256 4479df8a7a98ebc7fe6307e89f69ff5e86eb494fb9fe17acf9de45b98cb67647
SHA512 f3351bf4d25f2eeea149d4e4b722f192d22ea20998d154a27bc6651e6d1d273d6464063eee25d8a870d85e2cf92291b51407f3116301bbf971a894524bda05b5

C:\Users\Admin\AppData\Local\Temp\KEEe.exe

MD5 3f01b81fba7786f7732ac3ace064a427
SHA1 7b9f33979db941a8f8b8158ed5de80981888a7aa
SHA256 4192c769001cc045df98d8191eba43072721a212721f6584c38688a370c0863d
SHA512 ef614305e315ac2d80319aac88657ebfb23d801dc4ce92376addb529c72fb2fdf45b72183c93081b70d4b53c18ac88f5eec3b609f62223c97893849eded65dad

C:\Users\Admin\AppData\Local\Temp\EoEm.exe

MD5 97b3b27c85c71b3406b918c3d3c32c68
SHA1 77d2277cfa6538893af6a78298b79068491e3935
SHA256 9964efeb44ad05fb040cd7061c61ae7ccbadea692de1755e26ec9bec88c1ecce
SHA512 785994c98a68545ea27a0470182c8a575dccfb3abfffaca81a16ef3cdcb68e614e0d7430ffd81f1a35645015feb9e7eae139fefe9249517e84dc1fc3622e83b8

C:\Users\Admin\AppData\Local\Temp\swgc.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\iwoK.exe

MD5 c02b35dc3386d6658fb78f01836476a3
SHA1 822c80599424d538b08619612d1234b8f323dd98
SHA256 3c561d310b2884dd078fa04dd09de079c07d9154fc897095df1f2959e9b61e2c
SHA512 8ac3f97a7e033ba17b9aa765dd4e9dd492ff179ef3d510aa5355f811ab2e8d86821a817b0254203265a52649b47af8de5105350d9c62fd4957820526ec8617ad

C:\Users\Admin\AppData\Local\Temp\YkgO.exe

MD5 d0ef1d0c1596e48df55151b020fae419
SHA1 60c376da5e954f0a9614698af7b28de8bd2f534c
SHA256 0d112cfa720890155efe3078e85201c5e52afe294255996a8631f63429307764
SHA512 9b5a0091cd83519b42cf73155053c608c9f734a4873d56ae6c0c71bf4324eced65ba11e4b8d4ee6192d13f1b68a03b6d1497d921c8ad8b04cce5a157d59264da

C:\Users\Admin\AppData\Local\Temp\mgES.exe

MD5 2e2db2be933750207e3c073fe161433b
SHA1 8d708b1996b42a32f9b5a3cc75baf4393d7f3f5a
SHA256 8b2212eafea1e42451016751c56a1e10f10b0d3f6de729cc6a678c2d84846b58
SHA512 ebfb9aca132980d8a339eef6a6760c9480d543ad43a201d2b7dfe77d9189cba44e8f954c1ff6f14e12042ddb1d9c59862c82516232b982b26b60af4f820ab304

C:\Users\Admin\AppData\Local\Temp\Iggc.exe

MD5 2533c8e1b2f3d06112c62d4a4ae6274a
SHA1 0c2a3d779dbdc6d4af71a1710529186ccb175577
SHA256 5e812383bf623446cb3950e8160b9e6a2379471740a82d86b6043eab632813be
SHA512 b6bb18db67a440658f4f5516f0a6b9834b99d8c4f140df9212f8534b13b8e561990a70dc18463ec8648043ff8f1b75c4949cf4459243fec753f4f45df69466ae

C:\Users\Admin\AppData\Local\Temp\QkIo.exe

MD5 7d9c71cedc72e25363ef033329981a04
SHA1 a7d93808069a01544826322ec0c687f706ef40d7
SHA256 6f88a6302c772425e62570e42ae383841df556dfdcbdef5ba113184ec4ee3c0e
SHA512 45a81b53294dd4519963f32e414ba2bc154042bf4643fb35d914c7180f3009a89a763a83d1b5b9a204505c325c3d5f43ed2808e2e9e4647c17d5ee666d42b537

C:\Users\Admin\AppData\Local\Temp\mIQE.exe

MD5 0d3b4c063e2748f9df67691a7afda3cb
SHA1 98ce0943feba7b88ca787c27db84e17e72e92e71
SHA256 61e40938dab1f00fbb78a59bf72db69770509e228a1373fcbd99fa218f99933e
SHA512 acca3d72cbe715325e63478d4e16d6db8c9bef77c9825111849ef20e2718cc9ed6128000d78d8061c8892948ea06bb631172737e91461d18e4ddc5b1c94bcf71

C:\Users\Admin\AppData\Local\Temp\qYEc.exe

MD5 390e06688ccfb1ff030d51069b374527
SHA1 348b3be8ea6f2c4c500b172dc0701c752b1101b4
SHA256 590fa8036866155eb07b7795e56fc538de2217a30f53b523a43b30293c476246
SHA512 e216741fef8cc25d0a57c8ea32546980c35da17d7e70cb968f5de90d31af9b6f0e98573194415fc7f0115f268a4ca4ea9f2b43c7a936935b6cd4e360d7d2658b

C:\Users\Admin\AppData\Local\Temp\McYC.exe

MD5 e3e36a3fead0955a94dc623f66fdff94
SHA1 347218357608bc329d2ea2003596677db03614c0
SHA256 bd9a4fb125e87bec84b7baceec412aae7a31272614afe6ff58cd34837cfe0875
SHA512 e4d5aa7f46e3b256e89d4212455cb78e53990784cf64633b86b946c67b7acdd80fa5df555521c568f323030d663c6ffb9b9fc0312f613f3eb0bd7d0a700c7c47

C:\Users\Admin\AppData\Local\Temp\oEoU.exe

MD5 1b64cda54e9cd7c7a86cb4960b1b03d1
SHA1 e1fa2e4a5d79fe5970455ed757ea2f54f348e009
SHA256 1b27976f2677bc6ff421b54bed488d42a2524acc09e8ed18a3a2beee269c7c42
SHA512 f43747926a7180bb08e52f867097ee4ff448b0bc7f2759a0f0fd184d7d2bb10d713f7452a46fa247cfef87469ba76aa798307e13f5dd1c713de03714036c5fa7

C:\Users\Admin\AppData\Local\Temp\eIwM.exe

MD5 fd9c650ce58e0d1f0fec773d4d0bf0fc
SHA1 8c6dd7ae4d0fa211982c0e9197c3d20b7acae8ce
SHA256 dad859e290a7b7a8f06ea511832105015297b5489863db376e2d382bd3180e4e
SHA512 c0398e316f7159f31f411b93aa05e8f70ac4e70d055de5d95acfa246fc990170018b176ac89d40cbe3a6c7e9b5b688aca1c5899310a231cb769866b0977d000e

C:\Users\Admin\AppData\Local\Temp\UAEq.exe

MD5 e5c46564ab8fa4675b6071283352dddc
SHA1 43a040abf01896086c7866b1a8fa773ff9f7c3bf
SHA256 9a8e0759e367984284395717241530a8192ef6803fea10bd3906a955ed04955d
SHA512 99c32001b86edf7440f3457069bafb07c76aca75283663515851a2a1507460628a3533e849521787c224e3ecc6badefa405f6a8368d258ecb31a195297488ecd

C:\Users\Admin\AppData\Local\Temp\mYwk.exe

MD5 f8425946d3b607e927f1a7575b0c2d1b
SHA1 3577743d26344748a3838162e507f2d194850102
SHA256 62eddce4fd9c786d2560a56577b7f7a2bb4f3a178ad76727cb2bc0999080717e
SHA512 7bf0857ff847c90b9bf1981382dc97d327c26702624c6f38a411144427cb194f7c8ddb4ff939d39b513031a04231ecec1f7404dcddc0fb6b3e09bf9145bba68b

C:\Users\Admin\AppData\Local\Temp\ocwA.exe

MD5 d8e21baf9653cd91e5935e8b95e4aca5
SHA1 1f4c54b7bca989a15cd188f93444616e86d53039
SHA256 7def5d1b64b80b30097cc75d1aee3e65620487af26f647e46abd7073d850cd8f
SHA512 1d5ca3dbf16b401ee5381b35c922fd207f43c5d429fa6c83e6e6c80478569aa62b81e73bea75a2cd1ea76e78b2dfd07ab65fe8be9c636d2543dcc1fc5b674706

C:\Users\Admin\AppData\Local\Temp\SIAq.exe

MD5 1a7a3b268bcfcd01471d87b4db2c2d14
SHA1 b7f38d3b7c65598eb17202ca6cabda331900ff96
SHA256 9ef32d7c7f0a63f2887278f146e5f06b0b2037b9f112356add0c247872af58e4
SHA512 b27826e34a8799ff6bb263caa5b48606e01e6d3153053710e0a013b551a473a6de1be6687461b05288ca768c4697253071c02a9b242b043e072426f560f09f5a

C:\Users\Admin\AppData\Local\Temp\kgcG.exe

MD5 12ccad0adbd54a896386a85e76fdfa84
SHA1 685f5a985f83f4065febcfd0175623b48ec916ac
SHA256 65aec9233d379380bbf83d411d361dfd00eb074e097fa89463eceddb84df9b83
SHA512 05754f69bc3e8bb07f5efb9644bf517db193209890e835bfc836c3c983efdc3c0b93e1de3b4deb1537052982012c76175a584645498c5d87fb99bfda0e58110c

C:\Users\Admin\AppData\Local\Temp\WgoO.exe

MD5 1ba8e4e5de5cc2cb5eac5dd937e2a6b9
SHA1 42b706d81a3c045d5c7f4a1b47173174d155e24a
SHA256 f6aa0bc681dcc382d91b4f7184dd3ab77c0377fe0d639af1e3c45c26b393308e
SHA512 b68c8cb1481247c459a080713aa996e4af41e433aaf0a04b1df8c34b3b8cf1d720b631875a69f052a66146092977fe2a3d914045292acbb5ac52a2ac898632db

C:\Users\Admin\AppData\Local\Temp\yEIS.exe

MD5 560e43773805df4382a6caf06ebc8ade
SHA1 0456bb043b6e4bafd7c958d6684fcd9bab59d212
SHA256 3d4e7b5c69e77f091ee053d47b12a2fe6883166627a89c9d7b882ca483cd8578
SHA512 779b77253c7412ab2becaa312ad34dd09b03666a9fb4c8ec2a24e3fed811b36d0b237699b7dd847453be3fa95db1e3278acff5417eb5f026ea602a57fe098585

C:\Users\Admin\AppData\Local\Temp\ygog.exe

MD5 5662a28a8986492ed9f2eb8a942f8d67
SHA1 10da764145e74c21df952c0387738aa27c43c4f8
SHA256 c2dcb40832e5a9c41aba35e2f322c7c36dba8270db11c538f5edd1f77da5567c
SHA512 6433cbb1b741f3b7a857a20b944e3018b5f63a6c31daa2b419d00a86b756b5f117f8a5e68d9d7ca75f5d9a3dfb55ac0e7be63dc9408a92fd98f018396a174b07

C:\Users\Admin\AppData\Local\Temp\Wkku.exe

MD5 b61e218988472ff28e4e88bc1325c401
SHA1 6b091cfd25831f8d047b39a8e37211bb65a9f045
SHA256 23ef90f3d90c9c75a738faaf4a4bdd225c342a568c01cd69dd820e8301bb509b
SHA512 7d24569600784cd040cbe21b6d09c9a3ed6e4f253e726343a15c215b16c8dbdac026b49f4df5720c1022f91af65dda894cf895cb28f7baa1515bfabcaf5d2ebe

C:\Users\Admin\AppData\Local\Temp\EIos.exe

MD5 a68ba8e37cf4d8838d6059e5e789977f
SHA1 d472c5606aeb018a43c3dddf17eff449e54073c7
SHA256 c387033648dac2f7d3becb93d8e4882a60efd148c81e0994eef707d28e99dd05
SHA512 7bfdc1a47e1b09ac378ca7c563bdef55535ae936df35a8d72cc2af121cb36059d24ddd2dae67cfcd364e8a75997f691d1dabc83e63ea30ba9dd7ff60e400d4d9

C:\Users\Admin\AppData\Local\Temp\akcK.exe

MD5 a261d416243b045b70e8e61295bd3c75
SHA1 0463a5fd3727398950254db6bb2a105915121b5f
SHA256 f2252ae85c135710100200d62f471c45d67f25a5ad97bf7c788c0c0d2beed410
SHA512 f5d37ce071990dbbd1879ea9422e39870f66aa2365a2f1677b56ab6026635f8d792740a3694211cc8b6655ce46c2f913408f24aa67cc3d466057b6475193b499

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe

MD5 abf0530347d3dfe90f823392925c95de
SHA1 af374c9afbabbc9bafeae24a98f8da678413a333
SHA256 1c7c3c6614f776c8b23306a60dcec82e7819ad9aae69cd7f8b86b8ccd72572c5
SHA512 4c08eb0243ecbd77ffa2861f028613164cac046a14a761f83731f3d5592557defab6e072c23b6cb93d089ab371d1f8c917d65ea93086ed0ef0eddd2ea40d36bd

C:\Users\Admin\AppData\Local\Temp\gIYm.exe

MD5 80c16d191b1cbb4a147737cfabfc0244
SHA1 c00dd82d2c9eafe6221276ee2ec4067b679cb9e8
SHA256 b8411187ba115ebfafbe0356b5b2e8fb973dba466ac14dbf9d67a81b7a051ff8
SHA512 0d614dc578017781a8e60f905eac470b06cfca1b20336498c90040162fe7d7589a430a1eb48eda669c3a237ce858740c6aa7e574103db9c987f0ecc45f5cafef

C:\Users\Admin\AppData\Local\Temp\oscy.exe

MD5 629a21b8b18493e104b81d8a366d1639
SHA1 90005d32b4e559bcd0e799e3fe84a803146eb02e
SHA256 41021acc800685a5c697abcdc59610cd7937f527b152c4309594408b5e76b0a5
SHA512 bc91c67caaa8f9f48cd903bff217067dbd9551bb635dec2afd0210c2ff1f31d5c3776ae2d56ad54dfd79cf3f1593a34fcacdcc76d8a39029c8d763b880e6cae8

C:\Users\Admin\AppData\Local\Temp\CsEc.exe

MD5 fbf9dc4d62ecaa034f66065924ede921
SHA1 f35dcd59acb5dc88c4b1ea791577ff84be556b4d
SHA256 68933faa30ffa3e21ba96e12c9d7dcdbed492295e3c6b478ef8e9a7417ff1a91
SHA512 c01a49c53b83347a11b918ed100fe78a3291d71ae93e6f760b2e39e2fdf67bbde6d135ad3e567b54b00f3fedb509b7ecaba2341619bf9ff85c92ce7d33db400c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe

MD5 12a96b1ff03459e838de02017e6d88cd
SHA1 46a3128bf67286c6e35ac8b092edb4e705406dbf
SHA256 fe11cecf5fcbb039bffdbcd783e7531602c6ecdf976bad207f28a913b70673af
SHA512 ff65e4540c1e11cb18475667ca77bd919811a347632cd8cd6060862dc58f797e3e12ea61f0359b9883e360f6c1c0e722906d824d44d12f08292b6225378c578b

C:\Users\Admin\AppData\Local\Temp\OYUU.exe

MD5 7ee29cc31839c3b5a8031c7b498976a7
SHA1 fbbee8624219d286c0f8a09f230d12eee95cd0c4
SHA256 13b529ef0cb6393a3675ec6f3c746711ea4bee0db6203070dde1e329430505fe
SHA512 cb841ca9638bbff929967ff81d06475a1db17f408e30a1ccc471ecacc5f2dd7a2091c0599ae4730cae4744d21f13600bbffd757b6fcf6e62795df88ae62a7b01

C:\Users\Admin\AppData\Local\Temp\qIAu.exe

MD5 31ad3d6aed540285248f18f44c04b7c5
SHA1 2d1a0c69bca00a4d50c2f08653ee1113a2b1655c
SHA256 e7177603234933a95c06731c43563833239ed8578c2273e2a38f5e5718189173
SHA512 cd476c85032c1b6db5e823b1f4ba4a420eb8c4886796335ce2245f42a4fc5426b79d1f02cd37b47bf27c7a3ee28b516b4d6b7cd8d490b8f5af935fe80e31d08b

C:\Users\Admin\AppData\Local\Temp\iMoq.exe

MD5 94bc132d4a0d48766ecec2b7b592e490
SHA1 93c7d1b8e3db870ae62e1b37a64fbd6dbea7a741
SHA256 158b124c91434a672789b1ff67c4968509fcb45ff0822587ecc9f7f6b1b39ae3
SHA512 61be3d1ab1ba49f688af238381ec05fa687dc99bd9cb3460a7b3f431102552a7ed5b0d643973eadef70719c9a402613f4f01b8d269475c369bfee7b1d9e019b5

C:\Users\Admin\AppData\Local\Temp\gUsm.exe

MD5 374e545d9101ac03741506f3e7f107c9
SHA1 4f7ddf0b8f1d2976a689e21a74e8d6b8f9855f09
SHA256 ded4de5210c407db621478f5589f20de8273f701f34b06ff58014ff8d8e851aa
SHA512 ea524f9365fb7ffc48e83040249e36c7f223d3696ba9e5259a0c08993963906b6af46b4656dd98bd167825dde95ab4c2cc1cbd05eddfffaf47df8bdd653519a1

C:\Users\Admin\AppData\Local\Temp\oMQg.exe

MD5 73378c1daeec72970015eded4c98588c
SHA1 1aec657199aca6676f597f05c6fa6cbe88c84ba2
SHA256 9cc343c9d7745ffd38f00ada563faadabff23737ff1e62f808cfc477d53b983e
SHA512 0ab9e25b5793dcfa65cf7b8a2ee2072f4995c7219719f0d627cf815f255edd6ea657ae5e7a825d889f0d81622995669621a3a068045ab8be4ffa5888f1586ca4

C:\Users\Admin\AppData\Local\Temp\KEsS.exe

MD5 ed98e4a0518b3679826d82395d4158f4
SHA1 1524023120c04d1017a60c68b5e26abf5dc0539d
SHA256 ef64347e40ff8b8c3d110faa9f02bc74b9e12eeded276264fb0c4a03ad6629b1
SHA512 6b1da5ef30b473c7e131447e162ceb85cece99ec0c3485a4f8ef8f8098b24e089d1ad6da69ddc0638a3cd53f5c2c03bace34f7af968a4d6006a99f750807b8e4

C:\Users\Admin\AppData\Local\Temp\MwMM.exe

MD5 0b76d165d87fa193fb3f654a815ba3d6
SHA1 e781b63d26be082b4b594239ffcc56438e0517d1
SHA256 79900d993874e0464157a1b903ba38f50bf85b2247523490616425d8ca7ccf77
SHA512 8793b052d5dd8394c76aaef1a779a2393106d63bb1fb2e94911bcc1e03aaa17377bd8fc54a9b0bc6e4280415c1c5c43cbec3e0ddf7a24cc4005561084ce81a94

C:\Users\Admin\AppData\Local\Temp\WMko.exe

MD5 ed1f1fb34bb069663c74e7afa7518c10
SHA1 fc8ee5e9c067f6aff8fe2f4321344b33977bd518
SHA256 95e9189be137a1e9ad07749be12af6cb089b37bc7d51cfc6f7305f36f425a5dd
SHA512 b4cc148bba855f932a56f2c53ba44fb83c3f48b6181b2189f2b84c2f5628e26561d1ff52b90848b2b54cff60ff624320138bcbf2d51d1b0fa4597a17ee022ea0

C:\Users\Admin\AppData\Local\Temp\GsAq.exe

MD5 3a8bff3771a3cf8b9863162b440ae93e
SHA1 2325e228b25efeafcd767106d5516fea0cb922fc
SHA256 b82a4b40e68cac55e902c953518bd9f28a675623b481c5e62027849304437e1b
SHA512 2fecd93f60d5004adc451c2a6fb26e134900b19710bfffdd5caa7c109c946a1ccc6eb274625a0e598e7c3f5c4af558ef080cd5b2309c53ad061eb2acd87e411e

C:\Users\Admin\AppData\Local\Temp\uoAa.exe

MD5 b2f68f65a23498ca90dc5597842384ff
SHA1 57cc03367035a517b54bd20a6a8e90ff0e51c522
SHA256 885f684b426c19e44b3f565acc4058b1462037d9b46e128592135282620df4d7
SHA512 0e2175818f3b3d216d67a2fe50bebbbe6a40760c2d3ccae3c657f4015fa85156eb6f7985292e066b09849e4157ca69b635bdda22a4ca07656a59fd3547251080

C:\Users\Admin\AppData\Local\Temp\eUMw.exe

MD5 95560a7038a1ede048907ffce394403c
SHA1 2f8bc90a381d69edcdf294f54f156ae1f9284279
SHA256 0f0ad2397404d989de8a7c6c3b9dac00e603653f6bf4af369412fa7e52313e5a
SHA512 ce0226d7a3ac15d16d01c49ca326a184d5d5fa02eaa55bc021cbcc9cccd3bfef5336c3ac6ebb8af4a10e1340e71aadebcbf5538aa72dac49bbec867cd1ce95c7

C:\Users\Admin\AppData\Local\Temp\oUQI.exe

MD5 371702e1aaa856dbe601d8b3ca4e2d9c
SHA1 a02c2719ae5dcfc0075422fbb26c6fa58bdf365d
SHA256 4054576a6dfb942d66e244783a2180da502229ee049fa7689a7850e8f4bf6920
SHA512 feeb3632eabbff36e6dbdf94674e4148cf47506466ae241162961f06d1ebc30bd5d31bbd8ad5541faacf7ae6c1e8bd74c83963b6a6609dd3154d20e788a7f387

C:\Users\Admin\AppData\Local\Temp\cYAm.exe

MD5 63d9cf3b1a5cccbe665d7aaca884632f
SHA1 9414d34ee87938abebc32c8649806030550bd0e5
SHA256 147d8710e2154148ad72e4bb057578a99ef2789f74d8188c84e8356c469d8bc4
SHA512 c4232bc18104e1a3fd2d6946bafdf79e3d21fa8de072551dedc6226d1777cd221e10052115e6895916cd84b717237b0d5129937fd8abf72612e96080a05b2155

C:\Users\Admin\AppData\Local\Temp\Uooq.exe

MD5 63c516a61bb4388a0d2fcd4bd2f33f1d
SHA1 be9a25943d9598532a8a19fda33cc80e854a95f5
SHA256 7e60762e90fb347edadb1d35bd0b30d0ecefc4ddc72044c9e6e3afedf67fea99
SHA512 a05a1c76aaea43fff116ec8c62231c9d4defb2b5fc7fdf3b5600b14399a312a260671e030efa7df755c157dd64f52d9583c67a24a3d694c440e8235c4ac5d864

C:\Users\Admin\AppData\Local\Temp\oEoa.exe

MD5 7d5def927e2bcbff28845d871616c1b0
SHA1 ebf5671a5cd66de03030a4d2f57561563314723f
SHA256 801de2e4c19f89a3d668fed38acba7139dff855a1e75fbce4cb011bbee86ebc6
SHA512 c9652aa5c1d28fbf34bee9635745d5994924615743cad91216c0f221f7e5599dc9637c4f10dc584f14aa335caec3b366b7795965438cd3a7e36a15afae0e0f4e

C:\Users\Admin\AppData\Local\Temp\QQse.exe

MD5 a013b54e0b848056ad0b8eaad8dde647
SHA1 584ad7cc67830738abcb212ad89ac84d3fd99d45
SHA256 ad313e9857e447fc9331652121435fa8f499ac08addc280413dddea2189c834e
SHA512 0b16bcb04da6adf48ca77cabf51c0548687bb02bc3572915e2616013cc11d546e62e5e8610de74b4eb980306831f2f3954d4929501a099e358975f9a5b63ec8e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

MD5 c8b4a738965dd8202c74a550cada349b
SHA1 bca81f1c134377ecfe3fdd00bcd910e4c0d32f7c
SHA256 1bedc1f088b1178f84bbb7cad388576134781d753a7a0dbf1fb24715f8792e5a
SHA512 4e69a4eb081e74f2dc9f87fba20f615e1f533a57a65a675f382cdd031c8a0b2cdaddf3f1cea791e007429964eb27161c1938e9fc224067d6972639bb9082ee52

C:\Users\Admin\AppData\Local\Temp\Ygwm.exe

MD5 35e3d6739c10b6097cfff7a990c38f56
SHA1 9b693d8c106ca0c0f6cd835add7f621df0022574
SHA256 b74b3edc4bedb68cf7e0c18716e2a14f01331ae63d5e5e9c078b0faa06f661a8
SHA512 0c17ce0dd374ae50ba6cc202d8773819ccff1b080869a2e351b22ef4379570274f7e994bb8e6a91215f5254a6b0911186c36e6f9299db74ca544e8e72ef177a9

C:\Users\Admin\AppData\Local\Temp\WEMi.exe

MD5 1f2f32b3afefd89aca30cfc5cdb1cd9a
SHA1 1557a0b8ecce34e8634859affea59bf848ccc185
SHA256 86e372e3e6638a7563594f38ec3182c718cbbf9f68b1e216ae938a8795d3a0e6
SHA512 21307f5668c3ada994e18d44359b3603acf348aea0386c28cfd7e87ab626ff7ddc716c46f009bc7d5e8e2e3a0bcb55dc5605ffe1d4d43a1dc05f862d08476068

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

MD5 7d9b2cc52ab3e6e52100202769800374
SHA1 55ead4d832416ec524ed02118f993802980121b2
SHA256 9e001516907e0caf9c61ad1786b1fd6fc0e876dc50b9dd1bf3bd866be6890c10
SHA512 8f3ec4afc5265f6486e1c69d97d178ed33078710e31cd8899422b9a94998b8bc0d81f88abe099c08bbf755d900dea14cbd3da18691798decadc8063cd3783160

C:\Users\Admin\AppData\Local\Temp\EggC.exe

MD5 bce74ed747d506257db97c671da498a1
SHA1 c6d11f266544e6dfbd22194707e882a55f76b644
SHA256 71ecb99c3db5194ec243762a5b7933700e1080587e863805d766342851f78dd6
SHA512 1f3ae21c2623e1ab57ac9ea6aedd8f878c72600f19829bc7314503dc404d29b1ae8ff1051ad267b7c678f3e20695e42a4f9ce5143ce93d12f6e4b4711d384047

C:\Users\Admin\AppData\Local\Temp\MEIW.exe

MD5 e0c47186d2a3f5b20e51d03fb236e0ab
SHA1 94d16b1c08652caec3d7d6c750445b03219ee061
SHA256 6a213de0216371d174cf7c384db38508f3406327386700c89eafa1431f0ff244
SHA512 a7a5eeac5a1896d310936ef36e7284787b07c90d0056215d59f691dcc5400e9545d1ee7cb53fa9133c76cc2f9889ca33769bc574017159a3b66831eaec4992cc

C:\Users\Admin\AppData\Local\Temp\oIUK.exe

MD5 b0b2749165e11af73914809370d935c9
SHA1 c8aa2a075a061e0b04a543962db7acd78a1405c1
SHA256 7da25c3de2a0d9b981c898eca98a048b3f1516a1ec9ef7eb846ed70ea42b2311
SHA512 41657e5850df63c2d2ae7d70a9249c93deee2b8559b0af9b96b5f4c31a3ed30bead413c0796f489dd56847914e3e778c59f42dc59a8a5f3d6d719607d9a751d1

C:\Users\Admin\AppData\Local\Temp\wQwK.exe

MD5 bd282249c14681620b84b5ff0fde67e8
SHA1 814267790e424cde6bbc2d5e858f9cbb92c80505
SHA256 90fec74b93df6df77323a816a01646c00bb651ec3d6c6ebd5cbee8bdc14e0634
SHA512 840826f4f04b1f1eeafad17661f2e0dce0afab988f4f1b89c4cf7da2feb5a54d51caabaf09373bda8c3cbd292ba89407ac1c55cce091db765c0b7c7ad690be1b

C:\Users\Admin\AppData\Local\Temp\uEEE.exe

MD5 42656c92ce7d632a5e1c342e1b58c48f
SHA1 e7cee7e0de1da342ff20319cdea4bfb58ef905b7
SHA256 95058c0c254f2b90ff4f327c9089ba740f697bece663e3b0b78bdafe3264afe6
SHA512 ca8443e7ddc3bde89682cf089859147ac99a3cab1ecb0d25a5d57541c2debe1472c46fe779e3bf12ba17bf6c3c3b67e0b23ee88e8cbc36ba341a7d3fc1f50c75

C:\Users\Admin\AppData\Local\Temp\mUAq.exe

MD5 0445c489170f209774fb37507438379e
SHA1 9c96be0f4843bdbd139fe41867baa0f622456aae
SHA256 6ab36b0a23bb9ecf9c7d42d9c24ea602fe64cbe3f860c72a1767929ffe6c0ef1
SHA512 7786bf1472c33e04f6ead63201d14f94fbcc1bc8396fcfa024d2c01e6b0637ef6626e9f4e8107c3ec724d7b238bbe0433ef3e74327715904c94c9feeaeba6837

C:\Users\Admin\AppData\Local\Temp\ygMu.exe

MD5 6c5c78bff8367ac7650651a5ac0c9aaa
SHA1 cefd4ebbaeea2a629d16965b34d6f71b6ce926f3
SHA256 bffeb3dd6833bd6800de4891521fc40a312aa09200fbd3e8a693435b0d5861d0
SHA512 291021cf7b59fd4364ee00964b5b34e90287e9aa1313dc6568ecbd97e5bc140da048466e56e9dd97e0ff7a81acf6218327757f83e2a2cccd2b022f7923f0773c

C:\Users\Admin\AppData\Local\Temp\CMsY.exe

MD5 75fca5a8f75f40afb251006710458a60
SHA1 12a2fe3449352ccd52851bada6347d3cf67fe101
SHA256 3f303be095a860b8f87174a1b3ecb8fe745467df261c80a105a0d2ffb95ae839
SHA512 353c8e40774ea760a862fc705fb02e31ccb501595962ce76cc1fad27ececc45e06c538709ba47d48bf59946d4ce1c9a79d5029d18a8fd1ccf79e405b7c492817

C:\Users\Admin\AppData\Local\Temp\OUkg.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\Ukcm.exe

MD5 00cd506e1bba5a46fd42bf740367701a
SHA1 24fc9abd3f0e64d65e38fb7c0b298c545940ed36
SHA256 88875aa28548347746f290fdccbb1770bc5797ad02354256d4c46c622c2952f6
SHA512 45a37104244759a100702daa0bd9c28cfc82576d6c1d22d13a4b9baaedfe10ebccd9a36fc9e6ec56b91c38c94860ee162df2cf683af961bcceab104e60668cd9

C:\Users\Admin\AppData\Local\Temp\MQsq.exe

MD5 dbb8da9b78d9fd4769b9a3d7d3e55bef
SHA1 444a0aa193a06afe15219ea5308d7f7b76d9096a
SHA256 3e6768bf39bc56478eeca7dc7238559d2b065dbadb30a3fb2ab55d2ed449312d
SHA512 da89fe9a8988f90aa61566246fd0d34be9b7046958f985a3019ea35937b70ce273fd5072d4800f728b8cbeadf1b24b4208328c615afa3a9d035c82acdeea3241

C:\Users\Admin\AppData\Local\Temp\CQAa.exe

MD5 9e2d369eeb857c340827124e4bb1e319
SHA1 2429fca418f2a5f280c973a7e9eb01d290fe145c
SHA256 6d4128ac526cf6d7ee105601cd2e2b8d563bb0b57502e4c990912c768630f3f8
SHA512 21830c57466bcc6b95ec02b64897084f0ec13ae11056047872068ec26fa14e8ac9220e9b4ad075cb3e27a859e4e60d01620d9d24b015e1cc166a3b46ceff7af2

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

MD5 417f8d20078d28525f53204fea5347c9
SHA1 7901ee45094b0e45c71183107f90355e3c101cb1
SHA256 188f3ab50994ee638c2c6aee4bec8f752e1571c9683b9b740e2a5ad662b53799
SHA512 6b595a4305f29df21a590dd5634527ee734a75109bcf3a731b6c6eb612c325745046c9172e29b4002ded7e4dbadff90197fd289fbf3951626426dc313ca8223f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 3a47c06f4c78a8e7ad1bda7d8f9caffe
SHA1 d1f9283ab2d0fc0dd8a3426d9c0a38104e69b10f
SHA256 042bcedf05b787e70fa0520fbfb4c37c358858526c5ba4b7ca2e5d40f916bfa5
SHA512 2fdeeeb73bcf6056047150a60079abef1d0efcb22f6af81dc24ea671123db5ac2ac28b35c08b8d0e6d7167a567560d4e47a89ee1209b6af210ed59e5e3bed261

C:\Users\Admin\AppData\Local\Temp\QUoW.exe

MD5 6a322e96d15ecede7cff2afa4eddd166
SHA1 9b3e40abf0af5d2ff4c402785124df66f19022f2
SHA256 5f62cb6656e2610e20167c4b880dd99289592d8318cbcb34a3e9e95e3ca87a2e
SHA512 2ab03ca19d9da473c878a8271c722f10734bd7c822a76e081361ee03cb5696d19df133c6904cec36d41e00c34b39c8f5b73829fac262954a94d72d0d71303e80

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

MD5 555792f94caa793680d296219338e1d0
SHA1 200504dbfefc5589e3a4f0ba94e2f349c8d87e6b
SHA256 bb77c4573a76995aaba870deda301723463727d8f4468b8a72534d521f74b86c
SHA512 2953cd6c7f0fe2139092a0c444c36dfe3dc0d229fb369a18dcb2a0f7adba2ec24230357c9660705c2391589ee63eae7135fab106a5b3e23042f3756e82b476c7

C:\Users\Admin\AppData\Local\Temp\sEsk.exe

MD5 76aa6466e3a3f78bc7e167ff93df01a0
SHA1 1f213434b5179a8b43442b0524c6636421719aaf
SHA256 6e4845b7bfcb5c6a5e30f053fdc155913f020e8d78682f934fb3095a79f632d2
SHA512 5cc8dcbc45ad165679afe80949040d67114d16bb780746de7b69decdd8e9593a5e79e865a6323f47be04ee2584591849740440be76556f3bd55e62ae205b42ee

C:\Users\Admin\AppData\Local\Temp\wAAu.exe

MD5 b3da918ead624c6f70cf180adad4f093
SHA1 27cfd2099a3f0aedd4acd8ab1a24d2f1c7b2fc69
SHA256 9c38970e872b678d9c8f8708810311cb289fa1a230de95ebfc0c39b2ffa5b8b3
SHA512 51e310a04f07a00ddb721f13cfe5d032dde8ee37fb9bdd93e3e53cdb3cfe9c0c037f070762951f9a819c4bb6815cf5ff2077d3e7e0f202ba1e643e6542db9e02

C:\Users\Admin\AppData\Local\Temp\YAEG.exe

MD5 fb4062d2548d0705cbffabe31d1c0c24
SHA1 5e15f3cc5ecd8234a8005e355e8038bef2a0983d
SHA256 2fe56ccdcdce17cacc910b336c79ecc9f30f42ed0f6b89d86eb7d748ca25c7c3
SHA512 793300591c20bfc13ce612444ae7e022dbae83f9ae8117f98189273e7e1d58b44c9b4f3d7a0ace75c4abf91b8a2d78f03b3cce83851bb8aef3cb0cb736983e8d

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

MD5 5bc75d3a02cbc9e7773582e08e1790ac
SHA1 1df2a3701e8e0078cf280254acccb4d2add566e3
SHA256 8afc81ec727684298bb57d86e56b239c86ac632fbc7eb3c7289752899efa4a10
SHA512 7b2a8635ef46bdd1b93351ecf3af3e92e1ec7df8f667f4041713a1e71f7729918feb93b3786a4d15d4eaaa75fba30941704924043d791e1f7a99cc73a7e87394

C:\Users\Admin\AppData\Local\Temp\UIwI.exe

MD5 efe3c41c7508bdef40b4caab493edc73
SHA1 2edcfe4f1abc2b827e8d2177dfdd9f978194b457
SHA256 2d163ff51546d07f7c10b2fa4c10a8fd630acaef9ea5e0eb846e1ea6a61dd1f2
SHA512 985d06f0c8b68726f8908fe472eaae0a9d65b00f3f245fe171527dcfb63d8b6de1ad8fa5271cb00ea72977b57cbd8d5f0ec68ef075b2ff2c16693649899fd942

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

MD5 6d6ad648e2197125749f88c3a1069086
SHA1 ce204a25cf4ba90e8fa54422bf3b84a925830d12
SHA256 b405c4b1d906d12a4b3ec036979c1f4bb201d596a884096bbca43845048d7dc8
SHA512 82d87810741f12c8ce6cb1453e1cca45b9e44c863a7c7ab1973b2f75f1556fa709fad5e412d8e13dab2e28b55f4dcf117a9d3bec97b5a4c265aec0f3ff2b9884

C:\Users\Admin\AppData\Local\Temp\QsAy.exe

MD5 96412a2b526a7dfd0552f39baa4e7e17
SHA1 f5a861e75f14b5cc949b0c5494f43f4658c19366
SHA256 0e84ed97ffde55dfdd0fefd08cc14ca2fbc44be7cdd7a7355403cb7520d14d60
SHA512 18938b50b2b71f0eb5d126f7ce65694deba792980b83a1af976a2648a42421be6fb2909659e48e15d4f1f7ce99ec22c2d4599e847778a853ec24a71d93224502

C:\Users\Admin\AppData\Local\Temp\MUsG.exe

MD5 4ce8a581374648c550329dad08d2233f
SHA1 d5a310b54dc253c5aed6988b2edea66181926745
SHA256 af91effd4195eb30b9ea4d4b8b175ddfa12e014179b1e42798b93f8e9781f492
SHA512 bdfaa1dc502132eb886af8dbe406edce2adee6d2bb15d44b7da33e5b31db6da5ffe50c0120978c1db650233849c6a48a2dae5a08f88627109eb0af43768baca0

C:\Users\Admin\AppData\Local\Temp\Ascg.exe

MD5 5cb440fbe7f494035fe5cabc0a9138c6
SHA1 6ced672839b8daba91fcece3e742817a09e5dd0e
SHA256 c83d335bd0406afd7f0bd7f151833fdfbbe0f760c0666bfd228bcffcfe9ec02c
SHA512 6fa2a7045a3facbf55ceebf4daadff5bd3705a77e1b85e9390ed6a12a718383f12ff78448a6c15dad11a4bf4d2b32d303a07a8aadd954d0c8f7f7c3b614bcb03

C:\Users\Admin\AppData\Local\Temp\uwUI.exe

MD5 7dd862569ce6e00b6a9b497557498008
SHA1 c0c69ac46238625e87693032b652d92f5f5e43e5
SHA256 f0e4bd22d6ad16900a126ea6c803cf9dbde0a261b94298b6aa405abaffe8b3b9
SHA512 3a19e44f860058c7b412791b590f5dad3d8d7399a3d8016291edc19f7f91b4523939643b0fc711a82438475c6c8909b333909868a3d6b90c90fae491ceb8d683

C:\Users\Admin\Downloads\DenyInvoke.gif.exe

MD5 5ddf2951d88f463b375df03339ab3bf5
SHA1 0762ae2d095c66d99236ebf586628376bbffdeaa
SHA256 688050c1a60c999019c7c59e988dcd9df9a6ca8d71ca95c9844429dfe44db05b
SHA512 52736cf3403575dfb3f346e383e0cfc06646dd811bef8bf0d804db2157b5e2ec61c2261d8cd032ac44e88cd6b3d2ad22f871fe216ae51fad05e37a4c9fda4459

C:\Users\Admin\Downloads\HideMove.jpg.exe

MD5 3114a245ad4a13497f52bdb79e61a6ad
SHA1 4cadef112b081ac805aca5552d5063eaa3bb9bc3
SHA256 e171f2a975c843e93308105d8a0d01adb5a15fd64d104ad2fe0cfa185aa41eea
SHA512 242fcfa606b24f43d660c0c5cc000173e2b663f02357a555cc430ee75494a2bab99ddd3371ad4fe17459a4b992701e371c0f6670f5ce20d33cfd1d258f4602bf

C:\Users\Admin\AppData\Local\Temp\AcEY.exe

MD5 633e416ff5570d5d18f09f2078891eba
SHA1 1dab6a2104b66ee52f8476c6ee4397ccefba5e6f
SHA256 6f208ed94081b5e726060de3abb7d5315f0cf1e446a4d6480f105859264bd4a8
SHA512 9f0368e39b69cb94a256bffa86cb5ee1e31b5bcb1b8e4a8b1a585dc37e1b121203a11edc30a65c3ce8de9114423da7c8e472d611d31e5ff754787916e0d5d529

C:\Users\Admin\AppData\Local\Temp\ecAQ.exe

MD5 2098262830a07008f8541e8714a2450f
SHA1 5d965fbb25ada0c1644eb1fd029c3d3f2f520b83
SHA256 114dd1be67509f499377fea33095a6ce831840fb013fa8b586098137d8703048
SHA512 357249ae8273b95ace79606590d0c3d3df87bf45501172819783dc1bba4c3f3a3da3be6754a5de65c214ea12ee01af075108f400ee04df3c1574e72d5b50ced7

C:\Users\Admin\AppData\Local\Temp\SEkm.exe

MD5 98f63c89640dfaeb211867273f39fbec
SHA1 39d079b2a976365d6e75da6b53d8d4ea92a9471d
SHA256 beb3638127647fe35d4ca0ec225f6103bc622568289647e8661785b024ee49b1
SHA512 0dd12349939d471a6687f57240668a694704e30b5cbc7b6a43bad05cf49eca34ab86b34d56fc9abf0f69f77c9e03b8039c337dda41efdd8aa1ce87c1a6f62523

C:\Users\Admin\AppData\Local\Temp\oYky.exe

MD5 5582d280a5398de69224a10ff93ad669
SHA1 e526cde356a628578df6e628a6f7801498e7ba53
SHA256 e3e47a91bf8f78b0f403e30e5ec26a19373e04a437234de5844bbe11d7347e33
SHA512 3beabf496dea9c66fadf219c556186acc0ad5f656a75000decf2c1cee560aa6d62a46ce8012969d25fec1c82dc52837858edc9d1d46b38f245055f85e6038f76

C:\Users\Admin\AppData\Local\Temp\uQoS.exe

MD5 fa93bf5cbb443c520313777f469683be
SHA1 876d73a9c554cc0d17ac5dbd5a639ce9c7bb02e2
SHA256 a9c9e4cad484a62bd8a815d0fd152191cddc546d6f990864b6eec82544273409
SHA512 9d8d4614212d7f05fb000675a97a828106c589a23f61557217fce46b7fbfc3c90e93fb7423fbe833080e73a70f7611ad3bf72d34eab045702fa7f2e250190d07

C:\Users\Admin\AppData\Local\Temp\wgcG.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\Ockq.exe

MD5 a57dbb7f1d4b54e0a0ecba30cf69f10d
SHA1 907817e3734e6abe9a2f475612f6868666ac636c
SHA256 d6e2036360a08101b61aa0e3a59488d9c8077ade644a8c2a52bb18032e41f72d
SHA512 e91b8836bd2aa8250877ee3ad9ff469bfdd89d71baeb10eca98c0849ffd8b111295b306fcac05bf98510fb7298ede7a2505760cef0c5764e7e8d0109b1eba469

C:\Users\Admin\AppData\Local\Temp\KAwo.exe

MD5 b964ecca59b3ccb55dc52b8958e8528b
SHA1 3448aa553cece0c3e1b9364d16713985fcde9333
SHA256 439e6b426de06716109251484662c767bbd6032afcf7b537d05841b3a092e62e
SHA512 14bb7c8825063938f883fd8340c1052a7c21588ef54ab1093c86ac6db83b40b57eaa176066c867ba636c079e4125c7863288f53ac3dea4ba0d11835591fcf8b0

C:\Users\Admin\Pictures\RenameCompress.png.exe

MD5 c127850c79c3eb95dd66c8cba1ea5d4f
SHA1 f7ab6b59178ce1efde572d634c6f61e71f8e1797
SHA256 57182b94f475ce5c8ae9462d7e72b5a7d9a0723fbc92494977df6f122f632710
SHA512 5eee16301065d36234ce1ff3da876dae0af994f532f050e2323421eadf32e9a035b99b84ab439b34aea82da6ca40eec93704d1d94ff446e51e12cbadd15d6c80

C:\Users\Admin\AppData\Local\Temp\ywgc.exe

MD5 efa68b7b4b7796d4f61020e81025551e
SHA1 138e4b709f871e7ea4035dd85153ec24ce481d9a
SHA256 91dba627fd3bfcc3cadb5942f1fb2e4de34d6d6008d7cdd21fd5912bf13ef8f5
SHA512 638d93adbde25d96227cf3981b0db2782569ce9d3adfb287cbd9566bc74319ff5c3859a61793dcb1b8d5f887493d7cc5422b55c5569b8e3b859600c8064bf685

C:\Users\Admin\AppData\Local\Temp\GoUK.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\Pictures\UseNew.bmp.exe

MD5 a7ad6e2ca538786c73e5e106932eac29
SHA1 6de82e5ca691b4b120a201923caaf662828d79a8
SHA256 2c11e69d0b4e70bbc0149d23879b37fe182c1d38699528a6aaf9def260b58883
SHA512 a043611e6f09bcd5851b2b1f813d925f0da9f103d27ba93cee6f57ed11bac0930b0e85c71ea6fde408b20075877936bcad445744009394c94d7ff90977d8644d

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 72cce5d3abc24aa42dd6e22c4bb049e4
SHA1 2d144f42c52d329742dc8d2157e85ad9f9dec094
SHA256 8faae62088e2a16a6db1d56a633119d7d52b9a0c4972b929948be1132a0db81e
SHA512 9b423469438be4675e3f8e2e5d4a6d58d1d707e09b5e34a9f90235643b7120a33b30454f41ee4ba8b219f555aa981a07a2809c56c76b7cae83c6f93cd948181a

C:\Users\Admin\AppData\Local\Temp\QEoM.exe

MD5 5f704e662ca325076e166fbef68a6207
SHA1 e5875c42353b818affb5ddbab162b29319907d89
SHA256 1a586b5b0bbdc690add630b83f1a89b0c988ae2d536ae5c322697c4920fb769e
SHA512 59e8739a1f73c1e55ae96842c194324a1d259262cff1da15eb70d1629deff8f7ea19497a3ddb77562b317a5db2dcf0e695e9a201e31be76dcb8ade8798489576

C:\Users\Admin\AppData\Local\Temp\AgsU.exe

MD5 e77b803783d41b02991fbe20740cffb4
SHA1 50d988ceb67dc91d4cee7edbd5538984854b0cd6
SHA256 fc447dfaabc3cc596f494d0e0b91c8635907934e9301125391d339260beb6258
SHA512 e0f916d349f717b6770af8da3fd2d7f0f51b9def9752a08f7403a5726a4410492b21053bea3ab072ccc616ff53f832628d3a62a74f39ef33aee2ae95e527347e

C:\Users\Admin\AppData\Local\Temp\EgMC.exe

MD5 a8b8eca8edd33425e6e1ec552c651b43
SHA1 225a70ff06f977a1ba88825769147411867467f7
SHA256 f749c9a63a5af2622f6d38fcf1a8ba44dbcddf8803d69c2d964a71487a2fb3de
SHA512 c87e82573c9e58652c43eedde14c197443111461eb35a383ba75644b92eb2a9b20d2fd2b4452fcc50695843458586098c27a469bc9878846cee540e89087f58f

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 99503c5ebddf47c557e339688d1ba14a
SHA1 d1b0a5608453a5b50a9325ca0357fb953dca4fe1
SHA256 4f22ecc9d32b00ef62778844cfbda2686816dd76827dd85734cd1f862916d7ec
SHA512 3b95ef028d4da176b19129e542a6698b94cead2bd2fcf4c6f66986899be31d51c667c91295c30e5745933a261217d569d764acc96add1cfade5e8acdbab91f6e

C:\Users\Admin\AppData\Local\Temp\coIq.exe

MD5 19fe3677cafd3fa9a416a4cf2428bbcf
SHA1 09ee9587772718338e483230747872917d3e283e
SHA256 29673bb8351c8c4e4c2e1c8e89e13cd2ca9e1f83e072b93f643f52d2dd0c089b
SHA512 1d4a17aa93f3a4f68e3e43c63a171e78c4babada1e0fcf7ee14bac435e94d8582fbc41c5e7c914fbf3c241b80af3d4e5d55ab9afbac141b9dc2ee5899a3db708